Over the next few weeks, we’ll explore best practices for securing privileged accounts and identities in common cloud scenarios. This series can help guide effective risk reduction strategies for today and for the future as cloud workloads evolve.
First up, we’re looking at cloud management consoles, which are used by admins to set up the entire cloud environment, oversee all types of cloud activities (e.g., usage tracking, data integration, resource deployment and more) and configure operational and security settings. Before we dive in, here’s a look at the current state of the cloud.
How Are Enterprises Adopting Cloud?
While achieving a fully cloud-based IT infrastructure may be an ultimate digital transformation goal for some organizations, the vast majority are taking a hybrid approach today. According to a recent industry study, 93% of enterprises have a multi-cloud strategy in place. Meanwhile, as the world adapts to new realities, software-as-a-service (SaaS) use continues to skyrocket, enabling companies to conduct critical business and empower remote workforces.
There’s no denying the business benefits of deploying cloud infrastructure and running enterprise applications in the cloud – enhanced flexibility, simplified operations, cost savings and scalability are just a few. Yet every cloud deployment scenario creates new risk. This is particularly true in the wake of COVID-19. As leaders accelerate their cloud journeys to digitize quickly, attackers are targeting critical data and assets in the cloud in earnest. Within the first few months of 2020 alone, cyber attacks targeting the cloud grew by a staggering 630%.
Now more than ever, it’s important for organizations to fully understand their role in securing cloud workloads as part of the shared responsibility model. While cloud providers are responsible for the cloud infrastructure itself, cloud customers must secure their data, applications, operating systems, supporting infrastructure and other assets running in the cloud environment.
Privileged accounts associated with human users and application and machine identities are exceptionally powerful and highly susceptible to compromise in the cloud. Protecting privileged access in these environments is paramount, and the onus lies on the cloud customer. In fact, more than half of the top cloud computing threats today can be mitigated with strong privileged access management (PAM) and identity and access management (IAM) controls.
5 Best Practices for Securing the Cloud Management Console
Since cloud management consoles and portals enable full control of an organization’s cloud resources, they are prime targets for cyber attackers and all access to them must be secured and monitored. This is particularly true for powerful root-level accounts – the accounts with irrevocable administrative privileges such as the AWS root user account, Azure global admin role and the Google Cloud Platform (GCP) super user account.
1. Treat all cloud management console access (for both human and machine users) as privileged. First, identify what permissions a user or application/machine needs to do their specified job. Build roles for each user persona, giving them access to only what they need by following the principle of least privilege. Enforce privileged access management controls including session isolation, monitoring and credential rotation to reduce risk.
2. Implement just-in-time access to reduce the attack surface. By providing just-in-time access to the cloud management console, versus standing access, permissions are provided when the session is launched – helping to ensure that only the right users have access to the right assets at the right time, and only for a certain amount of time.
3. Secure all human access to the cloud console using single sign-on (SSO) and multi-factor authentication (MFA). Whether access to the cloud console is standing or temporary, human access should be protected by SSO and MFA. SSO makes it easier for users to access their work applications in one place without having to remember multiple passwords. Additionally, SSO via SAML to the cloud console enables federated users to assume roles within the cloud provider. A role is an IAM identity that has specific permissions and can be assumed by any user or service that is permitted to do so – it is not associated with a specific user and does not have long-term credentials. The intent of a role is to provide temporary access to the console for that specific session only. In parallel, MFA confirms that users are who they say they are by requiring them to pass multiple authentication challenges.
4. Secure API and automated access to the cloud management console. Cloud management consoles and portals can be accessed by automated scripts via API access keys. These API keys are highly privileged and very powerful – for example, they can enable a script or user to stop or start a virtual server, copy a database or even wipe out entire workloads. To protect your cloud workloads, securing API keys and applying least privilege is imperative.
5. Consistently apply access policies to administrators across multi-cloud, on-premises and hybrid environments. One compromised admin is all it takes to delete your whole cloud environment configuration. Strong privileged access oversight is necessary for security and audit purposes. Record admin activity and monitor active sessions, assigning session risk scores based on pre-defined risky behavior and activity, such as accessing the console during off hours or from irregular locations. This enables organizations to identify misuse fast and terminate sessions when a potential attack is suspected.
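As an added illustration of the session risk scoring described in point 5 (example code written for this post, not CyberArk's or any product's code), the following Python scores constructed, CloudTrail-style ConsoleLogin events against the risky behaviors named above (off-hours access, unfamiliar locations) plus two more a defender would want: interactive use of the root account and logins without MFA. The event records, the per-user location baseline, the scoring weights, the business-hours window and the review threshold are all assumptions; a prior GeoIP enrichment step that adds a `sourceCountry` field to each event is assumed as well.

```python
"""Score cloud console login sessions for risky behavior.

Added example: constructed events modeled loosely on AWS CloudTrail
ConsoleLogin records. Field names, weights and baselines are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed baseline: countries each principal normally signs in from.
# The root account has an empty baseline because it should never be used
# interactively for day-to-day work.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"DE"}, "root": set()}

# Constructed sample events (not real logs). "sourceCountry" is assumed to
# have been added by a GeoIP enrichment step before scoring.
SAMPLE_EVENTS = [
    # Normal: business hours, known country, MFA used.
    {"eventTime": "2020-06-15T14:03:11Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "sourceCountry": "US",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Risky: Saturday 02:47 UTC, unfamiliar country, no MFA.
    {"eventTime": "2020-06-20T02:47:52Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.77", "sourceCountry": "BR",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Root account used interactively, with MFA, during business hours.
    {"eventTime": "2020-06-16T10:15:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "192.0.2.5", "sourceCountry": "US",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Not a login event; the scorer must ignore it.
    {"eventTime": "2020-06-16T10:20:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "sourceCountry": "US"},
]

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC counts as on-hours (assumption)
REVIEW_THRESHOLD = 50           # score at which a session is escalated (assumption)


@dataclass
class ScoredSession:
    principal: str
    when: datetime
    score: int
    reasons: list[str]


def principal_name(identity: dict) -> str:
    """Root logins carry no userName, so name them explicitly."""
    return "root" if identity.get("type") == "Root" else identity.get("userName", "unknown")


def score_login(event: dict, baseline: dict = BASELINE_COUNTRIES) -> ScoredSession:
    """Apply each risk rule to one ConsoleLogin event and sum the weights."""
    when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    principal = principal_name(event["userIdentity"])
    score, reasons = 0, []
    if principal == "root":
        score += 40
        reasons.append("root account used interactively")
    if event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        score += 30
        reasons.append("MFA not used")
    if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
        score += 20
        reasons.append(f"off-hours login at {when:%a %H:%M} UTC")
    country = event.get("sourceCountry")
    if country not in baseline.get(principal, set()):
        score += 25
        reasons.append(f"login from {country}, not in baseline")
    return ScoredSession(principal, when, score, reasons)


def score_events(events: list[dict], baseline: dict = BASELINE_COUNTRIES) -> list[ScoredSession]:
    """Score only ConsoleLogin events; other API calls are skipped."""
    return [score_login(e, baseline) for e in events if e.get("eventName") == "ConsoleLogin"]


def sessions_to_review(events: list[dict], threshold: int = REVIEW_THRESHOLD,
                       baseline: dict = BASELINE_COUNTRIES) -> list[ScoredSession]:
    """Sessions at or above the threshold are candidates for termination and investigation."""
    return [s for s in score_events(events, baseline) if s.score >= threshold]


if __name__ == "__main__":
    for s in sessions_to_review(SAMPLE_EVENTS):
        print(f"{s.principal:<6} {s.when:%Y-%m-%d %H:%M} score={s.score}  {'; '.join(s.reasons)}")
```

Run as a script it lists the two sessions that cross the threshold (bob's off-hours login without MFA from an unfamiliar country, and the interactive root login); alice's normal login scores zero. The weights are additive on purpose so that a single weak signal such as one off-hours login does not by itself trigger termination, while several together do.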
Attackers can find and abuse permissions to escalate privileges and become full cloud admins. What’s more, they can easily use these permissions to create stealthy shadow entities that remain hidden and can be used as backdoors to the cloud environment. Scan your environment to discover privileged entities (users, groups and roles) and expose stealthy cloud shadow admins.
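The scan described above, together with the least-privilege review in point 1 and the API key hygiene in point 4, can be illustrated with a small inventory analyzer. The following Python is an added example written for this post (not CyberArk's or any product's code) that walks a constructed IAM inventory of users, groups, roles and policy documents, classifies each entity as a full admin (a wildcard grant on all resources) or a shadow admin (no blanket grant, but identity-management actions that let the holder extend their own or others' access), and lists access keys older than a rotation limit. The inventory, the key ids, the 90-day limit, the "as of" date and the list of admin-equivalent actions are all assumptions made for the example; the action list in particular is an illustrative subset, not a complete catalogue.

```python
"""Find privileged and shadow-admin entities in a cloud IAM inventory.

Added example: the inventory below is constructed and the set of
admin-equivalent actions is an illustrative assumption, not a full list.
Explicit Deny statements and Condition blocks are not evaluated, so the
analyzer errs toward over-reporting, which is the safer direction for a scan.
"""
from __future__ import annotations

from datetime import date
from fnmatch import fnmatchcase

# Identity-management actions that let their holder grant more access
# (illustrative subset, assumed for this example).
ADMIN_EQUIVALENT_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:CreateAccessKey", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy", "iam:AddUserToGroup",
}

# Constructed policy documents in the usual Statement/Effect/Action/Resource shape.
POLICIES = {
    "AdministratorAccess": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ReadOnly": {"Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"], "Resource": "*"}]},
    # Looks like a scoped backup policy but carries two identity-management grants.
    "BackupOperator": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-backups/*"},
        {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:AttachUserPolicy"], "Resource": "*"}]},
    "Deployer": {"Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}]},
    "CiPipeline": {"Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "iam:CreatePolicyVersion"], "Resource": "*"}]},
}
GROUPS = {"Administrators": ["AdministratorAccess"], "Developers": ["ReadOnly"]}
USERS = [
    {"name": "alice", "groups": ["Administrators"], "policies": [], "access_keys": []},
    {"name": "bob", "groups": ["Developers"], "policies": [],
     "access_keys": [{"id": "EXAMPLEKEY01", "created": "2020-05-20"}]},
    # Not in the admin group, but a directly attached policy makes carol a shadow admin.
    {"name": "carol", "groups": ["Developers"], "policies": ["BackupOperator"],
     "access_keys": [{"id": "EXAMPLEKEY02", "created": "2019-11-01"}]},
]
ROLES = [
    {"name": "DeployRole", "policies": ["Deployer"]},
    {"name": "CiRole", "policies": ["CiPipeline"]},
]
TODAY = date(2020, 7, 1)   # constructed "as of" date for key-age checks
MAX_KEY_AGE_DAYS = 90      # rotation limit (assumption)


def action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive and patterns may use '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def allow_statements(policy_names: list[str], policies: dict):
    """Yield (action_pattern, resource) pairs from every Allow statement."""
    for name in policy_names:
        for stmt in policies[name]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
            for action in actions:
                for resource in resources:
                    yield action, resource


def classify(policy_names: list[str], policies: dict = POLICIES):
    """Return ('full-admin', reasons), ('shadow-admin', reasons) or (None, [])."""
    level, reasons = None, set()
    for pattern, resource in allow_statements(policy_names, policies):
        if resource != "*":
            continue  # grants scoped to specific resources are not checked here
        if pattern in ("*", "*:*") or pattern.lower() == "iam:*":
            return "full-admin", [f"{pattern} on *"]
        hits = {a for a in ADMIN_EQUIVALENT_ACTIONS if action_matches(pattern, a)}
        if hits:
            level = "shadow-admin"
            reasons |= hits
    return level, sorted(reasons)


def effective_policies(user: dict, groups: dict = GROUPS) -> list[str]:
    """Directly attached policies plus those inherited through group membership."""
    return list(user["policies"]) + [p for g in user["groups"] for p in groups[g]]


def find_privileged_entities(users=USERS, roles=ROLES, groups=GROUPS, policies=POLICIES) -> list[dict]:
    findings = []
    for u in users:
        level, reasons = classify(effective_policies(u, groups), policies)
        if level:
            findings.append({"entity": f"user/{u['name']}", "level": level, "reasons": reasons})
    for r in roles:
        level, reasons = classify(r["policies"], policies)
        if level:
            findings.append({"entity": f"role/{r['name']}", "level": level, "reasons": reasons})
    return findings


def stale_access_keys(users=USERS, today: date = TODAY, max_age_days: int = MAX_KEY_AGE_DAYS):
    """Return (user, key id, age in days) for keys past the rotation limit."""
    stale = []
    for u in users:
        for key in u.get("access_keys", []):
            age = (today - date.fromisoformat(key["created"])).days
            if age > max_age_days:
                stale.append((u["name"], key["id"], age))
    return stale


if __name__ == "__main__":
    for f in find_privileged_entities():
        print(f"{f['entity']:<16} {f['level']:<12} {', '.join(f['reasons'])}")
    for user, key_id, age in stale_access_keys():
        print(f"stale key {key_id} on user/{user}: {age} days old")
```

On the constructed inventory the scan reports alice as an expected full admin, carol and CiRole as shadow admins (carol through a directly attached policy that bypasses her read-only group, CiRole through a single identity-management action buried in a pipeline policy) and carol's eight-month-old access key. DeployRole is not flagged because `iam:PassRole` alone is not in the assumed action set; whether it belongs there depends on what else the role can do, which is exactly the kind of judgement call a real scan should surface for review rather than decide silently.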
A Secure Cloud Is Your Business Advantage
Today, you may be extending cloud initiatives with DevOps pipelines to increase business agility. Or maybe you’re looking at on-demand compute and storage to drive cost savings. No matter where you are on your cloud journey, privileged access and identity policies must be enforced consistently across your organization to reduce exposure and protect your critical assets. Get practical guidance in our eBook, “Securing Privileged Access and Identities In 4 Key Cloud Scenarios,” and visit cyberark.com/cloud. Be sure to check back soon to explore part two of our series on securing your organization’s dynamic cloud infrastructure.