
In Cloud Governance, A Set-And-Forget Approach Can Be Fatal


Raj Mallempati is COO at CloudKnox Security, responsible for CloudKnox’s overall business and go-to-market strategy and execution.

Governance has always been essential to keeping IT systems running smoothly and securely: it supplies the rules that cover the whole spectrum of operations, from cost and security to efficiency and the rollout of new services. Many security teams, however, assume that the governance model that worked for on-premises infrastructure can be carried over unchanged to cloud infrastructure. It cannot. The cloud has changed the nature of the computing environment, and governance has to change with it.

The “set and forget” method might once have worked in an on-premises environment, where an organization only had to protect its own data, conveniently held inside its own data center. Cloud adoption has produced a different enterprise architecture: a much bigger, faster-moving, constantly changing environment that cannot be managed the same way.

Permissions management is one area where the requirements for governance have changed dramatically. The data, resources and services in a cloud infrastructure sit outside the boundary of a traditional network, and the number of distinct permissions that can be granted to reach those resources has grown enormously; AWS alone defines thousands of individual IAM actions. Cloud service providers (CSPs) such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) add new services, and new permissions with them, daily.

The Permissions Threat


Over-permissioned and inactive identities have become a systemic risk in cloud infrastructures, as outlined in the Cloud Security Alliance’s 2019 report, “Top Threats to Cloud Computing: The Egregious Eleven,” which lists insufficient identity, credential, access and key management among its top threats.

Yet I find that many organizations remain blind to the intrinsic risks in their cloud infrastructures. It is not for lack of awareness or effort, but a result of the speed at which infrastructure is built in public cloud environments. Traditional role-based access control, with roles curated by hand in advance, simply does not scale in the cloud. Continuous monitoring of what each identity actually does, combined with automation and analytics (including machine learning where the volume warrants it), is what produces accurate, calculated and actionable visibility.

Based on what I’ve seen, the unfettered growth of permissions is one of the most difficult challenges organizations face in cloud governance. In Microsoft’s Cloud Adoption Framework, “identity baseline” is one of the Five Disciplines of Cloud Governance, tightly linked to the “security baseline”; the other three are “cost management,” “resource consistency” and “deployment acceleration.” Among those five, identity and permissions management has become the critical focal point for cloud security because of the rampant over-permissioning of identities and the exposure it creates for the enterprise.

At CloudKnox Security, we focus on cloud infrastructure entitlement management (CIEM) solutions, and in a recent study we conducted for the “State of the Cloud Entitlements Report,” we found that more than 95% of permissions in the cloud are unused and more than 50% are high risk. Every one of those unused permissions is standing exposure: it does nothing for the business, yet it can be exercised by a compromised credential or a careless operator, accidentally or intentionally.

Gaining Control Through Visibility

Remediating this risk begins with continuous, comprehensive visibility. In a large enterprise cloud estate, that requires automation at scale, integrated with the continuous integration and continuous delivery (CI/CD) pipelines that create infrastructure and the IT service management (ITSM) tooling that tracks changes to it. An organization must be able to monitor and assess what each identity, whether a human user or a non-human service account or workload role, actually does in the cloud, in order to uncover permissions that are never used and identities that have quietly accumulated high-risk permissions. That evidence is what allows it to enforce least-privilege policies and move toward a “zero trust” environment. One caveat: a permission unused over the review window is not necessarily unneeded (quarterly jobs and break-glass roles are the usual exceptions), so right-sizing should be staged and reversible rather than applied in one pass.

Once an organization has that visibility, it can automatically right-size the privileges of over-permissioned accounts, and it can use the same activity data to grant permissions more precisely when they are needed, through “privileges on demand.” This corrects another major contributor to permissions creep: the “just in case” model, in which developers are given broad permissions in case they ever need them. The spread of over-permissioned accounts shows that model does not work. Instead, developers should request elevated or high-risk permissions on demand for a specific job, such as creating or deleting virtual machines, and have them revoked automatically after a set period. The platforms already provide the primitives for this, such as a time-limited role session in AWS or a time-bound role activation in Azure Privileged Identity Management, as opposed to a standing policy attachment.
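The analysis described above, as an added example rather than anything from the article or from CloudKnox's product: a Python script that reads an IAM-style policy and a CloudTrail-style activity log for one identity, reports which grants were never exercised and which cover high-risk actions, and emits a right-sized policy containing only the actions actually observed. The policy document, the events, the identity ARN and the high-risk action list are all constructed for illustration; a real run would pull the policy from IAM and the events from CloudTrail or IAM last-accessed data.

```python
from fnmatch import fnmatchcase

IDENTITY = "arn:aws:iam::123456789012:user/dev-alice"  # assumed identity under review

# Constructed "just in case" developer policy: broad wildcards granted up front.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:*", "s3:GetObject", "s3:PutObject", "iam:*"],
         "Resource": "*"}
    ],
}

# Constructed CloudTrail-like events for the review window (fields trimmed).
SAMPLE_EVENTS = [
    {"userIdentity": IDENTITY, "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"userIdentity": IDENTITY, "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
    {"userIdentity": IDENTITY, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": IDENTITY, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    # A denied call (here, presumably by a bucket policy) is an attempt, not usage.
    {"userIdentity": IDENTITY, "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "errorCode": "AccessDenied"},
    # Another identity's activity must not count toward dev-alice.
    {"userIdentity": "arn:aws:iam::123456789012:user/dev-bob",
     "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances"},
]

# Assumed classification of destructive or privilege-granting actions.
HIGH_RISK_ACTIONS = [
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey",
    "ec2:TerminateInstances", "ec2:DeleteVolume", "s3:DeleteBucket", "kms:ScheduleKeyDeletion",
]


def granted_actions(policy):
    """Return the Allow action patterns of a policy document, in statement order."""
    grants = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they never grant it
        actions = stmt.get("Action", [])
        grants.extend([actions] if isinstance(actions, str) else actions)
    return grants


def used_actions(events, identity):
    """Turn one identity's successful events into 'service:Action' strings.

    'ec2.amazonaws.com' + 'RunInstances' becomes 'ec2:RunInstances'. That mapping
    is close but not exact for every service, and S3 object-level calls only
    appear when data events are logged, so treat the result as evidence of use.
    """
    used = set()
    for ev in events:
        if ev.get("userIdentity") != identity or "errorCode" in ev:
            continue
        service = ev["eventSource"].split(".")[0]
        used.add(f"{service}:{ev['eventName']}")
    return used


def covers(pattern, action):
    """IAM-style action match: case-insensitive with '*' and '?' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def analyze(policy, events, identity):
    """Classify every grant as used or unused, and as high risk or not."""
    grants = granted_actions(policy)
    used = used_actions(events, identity)
    unused = [g for g in grants if not any(covers(g, a) for a in used)]
    high_risk = [g for g in grants if any(covers(g, a) for a in HIGH_RISK_ACTIONS)]
    return {
        "identity": identity,
        "used": sorted(used),
        "unused_grants": unused,
        "high_risk_grants": high_risk,
        "high_risk_unused": [g for g in high_risk if g in unused],
    }


def right_size(policy, events, identity):
    """Emit a policy allowing only the actions the identity actually exercised.

    An exercised wildcard ('ec2:*') collapses to the concrete actions observed;
    grants never exercised ('iam:*', 's3:PutObject') disappear entirely.
    Resource scoping is deliberately left as a separate step.
    """
    grants = granted_actions(policy)
    used = used_actions(events, identity)
    keep = sorted(a for a in used if any(covers(g, a) for g in grants))
    return {"Version": policy["Version"],
            "Statement": [{"Effect": "Allow", "Action": keep, "Resource": "*"}]}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_POLICY, SAMPLE_EVENTS, IDENTITY), indent=2))
    print(json.dumps(right_size(SAMPLE_POLICY, SAMPLE_EVENTS, IDENTITY), indent=2))
```

On the sample data the script reports `iam:*` as both unused and high risk, `ec2:*` as high risk but exercised (it collapses to `DescribeInstances` and `RunInstances`), and `s3:PutObject` as unused because the only attempt was denied. The right-sized policy still carries `"Resource": "*"`; narrowing resources is a second pass. Honouring `errorCode` matters: a failed attempt is a signal for behavioral monitoring, not evidence that the permission is needed.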

To round out identity management and governance, continuous monitoring that incorporates user behavior analysis, driven by machine learning, can baseline each identity’s normal activity, identify significant deviations from it and raise alerts on suspicious behavior. Because service accounts and workload roles tend to behave more regularly than people, deviations in their activity are often the more reliable signal.
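A minimal version of that baselining, added here as an illustration and not taken from the article or from CloudKnox: it builds a per-identity baseline of actions, regions and active hours from a constructed week of CloudTrail-like events, then scores later events by how many of those attributes are new for the identity. It is a rule-based frequency baseline standing in for the machine-learning model the article refers to; the identity ARN and every event are constructed.

```python
from collections import defaultdict
from datetime import datetime

ALICE = "arn:aws:iam::123456789012:user/dev-alice"  # assumed identity

# Constructed history: a week of routine activity as
# (identity, UTC timestamp, region, service, eventName).
HISTORY = [
    (ALICE, "2021-09-06T09:15:00Z", "us-east-1", "ec2", "DescribeInstances"),
    (ALICE, "2021-09-06T10:40:00Z", "us-east-1", "ec2", "RunInstances"),
    (ALICE, "2021-09-07T09:05:00Z", "us-east-1", "s3", "GetObject"),
    (ALICE, "2021-09-08T14:30:00Z", "us-east-1", "ec2", "DescribeInstances"),
    (ALICE, "2021-09-09T16:55:00Z", "us-east-1", "s3", "GetObject"),
    (ALICE, "2021-09-10T11:20:00Z", "us-east-1", "ec2", "StopInstances"),
]

# Constructed events to score: one routine, one that looks like a stolen key.
NEW_EVENTS = [
    (ALICE, "2021-09-13T09:30:00Z", "us-east-1", "ec2", "DescribeInstances"),
    (ALICE, "2021-09-13T03:12:00Z", "ap-southeast-1", "iam", "CreateAccessKey"),
]


def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour


def build_baseline(events):
    """Per identity: how often each action was seen, plus regions and hours of day."""
    base = defaultdict(lambda: {"actions": defaultdict(int), "regions": set(), "hours": set()})
    for identity, ts, region, service, name in events:
        b = base[identity]
        b["actions"][f"{service}:{name}"] += 1
        b["regions"].add(region)
        b["hours"].add(_hour(ts))
    return base


def score_event(baseline, event):
    """Return (score, reasons): one point per attribute never seen for this identity."""
    identity, ts, region, service, name = event
    action = f"{service}:{name}"
    b = baseline.get(identity)  # .get() avoids creating an empty baseline as a side effect
    if b is None:
        return 3, ["identity has no baseline (new or previously inactive)"]
    reasons = []
    if action not in b["actions"]:
        reasons.append(f"first use of {action}")
    if region not in b["regions"]:
        reasons.append(f"first activity in {region}")
    if _hour(ts) not in b["hours"]:
        reasons.append(f"activity at {_hour(ts):02d}:00 UTC, outside observed hours")
    return len(reasons), reasons


def alerts(history, events, threshold=2):
    """Score events against the baseline; a single novelty alone stays below the bar."""
    base = build_baseline(history)
    out = []
    for ev in events:
        score, reasons = score_event(base, ev)
        if score >= threshold:
            out.append({"identity": ev[0], "action": f"{ev[3]}:{ev[4]}",
                        "score": score, "reasons": reasons})
    return out


if __name__ == "__main__":
    for a in alerts(HISTORY, NEW_EVENTS):
        print(a)
```

The threshold is what separates "significant" deviation from noise: a single new action at a familiar hour and region does not fire, while the `iam:CreateAccessKey` call from a never-seen region at 03:00 UTC scores on all three attributes and is raised. An identity with no baseline at all scores maximally, which is the right default for a dormant account that suddenly wakes up.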

Without ongoing monitoring and management, privilege creep will spread through a cloud infrastructure, leaving it open to accidental or intentional damage. Any set-and-forget approach is likely to prove a fatal mistake. In my experience, only an automated approach can fully support cloud governance, enforcing least-privilege policies while moving the organization closer to a zero trust environment. Until organizations reach that point, cloud breaches will remain all too common.


Forbes Business Council is the foremost growth and networking organization for business owners and leaders.
