If your company is like most, it rolled out flexible remote work options and dialed up digital transformation last year – all thanks to the cloud. And now, you probably rely on more cloud services and SaaS applications than you ever have before.
Yet as organizations’ cloud usage grows – and increasingly spans across multiple cloud providers – the creation of human, application and machine identities has accelerated. Mapping relationships between all of these identities and cloud resources has gotten extremely complicated.
A recent ESG survey found that maintaining consistent identity and access management (IAM) controls across public and private clouds is the No. 1 challenge for IT and cybersecurity professionals charged with IAM tasks. Still, achieving a unified approach to IAM is their No. 1 priority, which makes sense, given the onus is on the cloud customer to manage and secure access in their cloud environments, as outlined in the leading cloud providers’ shared responsibility model.
Implementing the principle of least privilege – an essential cybersecurity best practice – is one of five key steps for securing privileged access and identities for cloud-based infrastructure and applications.
In a perfect world, each identity would be configured to have only the privileges and permissions to perform its intended functions – nothing more, nothing less. This is the crux of the principle of least privilege, and a core tenant of Zero Trust. But even the most sophisticated security team will tell you this is easier said than done
Cloud Permission Misconfiguration: A Critical Attack Vector
Especially at scale, the dynamic nature of cloud roles, infrastructure, applications and services often leads to misconfigurations that can result in the accumulation of unused permissions. Attackers can exploit these permissions to gain access to critical cloud infrastructure, steal or alter sensitive data or interrupt cloud hosted services.
Over-permissioned accounts and roles is the top cloud misconfiguration today, according to the same ESG study, and they’ve been traced to some of the largest breaches in history. The 2020 IBM Cost of a Data Breach study found that 19% of all breaches were caused by misconfigurations of cloud servers and virtual machines (VMs) – and they’re costlier than other breach types at $4.41M on average.
Six Steps to Implementing Cloud Least Privilege
It’s clear that least privilege must become a cloud IAM priority. Here are six best practices for reducing risk and driving change across people, process and technology to get there:
1. Get everyone on the same page. Research from CyberArk and the Cloud Security Alliance shows responsibility for cloud IAM design and operations varies notably between organizations. Stakeholders should align to identify which teams and individuals will “own” the implementation of least privilege strategies – and ensure these responsibilities are clearly understood.
2. Don’t make security decisions in a vacuum. Consult cloud architects and developer teams on all process and technology decisions at the start of the program and throughout the implementation. This helps to maximize buy-in from key stakeholders and increase long-term effectiveness.
3. Map all existing IAM permissions. Organizations can’t defend against threats they aren’t aware of. First, identify and visualize all IAM permissions across cloud provider environments and Kubernetes services. Then, map access relationships between identities and resources to uncover potential vulnerabilities.
4. Remediate unused and risky entitlements. Excessive permissions for human, machine and application identities should be removed immediately. AI-powered recommendations can speed and simplify this process, and the most effective solutions can also uncover hidden, platform-specific risks like Shadow Admins. If you’re taking a phased approach, start by eliminating excessive privileges to your most valuable cloud assets – then apply least privilege policies more broadly over time.
5. Make bare minimum permissions the default for new workloads: AWS is especially clear on this point, advising organizations to “Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later.”
6. Consistently measure and verify least privilege. Least privilege doesn’t last forever. Structuring consistent, periodic reviews to clean up unused permissions that accumulate over time is essential to combatting permission creep. Quantify risk reduction over time with analytics-based assessments for each unique environment.
Consistent Controls are Key for Scalable Security
Today, you’re likely utilizing capabilities from multiple cloud providers for cost savings, increased availability or unique technical features. And configuring the countless combinations of user to application access – for any time and from any place or device – is a real challenge. Add in the complexity of DevOps tools, increased automation and multiple on-premises data centers, and things get even more… cloudy. Cracking the code requires a unified approach.
The most effective strategies employ centralized, consistent IAM and privileged access management (PAM) controls that enable least privilege for all identities linked to resources – from cloud management consoles to SaaS applications – across hybrid and multi-cloud environments. It’s also important to layer these controls with single sign-on and context-based multi-factor authentication (both also protected by PAM) to further secure access to cloud environments.
Whether you’re focused on securing an initial project in a hybrid environment or fully embracing cloud native applications today, a consistent approach is the key to mastering privileged and identity access management in the cloud.
If you’re interested in further exploring strategies to implement and measure least privilege in the cloud, check out our free trial of CyberArk Cloud Entitlements Manager, an AI-powered SaaS solution that removes excessive permissions across your cloud estate.
Editor’s Note: This is the final post in a series on securing privileged access and identities in the cloud. Explore these previous posts: