Published : 06.13.2023
Last Updated : 06.15.2023
Identity management has taken on an entirely new level of criticality when we evaluate it in the context of cloud environments. In fact, identities are the single connecting point between high-value assets and the cloud environment. Unfortunately, most organizations overlook the criticality of identity management in general, and especially the excessive misuse of machine (i.e. workload/container/application) identities. This lack of 'identity awareness' is directly related to impacts across all industries: a recent report found that 84% of companies polled reported an identity-related breach during 2022.
DevOps teams, striving for rapid deployment of the necessary environment, often reuse access roles to expedite the deployment process, resulting in over-permissioned roles across the entire cloud environment. When you consider the duplication of machine credentials along with user identities, it is no wonder that so many breaches are rooted in identity mismanagement.
This article reviews risks associated with ineffective cloud identity management, the criticality of managing access properly, and the pitfalls of leaving oversight to the DevOps teams. The discussion also highlights some recent breaches due to poor identity management.
The challenge of managing identities in the enterprise is well-known in the context of legacy infrastructure, where access to data center-hosted applications must be administered and organized. Tools such as Microsoft Active Directory have been helpful for such tasks.
The extension of enterprise computing to the public cloud, however, has added a new dimension of complexity and responsibility. And while enterprise teams do not control many aspects of public cloud security, they are expected to handle the task of cloud identity management.
While the integration of user identity management within the cloud is onerous in itself, gaining control over machine identities is proving to be one of the most challenging aspects of securing the enterprise cloud. Once again, a recent report estimates a 45:1 ratio of machine-to-user accounts within the average infrastructure. Combining the explosive growth of machine identities with the trust-inheritance defaults of all of the major cloud providers, one can easily imagine the extensive risk associated with non-human, machine identities.
When cloud identity management is not performed properly, the attendant risks can be considerable, especially for organizations that choose to move critical or sensitive workloads to the public cloud for processing, storage, or other uses. Specific risks include the following:
None of these threat outcomes should be considered acceptable to any organization, so steps must be taken to reduce this risk. Our experience at TAG Cyber suggests this is best done by carefully managing access, while also ensuring that responsibility is properly assigned.
The primary objective in any identity and access management (IAM) setting, whether for on-premises, cloud, or SaaS-based resources, is that access to the target asset must be managed accurately. As should be obvious, access is the primary objective of any malicious actor. Unfortunately, most IAM solutions in use today are focused solely on user identities and not machine identities, leaving an already exposed organization even more exposed when services move to the cloud.
The access challenge for cloud services stems from the clear changes that have occurred in the perimeter definition for an enterprise. The attack surface has expanded to include public cloud services, and this drives the need for identity to serve as the control protecting the associated access paths.
The primary cloud access management requirements that must be considered in any modern enterprise security scheme include the following areas (which are also often included in the most prevalent compliance frameworks):
These requirements provide a useful roadmap for security teams who need to build a suitable cloud access protection program. In the next section, we review how this responsibility should be allocated (or not allocated) in the typical enterprise.
One decision that should be highlighted, and that comes up often in the context of enterprise security research and advisory at TAG Cyber, is that enterprise teams often delegate the decisions for cloud identity and access to the DevOps teams.
This is a management decision with particular consequences, and if the DevOps team is well-positioned to make a good, holistic determination regarding cloud identity roadmaps, then allowing them to provide oversight could be a reasonable approach.
Nevertheless, the ephemeral nature of cloud 'machines' mandates special attention by all parties involved, not just the team that manages user access. Organizations that should be included in managing, guiding, and overseeing the identity management process include the following:
Of particular note, the IAM team generally falls under the security team or the IT organization, depending on the specific needs of the enterprise. Regardless of where the IAM team sits, it is imperative that this team play a key role in the oversight and management of cloud identities.
Depending on the type of business the organization supports, there could also be a strong case for including business unit leadership in identity oversight, especially if an identity and access management system is in place for customers.
Enterprise leadership teams should review their planned or ongoing identity-related management and oversight teams and associated roadmaps to ensure that proper representation is in place for Security, DevOps, and IT Operations.
The Sonrai platform is well-positioned to play a role here, since the solution covers a wide range of concerns for all three groups. TAG Cyber analysts are always available to help enterprise practitioners learn more about commercial platforms such as Sonrai's.