Shai Morag
Why Cloud Security Risks Have Shifted to Identities and Entitlements

Traditional security tools focus on the network perimeter, leaving user and service accounts vulnerable to hackers.

Identities have become the primary attack surface in the cloud. However, they remain largely unprotected because traditional security tools were designed to protect the network perimeter, not user and service accounts.

Gartner predicts that by 2023, 75% of cloud security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020. There are several factors driving these cloud security deficiencies.

A common one is granting too many or unnecessary entitlements. This practice hands attackers dozens, even hundreds, of weaknesses to exploit.

Tracking cloud-access entitlements is so manually intensive and time-consuming that many organizations just hope for the best. This is easy to understand, given that native cloud platform tools fail to provide adequate visibility or context into entitlements and activity.


Meanwhile, most identity and access management (IAM) tools, such as identity governance and administration (IGA) and privileged access management (PAM), were built for on-premises infrastructure and are limited by it. When applied to the cloud, they lack the granular, resource-level visibility needed to identify or remediate access risks and excessive permissions.

As a result, many organizations fall back on cloud security tools that offer only limited control over entitlements, such as cloud security posture management (CSPM), cloud access security brokers (CASB), and cloud workload protection platforms (CWPP). These are typically too broad, too shallow, or too specialized to deliver the insight needed to understand access risk across all identities.

Three Steps to Securing Identities in the Cloud
Securing cloud infrastructure calls for a unified, deep view into all identities to understand the full stack of access entitlements and privileges and their associated risks.

The first step is to discover all identities, human and machine, that have access to resources as well as their entitlements. This visibility can expose excessive or unused permissions, misconfigurations, Internet exposure, and other entitlement or account anomalies.

This includes the ability to identify privileged identities by type, including user, service, third-party applications, and federated identities from external identity providers. It also involves assessing their permissions and risk factors such as their capability to manage permissions, leak data, modify infrastructure, escalate privilege, and/or carry out reconnaissance. Having this visibility makes it possible to eliminate excessive entitlements on an ongoing basis and reduce the risk of compromise by an external or internal malicious actor.

The next step is to assess entitlements of specific entities such as IAM roles and groups to determine whether assigned access and permissions are justified or should be mitigated. This must go beyond general information for a specific entity and include a detailed map of all the entity's permissions.

A reverse view is also needed to identify resources — data, compute, security, or management — that are sensitive and to understand which users and roles can access them. This should include access entitlements and network configuration to attain a reliable measure of risk (and risk sources). For example, a database that may appear to be vulnerable based on certain entitlements might be protected by a network configuration that eliminates the risk.

The last step is to monitor activity logs of identities and the resources they interact with to gain a broader view into the public cloud environment. This provides insights into how entitlements are being used and clues for investigating suspicious access and incidents.
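The toy analyzer below is an added illustration of the three steps (it is not code from the article or from Ermetic). It assumes AWS-style action and ARN wildcard patterns and a simplified mapping from representative actions to the risk factors named above; every identity, policy and log line in it is constructed sample data.

```python
"""Toy entitlement analysis: discover risk factors, reverse-map resources, find unused permissions.
All identities, policies and log lines are constructed sample data, not real accounts."""
import fnmatch

# Constructed identities with granted action patterns and resource ARN patterns (step 1).
IDENTITIES = {
    "user/alice": {"actions": ["s3:GetObject", "s3:ListBucket"],
                   "resources": ["arn:aws:s3:::payroll/*"]},
    "role/ci-deploy": {"actions": ["ec2:*", "iam:PassRole", "sts:AssumeRole"],
                       "resources": ["*"]},
    "user/svc-report": {"actions": ["iam:*", "s3:GetObject", "ec2:Describe*"],
                        "resources": ["*"]},
}

# Representative concrete actions per risk factor from the article (simplified assumption).
RISK_ACTIONS = {
    "manage_permissions": ["iam:PutRolePolicy", "iam:AttachUserPolicy"],
    "leak_data": ["s3:GetObject"],
    "modify_infrastructure": ["ec2:RunInstances", "ec2:TerminateInstances"],
    "escalate_privilege": ["sts:AssumeRole", "iam:PassRole"],
    "reconnaissance": ["ec2:DescribeInstances", "iam:ListUsers"],
}

# Constructed activity log, one "<timestamp> <identity> <action>" record per line (step 3 input).
ACTIVITY_LOG = """\
2021-03-19T09:12:01Z user/alice s3:GetObject
2021-03-19T09:15:44Z role/ci-deploy ec2:RunInstances
2021-03-19T09:20:10Z role/ci-deploy ec2:DescribeInstances
2021-03-19T10:02:33Z user/svc-report s3:GetObject
"""

def covers(patterns, value):
    """True if any wildcard pattern (e.g. 'ec2:*') matches the concrete action or ARN."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def risk_factors(identity):
    """Step 2: which risk factors an identity's entitlements enable."""
    granted = IDENTITIES[identity]["actions"]
    return sorted(f for f, acts in RISK_ACTIONS.items() if any(covers(granted, a) for a in acts))

def who_can(action, resource_arn):
    """Reverse view: identities whose entitlements allow `action` on `resource_arn`."""
    return sorted(name for name, ent in IDENTITIES.items()
                  if covers(ent["actions"], action) and covers(ent["resources"], resource_arn))

def unused_entitlements(identity):
    """Step 3: granted action patterns never exercised in the activity log (candidates to remove)."""
    records = [line.split() for line in ACTIVITY_LOG.splitlines() if line.strip()]
    seen = {action for _, who, action in records if who == identity}
    return sorted(p for p in IDENTITIES[identity]["actions"] if not covers([p], "") and
                  not any(fnmatch.fnmatchcase(a, p) for a in seen))
```

Network reachability, which the article notes can neutralize an entitlement-based finding, is deliberately left out of this toy; a real assessment would join these results against the resource's network configuration before scoring risk.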

A New Breed of Tools
Traditional cloud security tools such as CASB, CSPM, and CWPP weren't designed to provide these capabilities or address what Gartner calls Cloud Infrastructure Entitlement Management (CIEM) and Forrester dubs Cloud Infrastructure Governance (CIG). What's needed are cloud-native capabilities to enforce the concept of least privilege.

Shai Morag is CEO of cloud identity and access security provider Ermetic. Previously, he was co-founder and CEO of Secdo, an incident response platform vendor acquired by Palo Alto Networks, and CEO of Integrity-Project, a software outsourcing company acquired ...

3/19/2021 | 2:51:40 PM
awesome article
Hi Shai,

This is an awesome article. As a co-founder of a cloud security company myself, I totally concur with the notion that Identity is one of the most important attributes to manage and protect in the perimeter-less world of public clouds. We hear this from our customers too, who have indicated that Identity is one of the new perimeters.

Thanks for writing this article.
