Securing Cloud Environments by Lifting the Veil on Excessive Permissions

July 5, 2022 Sam Flaster


Have you ever written an email to your boss only to find multiple typos after you’ve sent it, or missed an important work deadline, or hastily clicked on a phishing email? It happens. There’s a saying that “perfect people aren’t real, and real people aren’t perfect.” Despite our best efforts, we all mess up.

The 2022 Verizon Data Breach Investigations Report (DBIR) found that 82% of all breaches involve the human element and 13% stem from human errors – with one error being particularly problematic: cloud service misconfigurations.

Oops, I Misconfigured It Again

The Verizon DBIR authors write, “The rise of the Misconfiguration error began in 2018 and was largely driven by cloud data store implementations that were stood up without appropriate access controls… Despite the efforts of the major cloud providers to make the default configurations more secure (which we applaud), these errors persist.”

Cloud service misconfigurations persist for two big reasons. First, as we’ve established, people make mistakes. And second, the scale of enterprise cloud environments creates a proliferation of human and machine identities. Each of these digital identities – from cloud admins to roles used for serverless functions – can be configured with tens of thousands of permissions to access cloud services, data and other resources. Based on CyberArk Cloud Entitlements Manager data, there are now more than 28,000 identity and access management (IAM) permissions across AWS, Azure and GCP.

Appropriately scoping these permissions isn’t something most cloud teams are equipped to do. For one, cloud security is a fairly new and evolving discipline, with 70% of IT leaders saying a skills gap in this area is a “critical concern.” Even with the help of technology, it can be difficult for teams to operationalize siloed tools to discover and constantly track who has access to what. There are simply too many interconnected identities to deal with.

Overprovisioning Cloud Permissions: A Quick but Risky Fix

Overprovisioning of cloud IAM permissions – or giving identities more privileges than they need – often becomes the default solution. It’s much easier than trying to identify the proper least privilege access permissions for each identity. And giving broad access to developers and cloud engineering teams helps prevent productivity roadblocks, while also limiting IT tickets (and complaints) from cloud teams requesting access.

But cyber attackers can exploit these unused or unnecessary privileges. Once they compromise a cloud identity, they can leverage excessive permissions to move laterally through the environment or escalate privileges to reach their target. Attackers can create just as much damage by compromising or creating cloud admin accounts with powerful privileges outside of the organization’s existing privileged access management (PAM) program.

Don’t Let These Five Barriers Hold You Back from Taking Control of Your Cloud Estate

Since cloud adoption isn’t slowing down anytime soon, excessive cloud permissions will continue to pile up, contributing to cybersecurity debt and organizational risk. A new category of cloud privilege security solutions is emerging to help teams reduce these risks, including cloud infrastructure entitlements management (CIEM) technologies that harness artificial intelligence (AI) to clean up misconfigured and unused cloud permissions at scale. As teams prioritize cloud privilege security, understanding these common barriers to success can help them avoid issues as they work to take back control:

1. Lack of visibility. Organizations cannot protect what they cannot see. Identity Security becomes more important – and more difficult – as the complexity of a cloud environment grows. Security teams must be able to discover and map all identities, both human and machine, and what resources those identities can access. Intelligent privilege controls, such as monitoring activity logs, can be useful in gaining a deeper understanding of how permissions are being used. But in multi-cloud environments, this visibility cannot scale if it is limited to each individual cloud provider. It must extend across the entirety of the enterprise cloud estate.

2. Lack of granularity. Any identity can become privileged under certain conditions. The ability to monitor and identify unused permissions or misconfigurations, which could result in overprivileged accounts and the creation of shadow admins, is key to enforcing the principle of least privilege. Don’t assume your native cloud identity and access management (IAM) tools cover you on this front, as they typically don’t have the capabilities to get granular.

3. Lack of control. Standardization is the key to Identity Security at scale – yet cloud environments are complex and dynamic, with siloed IAM tooling and rulesets across AWS, Azure and GCP. This creates an inconsistent user experience, which can slow down security teams and impact operational efficiency. It also encourages an ad-hoc approach to security that can result in siloed teams and specialized knowledge of specific platforms. This makes it more difficult to consistently enforce least privilege.

4. Lack of remediation. Identifying overprivileged identities is only part of the challenge. Security teams also need deployable remediations to quickly mitigate risks without disrupting operations. While native IAM tools can identify certain threats, they lack the granular, code-level IAM policy recommendations needed to immediately rectify the issue. Cloud-native IAM tools also lack the capabilities to automatically onboard cloud admin or shadow admin accounts to an organization’s privileged access management solution.

5. Lack of broader risk mitigation. Properly securing all cloud identities from the point of creation is another important consideration, since digital identities are often spun up quickly and frequently with little regard for Identity Security best practices. Equally important is integrating CIEM and existing Identity Security programs to consistently control credentials and access. This consistency is critical to delivering measurable cyber risk reduction.
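As an added illustration of the visibility, granularity and remediation points above (example code, not from the post or from any CyberArk product): a small Python script that compares the actions an IAM policy grants against the actions actually observed in activity-log records, flags granted patterns that saw no use, and emits a narrowed policy. The policy document, the CloudTrail-style records and the function names are constructed assumptions.

```python
import fnmatch

# Constructed sample policy (assumption): a role granted broad S3/EC2 access plus iam:PassRole.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "iam:PassRole"], "Resource": "*"}
    ],
}

# Constructed activity records in a CloudTrail-like shape (eventSource + eventName).
ACTIVITY_LOG = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
]


def granted_actions(policy):
    """Collect the Allow action patterns (e.g. 's3:*') from a policy document."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns


def used_actions(log):
    """Turn log records into IAM action names such as 's3:GetObject'."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in log}


def analyse(policy, log):
    """Return (used_actions, unused_patterns); IAM action matching is case-insensitive."""
    used = used_actions(log)
    unused = {
        p for p in granted_actions(policy)
        if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for a in used)
    }
    return used, unused


def recommend_policy(policy, log):
    """Least-privilege recommendation: keep only the actions observed in the log.
    Resource scoping from the ARNs in the records would be the next refinement."""
    used, _ = analyse(policy, log)
    return {"Version": policy["Version"],
            "Statement": [{"Effect": "Allow", "Action": sorted(used), "Resource": "*"}]}
```

Running it against the constructed inputs flags `iam:PassRole` as granted but never exercised and narrows `s3:*` and `ec2:Describe*` to the three actions the role actually called.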

Manual, disparate methods for securing digital identities will become even more unwieldy as cloud adoption continues and digital identities surge in number. Don’t wait until “human error” simply becomes “humanly impossible.” Instead, take a centralized, intelligent approach that harnesses AI and automation to curb misconfiguration errors and lift the veil on excessive permissions to mitigate risk.

Be the first to experience new features and enhancements to the CyberArk Identity Security Platform during CyberArk Impact 2022 on July 12-14, 2022 in Boston. To save your in-person or virtual spot, register today and join us in defining the future of Identity Security.
