Let’s cut the fluff out of cloud security. As you build and innovate in the cloud, you create a maze of roles, permissions and resources that you must secure thoughtfully. The dirty secret is that as organizations launch and build new infrastructure, they also create a labyrinth of permissions that attackers can exploit if they get their hands on a valid password or credential.
Zero Trust principles require organizations to treat every connection to their cloud environments as a ‘never trust, always verify’ interaction. This concept must extend beyond basic authentication. Yes, most organizations are wisely authenticating cloud access with core controls like single sign-on (SSO) and multi-factor authentication (MFA), but are these basics enough to keep attackers at bay? As we’ve seen repeatedly, some of the largest breaches in cloud environments have started with basic identity compromise attacks.
This is where key controls like Cloud Infrastructure Entitlements Management (CIEM) and privileged access management (PAM) come into play. CIEM controls provide the necessary visibility to reduce permissions sprawl and implement least privilege access, limiting an attack’s blast radius. PAM controls reduce the risk of compromised access while securing and auditing access after authentication.
Together, CIEM and secure access controls can provide effective defense-in-depth protection, but implementing these controls can be more challenging than it looks. The following are some best practices from Wiz and CyberArk.
Gain Full Visibility into Cloud Identities and Effective Permissions
The first step in securing cloud entitlements is understanding who has access to what across cloud, SaaS and identity provider (IdP) environments. With permissions often spread across multiple platforms and layered with complex access controls, organizations need centralized visibility to uncover effective access to cloud resources.
A CIEM solution should provide a complete map of effective access, accounting for cloud-native controls such as boundaries, access control lists (ACLs), service control policies (SCPs) and resource control policies (RCPs). By correlating human and non-human identities with cloud resources, security teams can quickly identify risky permissions and help ensure that only authorized access to critical data is allowed.
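To make the idea of "effective access" concrete, here is an added example (not code from the article, Wiz or CyberArk) that evaluates a request the way a CIEM map must: an identity policy on its own is not the answer, because an SCP or a permissions boundary can narrow it. The policy shape (dicts with Effect, Action and Resource globs), the evaluation rule (an explicit Deny in any layer wins; otherwise the identity policy and every guardrail layer must Allow) and all sample policies are assumptions constructed for this illustration, simplified from AWS-style evaluation and omitting resource-based policies and conditions.

```python
# Added illustration (not code from the article, Wiz or CyberArk): a simplified
# AWS-style evaluation of *effective* permissions across three layers the
# text mentions: identity policy, service control policies (SCPs) and a
# permissions boundary. Rule modelled here: an explicit Deny in any layer wins;
# an action is effective only when the identity policy allows it AND every
# guardrail layer also allows it. Policy shapes and sample values are
# constructed for this example.
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(statement, action, resource):
    """True when the statement's Action and Resource globs cover the request."""
    actions = _as_list(statement["Action"])
    resources = _as_list(statement.get("Resource", "*"))
    return any(fnmatchcase(action, a) for a in actions) and any(
        fnmatchcase(resource, r) for r in resources
    )


def evaluate_layer(statements, action, resource):
    """Verdict of one policy layer: 'Deny', 'Allow' or 'Implicit' (no match)."""
    verdict = "Implicit"
    for statement in statements:
        if _statement_matches(statement, action, resource):
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit deny short-circuits the layer
            verdict = "Allow"
    return verdict


def is_effectively_allowed(action, resource, identity_policy, scps=(), boundary=None):
    """Combine layers: any Deny -> denied; otherwise every layer must Allow."""
    layers = [identity_policy, *scps]
    if boundary is not None:
        layers.append(boundary)
    verdicts = [evaluate_layer(layer, action, resource) for layer in layers]
    if "Deny" in verdicts:
        return False
    return all(v == "Allow" for v in verdicts)


def effective_actions(candidates, resource, identity_policy, scps=(), boundary=None):
    """Which of the candidate actions are really usable on the resource."""
    return sorted(
        a for a in candidates
        if is_effectively_allowed(a, resource, identity_policy, scps, boundary)
    )


# --- constructed sample: what a CIEM map has to reconcile ---------------------
# The identity policy looks alarming on its own (s3:* and iam:* everywhere) ...
IDENTITY_POLICY = [
    {"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"},
]
# ... but an org-level SCP forbids bucket deletion ...
ORG_SCPS = [
    [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
]
# ... and a permissions boundary caps the identity at read-only S3.
READ_ONLY_BOUNDARY = [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
]

CANDIDATES = ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:CreateUser"]
SAMPLE_OBJECT = "arn:aws:s3:::customer-data/records.csv"  # constructed ARN

if __name__ == "__main__":
    print("identity policy alone:",
          effective_actions(CANDIDATES, SAMPLE_OBJECT, IDENTITY_POLICY))
    print("with SCP + boundary:  ",
          effective_actions(CANDIDATES, SAMPLE_OBJECT, IDENTITY_POLICY,
                            ORG_SCPS, READ_ONLY_BOUNDARY))
```

Run as written, the identity policy alone reports all four actions, while the layered evaluation reports only s3:GetObject: the SCP removes s3:DeleteBucket and the boundary silently drops s3:PutObject and iam:CreateUser. That gap between "what the policy says" and "what the identity can actually do" is exactly what a CIEM inventory has to compute before anyone can judge whether a grant is excessive.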
Remove Identity Risks and Enforce Least Privilege Access
Once you have a clear picture of your cloud entitlements and their effective permissions, the next step is reducing unnecessary access and removing identity risks to limit exposure. Because a risky identity can provide an entry point into your cloud and enable lateral movement and privilege escalation, the goal is to remove identity risks proactively.
To enforce least privilege and secure your identities, using a CIEM solution can help you:
- Identify and remove excessive access and high privileges for both human and non-human identities, fully aligning with the principle of least privilege.
- Revoke unused access to prevent inactive or unnecessary roles from becoming security risks.
- Detect identity misconfigurations that weaken security, such as no MFA or weak password policies.
- Secure third-party identities, ensuring vendors have only required permissions to your environment.
A CIEM solution should provide guided remediation steps for all identity risks and excessive permissions to help security teams quickly adjust permissions and reduce risk.
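The list above names the findings a CIEM review produces; here is an added example (not the article's or either vendor's code) that turns a constructed entitlement inventory into those findings and a per-identity remediation plan: permissions unused for longer than a threshold are marked for revocation, high-privilege grants are flagged, third-party identities get a review item, and human identities without MFA get a fix item. The record layout, the 90-day threshold, the list of "high privilege" action prefixes and every identity in the inventory are assumptions made for this illustration; a real tool would read last-used data from the cloud provider and MFA status from the IdP.

```python
# Added illustration (not code from the article, Wiz or CyberArk): derive the
# identity-risk findings listed above from a constructed inventory record and
# produce a remediation plan. Record shape, thresholds and sample values are
# assumptions for this example.
from datetime import datetime, timedelta, timezone

UNUSED_AFTER = timedelta(days=90)                       # assumed staleness cutoff
HIGH_PRIVILEGE_PREFIXES = ("iam:", "sts:AssumeRole", "organizations:")
ASSESSMENT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "now"

# Constructed inventory: one entry per identity. last-used is None when the
# provider has never observed the permission being exercised.
INVENTORY = [
    {
        "name": "alice", "kind": "human", "mfa": True, "third_party": False,
        "permissions": {"s3:GetObject": "2024-05-01T10:00:00Z",
                        "iam:CreateUser": None},
    },
    {
        "name": "ci-deployer", "kind": "non-human", "mfa": False, "third_party": False,
        "permissions": {"ecs:UpdateService": "2024-05-20T08:30:00Z",
                        "s3:PutObject": "2023-11-02T12:00:00Z"},
    },
    {
        "name": "vendor-monitoring", "kind": "human", "mfa": False, "third_party": True,
        "permissions": {"cloudwatch:GetMetricData": "2024-05-21T00:00:00Z",
                        "sts:AssumeRole": None},
    },
]


def _parse(ts):
    """ISO-8601 'Z' timestamp -> aware datetime, or None if never used."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def assess_identity(identity, now):
    """Return a list of (finding_type, permission_or_None) for one identity."""
    findings = []
    # Misconfiguration: a human identity without MFA (machine identities use
    # other controls, so they are not flagged here).
    if identity["kind"] == "human" and not identity["mfa"]:
        findings.append(("no_mfa", None))
    for perm, last in identity["permissions"].items():
        used = _parse(last)
        if used is None or now - used > UNUSED_AFTER:
            findings.append(("unused_permission", perm))
        if perm.startswith(HIGH_PRIVILEGE_PREFIXES):
            findings.append(("high_privilege", perm))
    return findings


def remediation_plan(inventory, now):
    """{identity: {"revoke": [...], "fix": [...]}} with concrete next steps."""
    plan = {}
    for identity in inventory:
        revoke, fix = [], []
        for kind, perm in assess_identity(identity, now):
            if kind == "unused_permission":
                revoke.append(perm)              # stale grant: remove it
            elif kind == "no_mfa":
                fix.append("enforce MFA")
            elif kind == "high_privilege" and identity["third_party"]:
                fix.append(f"review third-party grant of {perm}")
        plan[identity["name"]] = {"revoke": sorted(set(revoke)), "fix": fix}
    return plan


if __name__ == "__main__":
    for name, actions in remediation_plan(INVENTORY, ASSESSMENT_TIME).items():
        print(name, actions)
```

With the constructed data, alice loses the never-used iam:CreateUser, the ci-deployer loses an s3:PutObject it has not exercised in months, and the vendor identity is told to enforce MFA and justify an unused sts:AssumeRole. Each output line is the "guided remediation step" the paragraph above describes, derived from the same three signals (last use, privilege level, identity configuration).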
Implement Access with Zero Standing Privileges
After scoping permissions for least privilege access, cloud users can move productively to solve issues with applications and cloud-hosted services.
But what happens after hours when those standing privileges linger?
If engineers are left with access to cloud services after they’ve completed their tasks, they present extremely attractive targets for attackers.
Enter the concept of access with zero standing privileges (ZSP). By granting privileged access in alignment with just in time, just enough and gone just after principles, organizations minimize their attack surface. Least privilege isn’t just a buzzword here—it’s the core principle. If an attacker compromises a credential or identity, they have zero permissions, so they can’t achieve their objectives or move laterally to compromise additional assets.
The combined value of ZSP and CIEM is significant. Organizations gain protection in two ways: first, with least privilege in place from CIEM controls, authorized end users have the necessary privileges to complete their tasks and nothing more. Second, with ZSP access, credentials and identities become worthless for attackers to steal.
Prioritize Critical Attack Paths
To effectively reduce the attack surface and protect crown jewels, it’s essential to understand how identity risks correlate to other cloud risks, such as vulnerabilities, misconfiguration and data. For example, a user with high privileges and access to customer data is a significantly greater risk than an over-permissioned identity without access to critical assets.
Having a security graph to show the context around a risk helps teams understand how risks correlate to create an attack path. By incorporating greater cloud context into a CIEM strategy, organizations can better prioritize identity risks and focus remediation efforts on the most critical risk.
Maintain User Experience While Applying Privilege Controls
Access in the cloud should remain native. Organizations must make controls seamless, not some clunky add-on that end users like engineers and data scientists will hate.
Native user experiences are key; engineers should be able to use their preferred CLI and web console interfaces. In alignment with CSP best practices, organizations must avoid forcing teams to use dedicated shared accounts unless it’s strictly necessary.
Controls must fit natural workflows. The goal is not to slow users down—it’s to keep them safe.
Apply Privilege Controls Post-authentication for Defense-in-Depth
So far, we’ve discussed using CIEM tools to implement least privilege and safely allow users into the cloud. It’s just as critical to keep users safe while they’re in.
It’s essential to apply Zero Trust principles after valid, least privileged access has been granted and elevated for maximum risk reduction. Here are some additional controls to reduce risk in validated user sessions:
- Continuous authentication: Embrace the Zero Trust “never trust, always verify” mantra. Continuous and step-up authentication helps validate a user’s identity as an engineer takes additional actions in the cloud.
- Session protection: With secure browsing and the application of intelligent privilege controls, organizations can protect against web-based threats like session hijacking and cookie theft.
- Session recording: Recording sessions helps organizations see precisely what occurred in a user’s session for audit and compliance reviews, or for forensics in the event of an outage or security incident. In addition, it deters insider threats.
Implement Continuous Identity Governance
Cloud environments are dynamic, with constantly changing users, applications and infrastructure. Without continuous governance, identities can accumulate stale permissions or insecure configurations, and those risks can go unnoticed for a long time. That’s why CIEM provides critical continuous governance, detecting new misconfigurations and risks as they are introduced to your environment and allowing quick remediation. By implementing continuous governance, organizations ensure that least privilege remains enforced over time rather than drifting due to operational changes.
Plan for Unplanned Events with On-demand Access
Even elite engineering teams face outages or critical situations that require urgent fixes. But what if an on-call engineer doesn’t have the permissions required to fix an outage?
Enabling on-demand access requests is still possible within a zero standing privileges framework. By automating context-based approval of access requests and integrating with ChatOps tooling, organizations can enable seamless, quick access for their on-call engineers to fix issues.
For example, your organization can allow engineers to securely request on-demand access elevation by automating access approvals during their on-call windows. So, engineers can rapidly receive the elevated entitlements needed for the fix in a weekend emergency. Meanwhile, the organization can still protect and monitor that engineer’s session while removing entitlements after fixing the issue and returning to a state of ZSP.
Essentially, when your on-call engineer is paged in a weekend emergency, they can quickly request permissions and automatically receive them, with a complete audit trail and no risk from standing privileges. So your engineer can save the day—and then go back to sleep.
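The following is an added example (not code from the article, Wiz or CyberArk) of the on-demand flow just described, built on the zero standing privileges model from the earlier section: an engineer holds no entitlements by default, a request is auto-approved only while the requester is inside their on-call window (the "context" in context-based approval), the grant carries a capped time-to-live, expired grants are revoked, and every step lands in an audit trail. The on-call schedule, role names, incident reference and timestamps are constructed for the example; in a real deployment they would come from the PAM platform, the scheduler and the ChatOps bot.

```python
# Added illustration (not code from the article, Wiz or CyberArk): a minimal
# just-in-time access broker for an on-call emergency. Schedule, role names,
# incident reference and times are constructed for this example.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    engineer: str
    role: str
    expires_at: datetime


@dataclass
class AccessBroker:
    on_call: dict                              # engineer -> (window_start, window_end)
    max_ttl: timedelta = timedelta(hours=2)    # assumed cap on any elevation
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, now, event, **details):
        self.audit.append({"at": now.isoformat(), "event": event, **details})

    def is_on_call(self, engineer, now):
        window = self.on_call.get(engineer)
        return window is not None and window[0] <= now < window[1]

    def request(self, engineer, role, reason, now, ttl=None):
        """Return 'granted' or 'pending_approval'; never creates standing access."""
        ttl = min(ttl or self.max_ttl, self.max_ttl)   # cap elevation time
        self._log(now, "request", engineer=engineer, role=role, reason=reason)
        if not self.is_on_call(engineer, now):
            # Outside the on-call context: no auto-approval, a human decides.
            self._log(now, "deferred_to_human_approval", engineer=engineer, role=role)
            return "pending_approval"
        grant = Grant(engineer, role, now + ttl)
        self.grants.append(grant)
        self._log(now, "granted", engineer=engineer, role=role,
                  expires_at=grant.expires_at.isoformat())
        return "granted"

    def reap(self, now):
        """Revoke expired grants, record each revocation, return how many."""
        expired = [g for g in self.grants if g.expires_at <= now]
        for g in expired:
            self.grants.remove(g)
            self._log(now, "revoked", engineer=g.engineer, role=g.role)
        return len(expired)

    def entitlements(self, engineer, now):
        """Roles usable right now: only unexpired grants count."""
        self.reap(now)
        return sorted(g.role for g in self.grants if g.engineer == engineer)


# Constructed scenario: a page fires at 02:00 UTC on a Saturday.
T0 = datetime(2024, 6, 8, 2, 0, tzinfo=timezone.utc)
SCHEDULE = {"alice": (T0 - timedelta(hours=12), T0 + timedelta(hours=12))}


def weekend_incident():
    """Walk the scenario; returns (alice_status, bob_status, during, after, audit)."""
    broker = AccessBroker(on_call=SCHEDULE)
    alice = broker.request("alice", "prod-db-admin", "INC-1234 outage", T0)
    bob = broker.request("bob", "prod-db-admin", "wants to help", T0)   # not on call
    during = broker.entitlements("alice", T0 + timedelta(minutes=30))
    after = broker.entitlements("alice", T0 + timedelta(hours=3))       # past TTL
    return alice, bob, during, after, broker.audit


if __name__ == "__main__":
    for entry in weekend_incident()[4]:
        print(entry)
```

The audit trail for the scenario reads request, granted, request, deferred_to_human_approval, revoked: alice is elevated automatically because she is on call, bob's request waits for a person, and three hours later alice's role is gone without anyone remembering to remove it. The cap in request() matters for the ZSP argument: whatever TTL a caller asks for, the broker never hands out more than max_ttl, so there is no path back to standing privilege.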
Ultimately, the goal for any cloud security team should be operationalizing ZSP and other Zero Trust security principles throughout cloud environments. Wiz provides best-in-class discovery of risky permissions and misconfigurations to enforce least privilege and recommendations to enforce zero standing privileges through CyberArk.
Curious to explore the Wiz-CyberArk integration? Learn more on the Wiz Integrations page and on the CyberArk Marketplace.
Sam Flaster is director of IT solutions strategy at CyberArk, and Shaked Rotlevi is a technical product marketing manager at Wiz.