Raj Mallempati is COO at CloudKnox Security, responsible for CloudKnox’s overall business and go-to-market strategy and execution.
Governance has always been essential in keeping IT systems running smoothly and securely, providing a set of rules covering the broad spectrum of operations, from costs and security to improving efficiency and the deployment of new services. However, security professionals in many organizations assume that the same approach to governance that has worked with on-premise infrastructure can be applied to cloud infrastructures. Not so. Cloud has changed the nature of computing environments, and governance must change with it.
The “set and forget” method might have worked at one time in an on-premise infrastructure environment, where an organization had to only worry about protecting its own data, which was conveniently kept securely within its own data center. The adoption of cloud technologies has brought on a different enterprise architecture. It’s a much bigger, faster-moving, constantly changing environment that can’t be managed the same way.
Permissions management is one area where the requirements for governance have changed significantly. The data, resources and services in a cloud infrastructure exist outside the boundaries of a traditional network, and the permissions granted for accessing those resources have grown exponentially. Cloud service providers (CSPs) such as Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP) add new services and permissions daily.
The Permissions Threat
The dangers of over-permissioned and inactive identities have become a systemic risk in cloud infrastructures, as outlined in the Cloud Security Alliance’s 2019 report, “Top Threats to Cloud Computing: The Egregious Eleven.”
Yet I find that many organizations remain blind to the intrinsic risks in their cloud infrastructures. It’s not for a lack of awareness or effort, but a result of the speed at which infrastructure is built in the public cloud environments. Traditional approaches of role-based access control just don’t scale in the cloud. Monitoring activity combined with automation, machine learning, data science and analytics is the key to gaining accurate, calculated and actionable visibility in the cloud.
Based on what I’ve seen, the unfettered growth of permissions is one of the most difficult challenges organizations face when it comes to cloud governance. In the Cloud Adoption Framework developed by Microsoft, “identity baseline” is one of the Five Disciplines of Cloud Governance, along with the “security baseline,” with which it is tightly linked. Other disciplines include “cost management,” “resource consistency” and “deployment acceleration.” Among those five disciplines, identity and permissions management has become the critical focal point for cloud security because of the rampant over-permissioning of identities in the cloud and the vulnerabilities they expose the enterprise to.
At CloudKnox Security, we focus on cloud infrastructure entitlement management solutions, and in a recent study we conducted for the “State of the Cloud Entitlements Report,” we found that more than 95% of permissions in the cloud are unused, and more than 50% of permissions are high risk. That creates unnecessary risk for accidental or intentional damage.
Gaining Control Through Visibility
Remediating this risk begins with continuous and comprehensive visibility. In large enterprise public cloud infrastructure environments, this requires the ability to scale using automation and integration with continuous integration and continuous delivery (CI/CD) tools and IT service management (ITSM) solutions. An organization must be able to monitor and assess the activities of each identity in the cloud — whether a human user or a non-human service account — to uncover unused permissions and identities that accidentally possess high-risk permissions. This allows an organization to enforce least-privilege policies and move toward a “zero trust” environment.
Once an organization gains visibility, it not only automatically right-sizes the access privileges of over-permissioned accounts, it also uses that data to provide more calculated, accurate methods of granting permissions when needed through “privileges on demand.” This corrects another major contributor to permissions creep — the “just in case” model where broad permissions are granted to developers in case they need them. That method doesn’t work, as the spread of over-permissioned accounts has made clear. Instead, developers should be able to request elevated or high-risk permissions on demand so they can complete specific jobs, such as creating or deleting virtual machines. After a set period of time, these permissions can be revoked automatically.
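As an added illustration of the two steps described above (not code from the original article or from CloudKnox), the following script compares each identity's granted permissions against its observed activity to find unused and high-risk-but-unused permissions, and then models "privileges on demand" as a time-bound grant that expires on its own. The identities, action names, high-risk list and activity records are all constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample: standing permissions granted to each identity (IAM-style action names).
GRANTED = {
    "dev-alice": {"ec2:DescribeInstances", "ec2:RunInstances",
                  "ec2:TerminateInstances", "s3:GetObject", "iam:CreateUser"},
    "svc-backup": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket"},
}

# Constructed activity log in a CloudTrail-like shape: (identity, action, ISO timestamp).
ACTIVITY = [
    ("dev-alice", "ec2:DescribeInstances", "2024-01-03T09:00:00"),
    ("dev-alice", "s3:GetObject", "2024-01-10T11:30:00"),
    ("svc-backup", "s3:GetObject", "2024-01-11T02:00:00"),
    ("svc-backup", "s3:PutObject", "2024-01-11T02:05:00"),
]

# Assumed high-risk actions for this example; the article names no specific list.
HIGH_RISK = {"ec2:TerminateInstances", "iam:CreateUser", "s3:DeleteBucket"}

def right_size(granted, activity, window_days, now):
    """Return, per identity, the permissions to keep (used inside the window),
    the permissions to revoke (never used), and the high-risk subset of the latter."""
    cutoff = now - timedelta(days=window_days)
    used = {}
    for ident, action, ts in activity:
        if datetime.fromisoformat(ts) >= cutoff:
            used.setdefault(ident, set()).add(action)
    report = {}
    for ident, perms in granted.items():
        keep = perms & used.get(ident, set())
        revoke = perms - keep
        report[ident] = {"keep": keep, "revoke": revoke,
                         "high_risk_unused": revoke & HIGH_RISK}
    return report

class OnDemandGrants:
    """Privileges on demand: elevated permissions are added for a task and expire automatically."""
    def __init__(self):
        self.grants = []  # (identity, action, expires_at)

    def request(self, identity, action, now, ttl_hours=2):
        self.grants.append((identity, action, now + timedelta(hours=ttl_hours)))

    def effective(self, identity, baseline, now):
        # Expired grants are dropped here, which is the automatic revocation step.
        self.grants = [g for g in self.grants if g[2] > now]
        return baseline | {a for i, a, _ in self.grants if i == identity}
```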
To round out the approach to identity management and governance, continuous monitoring that incorporates user behavioral analysis through machine learning can baseline each user’s normal activities, identify significant deviations and issue alerts on suspicious activities.
Without ongoing monitoring and management, privilege creep will infest a cloud infrastructure, leaving it vulnerable to accidental or intentional damage. Any type of set-and-forget approach would likely prove to be a fatal mistake. In fact, based on my experience, only an automated approach can fully support cloud governance by enforcing least-privilege policies while moving an organization closer to a zero trust environment. Until organizations get to that point, cloud breaches will continue to be all too common.