Identities have become the primary attack surface in the cloud. However, they remain largely unprotected because traditional security tools were designed to protect the network perimeter, not user and service accounts.

Gartner predicts that by 2023, 75% of cloud security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020. There are several factors driving these cloud security deficiencies.

A common one is dispensing too many or unnecessary entitlements. This practice provides hackers dozens, even hundreds of weaknesses to exploit.

Tracking cloud-access entitlements is so manually intensive and time-consuming that many organizations just hope for the best. This is easy to understand, given that native cloud platform tools fail to provide adequate visibility or context into entitlements and activity.

Meanwhile, most identity and access management (IAM) tools, such as identity governance and administration (IGA) and privileged access management (PAM), are typically limited by on-premises infrastructures. When transferred to the cloud, they lack the granular and resource-level visibility to identify or remediate access risks and excessive permissions.

As a result, many organizations resort to cloud security tools with limited capabilities over entitlements such as cloud security posture management (CSPM), cloud access security brokers (CASB), and cloud workload protection (CWPP). These are typically too broad, shallow, or specialized to deliver the insights needed to understand access risk across all identities.

Three Steps to Securing Identities in the Cloud
Securing cloud infrastructure calls for a unified, deep view into all identities to understand the full stack of access entitlements and privileges and their associated risks.

The first step is to discover all identities, human and machine, that have access to resources as well as their entitlements. This visibility can expose excessive or unused permissions, misconfigurations, Internet exposure, and other entitlement or account anomalies.

This includes the ability to identify privileged identities by type, including user, service, third-party applications, and federated identities from external identity providers. It also involves assessing their permissions and risk factors such as their capability to manage permissions, leak data, modify infrastructure, escalate privilege, and/or carry out reconnaissance. Having this visibility makes it possible to eliminate excessive entitlements on an ongoing basis and reduce the risk of compromise by an external or internal malicious actor.

The next step is to assess entitlements of specific entities such as IAM roles and groups to determine whether assigned access and permissions are justified or should be mitigated. This must go beyond general information for a specific entity and include a detailed map of all the entity's permissions.

A reverse view is also needed to identify resources — data, compute, security, or management — that are sensitive and to understand which users and roles can access them. This should include access entitlements and network configuration to attain a reliable measure of risk (and risk sources). For example, a database that may appear to be vulnerable based on certain entitlements might be protected by a network configuration that eliminates the risk.

The last step is to monitor activity logs of identities and the resources they interact with to gain a broader view into the public cloud environment. This provides insights into how entitlements are being used and clues for investigating suspicious access and incidents.

A New Breed of Tools
Traditional cloud security tools such as CASB, CSPM, and CWPP weren't designed to provide these capabilities or address what Gartner calls Cloud Infrastructure Entitlement Management (CIEM) and Forrester dubs Cloud Infrastructure Governance (CIG). What's needed are cloud-native capabilities to enforce the concept of least privilege.