
Cloud
2/8/2021 10:00 AM
Raj Mallempati, COO, CloudKnox
Sponsored Article

Manage the Cloud Permissions Gap to Achieve Zero Trust

The Cloud Permissions Gap exposes organizations to highly exploitable risk, combined with the inability to implement and manage Zero-Trust policies.

In 2020, when organizations were prioritizing digital transformation so they could pivot to remote work on an unprecedented scale, Gartner added a new category to its 2020 Hype Cycle for Identity and Access Management Technologies called Cloud Infrastructure Entitlement Management (CIEM).

CIEM? Looks a lot like SIEM.

CIEM may look like and even sound like SIEM (security information and event management), but the two security solutions are not the same.

While cloud-native SIEM vendors may offer some overlapping capabilities for cloud-first and hybrid environments, none of them can extend their platform to manage and enforce entitlements and permissions for multi-cloud and hybrid cloud enterprises. That management and enforcement of entitlements and permissions is a core competency of a comprehensive CIEM platform, and it is what enables organizations to design and implement zero-trust architectures in multi-cloud and hybrid cloud environments.

As multi-cloud adoption continues to increase across the industry, the movement of workloads to such environments requires in-depth visibility and analysis of cloud infrastructure accounts, permissions, entitlements and activity, and granular controls.

Why is CIEM vital for organizations? The Cloud Permissions Gap.

A new attack surface has emerged in response to mass digital transformation: the Cloud Permissions Gap.

CloudKnox threat research has found that more than 95% of privileged identities (both human and machine) within organizations' cloud infrastructures use less than 2% of the permissions granted to them. This delta is known as the Cloud Permissions Gap, and it is a contributing factor to the rise of both accidental and malicious insider threats affecting enterprises of all sizes, because an attacker who compromises an identity with misconfigured permissions inherits its access across the organization's critical cloud infrastructure.

Specific risks and challenges associated with the Cloud Permissions Gap include:

Inactive identities and super identities. Every company has at least a few inactive identities—former employees, testing, POCs, etc.—just hanging out there. Even more dire, there are other identities known as "break-glass accounts" or super identities that are floating around with unlimited permissions and unrestricted access to all cloud resources across the organization.

Over-permissioned active identities. Continuously tracking and monitoring the proliferation of new services, roles and permissions in the cloud is almost impossible to do manually.

Cross-account access. Organizations leverage cross-account roles to allow identities to access different environments—development, test, production, etc.—and to allow third-party entities to access their accounts. This is both convenient and a potential vulnerability for the organization. The inherent danger arises when an identity and access management (IAM) role in these instances is over-provisioned. Since these roles grant permissions across an entire account, the misconfigured permissions tied to the role can cause significant—and costly—ripple effects.

Anomalous behavior among machine identities. Machine or non-human identities consist of scripts, bots, access keys and others, and they typically perform the same repetitive actions. If a machine identity executes an action it has never performed on a resource that it has never accessed, chances are someone is misusing the credentials.

The Cloud Permissions Gap exposes organizations to highly exploitable risk combined with the inability to implement and manage zero-trust policies. This is why enterprises adopting cloud-first strategies must leverage a multi-cloud entitlements and permissions management platform that provides comprehensive visibility, automated remediation, continuous monitoring and compliance.

How to close the Cloud Permissions Gap with CIEM

CIEM is the next generation of solutions for managing access and enforcing least privilege and zero-trust access in the cloud. With the benefit of a SaaS offering that deploys in minutes with full up-and-running capabilities in 24 hours or less, here are three ways CIEM can help organizations secure their cloud infrastructure right now:

  1. Leverage activity-based authorization to right-size permissions of identities.
    To accomplish this, the organization empowered by a CIEM solution would remove or scope down permissions for over-privileged users, service accounts and groups automatically. Then it would enable high-risk permissions on demand with controlled timed access using an integrated approval workflow, restricting broad access to critical cloud infrastructure resources.
  2. Identify, improve and monitor Identity and Access Management (IAM) hygiene continuously.
    A CIEM solution allows the organization to migrate from static, assumption-based permission grant processes to continuous, activity-based permissions management processes—helping the organization to monitor, get alerts, and remediate anomalous identity behavior, unauthorized identities and roles.
  3. Implement automated, continuous compliance and reporting.
    To remain compliant and secure, it is essential that organizations restrict access to virtual machines. CIEM can help by automatically removing inbound Secure Shell (SSH) and Remote Desktop Protocol (RDP) access from security groups. Organizations leveraging CIEM can also adopt best practices, such as enabling multi-factor authentication (MFA) for all identities with console access; rotating credentials and managing keys regularly; and automating custom risk reports across all accounts using NIST 800-53, CIS Benchmarks and AWS Well-Architected reporting to drive compliance.
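As an added example (not CloudKnox's product code), the following Python measures the permissions gap described above from constructed, CloudTrail-style activity records, derives a right-sized policy from observed activity (the activity-based authorization of step 1, in the AWS IAM JSON shape), and flags the machine-identity anomaly pattern named earlier: an action never performed on a resource never accessed. Identities, actions, ARNs and the account ID are all constructed sample values.

```python
"""Added example (not CloudKnox's code): measure the permissions gap and flag
anomalous machine-identity activity from constructed, CloudTrail-style events."""
from collections import defaultdict

# Constructed sample: actions granted to each identity by its IAM policies.
GRANTED = {
    "role/ci-deploy": {"s3:PutObject", "s3:GetObject", "s3:ListBucket",
                       "ec2:RunInstances", "ec2:TerminateInstances",
                       "iam:CreateUser", "iam:AttachUserPolicy", "kms:Decrypt"},
    "user/alice": {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances",
                   "iam:PassRole", "lambda:InvokeFunction"},
}

# Constructed sample: 90 days of observed activity as (identity, action, resource).
BASELINE = [
    ("role/ci-deploy", "s3:PutObject", "arn:aws:s3:::builds/app.zip"),
    ("role/ci-deploy", "s3:GetObject", "arn:aws:s3:::builds/app.zip"),
    ("user/alice", "ec2:DescribeInstances", "*"),
    ("user/alice", "s3:GetObject", "arn:aws:s3:::reports/q1.csv"),
]

def permissions_gap(granted, events):
    """Return {identity: (used, unused)}; 'unused' is that identity's gap."""
    used = defaultdict(set)
    for identity, action, _ in events:
        used[identity].add(action)
    return {i: (used[i] & g, g - used[i]) for i, g in granted.items()}

def right_sized_policy(identity, events):
    """Activity-based authorization: one Allow statement per exercised action,
    scoped to the resources the identity actually touched (AWS IAM JSON shape)."""
    stmts = defaultdict(set)
    for i, action, resource in events:
        if i == identity:
            stmts[action].add(resource)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": a, "Resource": sorted(r)}
                          for a, r in sorted(stmts.items())]}

def anomalous(baseline, new_events):
    """Flag events where an identity performs an action it has never performed
    on a resource it has never accessed (the machine-identity pattern above)."""
    seen_actions, seen_resources = defaultdict(set), defaultdict(set)
    for identity, action, resource in baseline:
        seen_actions[identity].add(action)
        seen_resources[identity].add(resource)
    return [e for e in new_events
            if e[1] not in seen_actions[e[0]] and e[2] not in seen_resources[e[0]]]
```

Six of the eight actions granted to the constructed CI role are never used, which is the gap a CIEM platform would surface; the right-sized policy keeps only the two S3 actions on the one object the role actually touched.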

The Cloud Permissions Gap across an organization's cloud infrastructure is becoming exponentially more dangerous as bad actors exploit those identities to exfiltrate sensitive information through a growing set of attack vectors. By instituting best practices for cloud permissions and entitlements management and leveraging automated technologies that reinforce those best practices—like CIEM—organizations will be better positioned to protect critical cloud infrastructure resources and identities in their hybrid and multi-cloud environments.

Organizations continuing to prioritize digital transformation and cloud-first strategies are not complete without a robust, scalable CIEM platform, especially as they strive to implement a zero-trust architecture.

To learn more, please check out the following resources:


About the Author:

Raj Mallempati, CloudKnox COO: Raj Mallempati recently joined CloudKnox Security as Chief Operating Officer, where he is responsible for CloudKnox's overall business and go-to-market strategies. Prior to joining CloudKnox, Raj was most recently the SVP of Marketing at Malwarebytes. Raj has also held positions as the VP of Global Marketing at MobileIron, VP of Product Marketing at Riverbed Technology, and was the Director of Marketing and Business Strategy at VMware. He holds an MBA from The Wharton School, University of Pennsylvania, MS, Computer Science from the University of Texas, and a B.Tech from Indian Institute of Technology, Madras.
