Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud

2/8/2021 10:00 AM
Raj Mallempati, COO, CloudKnox
Sponsored Article

Manage the Cloud Permissions Gap to Achieve Zero Trust

The Cloud Permissions Gap exposes organizations to highly exploitable risk, combined with the inability to implement and manage Zero-Trust policies.

In 2020, when organizations were prioritizing digital transformation so they could pivot to remote work on an unprecedented scale, Gartner added a new category to its 2020 Hype Cycle for Identity and Access Management Technologies called Cloud Infrastructure Entitlement Management (CIEM).

CIEM? Looks a lot like SIEM.

CIEM may look like and even sound like SIEM (security information and event management), but the two security solutions are not the same.

While cloud-native SIEM vendors may offer some overlapping capabilities for cloud-first and hybrid environments, none of them can extend their platforms to manage and enforce entitlements and permissions for multi-cloud and hybrid cloud enterprises. That management and enforcement of entitlements and permissions is a core competency of a comprehensive CIEM platform, and it is what enables organizations to design and implement zero-trust architectures in multi-cloud and hybrid cloud environments.

As multi-cloud adoption continues to increase across the industry, the movement of workloads to such environments requires in-depth visibility and analysis of cloud infrastructure accounts, permissions, entitlements and activity, and granular controls.

Why is CIEM vital for organizations? The Cloud Permissions Gap.

A new attack surface has emerged in response to mass digital transformation: the Cloud Permissions Gap.

CloudKnox threat research has uncovered that more than 95% of privileged identities (both human and machine) within organizations' cloud infrastructures are using less than 2% of their permissions granted. This delta is known as the Cloud Permissions Gap, and it is a contributing factor to the rise of both accidental and malicious insider threats impacting enterprises of all sizes, as attackers are able to exploit an identity with misconfigured permissions and access across the organization's critical cloud infrastructure.

Specific risks and challenges associated with the Cloud Permissions Gap include:

Inactive identities and super identities. Every company has at least a few inactive identities—former employees, testing, POCs, etc.—just hanging out there. Even more dire, there are other identities known as "break-glass accounts" or super identities that are floating around with unlimited permissions and unrestricted access to all cloud resources across the organization.

Over-permissioned active identities. Continuously tracking and monitoring the proliferation of new services, roles and permissions in the cloud is almost impossible to do manually.

Cross-account access. Organizations leverage cross-account roles to allow identities to access different environments—development, test, production, etc.—and to allow third-party entities to access their accounts. This is both convenient and a potential vulnerability for the organization. The inherent danger is when an identity and access management (IAM) role in these instances is over-provisioned. Since these roles grant permissions to an entire account, the misconfigured permissions tied to the role can cause significant—and costly—ripple effects.

Anomalous behavior among machine identities. Machine or non-human identities consist of scripts, bots, access keys and others, and they typically perform the same repetitive actions. If a machine identity executes an action it has never performed on a resource that it has never accessed, chances are someone is misusing the credentials.
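As an added example (not CloudKnox's code and not part of the original article), the following Python computes the signals described above from a constructed permissions inventory and activity log: the permissions gap per identity, inactive identities and wildcard "super" identities, and a machine identity executing an action it has never performed on a resource it has never accessed. Every identity, ARN and account id is made up, and the reference date is assumed to be the article's publication date.

```python
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2021, 2, 8)  # constructed reference date


def days_ago(n):
    return TODAY - timedelta(days=n)


# Constructed inventory: actions granted to each identity, written in the
# "service:Action" style of cloud IAM policies. "*" is a wildcard grant.
GRANTED = {
    "alice": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "ec2:StartInstances",
              "ec2:TerminateInstances", "iam:CreateUser", "iam:AttachUserPolicy"},
    "build-bot": {"s3:GetObject", "s3:PutObject", "ecr:GetAuthorizationToken",
                  "ecr:PutImage", "ec2:TerminateInstances"},
    "old-contractor": {"s3:GetObject", "iam:PassRole"},
    "break-glass": {"*"},
}
MACHINE_IDENTITIES = {"build-bot"}

# Constructed activity log: (identity, action, resource, day). build-bot runs the
# same CI job every day for 40 days, then suddenly terminates a production instance.
REPO = "arn:aws:ecr:us-east-1:000000000000:repository/app"  # placeholder account id
ACTIVITY = [
    ("alice", "s3:GetObject", "arn:aws:s3:::reports/q4.csv", days_ago(3)),
    ("alice", "s3:PutObject", "arn:aws:s3:::reports/q4.csv", days_ago(2)),
    ("old-contractor", "s3:GetObject", "arn:aws:s3:::reports/q1.csv", days_ago(200)),
    ("build-bot", "ec2:TerminateInstances",
     "arn:aws:ec2:us-east-1:000000000000:instance/i-0prodweb01", days_ago(0)),
]
for n in range(1, 41):
    ACTIVITY += [
        ("build-bot", "ecr:GetAuthorizationToken", "*", days_ago(n)),
        ("build-bot", "ecr:PutImage", REPO, days_ago(n)),
        ("build-bot", "s3:GetObject", "arn:aws:s3:::artifacts/app.tar", days_ago(n)),
    ]


def super_identities(granted):
    """Identities holding a wildcard grant (the article's break-glass / super identities)."""
    return sorted(i for i, perms in granted.items() if "*" in perms)


def used_actions(activity, window_days):
    """Distinct actions each identity actually performed inside the window."""
    cutoff = days_ago(window_days)
    used = defaultdict(set)
    for ident, action, _resource, day in activity:
        if day >= cutoff:
            used[ident].add(action)
    return used


def permissions_gap(granted, activity, window_days=90):
    """Per identity: (granted, used, fraction_used), plus an 'all' row.
    Wildcard grants are left out because their grant count is unbounded."""
    used = used_actions(activity, window_days)
    report, total_g, total_u = {}, 0, 0
    for ident, perms in granted.items():
        if "*" in perms:
            continue
        u = len(used.get(ident, set()) & perms)
        report[ident] = (len(perms), u, u / len(perms))
        total_g += len(perms)
        total_u += u
    report["all"] = (total_g, total_u, total_u / total_g if total_g else 0.0)
    return report


def inactive_identities(granted, activity, window_days=90):
    """Identities with no recorded activity inside the window."""
    cutoff = days_ago(window_days)
    active = {ident for ident, _a, _r, day in activity if day >= cutoff}
    return sorted(i for i in granted if i not in active)


def anomalous_machine_actions(activity, machine_ids, recent_days=7):
    """Flag a machine identity's recent event when both the action and the resource
    are absent from the profile built from that identity's older events."""
    cutoff = days_ago(recent_days)
    seen_actions, seen_resources = defaultdict(set), defaultdict(set)
    for ident, action, resource, day in activity:
        if ident in machine_ids and day < cutoff:
            seen_actions[ident].add(action)
            seen_resources[ident].add(resource)
    flagged = []
    for ident, action, resource, day in sorted(activity, key=lambda e: e[3]):
        if ident not in machine_ids or day < cutoff or ident not in seen_actions:
            continue
        if action not in seen_actions[ident] and resource not in seen_resources[ident]:
            flagged.append((ident, action, resource, day))
    return flagged


if __name__ == "__main__":
    print("super identities:", super_identities(GRANTED))
    print("inactive identities:", inactive_identities(GRANTED, ACTIVITY))
    for ident, (g, u, frac) in permissions_gap(GRANTED, ACTIVITY).items():
        print(f"{ident:15s} granted={g:3d} used={u:3d} fraction_used={frac:.2f}")
    for event in anomalous_machine_actions(ACTIVITY, MACHINE_IDENTITIES):
        print("ANOMALY:", event)
```

In practice the inventory would be pulled from the cloud provider's IAM API and the activity log from its audit trail (CloudTrail on AWS); counting distinct actions is the simplest reading of the article's "less than 2% of their permissions granted" figure, and a real tool would also weight actions by risk.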

The Cloud Permissions Gap exposes organizations to highly exploitable risk combined with the inability to implement and manage zero-trust policies. This is why enterprises adopting cloud-first strategies must leverage a multi-cloud entitlements and permissions management platform that provides comprehensive visibility, automated remediation, continuous monitoring and compliance.

How to close the Cloud Permissions Gap with CIEM

CIEM is the next generation of solutions for managing access and enforcing least privilege and zero-trust access in the cloud. With the benefit of a SaaS offering that deploys in minutes with full up-and-running capabilities in 24 hours or less, here are three ways CIEM can help organizations secure their cloud infrastructure right now:

  1. Leverage activity-based authorization to right-size permissions of identities.
    To accomplish this, the organization empowered by a CIEM solution would remove or scope down permissions for over-privileged users, service accounts and groups automatically. Then it would enable high-risk permissions on demand with controlled timed access using an integrated approval workflow, restricting broad access to critical cloud infrastructure resources.
  2. Identify, improve and monitor Identity and Access Management (IAM) hygiene continuously.
    A CIEM solution allows the organization to migrate from static, assumption-based permission grant processes to continuous, activity-based permissions management processes—helping the organization to monitor, get alerts, and remediate anomalous identity behavior, unauthorized identities and roles.
  3. Implement automated, continuous compliance and reporting.
    To remain compliant and secure, it is essential that organizations restrict access to virtual machines. CIEM can help by automatically removing inbound Secure Shell (SSH) and Remote Desktop Protocol (RDP) access in security groups. Organizations leveraging CIEM can also adopt best practices, such as enabling multi-factor authentication (MFA) for all identities with console access; rotating credentials and managing keys regularly; and automating custom risk reports across all accounts using NIST 800-53, CIS Benchmarks and AWS Well-Architected reporting to drive compliance.
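Here is what the three steps look like in code, as an added Python example that is neither part of the article nor CloudKnox's product: it right-sizes one identity's standing permissions from 90 days of observed activity (step 1), models an approved, time-boxed grant for a high-risk action, strips security-group ingress rules that expose SSH or RDP to the whole internet (step 3), and lists console identities lacking MFA. The permission sets, security groups and users are constructed, and the "high risk" action set is an assumption.

```python
from datetime import datetime, timedelta

# Constructed inputs for one identity: what it holds, what it actually used in
# the last 90 days, and an assumed list of actions treated as high risk.
GRANTED = {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:CreateUser",
           "ec2:TerminateInstances", "ec2:DescribeInstances"}
USED_LAST_90_DAYS = {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances",
                     "ec2:TerminateInstances"}
HIGH_RISK = {"s3:DeleteBucket", "iam:CreateUser", "ec2:TerminateInstances",
             "iam:AttachUserPolicy"}


def right_size(granted, used, high_risk):
    """Step 1: routinely used low-risk actions stay as standing permissions, used
    high-risk actions become on-demand, and unused actions are removed."""
    standing = (granted & used) - high_risk
    on_demand = granted & used & high_risk
    removed = granted - used
    return {"standing": sorted(standing), "on_demand": sorted(on_demand),
            "removed": sorted(removed)}


def approve_timed_grant(identity, action, approver, requested_at, ttl_hours=2):
    """Approval-workflow record for an on-demand action with an expiry time."""
    return {"identity": identity, "action": action, "approver": approver,
            "expires_at": requested_at + timedelta(hours=ttl_hours)}


def is_authorized(grant, action, now):
    """The grant authorizes exactly one action and only until it expires."""
    return grant["action"] == action and now < grant["expires_at"]


# Step 3: security-group audit. Constructed groups; port ranges are inclusive.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
SECURITY_GROUPS = [
    {"id": "sg-web", "ingress": [
        {"port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"},
        {"port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-admin", "ingress": [
        {"port_from": 3389, "port_to": 3389, "cidr": "10.0.0.0/8"},
        {"port_from": 0, "port_to": 65535, "cidr": "::/0"}]},
]


def open_remote_admin_rules(group):
    """Ingress rules that let the whole internet reach an SSH or RDP port."""
    return [r for r in group["ingress"]
            if r["cidr"] in OPEN_CIDRS
            and any(r["port_from"] <= p <= r["port_to"] for p in REMOTE_ADMIN_PORTS)]


def remediate_security_groups(groups):
    """Return (remediated copy, findings); the offending rules are dropped."""
    fixed, findings = [], []
    for g in groups:
        bad = open_remote_admin_rules(g)
        findings += [(g["id"], r) for r in bad]
        fixed.append({"id": g["id"],
                      "ingress": [r for r in g["ingress"] if r not in bad]})
    return fixed, findings


# MFA hygiene check over a constructed user list.
USERS = [{"name": "alice", "console": True, "mfa": True},
         {"name": "bob", "console": True, "mfa": False},
         {"name": "deploy-svc", "console": False, "mfa": False}]


def console_users_without_mfa(users):
    return sorted(u["name"] for u in users if u["console"] and not u["mfa"])


if __name__ == "__main__":
    print(right_size(GRANTED, USED_LAST_90_DAYS, HIGH_RISK))
    grant = approve_timed_grant("alice", "ec2:TerminateInstances", "secops",
                                datetime(2021, 2, 8, 10, 0))
    print("authorized at 11:00:",
          is_authorized(grant, "ec2:TerminateInstances", datetime(2021, 2, 8, 11, 0)))
    fixed, findings = remediate_security_groups(SECURITY_GROUPS)
    print("findings:", findings)
    print("remediated:", fixed)
    print("console users without MFA:", console_users_without_mfa(USERS))
```

The right-sizing rule errs on the side of removal: an action that was never exercised in the window disappears even if it is low risk, which is the behaviour the article describes when it talks about scoping down over-privileged identities and re-enabling high-risk permissions only through an approval workflow.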

The Cloud Permissions Gap across an organization's cloud infrastructure is getting exponentially more dangerous as bad actors exploit those identities to exfiltrate sensitive information through a growing set of attack vectors. By instituting best practices for cloud permissions and entitlements management and leveraging automated technologies that reinforce those best practices—like CIEM—organizations will be better positioned to protect critical cloud infrastructure resources and identities in their hybrid and multi-cloud environments.

Organizations continuing to prioritize digital transformation and cloud-first strategies are not complete without a robust, scalable CIEM platform, especially as they strive to implement a zero-trust architecture.

To learn more, please check out the following resources:


About the Author:

Raj Mallempati, CloudKnox COO: Raj Mallempati recently joined CloudKnox Security as Chief Operating Officer, where he is responsible for CloudKnox's overall business and go-to-market strategies. Prior to joining CloudKnox, Raj was most recently the SVP of Marketing at Malwarebytes. Raj has also held positions as the VP of Global Marketing at MobileIron, VP of Product Marketing at Riverbed Technology, and was the Director of Marketing and Business Strategy at VMware. He holds an MBA from The Wharton School, University of Pennsylvania, MS, Computer Science from the University of Texas, and a B.Tech from Indian Institute of Technology, Madras.
