Dark Reading

Shai Morag

Why Cloud Security Risks Have Shifted to Identities and Entitlements

Traditional security tools focus on the network perimeter, leaving user and service accounts vulnerable to hackers.

Identities have become the primary attack surface in the cloud. However, they remain largely unprotected because traditional security tools were designed to protect the network perimeter, not user and service accounts.

Gartner predicts that by 2023, 75% of cloud security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020. There are several factors driving these cloud security deficiencies.

A common one is granting identities more entitlements than their work requires. Every unnecessary permission is a path an attacker can take once that identity's credentials are stolen or its workload is compromised; across an account this adds up to dozens, even hundreds, of weaknesses to exploit.

Tracking cloud-access entitlements is so manually intensive and time-consuming that many organizations just hope for the best. This is easy to understand, given that native cloud platform tools fail to provide adequate visibility or context into entitlements and activity.

Meanwhile, most identity and access management (IAM) tools, such as identity governance and administration (IGA) and privileged access management (PAM), were designed around on-premises infrastructure. Applied to the cloud, they lack the granular, resource-level visibility needed to identify or remediate access risks and excessive permissions.

As a result, many organizations fall back on cloud security tools that offer only limited coverage of entitlements, such as cloud security posture management (CSPM), cloud access security brokers (CASB), and cloud workload protection platforms (CWPP). These are typically too broad, too shallow, or too specialized to deliver the insight needed to understand access risk across all identities.

Three Steps to Securing Identities in the Cloud
Securing cloud infrastructure calls for a unified, deep view into all identities to understand the full stack of access entitlements and privileges and their associated risks.

The first step is to discover all identities, human and machine, that have access to resources as well as their entitlements. This visibility can expose excessive or unused permissions, misconfigurations, Internet exposure, and other entitlement or account anomalies.

This includes the ability to identify privileged identities by type, including user, service, third-party applications, and federated identities from external identity providers. It also involves assessing their permissions and risk factors such as their capability to manage permissions, leak data, modify infrastructure, escalate privilege, and/or carry out reconnaissance. Having this visibility makes it possible to eliminate excessive entitlements on an ongoing basis and reduce the risk of compromise by an external or internal malicious actor.

The next step is to assess the entitlements of specific entities such as IAM roles and groups to determine whether the assigned access and permissions are justified or should be reduced. This must go beyond summary information for an entity and include a detailed map of all of its effective permissions, including those inherited through group membership, attached managed policies, and assumable roles.

A reverse view is also needed to identify resources that are sensitive (data, compute, security, or management) and to understand which users and roles can reach them. This should combine access entitlements with network configuration to obtain a reliable measure of risk and its sources. For example, a database that appears exposed based on entitlements alone may be shielded by a network configuration that substantially reduces the risk, provided the identities that can reach the database cannot also change that network configuration themselves.

The last step is to monitor activity logs of identities and the resources they interact with to gain a broader view into the public cloud environment. This provides insights into how entitlements are being used and clues for investigating suspicious access and incidents.
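The three steps above, worked through as one added example over a constructed AWS-style inventory. This is not code from the article, from Ermetic, or from any cloud provider: the identities, resources, log events, and the mapping of IAM actions to the article's risk factors are all assumptions chosen to illustrate the method. It discovers the risk factors each identity's entitlements confer, builds the reverse view with network context (including the caveat that an identity able to open a security group is not mitigated by a private network), and uses activity logs both to right-size wildcard grants and to surface repeated AccessDenied probing.

```python
"""Toy CIEM-style review of cloud entitlements over a constructed inventory.

Added example, not code from the article, Ermetic, or any cloud provider.
Every identity, resource and log event is made up, and the action patterns
under each risk factor are an illustrative subset, not a full taxonomy.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Step 1: identities of every type, with the actions their policies grant
# ("*" uses IAM wildcard semantics). Constructed data.
IDENTITIES = {
    "user/alice":       {"type": "user",        "actions": ["s3:GetObject", "s3:ListBucket"]},
    "role/ci-deploy":   {"type": "service",     "actions": ["iam:*", "ec2:*", "s3:*", "rds-db:connect"]},
    "role/reporting":   {"type": "service",     "actions": ["rds-db:connect", "rds:DescribeDBInstances"]},
    "role/vendor-saas": {"type": "third_party", "actions": ["s3:GetObject", "iam:ListUsers"]},
    "role/okta-admin":  {"type": "federated",   "actions": ["iam:AttachUserPolicy", "iam:CreateAccessKey"]},
}

# The risk factors the article names, keyed to representative IAM actions (assumed subset).
RISK_PATTERNS = {
    "manage_permissions":    ["iam:Attach*", "iam:Put*Policy", "iam:CreatePolicyVersion"],
    "escalate_privilege":    ["iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy", "iam:PassRole"],
    "leak_data":             ["s3:GetObject", "rds-db:connect", "secretsmanager:GetSecretValue"],
    "modify_infrastructure": ["ec2:Run*", "ec2:AuthorizeSecurityGroupIngress", "rds:ModifyDBInstance"],
    "reconnaissance":        ["iam:List*", "iam:Get*", "ec2:Describe*", "rds:Describe*"],
}
# Actions that let an identity open a network path to a resource by itself.
NETWORK_CHANGE = ["ec2:AuthorizeSecurityGroupIngress", "rds:ModifyDBInstance"]


def allows(granted, action):
    """True if any granted pattern overlaps `action`; both sides may carry '*'."""
    a = action.lower()
    return any(fnmatchcase(a, g.lower()) or fnmatchcase(g.lower(), a) for g in granted)


def risk_factors(name):
    """Step 2: which of the risk factors an identity's entitlements give it."""
    granted = IDENTITIES[name]["actions"]
    return {cat for cat, pats in RISK_PATTERNS.items() if any(allows(granted, p) for p in pats)}


# Step 3: sensitive resources, the action that reads them, and whether the
# network path to them is open. Constructed data.
RESOURCES = {
    "rds/customer-db":    {"read_action": "rds-db:connect", "internet_reachable": False},
    "s3/finance-reports": {"read_action": "s3:GetObject",   "internet_reachable": True},
}


def who_can_access(resource):
    """Reverse view: identity -> True when the network does NOT mitigate its
    access (resource reachable, or the identity can open the path itself)."""
    spec = RESOURCES[resource]
    view = {}
    for name, ident in IDENTITIES.items():
        if allows(ident["actions"], spec["read_action"]):
            can_open = any(allows(ident["actions"], a) for a in NETWORK_CHANGE)
            view[name] = spec["internet_reachable"] or can_open
    return view


# Step 4: CloudTrail-style events from the review window. Constructed data.
EVENTS = [
    {"principal": "role/ci-deploy",   "action": "ec2:RunInstances",  "error": None},
    {"principal": "role/ci-deploy",   "action": "s3:PutObject",      "error": None},
    {"principal": "role/ci-deploy",   "action": "iam:PassRole",      "error": None},
    {"principal": "user/alice",       "action": "s3:GetObject",      "error": None},
    {"principal": "role/vendor-saas", "action": "iam:ListUsers",     "error": None},
    {"principal": "role/vendor-saas", "action": "iam:ListRoles",     "error": "AccessDenied"},
    {"principal": "role/vendor-saas", "action": "secretsmanager:ListSecrets", "error": "AccessDenied"},
]


def rightsize(name):
    """Grants never exercised in the window, plus, for wildcard grants, the
    concrete actions actually used (a least-privilege replacement)."""
    used = {e["action"] for e in EVENTS if e["principal"] == name and e["error"] is None}
    unused, narrowed = [], {}
    for g in IDENTITIES[name]["actions"]:
        hits = sorted(a for a in used if fnmatchcase(a.lower(), g.lower()))
        if not hits:
            unused.append(g)
        elif "*" in g:
            narrowed[g] = hits
    return unused, narrowed


def denied_probes(threshold=2):
    """Identities with repeated AccessDenied results: a lead for investigating reconnaissance."""
    counts = defaultdict(int)
    for e in EVENTS:
        if e["error"] == "AccessDenied":
            counts[e["principal"]] += 1
    return {p: n for p, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for name in IDENTITIES:
        print(name, sorted(risk_factors(name)), rightsize(name))
    for res in RESOURCES:
        print(res, who_can_access(res))
    print("denied probes:", denied_probes())
```

Two limits of the toy are worth keeping in mind when reading its output. Real IAM evaluation also involves explicit Deny statements, resource ARNs, condition keys, permission boundaries, service control policies, resource-based policies and role trust policies; this example compares only Allow action patterns, so a real tool must resolve effective permissions, not just attached ones. And right-sizing from logs only names actions seen in the review window, so the window must be long enough to cover infrequent jobs (quarterly reports, disaster-recovery drills) before an unused grant is removed.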

A New Breed of Tools
Traditional cloud security tools such as CASB, CSPM, and CWPP weren't designed to provide these capabilities or to address what Gartner calls Cloud Infrastructure Entitlement Management (CIEM) and Forrester dubs Cloud Infrastructure Governance (CIG). What's needed are cloud-native capabilities that discover all identities and their effective permissions, right-size them, and enforce least privilege on an ongoing basis.

Shai Morag is CEO of cloud identity and access security provider Ermetic. Previously, he was co-founder and CEO of Secdo, an incident response platform vendor acquired by Palo Alto Networks, and CEO of Integrity-Project, a software outsourcing company acquired ...

Comment (User Rank: Apprentice), 3/19/2021 | 2:51:40 PM
awesome article
Hi Shai,

This is an awesome article. As a co-founder of a cloud security company myself, I totally concur with the notion that Identity is one of the most important attributes to manage and protect in the perimeter-less world of public clouds. We hear this from our customers too, who have indicated that Identity is one of the new perimeters.

Thanks for writing this article.
