Missed our webinar? Don’t worry. We breakdown the key takeaways from the identity security and secrets management webinar.
On April 9, we hosted our first HashiCorp Vault webinar with Marshall Copeland, Partner Solutions Engineer at HashiCorp, and Eric Kedrosky, Director of Cloud Security Research here at Sonrai Security. The 45-minute webinar features practical advice and cloud security insights on identity security and secrets management in the public cloud.
The webinar covers the current state of the public cloud and the challenges and security benefits from combining identity security and secrets management in a multi-cloud environment. Below we cover some of the highlights from our Identity Security & Vault Secrets Management: Key to Unlocking Public Cloud Security webinar.
The public cloud service market will grow to $331.2 billion by 2022, according to Gartner. This is driven by large enterprises migrating some (if not all) of their workloads to the cloud, as well as by new organizations who are “born in the cloud.”
The public cloud provides agility, speed, and flexibility, but it also comes with a new set of risks. Many of these risks are the result of misconfigurations, which not only cost organizations operationally but lead to more severe consequences like data breaches, as we’ve unfortunately witnessed with companies like Capital One.
"What surprises me the most about public cloud security is that, for all its capabilities, tools, and services, it doesn't get easier to answer the basic some of the most important questions: Where is my data? Who has access to it? How is it moving? And where is it moving to?" says Kedrosky.
The challenges associated with identity security and Vault Secrets management in the public cloud are complex. Here are four of the most important ones:
Let's explore these challenges in further detail.
Vault "Secrets" are all the things that provide people with access to a system. Examples of secrets include username and password combinations, API tokens, TLS certificates, and all the other things that systems, applications, platforms, and even clouds authenticate.
Once someone has been authenticated, they can perform read and write sensitive data. If a third-party accesses this data, it can use it for nefarious purposes.
"It's a mess," says Copeland. "It's hard to manage security at this level. You have different command-line interfaces and different UIs, and customers find this difficult to manage."
Decentralized identity and access management (IAM) happens when an organization doesn't manage access control properly. There's a level of uncertainty (and the "unknown"), which creates a lack of visibility and control.
Decentralized IAM occurs when an organization has limited access control. For example, when application security teams are meticulous about rooting hard-coded passwords from finished applications, they often leave them within the IT infrastructure that supports software development. The same goes for account sharing, where organizations don't really know who has access to passwords.
If an organization doesn't audit the people who access their systems (and what credentials they use), they have weak access control. With an ever-changing number of systems, resources, accounts, and applications —and without centralized visibility and management — an organization won’t be able to manage secrets and data access effectively and securely. Plus, visibility gaps can create additional operational and governance challenges for security teams and audits.
One of the major stumbling blocks for identity security and data governance comes from disjointed monitoring. Organizations must ensure ongoing visibility into cloud-related risks, but those that adopt a manual approach struggle to maintain data and identities with disparate cloud services. Moreover, many teams are unable to mitigate risk properly because they don't continuously assess their cloud infrastructure.
Different cloud components require different monitoring approaches and tools. However, many organizations lack the monitoring solutions that effectively track things across all clouds. A primary reason for this is the use of “cloud-native” tools. While these are useful, they sometimes expose gaps in the associated cloud environment and certainly can’t see into other clouds.
"From a cloud perspective, the levels of maturity in systems differ," adds Copeland. "Customers want to know what cloud provider and what third-party provider have the best maturity levels."
Another challenge is end-to-end visibility. Considering the scale and size of cloud environments, it’s next to impossible to always know who is accessing data (and where) across an entire organization. The lack of visibility into Identities, both human and non-human, increases when there’s no strategy to support the implementation and management of these applications (or no controls when these new identities are created).
“Enterprises need to know: What permissions do your human and non-person identities really have?" says Kedrosky. "I bet it's not what they think they have access to’.”
There are other obstacles. Things change all the time, and some organizations struggle to manage accounts and assets they don’t know about.
When it comes to cloud security, access management is vital. Organizations aim to implement the least amount of privilege for their Identities. In practice, this means assigning credentials and privileges as needed to any type of identity and removing any permissions that are not necessary. This is a complex challenge in and of itself.
"What most organizations want to do is to achieve the least amount of privilege," says Kedrosky. "In the cloud, with so many things moving, this becomes really difficult, and organizations struggle to get at least privilege. If they do, it's really hard to maintain."
The shift to a DevOps model has made it even more difficult to achieve and maintain least privilege. At the heart of DevOps is the ability to express infrastructure as code. This allows operations teams to configure infrastructure needs with code, including privileged access through secrets. This complicated web of machine-to-machine access (or identity-to-identity access) makes it difficult for organizations to tell who or what can access their Vault secrets.
Many organizations have no privileged account security strategy for DevOps and most fail to identify all of the different places privileged accounts or secrets could exist in their environment.
In some cases, if an identity compromises one secret, the same identity gains access to everything that the tool can access. Stitching security policies together means that security teams can better understand the interface and intricacies for each tool in order to continuously maintain least privilege.
How are Sonrai and HashiCorp overcoming these challenges?
By providing centralized management of all identities (whether it's users, groups, services, and/or roles), your organization gains the visibility needed for proper oversight. Centralized IAM makes it easier to enforce policies governing identity and access. This is because an effective centralized approach ensures that privileges are issued in accordance with the policies and controls within your organization's governance framework. As a result, you can align privileges with your business requirements.
Centralized IAM tightens access and control:
“We need to move from stuff living everywhere — all over the place in different systems — to living in a single place where it's tightly access-controlled and tightly audited,” says Copeland.
Having a single source to view all of their Identities and data in the public cloud removes the "noise." Monitoring for public "buckets" or secrets is important but not enough. Enterprises need to extend monitoring to all data, resources, and microservices, even to a system like Vault. Moreover, organizations need to have fine-grain access controls that restrict what people have access to in order to prevent data loss.
Continuous monitoring identifies and manages risks associated with critical systems and data on an ongoing basis. "It's critical to reduce security risks in the cloud," says Copeland.
By continuously monitoring, all potential access paths to your data, serverless functions, containers, VMs, and users are uncovered and categorized by privilege.
With continuous monitoring, organizations gain an additional layer of oversight over their existing cloud security frameworks and optimize the effectiveness of internal controls. It also maintains a documented record of change control and validation, which improves ongoing compliance and reduces auditing workloads. Also, an organization can gain increased visibility into the changes in their environment: Who made the changes? When did the changes occur? What information was accessed?
"When it comes to continuous monitoring, our customers really want a single source," says Copeland. "They're looking for audit-level control, and that's one of the things we build into our solutions, specifically in Vault."
Visibility is key to security, this is why it's important to know the effective permissions for all Identities (human and non-human) in your organization. You can get true visibility into data and access trust relationships by graphing, classifying, and mapping identities.
With end-to-end visibility, organizations will detect misconfigurations and changes — and respond effectively.
"With centralized IAM and continuous monitoring in place, what we can really achieve is true end-to-end visibility," says Kedrosky. "This is where you get to know your respective permissions for all your identities, human and non-human, and you get true visibility into what data those identities can access, and how they are doing it."
Centralization lets you manage all of your identities from a single place, and continuous monitoring enables you to understand what these identities are doing. As a result, you can build a picture of what effective permissions really are, and not just what you think they are. You can then work toward least privilege — and maintain it.
"With continued visibility in place, you are able to detect drift and deviations, so you can take actions to remediate, even automatically," says Kedrosky.
Question: In AWS, I have a Lambda function so I had to create a role with some permissions and also had to add a trusted relationship to the Lambda service. Can your service verify the permissions see that Lambda?
Answer: This is at the heart of what Sonrai does. It lets you see the effective permissions your Lambda truly has in your environment by looking at the Identities associated with it. What you should see is the expected path. That said, if there have been any misconfigurations in your system, the Sonrai platform will show you all the different paths to where it can go, and what data it can access. You can reduce any risky actions that you might not have known about before you used Sonrai.
Question: I run a small DevOps team for my company. We finally moved to the cloud and we are managing identities, roles, etc.. How can your solutions help me out here?
Answer: Again, this is exactly what Sonrai does. It allows you to see the effective permissions for all your identities. It also helps you identify all the places where your data resides, what it is and how it is, or can be, accessed. Once you have that picture in place, you can really start to look at how everything is put together and works, and you can look at this through the context of your security governance model. As you run a small DevOps team, these are the kinds of things you really want to get a handle on now before they become big problems as you grow
Sonrai’s unique integration with HashiCorp Vault allows customers who use Vault in AWS, Azure, and GCP environments to streamline identity security and secrets management.
Want to see Sonrai and HashiCorp Vault in action? Sonrai Security protects your “crown jewels” by continuously monitoring the critical data inside object stores and databases. Explore the where, what, where, and how of identity access management across your public cloud. Click here to request a demo.