A Zero Trust Approach to Protecting Cloud Identities Begins with Least Privilege

November 9, 2020 Sam Flaster

Zero Trust Starts with Least Privilege

The world is changing quickly. Digital transformation initiatives and new services from cloud providers are creating an explosion of identity-based permissions. Through the eyes of an attacker, each cloud identity represents a potential opportunity and first step toward a company’s most valuable assets.

Today we are proud to unveil CyberArk Cloud Entitlements Manager, an artificial intelligence-powered cloud security service that centralizes visibility and control across cloud environments, helping organizations strategically remove excessive permissions that pose a security risk.

CyberArk Cloud Entitlements Manager is a key component of our Identity Security strategy, which reflects that any identity can become privileged in modern IT environments. Cloud Entitlements Manager takes a Zero Trust approach to reducing risk and improving visibility across cloud environments – built on the principle of least privilege.

Least Privilege Access: A Core Tenet of Zero Trust

Adoption of public cloud services, SaaS applications, and remote access have dissolved the traditional network perimeter. This establishes identity as the key line of defense for most organizations and the de facto ‘new perimeter.’ As modern Zero Trust models take hold, authentication and authorization of all identities become paramount. In cloud environments, any human or machine identity can be configured with thousands of identity and access management (IAM) permissions to access cloud services containing sensitive information. User, group and role identities are assigned permissions depending on their job functions. Many organizations unintentionally configure their various identities with permissions to access cloud services they don’t actually use or need.

These excessive permissions pose a major challenge for organizations as they move toward Zero Trust security frameworks, which demand that every identity attempting to access corporate resources be verified and its access intelligently limited. A recent ESG survey, sponsored by CyberArk and other technology vendors, found over-permissioned accounts and roles to be the top-ranked cloud service misconfiguration. Not surprisingly, attackers have taken notice: the same survey ranked overly permissive privileges as the most common attack vector against cloud applications*.

By compromising a cloud identity with overly broad permissions, an attacker can access critical workloads undetected or escalate their privileges to steal cloud-hosted data, disrupt high-value applications or even take entire cloud deployments offline.

To address this challenge, implementing least privilege, in which all identities have only the minimum necessary entitlements to perform their ongoing responsibilities, is an established best practice for organizations on their Zero Trust and cloud journeys. Establishing least privilege also limits the number of entities that can grant or configure new permissions, making it difficult for attackers to escalate privileges and reach their goals.

Here are four reasons to introduce or extend least privilege to your cloud environments.  

1. Data Breaches Are Increasingly Linked to Cloud Identities

Digital transformation only moves forward. As businesses shift their attention to the cloud, so do attackers. But while attackers are targeting new environments, they rely on the same old tactics. The 2020 Verizon Data Breach Investigations Report (DBIR) identified that identities remain the weakest link in most organizations, as credential theft was employed in 77% of cloud breaches.

These trends reinforce the case for least privilege access in cloud environments. In a least privilege model, organizations proactively protect themselves from insider threats while greatly limiting the potential damage of external attacks. A compromised identity in a least privilege framework can’t immediately access resources outside of that identity’s standard job responsibilities. Least privilege, therefore, limits attacker movement and protects mission-critical workloads, buying valuable time to detect and respond to an attack.

2. Accelerated Cloud Adoption Expands the Attack Surface. Least Privilege Shrinks It.

More cloud services. More identities. More risk. Several aspects of cloud environments make proper configuration of privileges and permissions a challenge. Cloud IAM roles for certain application services are often granted a wide range of permissions up front to avoid developer friction. A thorough entitlements audit process compares what each identity is granted with what it actually uses, identifies such excessive permissions, and limits them to the least privilege required for the service to work properly. Other organizations fail to account for outdated permissions, such as neglecting to remove developer access to storage buckets and container pods at the close of a project.

Both scenarios are equally dangerous, as an attacker compromising either of these identities can increase their chances of escalating privileges or reaching mission-critical data undetected. Establishing and continuously validating least privilege is a critical step to shrinking the attack surface, lowering risk by dissuading insider threat actors, and impeding external attackers.
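The two scenarios above (an over-broad service role and a developer identity whose project has ended) are exactly what an entitlements audit looks for. The following script is an added illustration, not CyberArk code: it compares each identity's granted IAM-style action patterns against a constructed usage log, flags unused and over-broad grants, proposes the concrete least-privilege set, and marks identities that have gone idle. Identity names, grants and usage records are all constructed sample data.

```python
"""Entitlements audit: compare each identity's granted IAM actions with the
actions it actually used, flag excess, and propose a least-privilege grant.
Constructed sample data only; this is an illustration, not CyberArk code."""
from datetime import date
from fnmatch import fnmatchcase

# Constructed grants: IAM-style action patterns per identity (wildcards allowed).
GRANTED = {
    "app-service-role": ["s3:*", "dynamodb:GetItem", "dynamodb:PutItem", "iam:PassRole"],
    "dev-alice": ["s3:GetObject", "s3:PutObject", "eks:DescribeCluster"],
}

# Constructed usage records (identity, action, date), as an audit log would provide.
USAGE = [
    ("app-service-role", "s3:GetObject", date(2020, 11, 1)),
    ("app-service-role", "dynamodb:GetItem", date(2020, 11, 2)),
    ("dev-alice", "s3:GetObject", date(2020, 5, 3)),  # project ended months ago
]


def audit(identity, granted, usage, as_of, idle_days=90):
    """Return the audit findings for one identity.

    unused:      granted patterns that matched no observed action (remove them)
    broad:       wildcard grants that were exercised, but only partially (narrow them)
    recommended: the concrete actions observed, i.e. the least-privilege grant
    stale:       True if the identity has been idle longer than idle_days
    """
    used = {a for i, a, _ in usage if i == identity}
    seen = [d for i, _, d in usage if i == identity]
    unused = [p for p in granted[identity] if not any(fnmatchcase(a, p) for a in used)]
    broad = [p for p in granted[identity] if "*" in p and p not in unused]
    stale = not seen or (as_of - max(seen)).days > idle_days
    return {
        "unused": sorted(unused),
        "broad": sorted(broad),
        "recommended": sorted(used),
        "stale": stale,
    }


if __name__ == "__main__":
    for who in GRANTED:
        print(who, audit(who, GRANTED, USAGE, date(2020, 11, 9)))
```

A real audit would feed `USAGE` from the cloud provider's activity logs and treat `recommended` as the starting point for a narrowed policy, reviewed before it is applied.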

3. Cloud Services Are Multiplying. So Are Misconfiguration Risks.

The leading infrastructure as a service (IaaS) platforms – Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) – are constantly introducing new services to differentiate themselves from one another. This blistering pace of innovation boosts business productivity, as powerful tools for specialized needs like data streaming, blockchain networking and Internet of Things (IoT) analytics are more accessible than ever before.

But that accessibility can come at a price. Configuration of cloud services is challenging for any organization, and one simple misconfiguration can open doors for attackers. The 2020 IBM Cost of a Data Breach report found attackers used cloud misconfigurations in nearly 20% of data breaches.

Least privilege models place emphasis on managing permissions to identify potential misconfigurations that result in excessive, unauthorized access to key cloud services, mitigating risk while enabling necessary access to advanced workloads.

4. Cloud Provider, Industry and Regulatory Frameworks Recommend Least Privilege

Recognizing the dangers of over-permissioned identities and the difficulty of securely configuring services in immense cloud environments, AWS, Azure, and GCP all specify least privilege access as a security best practice.

Industry frameworks like the Cloud Security Alliance’s Cloud Controls Matrix also stress the importance of continuously reviewing permissions. Meanwhile, highly regulated organizations can even face financial penalties after a breach if they failed to establish least privilege. Organizations should continuously verify least privilege across their on-premises and cloud workloads to ensure compliance.

Least privilege is recognized as a security best practice for a reason. But it cannot come at the expense of end-user productivity or overburden IT teams. Effective least privilege enforcement brings the right mix of privileged access management practices together with flexible controls to balance security and compliance requirements with operational and end-user needs.

Implement Least Privilege Across Your Cloud Estate

Born out of CyberArk Labs, CyberArk Cloud Entitlements Manager provides cloud-agnostic visibility and granular, AI-powered remediation of excessive permissions, so organizations can consistently implement least privilege while preserving necessary access to drive operational efficiency.

We’re proud of the solution’s user experience, too; in under one hour, CyberArk Cloud Entitlements Manager can take customers from subscription to AI-powered remediation, while calculating exposure-level analysis for all identities, environments and platforms in an organization’s AWS, Azure, GCP and AWS Elastic Kubernetes Services environments.

Discover how our latest innovation empowers organizations to operate cloud services securely and efficiently. Join our virtual launch event for demonstrations and a free trial opportunity, and hear from CyberArk customers and executives.

*ESG eBook, Trends in IAM: Cloud-driven Identities, October, 2020
