Editor’s Note: This is part two of a blog series on securing privileged access and identities in the cloud. Read part one on securing the root-level account and cloud management console here.
A major benefit of cloud-based infrastructure is that new virtual machines (VMs), storage, containers and more can be provisioned dynamically as needed. This allows organizations to use cloud resources flexibly based on evolving demands, scaling up when needs surge and scaling down when needs decrease.
Every time a virtual machine or infrastructure resource is dynamically initiated and launched, it is assigned privileged credentials, such as SSH keys. This provisioning process doesn’t necessarily happen automatically. Rather, administrators may use the management console to spin up new VMs and assign the appropriate privileged credentials. No matter the nature of your cloud infrastructure today, protecting these powerful privileged credentials from the moment they’re created and throughout their lifecycle is essential.
Here are five best practices to follow as your cloud infrastructure evolves:
1. Discover all privileged entities with infrastructure access. Manually tracking and securing privileged accounts becomes increasingly difficult as your environment scales and becomes more dynamic. Privileged credentials are created – in fact need to be created – at high velocity, making it difficult for humans to manage. Automation, scripts and cloud management tools make such provisioning possible, but also make credentials hard to manage and track. To better understand your privilege-related risk landscape, take advantage of tools that enable continuous discovery of all privileged credentials, including SSH keys, passwords, password hashes, AWS access keys, and more.
2. Employ a secure, centralized repository for all privileged credentials. By leveraging strongly authenticated APIs, robust integrations and secret injection to securely retrieve and regularly rotate SSH keys and other credentials from a secure digital vault, your organization can automatically secure credentials as they are created – at the speed the cloud requires.
3. Automatically on-board new entities and immediately secure privileged credentials associated with newly provisioned infrastructure. Once you’ve discovered all existing privileged accounts and credentials in your cloud infrastructure, consider programmatic management for new privileged entities via onboarding APIs to dramatically streamline management and improve operational efficiency.
This step is particularly important in the cloud as infrastructure is automated and containers, servers and other resources are provisioned and used for just minutes or hours to complete a specific task. This happens numerous times each day without any human interaction. Auto-scaling in the cloud means VMs and resources are kicked into gear programmatically. To effectively secure privileged access, SSH keys used to access VMs programmatically must be automatically on-boarded and secured with vaulting and rotation as new cloud instances are spun up.
4. Manage the infrastructure credentials using just-in-time privileged access management. Organizations just getting started with the cloud may choose to grant access to medium- to long-term VMs via traditional standing access with privileged credentials that are vaulted and rotated. This is an important first step, as it allows organizations to quickly bolster cloud infrastructure security.
As organizations progress on their cloud journey, infrastructure scales faster and is spun up and down in seconds based on needs. This requires a different, more dynamic approach to privileged access management. Just-in-time access grants users (human, machine or application) elevated access to sensitive resources for a specific amount of time in order to perform a necessary task.
In other words, it gives the right user the right access to the right cloud resource at the right time (and only as long as its required) for the right reasons. Together with privileged session monitoring capabilities, just-in-time access helps strengthen access controls to protect cloud VMs.
5. Automatically remove privileges when the infrastructure is de-provisioned. The ability to remove privileged access quickly, and with precision, is critical to reducing risk. Automating this process will streamline internal IT operations and improve outcomes.
Cloud Infrastructure Access is an Evolving Journey
Cloud infrastructure environments are not static; your cloud security approach shouldn’t be either. If you’re looking for tips along the way, check out our eBook, “Securing Privileged Access and Identities In 4 Key Cloud Scenarios” and our cloud security resources. Stop back soon to explore part three of our series on securing cloud-native applications and the DevOps pipeline.