Author: Morey Haber, CTO and CISO at BeyondTrust
The cloud means so many different things to so many people. If you ask a grade school child “what is the cloud,” you may get a response about the water cycle, evaporation, condensation, and rain. If you ask a meteorologist, they will explain all the different types of cloud from Nimbus (not to be confused with Harry Potter's flying broomstick model) to Stratus. And, to make things more complicated, if you ask a technology professional, the cloud will have an entirely different set of definitions from public to private, service to infrastructure, and platform for next generation technologies. There are not too many words in the English language that can mean so many different things and spark such a variety of responses depending on age, discipline, and use case.
For the purposes of our discussion, we are going to focus on the information technology perspective of the cloud. If you dig really deep, you will find it gets even more confusing, especially when you layer on concepts like security, asset management, vulnerabilities, and privileges. The information technology security definition ends up feeling more like a thunderstorm than a white puffy summertime cloud in the blue sky. To simplify the conversation even further, let's strip it down another level and focus on Privileged Access Management (PAM) in the cloud. First, the cloud can be defined by three separate disciplines, each with its own unique flaws:
IaaS – Infrastructure as a Service provides virtualised infrastructure as a component of an overall solution. Since the IaaS resource is virtualised, and not physical like a router, switch, or firewall, it carries privileges for its own management and, underneath, for the hypervisor it is executing on. This removes the need for physical privileged access to a datacenter or secure closet but introduces a software-based privileged access risk into the architecture and the solution itself.
PaaS – Platform as a Service provides a virtualised environment to host operating systems and applications without the need for dedicated hardware. It is true that most people think of PaaS as “the cloud” but forget that it is your computer operating in someone else’s environment. Therefore, it is your resource, but someone else has the final say on its execution, runtime, and even its security. Privileges are a large component of this, preventing lateral movement even within your own resources and to any other system that may be virtualised in the same environment. This is why the Spectre and Meltdown threats are so scary to virtualised and cloud environments. Threat actors could gain access to the memory space of another resource, even if it is fully segmented, based on flaws in the microcode of an Intel CPU. That access could reveal data, passwords, keys, and other secrets that are required to keep your PaaS implementation safe.
SaaS – Software as a Service is typically a pay-as-you-go model for an application or service hosted by someone else, in lieu of you setting up an entire infrastructure to support it. The typical organisation uses SaaS applications all the time, from Salesforce to Office 365. The privileged risks, however, are very different from IaaS or PaaS. Since you are licensing someone else’s application, there are typically administrative accounts to manage your instance. If those accounts are compromised, then your entire application could be abused, misused, and critical data extracted.
While this is by no means a comprehensive list of all the flaws a cloud-based environment could have, it does tie us back to our initial conversation. The cloud means different things to different people, and the threats are different depending on your type of utilisation. One thing is certain: Privileged Access Management can help secure each “as a service” using a variety of password management techniques, least privilege models, and automation, even when vulnerabilities are present and potentially exploitable. Yes, even threats like Spectre and Meltdown have valid mitigation strategies when administrative accounts are removed and applications are configured to use a least privilege model. Any attack that steals passwords would reveal only a standard user’s credentials or an application hash that is not usable from an outside resource.
So, the question becomes: why isn’t everyone using PAM in the cloud? The simple answer is that everyone uses the cloud differently based on their own definition, as we have discussed. It therefore becomes an education process to demonstrate that privileged access management can solve many of these risks and help everyone come together on the same solution, and definition, regardless of what the cloud means to them… with the sole exception being the water cycle itself.