Authored by: Vincent Goh, Senior Vice President, Asia Pacific and Japan, CyberArk
The world is changing quickly. Digital transformation initiatives and new services from cloud providers are creating an explosion of identity-based permissions. Through the eyes of an attacker, each cloud identity represents a potential opportunity and a first step toward a company’s most valuable assets. According to IDC's FutureScape: Worldwide Cloud 2020 Predictions, even though 91 per cent of enterprises in APEJ planned to increase spending on cloud, 85 per cent of them struggled to shift to the cloud for reasons such as low internal competencies.
There are gaps between how well business leaders believe they are securing their business-critical applications – and the reality. Under Zero Trust, organisations should not automatically trust anything, whether it sits inside or outside the network perimeter. To be effective, security teams must provide centralised management and secure controls without inhibiting end-user productivity.
Least Privilege Access: A Core Tenet of Zero Trust
Adoption of public cloud services, SaaS applications and remote access has dissolved the traditional network perimeter. This establishes identity as the key line of defence for most organisations and the de facto ‘new perimeter.’ As modern Zero Trust models take hold, authentication and authorisation of all identities become paramount. In cloud environments, any human or machine identity can be configured with thousands of identity and access management (IAM) permissions to access cloud services containing sensitive information. User, group and role identities are assigned permissions depending on their job functions. Many organisations unintentionally configure their various identities with permissions to access cloud services they don’t actually use or need.
These excessive permissions pose a major challenge for organisations as they move toward Zero Trust security frameworks, which demand that every identity attempting to access corporate resources be verified and their access intelligently limited. A recent ESG survey found over-permissioned accounts and roles as the top-ranked cloud service misconfiguration. Not surprisingly, attackers have taken notice: the same survey ranked overly permissive privileges as the most common attack vector against cloud applications. In addition, 52% of respondents indicated that it is difficult to map user account access to cloud-resident sensitive data.
By compromising a cloud identity with overly broad permissions, an attacker can access critical workloads undetected or escalate their privileges to steal cloud-hosted data, disrupt high-value applications or even take entire cloud deployments offline.
To address this challenge, implementing the least privilege is an established best practice for organisations on their Zero Trust and cloud journeys.
Here are four reasons to introduce or extend least privilege to your cloud environments.
1. Data Breaches Are Increasingly Linked to Cloud Identities
Digital transformation only moves forward. As businesses shift their attention to the cloud, so do attackers. But while attackers are targeting new environments, they rely on the same old tactics. The 2020 Verizon Data Breach Investigations Report (DBIR) identified that identities remain the weakest link in most organisations, as credential theft was employed in 77% of cloud breaches. Recent Forrester research found that the top two challenges Asia-Pacific CISOs faced were the complexity of their IT environment and the changing nature of IT threats.
These trends reinforce the case for least privilege access in cloud environments. In the least privilege model, organisations proactively protect themselves from insider threats while greatly limiting the potential damage of external attacks. A compromised identity in the least privilege framework can’t immediately access resources outside of that identity’s standard job responsibilities. Least privilege, therefore, limits attacker movement and protects mission-critical workloads, buying valuable time to detect and respond to an attack.
2. Accelerated Cloud Adoption Expands the Attack Surface. Least Privilege Shrinks It.
More cloud services. More identities. More risk. Several aspects of cloud environments make proper configuration of privileges and permissions a challenge. Cloud IAM roles for certain application services are often granted a wide range of permissions to minimise developer friction. A thorough entitlements audit process can identify such excessive permissions and limit them to the least privilege required for the service to work properly. Other organisations fail to account for outdated permissions, such as neglecting to remove developer access to storage buckets and container pods at the close of a project.
Both scenarios are equally dangerous, as an attacker compromising either of these identities can increase their chances of escalating privileges or reaching mission-critical data undetected. Establishing and continuously validating least privilege is a critical step to shrinking the attack surface, lowering risk by dissuading insider threat actors and impeding external attackers.
3. Cloud Services Are Multiplying. So Are Misconfiguration Risks.
The leading infrastructure as a service (IaaS) platforms – Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) – are constantly introducing new services to differentiate from other platforms. This blistering innovation boosts business productivity, as powerful tools for specialised needs like data streaming, blockchain networking and Internet of Things (IoT) analytics are more accessible than ever before.
That accessibility can come at a price. Configuration of cloud services is challenging for any organisation, and one simple misconfiguration can open doors for attackers. The 2020 IBM Cost of a Data Breach report found attackers used cloud misconfigurations in nearly 20% of data breaches. CyberArk's Cloud Entitlements Manager takes a Zero Trust approach, reducing risk and improving visibility across cloud environments – built on the principle of least privilege.
Least privilege models place emphasis on managing permissions to identify potential misconfigurations that result in excessive, unauthorised access to key cloud services, mitigating risk while enabling necessary access to advanced workloads.
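The two review steps described above (flagging wildcard or over-broad grants, then trimming a role's permissions to the ones it actually uses, which also catches stale developer access left behind after a project) can be illustrated with a small script. This is an added example, not code from the article or from CyberArk's product; the policy document, the role it is attached to and the list of observed actions are all constructed sample data, and the matching uses the IAM-style `service:Action` wildcard convention rather than a cloud provider's API.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: an IAM-style policy attached to a hypothetical build-pipeline role.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-build-artifacts/*",
                      "arn:aws:s3:::example-build-artifacts"]},
        # Wildcard grant added "to avoid friction" during development.
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        # Mutating action left over from an old project, on every instance.
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances"],
         "Resource": "*"},
    ],
}

# Constructed sample: actions the role was observed calling during the review window.
OBSERVED_ACTIONS = ["s3:GetObject", "s3:PutObject", "ec2:DescribeInstances", "iam:GetRole"]


def _as_list(value):
    """IAM allows a bare string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """Heuristic: treat Describe/Get/List actions as non-mutating."""
    return action.split(":", 1)[-1].startswith(("Describe", "Get", "List"))


def find_wildcard_grants(policy):
    """Step 1: surface over-broad Allow statements before looking at usage.
    Returns (statement_index, description) for wildcard actions and for
    mutating actions granted on Resource '*'."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            if action.endswith("*"):
                findings.append((i, f"wildcard action {action!r}"))
            elif "*" in resources and not _is_read_only(action):
                findings.append((i, f"mutating action {action!r} on Resource '*'"))
    return findings


def right_size(policy, observed_actions):
    """Step 2: rebuild the policy so each Allow statement keeps only the
    observed actions it actually served. Statements that served nothing are
    dropped. Returns (new_policy, removed) where removed lists
    (granted_pattern, replacement_actions); an empty replacement means the
    grant was unused and is removed outright."""
    new_statements, removed = [], []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            new_statements.append(stmt)
            continue
        kept = []
        for pattern in _as_list(stmt["Action"]):
            # IAM action matching is case-insensitive, so compare lower-cased.
            matched = sorted(a for a in observed_actions
                             if fnmatchcase(a.lower(), pattern.lower()))
            if matched:
                kept.extend(matched)
                if matched != [pattern]:          # a wildcard narrowed to concrete actions
                    removed.append((pattern, matched))
            else:
                removed.append((pattern, []))     # granted but never used
        if kept:
            new_statements.append({**stmt, "Action": sorted(set(kept))})
    return {**policy, "Statement": new_statements}, removed


if __name__ == "__main__":
    for idx, why in find_wildcard_grants(GRANTED_POLICY):
        print(f"statement {idx}: {why}")
    trimmed, removed = right_size(GRANTED_POLICY, OBSERVED_ACTIONS)
    for pattern, replacement in removed:
        print(f"remove {pattern!r}" + (f" -> keep {replacement}" if replacement else ""))
    print(json.dumps(trimmed, indent=2))
```

On the sample data the first pass flags the `iam:*` grant and the `ec2:TerminateInstances` grant on every resource; the second pass drops the never-used `s3:ListBucket` and `ec2:TerminateInstances` grants and narrows `iam:*` to the single `iam:GetRole` call that was observed. Running `find_wildcard_grants` again on the trimmed policy returns nothing, which is the check worth keeping in a pipeline: the review is not finished until the right-sized policy has no wildcard findings left. In practice the observed-action list would come from the provider's access logs or last-accessed data over a window long enough to cover infrequent but legitimate jobs.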
4. Cloud Provider, Industry and Regulatory Frameworks Recommend Least Privilege
Recognising the dangers of over-permissioned identities and the difficulty of securely configuring services in immense cloud environments, AWS, Azure and GCP all specify least privilege access as a security best practice.
Highly regulated organisations can even face financial penalties if breached after failing to establish least privilege. Organisations should continuously verify least privilege across their on-premises and cloud workloads to ensure compliance.
Least privilege cannot come at the expense of end-user productivity or overburden IT teams. Effective least privilege enforcement brings the right mix of privileged access management practices together with flexible controls to balance security and compliance requirements with operational and end-user needs.
Implement Least Privilege Across Your Cloud Estate
Organisations need to rapidly scale cloud deployments and adopt advanced services to digitally transform their business. Many security teams realise that they lack visibility because thousands of permissions are scattered across public cloud platforms. If these permissions are not managed or properly configured, a compromised cloud identity could allow an attacker to gain privileged access to compromise critical resources and entire cloud environments. By leveraging Cloud Entitlements Manager, organisations reduce risk by implementing least privilege across cloud environments.
Organisations need a solution such as Cloud Entitlements Manager to provide cloud-agnostic visibility and granular, AI-powered remediation of excessive permissions, so organisations can consistently implement least privilege while preserving necessary access to drive operational efficiency.
A Cloud Entitlements Manager solution can take customers from subscription to AI-powered remediation, while calculating exposure-level analysis for all identities, environments and platforms in an organisation’s AWS, Azure, GCP and AWS Elastic Kubernetes Service environments.