Multi-cloud environments are likely here to stay. By using IAM and a modern PAM solution to manage multi-cloud environments, organizations can improve their security posture and operational efficiency for years to come, writes Tony Goulding, cybersecurity evangelist, ThycoticCentrify.
Over the last year, organizations have had to accelerate digital transformation initiatives to sustain a distributed workforce. As a result, enterprises spent a total of $257.5 billion on cloud services in 2020. While the cloud has ensured business continuity during remote work, it has not been without its downfalls.
Part one of a two-part survey sheds light on some of the challenges. Despite most organizations beginning the migration to the cloud several years ago, about 25% started the move only in the past two years. Managing multi-cloud environments while employees work from home has become an enormous challenge for organizations, with nearly 40% citing it as the most significant issue during their cloud transition.
The Evolving Cyber Threatscape in the Cloud
The evolving cyber threatscape has also presented problems for handling cloud environments in the past year. The nature of cyberattacks has been changing for quite some time. Gone are the days where hackers focused on blasting their way through a network perimeter’s defenses. Now, they simply log in using weak, stolen, or otherwise compromised credentials — as evidenced by high-profile breaches such as the Twitter breach of July 2020.
Recent research supports this, revealing that 90% of cyberattacks on cloud environments have involved compromised privileged credentials in the past year.
These are a prime target as they allow adversaries to move laterally across a network and gain access to sensitive information, such as employee or customer addresses, emails, phone numbers, credit card data, protected health information, and intellectual property.
Under the guise of a regular user, these hackers can go months under the radar, giving them ample time to perform reconnaissance and exfiltrate the data or encrypt it for ransom.
Adoption of Cloud-Based Identity and Access Management
Research showed promising adoption of cloud-based identity and access management (IAM) solutions in the enterprise space. IAM solutions can help struggling organizations manage multi-cloud environments and protect themselves against cyber adversaries. The survey revealed that 89% of enterprises have already implemented solutions for IAM and privileged access management (PAM) in cloud environments.
A top analyst firm predicts that by the end of 2021, 75% of midsize and large organizations will have adopted a multi-cloud strategy. Utilizing IAM and PAM solutions can help ease the concerns of IT and security teams to ensure business continuity in the hybrid cloud environment. Below, we dive into the top three IAM and PAM solutions identified in the survey that can help organizations successfully manage a cloud environment.
Multi-Factor Authentication
Over half (53%) of organizations rely on multi-factor authentication (MFA) — and for a good reason. MFA is a method of access control in which an entity is granted access only after successfully presenting additional evidence to prove they’re the owner of that identity. In addition to the username and password, MFA solutions require a second factor from the user:
- Something they know – Such as a one-time passcode (OTP) pushed to their mobile device or an email to their registered address
- Something they have – Such as a smartphone or USB authenticator (for example, a YubiKey or Duo)
- Something they are – Such as a face or fingerprint scan
These extra layers of identity assurance present hackers with a much harder job. Hurdles like this can cause them to simply move on to their next target rather than spin their wheels. Thus, MFA can significantly reduce the chances of a credential-based attack on enterprises and lessen the burden on distributed security teams.
Privilege Elevation and Delegation Management (PEDM)
With PEDM, enterprises can control the execution of privileged applications and commands on critical IT systems. It relies on the concept of “least privilege,” whereby we remove from the equation implicit trust in our admins. Instead of routinely trusting them with “keys to the kingdom” accounts such as “root” and “administrator,” admins use their individual enterprise account – one that has minimum rights and is fully accountable (versus a shared account). If a cyber-attacker compromises this account, they can’t do much with it; they’re unable to move laterally from system to system.
However, for legitimate use, the admin can request elevated privileges “just-in-time,” for a limited time, and just enough for the job at hand.
When the time expires, the PAM solution automatically deprovisions them so the user is back to a low-risk, least privileged state.
This least privilege model can also extend to headless users – applications and services that need to talk to each other, becoming more common as organizations containerize their workloads in the cloud.
Least privilege via privilege elevation is one side of the PAM coin. It’s a critical element that also forms the cornerstone of best practices for modern security, such as zero trust and zero standing privileges.
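The just-in-time elevation model described above (an individual account requests a narrow role for a bounded time, and the grant is deprovisioned automatically when it expires) can be sketched as a small broker. This is an added illustration, not code from the article or from any ThycoticCentrify product; the role catalogue, TTL caps and ticket field are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical elevation catalogue: each narrowly scoped role and the longest
# grant (in seconds) it permits. Values are assumptions for this example.
MAX_TTL_SECONDS = {
    "restart-web-service": 15 * 60,
    "rotate-db-credentials": 30 * 60,
}

@dataclass
class Grant:
    user: str        # the admin's individual, accountable account, never "root"
    role: str        # one narrow role, not a "keys to the kingdom" account
    expires_at: int  # epoch seconds after which the grant is void
    ticket: str      # change or incident reference kept for the audit trail

@dataclass
class ElevationBroker:
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def request(self, user, role, ttl_seconds, ticket, now):
        """Issue a time-boxed grant; refuse unknown roles and over-long TTLs."""
        if role not in MAX_TTL_SECONDS:
            raise PermissionError(f"no such elevation role: {role}")
        if ttl_seconds > MAX_TTL_SECONDS[role]:
            raise PermissionError(f"ttl exceeds cap for {role}")
        grant = Grant(user, role, now + ttl_seconds, ticket)
        self.grants[(user, role)] = grant
        self.audit.append(("grant", user, role, ticket, now))
        return grant

    def is_elevated(self, user, role, now):
        """Allow only while an unexpired grant exists; expired ones are removed."""
        grant = self.grants.get((user, role))
        if grant is None:
            return False
        if now >= grant.expires_at:
            del self.grants[(user, role)]  # automatic deprovisioning
            self.audit.append(("expire", user, role, grant.ticket, now))
            return False
        return True
```

Every decision is keyed on the individual user and a single role, so a compromised account without an active grant has nothing to elevate with, and the audit list records who held what, when, and under which ticket.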
Password Vaulting
If privilege elevation is one side of the PAM coin, vaulting is the other. Both are necessary for a comprehensive PAM security posture. In the above scenario, you might be wondering what happens to those shared privileged accounts if we’re no longer trusting our admins to use them routinely. The answer is, we eliminate as many as we can – reducing the attack surface in the process – and put the rest in a vault, strictly controlling access for emergencies only.
Originally designed simply to store passwords and rotate them regularly, vaults have evolved over the years and provide additional benefits for IT. Some of these were in response to the rapid adoption of multi-cloud environments. IT has become increasingly fragmented, spreading systems across continents, resulting in new vault capabilities to help streamline secure remote access to this hybrid infrastructure.
DevOps teams have also become increasingly dependent on vaults. They are used to hard-coding identities, passwords, SSH keys, AWS Access Keys, and sensitive configuration data in code or files on the disk, which is an easy target for threat actors. Today, we can store credentials and secrets in the vault and retrieve them programmatically, reducing that attack surface.
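Before secrets can be moved into a vault, you need to find where they are hard-coded today. The scanner below is an added example, not code from the article or any vendor tool: it walks configuration or source text line by line looking for the credential types the paragraph names (AWS access key IDs, private-key blocks, password assignments) plus long high-entropy literals. The AWS key-ID format is public; the other patterns, the entropy threshold and the sample config are assumptions constructed for the example.

```python
import math
import re

# Credential patterns. The AWS access-key-ID shape (AKIA + 16 uppercase
# alphanumerics) is documented by AWS; the rest are conventional guesses.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r'''(?i)(?:password|passwd|pwd)\s*[=:]\s*["']([^"']{6,})["']'''),
}
# Quoted literal of 20+ token-like characters; checked for entropy below.
LITERAL = re.compile(r'''["']([A-Za-z0-9+/=_\-]{20,})["']''')
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption, tune per code base

# Constructed sample config file. None of these values are real credentials.
SAMPLE = '''# constructed sample, not real credentials
aws_access_key_id = AKIAEXAMPLEKEY000001
db_password = "hunter2hunter2"
api_token = "dGhpcyBpcyBub3QgYSByZWFsIHRva2Vu"
timeout = 30
-----BEGIN RSA PRIVATE KEY-----
'''

def shannon_entropy(s):
    """Bits per character of s; random-looking tokens score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(text, source="<inline>"):
    """Return (source, line_no, finding_type) for each suspicious line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((source, no, kind))
        if any(f[1] == no for f in findings):
            continue  # already flagged by a specific pattern
        if any(shannon_entropy(lit) > ENTROPY_THRESHOLD for lit in LITERAL.findall(line)):
            findings.append((source, no, "high_entropy_literal"))
    return findings

if __name__ == "__main__":
    for src, no, kind in scan(SAMPLE, "sample.cfg"):
        print(f"{src}:{no}: {kind}")
```

Findings point at the lines whose values belong in the vault; the remediation the paragraph describes is to replace each literal with a programmatic retrieval at runtime.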
Supporting Cloud Transformation
Another example of a modern use case supporting cloud transformation is PAM as-a-Service. Instead of a complicated legacy vault designed for the data center and only accessible from inside the network or via a VPN, a SaaS-based vault is accessible from anywhere. This better supports the remote workforce and provides a more secure way of controlling access for your outsourced IT and other third parties.
It leverages the cloud economy for large scale and performance, and the vendor can provision one for you in less than an hour. PAM as-a-Service can accommodate this fragmented IT infrastructure without replicating the vault stack on-premises, in each VPC or VNet, or each cloud provider.