How We Can Close The Cloud Permissions Gap
Mike Raggo, author, ethical hacker, former CISO and cloud security expert, shares his insights on the state of cloud security and how we can better protect identities in the cloud.
Over the course of the pandemic, many businesses quickly underwent a period of digital transformation. And scrambling to support a remote workforce by migrating key services to the cloud often meant sacrificing security for speed.
Ensuring users have access to all the accounts they need, with the right level of permissions, can be a major headache for IT teams. This was one of the security issues that was massively exacerbated by the pandemic. Think for a moment of the cloud applications you have access to. Do you know exactly how many accounts you have? Do you know what data each of these accounts has access to, or what would happen if one of these accounts was compromised?
For many security teams, this represents a critical challenge. Cloud permissions can quickly become out of control and impossible to track, with 49% of organizations having at least some users with more access privileges than are required for them to do their job. The security risks are immense; compromised accounts with high permissions can lead to damaging data breaches, and lack of auditing over account access can lead to compliance violations.
A new category of security solutions has emerged to deal with the challenges posed by the ever-increasing number of cloud platforms and permissions. Termed ‘Cloud Infrastructure Entitlement Management’ (CIEM) by Gartner, these services are designed to tackle weaknesses in how permissions are granted to and managed for cloud identities, using automation and defined security processes to do so at cloud scale.
We spoke to Mike Raggo, a Cloud Security Expert with CIEM provider CloudKnox, to find out more about the permissions problem in the cloud. Raggo has worked on the front lines helping organizations to protect themselves against cloud threats, with over 25 years of experience in the security industry. He has worked as an ethical hacker, a pen-tester and an author, and is a regular speaker at security conferences around the world.
The Pandemic And The Cloud Permissions Gap
The pandemic has created unprecedented new challenges for businesses over the past 14 months, and for security teams in particular. The rapid move to home working caused businesses to rely more heavily than ever on cloud applications, Raggo tells me.
“It’s certainly the pace at which people are building out in the cloud, across these different cloud infrastructures. It’s like nothing we’ve ever seen,” he says. “Traditionally, 20–25 years ago, you would have a network team that would build the network, another team that would build servers, and then another group that would install the operating system. All of that build process could take days, weeks, even months.”
“In the cloud, you can build out a stack, build out an environment and infrastructure, in just a matter of minutes.”
The fast pace of this digital transformation has brought about a plethora of cloud risks, including the major issue of cloud permissions, Raggo says. Many organizations are unsure which permissions need to be given to certain individuals and, as a result, assign much broader permissions than users actually need, just in case they do need them at some point. This is a problem that CloudKnox refers to as the “Cloud Permissions Gap”.
“In our recent State of Cloud Entitlements report, CloudKnox found that on average, less than 5% of permissions assigned are actually being used,” Raggo says. “So, there’s a big fundamental problem with over-permissioned access. And, as a result, there’s a big problem with potential security risks.”
These risks are also likely to continue as we move back to the office, but in a more hybrid way of working, Raggo says. “Hybrid working will certainly have an impact,” he says. “Understanding who has access to what, and when, will have to also take into account that some folks will be going back and working in the office, some will be staying home.”
“That will have a direct impact on how you determine what type of access that you’re going to provide, and what those permissions should look like.”
The Risk Of Insider Threats
One of the security risks posing a critical challenge to organizations in the cloud is the insider threat. Insider threats originate from people already inside the organization, such as employees and contractors, who misuse the access they have legitimately been granted, whether maliciously or by accident; an external attacker who compromises an insider's account inherits the same access. The Cloud Permissions Gap greatly increases this risk, Raggo says.
“If you think of it from a fundamental perspective, when you’re not sure what permissions to add to an individual or a role, you’re going to use a little bit of guesswork,” he says. “Our research has found that roughly half of all these permissions are actually high-risk permissions, which are permissions that allow employees to escalate their access to admin-level.”
For an insider, or an attacker operating through a compromised insider account, this means that a permission set intended for routine work can be used to reach admin-level controls that the identity should never have had, and that escalation may be completely invisible to the security team.
One example is the ability to create a second user account for malicious use, which can easily go unnoticed. “There’s certainly a plethora of risks that can stem from over-permissioned access, and they’re being leveraged by insiders with malicious intent.”
Resolving The Cloud Permissions Gap
Cloud Infrastructure Entitlement Management (CIEM) solutions like CloudKnox help organizations close the Cloud Permissions Gap, using a variety of tools and techniques. One of the most important ways that security teams can reduce the risk of over-permissioning users is by applying a Zero Trust approach to managing user identities in the cloud, which CIEM vendors can help facilitate.
“Fundamentally, Zero Trust is based around the concept of ‘never trust, always verify,’” Raggo says. “One of the key pillars of that is the concept of least privilege.” This is the concept that users should only ever have access to the specific applications and privileges necessary to fulfil their job function effectively.
“So, the challenge for teams again, is trying to determine what privileges, and what permissions, to assign to a role. And so, we built a patented concept to help organizations pursue least privileges to fulfil that portion of Zero Trust. We provide a second ingredient, to help you determine which permissions you need to assign.”
The CloudKnox solution works in two ways. The first is performing risk assessments, which can help organizations identify instances of over-permissioned access. The second is an activity-based monitoring feature that CloudKnox has developed, which vastly simplifies the user permissioning process.
“Activity Monitoring allows us to look historically at what permissions an individual has actually used over that period, compared to what permissions have been assigned. By contrasting this data, we can, in an automated way, determine how over-permissioned users are, and use that for the basis of removing all the permissions they’ve never utilized,” Raggo explains.
Fundamentally, this means admins can remove unused, and often high-risk, account permissions in an automated way. This greatly reduces the chance that a malicious actor, whether internal or external, can exploit over-permissioned access.
The solution does not remove any permissions the user is actively using, so users shouldn’t see any impact on their day-to-day workflows. On top of this, additional security layers can also be implemented, including the ability to filter high-risk permissions, and isolating permissions to certain groups of users.
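The following is an added example, not CloudKnox's code or the article's, showing the two ideas discussed above in working form: flagging assigned entries that contain escalation-capable (high-risk) actions, and activity-based right-sizing, in which the permissions an identity actually exercised over a lookback window are compared with what it was assigned and everything never used is dropped. All inputs are constructed: ASSIGNED is an AWS-style list of granted actions (wildcards included), EVENTS is a handful of CloudTrail-like records, HIGH_RISK is an illustrative subset of escalation-capable IAM actions rather than an authoritative list, and the fixed NOW keeps the run deterministic.

```python
"""Added example (not CloudKnox's code): right-size a cloud identity's
permissions from what it has actually used.

Assumptions, all constructed for illustration:
  * ASSIGNED lists the IAM actions the identity's policies grant, AWS-style,
    including wildcards.
  * EVENTS is a handful of CloudTrail-like records (eventTime, eventSource,
    eventName); eventName is taken as the IAM action name, which holds for
    most APIs but not all (S3 ListObjects calls map to s3:ListBucket, for
    example), so a real tool needs an explicit mapping table.
  * HIGH_RISK is an illustrative subset of actions that let a principal grant
    itself more access; it is not an authoritative list.
"""
import fnmatch
import json
from datetime import datetime, timedelta, timezone

HIGH_RISK = {
    "iam:CreateUser", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "iam:PutUserPolicy", "iam:AttachRolePolicy", "iam:CreatePolicyVersion",
    "iam:PassRole", "sts:AssumeRole",
}

# Constructed: what the identity's policies currently allow.
ASSIGNED = ["s3:*", "ec2:DescribeInstances", "ec2:TerminateInstances",
            "iam:*", "sts:AssumeRole"]

NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)  # fixed so the example is deterministic

# Constructed CloudTrail-like events for this identity.
EVENTS = [
    {"eventTime": "2021-05-20T10:00:00Z", "eventSource": "s3.amazonaws.com",  "eventName": "GetObject"},
    {"eventTime": "2021-05-21T09:15:00Z", "eventSource": "s3.amazonaws.com",  "eventName": "PutObject"},
    {"eventTime": "2021-05-25T16:40:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    # Used once, outside the 90-day window: activity-based review will drop it.
    {"eventTime": "2020-11-01T08:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances"},
]


def used_actions(events, now=NOW, lookback_days=90):
    """Return the set of IAM actions exercised within the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    used = set()
    for ev in events:
        when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        if when < cutoff:
            continue
        service = ev["eventSource"].split(".")[0]        # "s3.amazonaws.com" -> "s3"
        used.add(f"{service}:{ev['eventName']}")
    return used


def right_size(assigned, used):
    """Split assigned entries into what to keep and what to drop.

    A wildcard such as "s3:*" is replaced by the concrete actions it was
    actually used for; an entry matching no observed activity is dropped.
    """
    keep, drop = set(), []
    for pattern in assigned:
        matched = {a for a in used if fnmatch.fnmatchcase(a, pattern)}
        if matched:
            keep.update(matched)
        else:
            drop.append(pattern)
    return sorted(keep), sorted(drop)


def high_risk_grants(assigned):
    """Assigned entries that grant at least one escalation-capable action."""
    return sorted(p for p in assigned
                  if any(fnmatch.fnmatchcase(a, p) for a in HIGH_RISK))


def policy_document(actions):
    """Minimal AWS policy document for the retained actions.

    Resource is left as "*" to keep the example short; scoping resources is
    the other half of least privilege.
    """
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


if __name__ == "__main__":
    used = used_actions(EVENTS)
    keep, drop = right_size(ASSIGNED, used)
    print("used in window:   ", sorted(used))
    print("keep:             ", keep)
    print("drop (never used):", drop)
    print("high-risk grants: ", high_risk_grants(ASSIGNED))
    print(json.dumps(policy_document(keep), indent=2))
```

Two caveats a practitioner should carry over from this toy to a real rollout. First, the lookback window decides what counts as "unused": the ec2:TerminateInstances call here falls outside 90 days and is dropped, which is exactly what would happen to a permission needed only for a quarterly or annual task, so review the drop list (or choose the window) with such jobs in mind. Second, CloudTrail event names do not map one-to-one onto IAM action names for every service, so the simple eventSource:eventName join above needs a proper mapping table before it drives policy changes.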
How We Can Implement Better Cloud Security
Raggo’s advice for organizations looking to close the Cloud Permissions Gap and implement a Zero Trust strategy is to embrace automation and pursue a policy of least privilege.
“I think every organization would acknowledge that the cloud environment is growing like a carbon lifeform. And as a result of this, it’s imperative that security teams embrace automation,” he says.
“Cloud is just moving at such a fast pace compared to how we traditionally managed our on-premises environments, and so automation will be key to pursuing least privileges and fundamentally reducing risk.”
Thanks to Mike Raggo for taking part in this interview. You can find out more about CloudKnox via their website here: https://cloudknox.io/