Human identities have emerged as a top security concern for CISOs in the wake of the pandemic. Sivan Krigsman, Chief Product Officer and Co-founder of Ermetic, shares why the least privilege principle can reduce data threats and how an automated approach can help manage and monitor cloud access policies and permissions for applications and services.
The flexibility of public cloudOpens a new window environments enables customers to provision resources with the click of a button, spin up containers based on dynamic scaling requirements, and more. A typical public cloud deployment Opens a new window can quickly turn into a vast maze of interconnected machines, users, applications, services, containers, and microservices.
Keeping track, evaluating risks and defining access policies and permissions for a multitude of machines (applications, services, etc.) and human identities is therefore a huge undertaking, especially as more and more organizations adopt a multi-cloud strategyOpens a new window .
Some of the most high-profile cybersecurity Opens a new window incidents in recent years were the direct result of customers failing to properly configure their cloud environments, or granting excessive or inappropriate access permissions to cloud servicesOpens a new window , rather than a failure of the cloud provider in fulfilling its responsibilities. Since access policies must be frequently adjusted over time, the potential for human error increases sharply.
This rising concern over excessive permissions in the cloud is reflected in a recent IDC survey Opens a new window where more than 71% of respondents cited detection of excessive permission in the cloud as either very important or extremely important.
In addition, only 20% of respondents reported that they were able to identify situations in which employees in their organization have had excessive access to sensitive data. These numbers clearly reflect the gap between the important decision-makers attribute to the issue, and their limited capabilities.
Meanwhile, excessive permissions may go unnoticed as they are often granted by default when a new resource or service is added to the cloud environment. This is where the human factor comes into play: an overworked securityOpens a new window or IT admin may fail to identify and remove such permissions and create a significant vulnerability that may only be detected after the fact.
According to the survey, early detection doesn’t necessarily guarantee prevention; more than 13% of respondents that detected excessive permissions reported that they were unable to mitigate the risks before data was exposed.
Learn More: Why Every CISO Should Continuously Test For Security WeaknessesOpens a new window
Unauthorized Access Leads to Sensitive Data Exposure
Given these challenges, it’s not surprising that more than 79% of the survey respondents reported they had experienced a cloud data breach Opens a new window in the last 18 months. Even worse, forty three percent of respondents reported that they have experienced ten breaches or more.
Many of the organizations that reported the largest number of cloud data breachesOpens a new window were among those who identified excessive access to sensitive data among their employees. According to the survey, the healthcare industry appears to be particularly exposed to this risk as 31.25% of organizations in this sector reported they have identified a situation where employees had excessive access permissions.
The steps taken by many CISOs Opens a new window to mitigate risks stemming from excessive permissions reflect the growing interest in the least privilege model which is based on limiting every user or application to the exact permissions required to complete legitimate work activities in order to protect cloud environments.
Learn More: Why Organizations Need to Talk About Cloud SecurityOpens a new window
Least Privilege Is Daunting & Not Foolproof
Least privilege relies on continuous and accurate understanding of the relationships between entities – whether human or machine identities – and the systems they need to access to perform their job. However, defining and enforcing dynamic, least privilege access policies involves significant challenges.
Most notably, in a typical cloud environment consisting of multiple applications, services and dependencies, implementing least privilege permissions for even a single user could be a daunting task – let alone when dealing with multi-cloud environments.Opens a new window
In this regard, the proliferation of machine identities exacerbates the difficulty of achieving least privilege. Unlike human identities that employ usernames and passwords to authenticate and access resources, machine authentication is based on certificates and encryption keys.
Learn More: Don’t Leave Cloud Data Security Behind: 5 Best Practices to FollowOpens a new window
For organizations that rely on cumbersome manual processes and homegrown tools to manage and track their certificates and keys, enforcing least privilege is virtually impossible. Especially in dynamic cloud environmentsOpens a new window where machine accounts are frequently created for multiple entities, many of which have a lifespan of only a few days or hours, resulting in limited visibility and control.
These difficulties were evident in the survey where “ensuring that users, applications, and services can access only the cloud data and cloud resources that are necessary for their legitimate purposes†was selected as the top cloud data protectionOpens a new window challenge among organizations of all sizes. Least privilege was mentioned as the main challenge to protecting sensitive data in banking and healthcare, two of the most regulated industries in relation to data protection and privacy.Opens a new window
Final Thoughts
As more workloads are running in IaaS and PaaS, and more sensitive data is located outside the corporate data center, least privilege capabilities are becoming critical. Given the scale and flexibility of IaaS and PaaS environments, organizations require an automated, centralized approach for managing least privilege that reduces their reliance on manual processes and compensates for the lack of adequate and qualified IT resources.
Fortunately, new technologies are emerging that can analyze access policies at scale across massive human and machine identity populations and continuously compare them against actual access patterns to identify anomalies, excessive permissions and risk, and adjust them accordingly.
Let us know if you liked this article on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!