Vulnerabilities / Threats
03:33 AM

Cloud's Privileged Identity Gap Intensifies Insider Threats

Organizations need to rein in shared accounts and do a better job tracking user activity across cloud architectures

It has been an uphill slog for privileged identity management at most enterprises. And even for those with mature practices and tools in place to manage privileged accounts on premises, cloud infrastructure still stands as the last sheer cliff before reaching the top of that hill. According to identity experts, most enterprises today still experience a big gap in visibility and accountability when it comes to managing privileged accounts in the cloud -- a dangerous situation that poses all of the same kinds of insider risks associated with poor privileged account management under normal circumstances.

"Cloud services are not magical -- they're not run by Care Bears on Fantasy Island," says Jonathan Sander, director of IAM business development for Quest Software (now a part of Dell). "There are servers, there are databases, and there are all of the things that make up all the other parts of IT anywhere else. So, of course, there are privileged identities in them. So it begs the question: What do you do to manage that?"

In fact, the question of privileged identity management may be more important in cloud infrastructure situations. In any virtualized environment, adding more layers and a consolidation of accounts magnify problems if privileged accounts are compromised, explains Patrick McBride, vice president of marketing for Xceedium.

[Are you making a big IAM mistake? See 7 Costly IAM Mistakes.]

"When you think about the cloud, you have similar infrastructure that you have to protect, but you have this mother of all super user accounts -- the console account, a new tool that allows you to do more than just steal or break a single computer or a single server," he says. "You can take down the whole farm pretty quickly or grab the whole farm and run with it pretty quickly."

A recent survey conducted among 400 IT and business managers in the U.S. and U.K. highlighted how little control many organizations have over privileged accounts in the cloud. Released by SailPoint, the survey showed that approximately one-third of organizations reported that they wouldn't be able to put together a complete record of user access privileges in the cloud within a day. And two in three reported that they weren't very confident about their organizations' ability to prove controls around privileges in the cloud if put to an audit.

Scary, considering the same survey showed that one in three business critical applications depend on cloud infrastructure. It's a recipe for insider abuse and misuse that's further exacerbated by the fact that in the case of public clouds, there's a new category of "insiders" added to the equation. Cloud service employees potentially have access to not only client company data, but also the controls of how the infrastructure that houses that data works.

"Any insider is a threat in direct proportion to the amount of rights that they have," Sander says.

If not properly governed, cloud privileged accounts not only pose security risks but also risks to operational reliability. Take the Christmas outage of Netflix, for instance, an embarrassing gaffe caused by an Amazon administrator in charge of underlying cloud infrastructure that runs Netflix's on-demand video service.

And part of the reason why so many organizations have such difficulty keeping track of insider activity is the prevalent use of shared accounts, a problem endemic to both public and private cloud set-ups.

"A lot of people tend to think privileged identity management is just for root, just for administrator accounts," Sander says. "But you have to recognize that any time you have a shared account of any kind, it needs to be approached as a privileged identity management situation."

Both Sander and McBride agree that organizations must be more vigilant about finding ways to assign users privileges in such a way that their activity can be tracked individually and reported clearly for risk managers and auditors alike.

"We have many employees, as well as vendors, accessing the same platform. Having accountability on the SLA to know who did what and when is becoming an operational issue as much as a compliance and regulatory issue," McBride says.

However, many cloud providers today are still hesitant to offer that kind of reporting due to a number of reasons -- for example, instituting the best practices and technology necessary to prove chain of custody eats into a "lean" cloud provider's margins, Sander says. And if they don't employ the right approach, they may worry about giving away some of their competitive differentiation around architectural design through transparency with customers, he continues.

But he does believe that organizations hoping to take "baby steps" toward the big problem of bridging the cloud privileged identity management gap need to hold their cloud providers' feet to the fire.

"You need to look them in the eye and say, 'What do you do for privileged identity management? What can you tell me about that?'" Sander says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/16/2013 | 10:22:06 PM
re: Cloud's Privileged Identity Gap Intensifies Insider Threats
It's a good question Tim.- Too often organizations feel that the administrative shared accounts are self-managed via a mirage of trust.- It's like the old Ronald Reagan philosophy, "trust but verify".-

It starts with discovery.- What shared accounts exist?- Then, what individuals have access to them?- If you can't assign unique accounts, then leverage vaulting capability of privileged access management products.- This-requires individuals check these shared account priviliges in, and out, and changes the credentials when done.- Now you have a clear audit trail of who used what.- But, realtime monitoring becomes a requirement.- Knowing what they did is as important as knowing who is doing it.

I believe identity and access intelligence plays a key role here.- This enables organizations to get real time notification when a risk is identified.- Risky applications with risky access privileges with suspect usage require immediate notification to the right people, with immediate remediation.

It's a key problem and requires preventative controls, detective controls, and realtime monitoring.

- Kurt Johnson, Courion Corporation
User Rank: Strategist
1/15/2013 | 7:48:57 PM
re: Cloud's Privileged Identity Gap Intensifies Insider Threats
What's the best way to provision privileged users in the cloud? How can you be sure you won't get too many users with an overabundance of privileges?
--Tim Wilson, editor, Dark Reading
User Rank: Author
1/15/2013 | 6:37:47 PM
re: Cloud's Privileged Identity Gap Intensifies Insider Threats
As Jonathan Sanders rightly points out, the age old problem of Gǣcontrolling the privileged userGǥ is compounded once you start to adopt a cloud model.

Adding controls like encryption are common to remove the provider from data.- However, one of the problems security professionals find is the one holding the keys, is often the provider themselves. Note that encryption does nothing to protect the data from a privileged user inside the instance itself.- -However, the combination of file-level encryption and database activity monitoring are typically enterprise best practices to protect databases, and file-level encryption in general protects data and can control privileged users.- File-Level encryption also should be driven by access controls that are outside of GǣrootGsGǥ control, to remove the keys to the data kingdom.
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.