Understanding the Role of Identities in Cloud Breaches

Identity management has taken on an entirely new level of criticality when we evaluate it in the context of cloud environments. In fact, identities are the single connecting point between high-value assets and the cloud environment. Unfortunately, most organizations overlook the criticality of identity management in general, and especially the excessive misuse of machine (i.e. workload/container/application) identities. This lack of ‘identity awareness’ directly relates to impacts across all industries: a recent report found that 84% of companies polled reported an identity-related breach during 2022.

DevOps teams, striving for rapid deployment of the necessary environment, often reuse access roles to expedite the process, resulting in over-permissioned roles across the entire cloud environment. When you consider the duplication of machine credentials alongside user identities, it is no wonder that so many breaches stem from identity mismanagement.

This article reviews risks associated with ineffective cloud identity management, the criticality of managing access properly, and the pitfalls of leaving oversight to the DevOps teams. The discussion also highlights some recent breaches due to poor identity management.

Risk of Ineffective Cloud Identity Management

The challenge of managing identities in the enterprise is well-known in the context of legacy infrastructure, where access to data center-hosted applications must be administered and organized. Tools such as Microsoft Active Directory have been helpful for such tasks.

The extension of enterprise computing to the public cloud, however, has added a new dimension of complexity and responsibility. And while enterprise teams do not control many aspects of public cloud security, they are expected to handle the task of cloud identity management.

While the integration of user identity management within the cloud is onerous in itself, gaining control over machine identities is proving to be one of the most challenging aspects of securing the enterprise cloud. A recent report estimates a 45:1 ratio of machine-to-user accounts within the average infrastructure. Combining the explosive growth of machine identities with the trust inheritance defaults of all of the major cloud providers, one can easily imagine the extensive risk associated with non-human, machine identities.

When cloud identity management is not performed properly, the attendant risks can be considerable, especially for organizations that choose to move critical or sensitive workloads to the public cloud for processing, storage, or other uses. Specific risks include the following:

  • Data Leakage – Any data accessible in a public cloud can be compromised by poor cloud identity management.
  • Account Takeover – Accounts for machines, employees, or other stakeholders can also be taken over if identities are poorly managed.
  • Resource Modification – Any resources such as workloads, applications, or data that reside in the cloud can be modified if identities are not secured.

None of these threat outcomes should be considered acceptable to any organization, so steps must be taken to reduce this risk. Our experience at TAG Cyber suggests this is best done by carefully managing access, while also ensuring that responsibility is properly assigned.

Criticality of Managing Access Properly

The primary objective in any identity and access management (IAM) setting, whether for on-premises, cloud, or SaaS-based resources, is that access to the target asset must be managed accurately. As should be obvious, access is the primary objective for any malicious actor. Unfortunately, most IAM solutions in use today focus solely on user identities and not machine identities, widening an already exposed risk further when services move to the cloud.

The access challenge for cloud services involves the clear changes that have occurred in the perimeter definition for an enterprise. The attack surface has expanded to include public cloud services, and this drives the need for identity to serve to protect the associated access paths.

The primary cloud access management requirements that must be considered in any modern enterprise security scheme include the following areas (which are also often included in the most prevalent compliance frameworks):

  • Permissions – The need arises to review and manage permissions for access to resources since this is the most fundamental component of protection.
  • Datastores – Access to cloud-based data must integrate aspects of cloud security posture management (CSPM) with data security posture management (DSPM).
  • Privileged Access – Every security team understands the critical importance of properly administering and managing high privileges with access to sensitive workloads and data.
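The role reuse described earlier and the permissions review listed above can both be checked mechanically. The following is an added example, not code from the article, TAG Cyber, or Sonrai: a least-privilege review over role policies and the workloads bound to them. It assumes AWS-style IAM JSON policy documents (Effect/Action/Resource); the role names, policies, workload bindings, and the list of privilege-bearing service prefixes are constructed for illustration. It flags wildcard grants, privileged actions held by machine identities, allow patterns no bound workload needs, and, for a role shared by several workloads, the permissions each one inherits only because of the sharing.

```python
"""Least-privilege review of IAM-style role policies (added example, constructed data)."""
import fnmatch
import json

# Constructed sample: "app-role" was reused by the billing batch job, so its
# policy is the union of what two unrelated workloads asked for, plus leftovers.
ROLE_POLICIES = {
    "app-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::app-bucket/*"},
            {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"},
        ],
    },
    "log-shipper-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "logs:PutLogEvents",
             "Resource": "arn:aws:logs:*:*:log-group:/app/*"},
        ],
    },
}

# Constructed: which role each workload assumes and which actions it actually
# needs (in practice derived from access logs or a deployment manifest).
WORKLOAD_BINDINGS = {
    "web-frontend": {"role": "app-role", "needs": {"s3:GetObject"}},
    "billing-batch": {"role": "app-role", "needs": {"dynamodb:GetItem", "dynamodb:PutItem"}},
    "log-shipper": {"role": "log-shipper-role", "needs": {"logs:PutLogEvents"}},
}

# Assumption: service prefixes whose actions confer or extend privilege.
PRIVILEGED_PATTERNS = ("iam:*", "sts:*", "kms:*", "secretsmanager:*")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in policy["Statement"] if s.get("Effect") == "Allow"]


def find_wildcards(policy):
    """(statement index, kind, values) for '*' / 'service:*' actions and '*' resources."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action", [])) if a == "*" or a.endswith(":*")]
        if wild:
            findings.append((i, "wildcard-action", wild))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            findings.append((i, "wildcard-resource", resources))
    return findings


def find_privileged(policy):
    """Allowed action patterns that fall under a privilege-bearing prefix."""
    hits = []
    for stmt in _allow_statements(policy):
        for pattern in _as_list(stmt.get("Action", [])):
            if pattern == "*" or any(fnmatch.fnmatchcase(pattern, p) for p in PRIVILEGED_PATTERNS):
                hits.append(pattern)
    return hits


def unneeded_patterns(role, policies=ROLE_POLICIES, bindings=WORKLOAD_BINDINGS):
    """Allow patterns in the role's policy that match no action any bound workload needs."""
    needed = set()
    for wl in bindings.values():
        if wl["role"] == role:
            needed |= wl["needs"]
    unneeded = []
    for stmt in _allow_statements(policies[role]):
        for pattern in _as_list(stmt.get("Action", [])):
            if not any(fnmatch.fnmatchcase(action, pattern) for action in needed):
                unneeded.append(pattern)
    return unneeded


def role_reuse_excess(bindings=WORKLOAD_BINDINGS):
    """Per workload: actions it inherits only because another workload shares its role."""
    by_role = {}
    for name, wl in bindings.items():
        by_role.setdefault(wl["role"], []).append(name)
    excess = {}
    for members in by_role.values():
        for name in members:
            inherited = set().union(*(bindings[m]["needs"] for m in members if m != name))
            excess[name] = sorted(inherited - bindings[name]["needs"])
    return excess


def review_all(policies=ROLE_POLICIES, bindings=WORKLOAD_BINDINGS):
    """Combine the checks into one report keyed by role."""
    return {
        role: {
            "wildcards": find_wildcards(policy),
            "privileged": find_privileged(policy),
            "unneeded": unneeded_patterns(role, policies, bindings),
        }
        for role, policy in policies.items()
    } | {"reuse_excess": role_reuse_excess(bindings)}


if __name__ == "__main__":
    print(json.dumps(review_all(), indent=2))
```

The report for the constructed data shows why shared roles are a breach multiplier: the web frontend, which only reads one bucket, can also read and write the billing table and pass or assume roles, purely because "app-role" was reused. Splitting the role per workload and replacing the `dynamodb:*` and `Resource: "*"` grants with the specific actions and ARNs each workload needs removes every finding except the ones a human must justify.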

These requirements provide a useful roadmap for security teams who need to build a suitable cloud access protection program. In the next section, we review how this responsibility should be allocated (or not allocated) in the typical enterprise.

Pitfalls of Leaving Oversight to DevOps Teams

One decision that should be highlighted, and that comes up often in the context of enterprise security research and advisory at TAG Cyber, is that enterprise teams often delegate the decisions for cloud identity and access to the DevOps teams.

This is a management decision with particular consequences, and if the DevOps team is well-positioned to make a good, holistic determination regarding cloud identity roadmaps, then allowing them to provide oversight could be a reasonable approach.

Nevertheless, the ephemeral nature of cloud ‘machines’ mandates special attention by all parties involved, not just the team that manages user access. Groups that should be included in managing, guiding, and overseeing the identity management process include the following:

  • Access Management Team – The IAM team will have the best insight into the day-to-day administration and management of all identity-related tools.
  • Security Team – Threat and security technology-related issues for cloud identity are best handled through a dedicated security team.
  • DevOps Team – Since identity management and cloud services are so tightly coupled, the inclusion of the DevOps team in oversight is usually a good idea.

Of particular note, the IAM team generally falls under the security team or the IT organization depending on the specific needs of the enterprise. Regardless of where the specific IAM team may sit, it is imperative that this team play a key role in the oversight and management process of cloud identities.

Depending on the type of business the organization supports, there could also be a strong case for including business unit leadership in identity oversight, especially if an identity and access management system is in place for customers.

Action Plan for Enterprise

Enterprise leadership teams should review their planned or ongoing identity-related management and oversight teams and associated roadmaps to ensure that proper representation is in place for Security, DevOps, and IT Operations.

The Sonrai platform is well-positioned to play a role here, since the solution covers a wide range of concerns for all three groups. TAG Cyber analysts are always available to help enterprise practitioners learn more about commercial platforms such as Sonrai's.