Cloud's Privileged Identity Gap Intensifies Insider Threats

Organizations need to rein in shared accounts and do a better job tracking user activity across cloud architectures

It has been an uphill slog for privileged identity management at most enterprises. And even for those with mature practices and tools in place to manage privileged accounts on premises, cloud infrastructure still stands as the last sheer cliff before reaching the top of that hill. According to identity experts, most enterprises today still experience a big gap in visibility and accountability when it comes to managing privileged accounts in the cloud -- a dangerous situation that poses all of the same kinds of insider risks associated with poor privileged account management under normal circumstances.

"Cloud services are not magical -- they're not run by Care Bears on Fantasy Island," says Jonathan Sander, director of IAM business development for Quest Software (now a part of Dell). "There are servers, there are databases, and there are all of the things that make up all the other parts of IT anywhere else. So, of course, there are privileged identities in them. So it begs the question: What do you do to manage that?"

In fact, the question of privileged identity management may be even more important in cloud infrastructure. In any virtualized environment, the extra layers of abstraction and the consolidation of accounts magnify the damage if a privileged account is compromised, explains Patrick McBride, vice president of marketing for Xceedium.


"When you think about the cloud, you have similar infrastructure that you have to protect, but you have this mother of all super user accounts -- the console account, a new tool that allows you to do more than just steal or break a single computer or a single server," he says. "You can take down the whole farm pretty quickly or grab the whole farm and run with it pretty quickly."

A recent survey conducted among 400 IT and business managers in the U.S. and U.K. highlighted how little control many organizations have over privileged accounts in the cloud. Released by SailPoint, the survey showed that approximately one-third of organizations reported that they wouldn't be able to put together a complete record of user access privileges in the cloud within a day. And two in three reported that they weren't very confident about their organizations' ability to prove controls around privileges in the cloud if put to an audit.

Scary, considering the same survey showed that one in three business critical applications depend on cloud infrastructure. It's a recipe for insider abuse and misuse that's further exacerbated by the fact that in the case of public clouds, there's a new category of "insiders" added to the equation. Cloud service employees potentially have access to not only client company data, but also the controls of how the infrastructure that houses that data works.

"Any insider is a threat in direct proportion to the amount of rights that they have," Sander says.

If not properly governed, cloud privileged accounts not only pose security risks but also risks to operational reliability. Take the Christmas outage of Netflix, for instance, an embarrassing gaffe caused by an Amazon administrator in charge of underlying cloud infrastructure that runs Netflix's on-demand video service.

And part of the reason why so many organizations have such difficulty keeping track of insider activity is the prevalent use of shared accounts, a problem endemic to both public and private cloud set-ups.

"A lot of people tend to think privileged identity management is just for root, just for administrator accounts," Sander says. "But you have to recognize that any time you have a shared account of any kind, it needs to be approached as a privileged identity management situation."

Both Sander and McBride agree that organizations must be more vigilant about finding ways to assign users privileges in such a way that their activity can be tracked individually and reported clearly for risk managers and auditors alike.

"We have many employees, as well as vendors, accessing the same platform. Having accountability on the SLA to know who did what and when is becoming an operational issue as much as a compliance and regulatory issue," McBride says.

However, many cloud providers today are still hesitant to offer that kind of reporting for a number of reasons -- for example, instituting the best practices and technology necessary to prove chain of custody eats into a "lean" cloud provider's margins, Sander says. And if they don't employ the right approach, they may worry that transparency with customers would give away some of their competitive differentiation around architectural design, he continues.

But he does believe that organizations hoping to take "baby steps" toward the big problem of bridging the cloud privileged identity management gap need to hold their cloud providers' feet to the fire.

"You need to look them in the eye and say, 'What do you do for privileged identity management? What can you tell me about that?'" Sander says.

User Rank: Apprentice
1/16/2013 | 10:22:06 PM
re: Cloud's Privileged Identity Gap Intensifies Insider Threats
It's a good question, Tim. Too often organizations feel that the administrative shared accounts are self-managed via a mirage of trust. It's like the old Ronald Reagan philosophy, "trust but verify."

It starts with discovery. What shared accounts exist? Then, what individuals have access to them? If you can't assign unique accounts, then leverage the vaulting capability of privileged access management products. This requires individuals to check these shared account privileges in and out, and changes the credentials when done. Now you have a clear audit trail of who used what. But real-time monitoring becomes a requirement. Knowing what they did is as important as knowing who is doing it.

I believe identity and access intelligence plays a key role here. This enables organizations to get real-time notification when a risk is identified. Risky applications with risky access privileges with suspect usage require immediate notification to the right people, with immediate remediation.

It's a key problem and requires preventative controls, detective controls, and real-time monitoring.

- Kurt Johnson, Courion Corporation
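The discovery, vaulting, check-in/check-out, credential rotation and monitoring steps described in the comment above, together with the article's point that shared-account activity has to be attributable to an individual, as an added Python example. This is not code from the article, the commenter or any vendor product: the `SharedAccountVault` class, the `host=... user=... event=login` log format and the sample log entries are all constructed for illustration. The reconciliation step shows the detective side: a login to a vaulted shared account that no one had checked out is exactly the event that should page someone.

```python
"""Constructed example: a shared-account vault with an audit trail, plus a
reconciliation check that attributes shared-account logins to individuals."""
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class CheckoutRecord:
    account: str
    user: str
    reason: str
    checked_out: datetime
    checked_in: Optional[datetime] = None


class SharedAccountVault:
    """Hypothetical vault: one active holder per shared account, rotation on check-in."""

    def __init__(self):
        self._entitled = {}    # account -> set of individuals allowed to check it out
        self._credential = {}  # account -> current credential (only released via checkout)
        self._active = {}      # account -> open CheckoutRecord
        self.audit = []        # every check-out ever made, in order

    def register(self, account, entitled_users):
        # Discovery step: each shared account and the individuals mapped to it.
        self._entitled[account] = set(entitled_users)
        self._credential[account] = secrets.token_urlsafe(24)

    def is_shared(self, account):
        return account in self._entitled

    def checkout(self, account, user, reason, now):
        if not self.is_shared(account):
            raise KeyError(f"unknown shared account: {account}")
        if user not in self._entitled[account]:
            raise PermissionError(f"{user} is not entitled to {account}")
        held = self._active.get(account)
        if held is not None:
            raise RuntimeError(f"{account} already checked out by {held.user}")
        rec = CheckoutRecord(account, user, reason, now)
        self._active[account] = rec
        self.audit.append(rec)
        return self._credential[account]

    def checkin(self, account, user, now):
        rec = self._active.get(account)
        if rec is None or rec.user != user:
            raise RuntimeError(f"{user} does not hold {account}")
        rec.checked_in = now
        del self._active[account]
        # Rotate so the credential the user saw is useless after check-in.
        self._credential[account] = secrets.token_urlsafe(24)
        return rec

    def holder_at(self, account, when):
        """Who held the shared account at a given instant, per the audit trail."""
        for rec in self.audit:
            if rec.account != account or when < rec.checked_out:
                continue
            if rec.checked_in is None or when <= rec.checked_in:
                return rec.user
        return None


# Constructed log format; a real deployment would parse its own auth logs.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=login src=(?P<src>\S+)$"
)


def reconcile(vault, log_lines):
    """Attribute each shared-account login to an individual; flag those with no check-out."""
    attributed, unattributed = [], []
    for line in log_lines:
        m = LOGIN_RE.match(line)
        if not m or not vault.is_shared(m["user"]):
            continue  # malformed line, or a personal (non-shared) account
        when = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        holder = vault.holder_at(m["user"], when)
        if holder is None:
            unattributed.append((m["ts"], m["host"], m["user"], m["src"]))
        else:
            attributed.append((m["ts"], m["host"], m["user"], holder))
    return attributed, unattributed


def utc(iso):
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def demo():
    vault = SharedAccountVault()
    vault.register("dbadmin", ["alice", "bob"])
    vault.checkout("dbadmin", "alice", "INC-1234 index rebuild", utc("2013-01-15T10:00:00"))
    vault.checkin("dbadmin", "alice", utc("2013-01-15T10:30:00"))
    logs = [  # constructed sample lines, not from any real system
        "2013-01-15T10:02:11Z host=db01 user=dbadmin event=login src=10.0.0.5",
        "2013-01-15T10:05:40Z host=db01 user=alice event=login src=10.0.0.5",
        "2013-01-15T11:15:09Z host=db01 user=dbadmin event=login src=10.0.0.77",
    ]
    return reconcile(vault, logs)


if __name__ == "__main__":
    ok, alerts = demo()
    print("attributed:", ok)
    print("ALERT, login without check-out:", alerts)
```

The second `dbadmin` login falls outside any check-out window, so it cannot be tied to a person and surfaces as an alert; that is the case the vault alone does not catch, which is why the comment calls monitoring a requirement rather than an option.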
User Rank: Strategist
1/15/2013 | 7:48:57 PM
re: Cloud's Privileged Identity Gap Intensifies Insider Threats
What's the best way to provision privileged users in the cloud? How can you be sure you won't get too many users with an overabundance of privileges?
--Tim Wilson, editor, Dark Reading
User Rank: Author
1/15/2013 | 6:37:47 PM
re: Cloud's Privileged Identity Gap Intensifies Insider Threats
As Jonathan Sander rightly points out, the age-old problem of "controlling the privileged user" is compounded once you start to adopt a cloud model.

Adding controls like encryption is common to remove the provider from the data. However, one of the problems security professionals find is that the one holding the keys is often the provider themselves. Note that encryption does nothing to protect the data from a privileged user inside the instance itself. However, the combination of file-level encryption and database activity monitoring is typically an enterprise best practice to protect databases, and file-level encryption in general protects data and can control privileged users. File-level encryption also should be driven by access controls that are outside of "root's" control, to remove the keys to the data kingdom.