
1/15/2013 03:33 AM

Cloud's Privileged Identity Gap Intensifies Insider Threats

Organizations need to rein in shared accounts and do a better job tracking user activity across cloud architectures

It has been an uphill slog for privileged identity management at most enterprises. And even for those with mature practices and tools in place to manage privileged accounts on premises, cloud infrastructure still stands as the last sheer cliff before reaching the top of that hill. According to identity experts, most enterprises today still experience a big gap in visibility and accountability when it comes to managing privileged accounts in the cloud -- a dangerous situation that poses all of the same kinds of insider risks associated with poor privileged account management under normal circumstances.

"Cloud services are not magical -- they're not run by Care Bears on Fantasy Island," says Jonathan Sander, director of IAM business development for Quest Software (now a part of Dell). "There are servers, there are databases, and there are all of the things that make up all the other parts of IT anywhere else. So, of course, there are privileged identities in them. So it begs the question: What do you do to manage that?"

In fact, privileged identity management may matter even more in cloud infrastructure than on premises. A virtualized environment adds management layers above the individual servers and consolidates administrative accounts, so a single compromised privileged account reaches much further, explains Patrick McBride, vice president of marketing for Xceedium.


"When you think about the cloud, you have similar infrastructure that you have to protect, but you have this mother of all super user accounts -- the console account, a new tool that allows you to do more than just steal or break a single computer or a single server," he says. "You can take down the whole farm pretty quickly or grab the whole farm and run with it pretty quickly."

A recent survey conducted among 400 IT and business managers in the U.S. and U.K. highlighted how little control many organizations have over privileged accounts in the cloud. Released by SailPoint, the survey showed that approximately one-third of organizations reported that they wouldn't be able to put together a complete record of user access privileges in the cloud within a day. And two in three reported that they weren't very confident about their organizations' ability to prove controls around privileges in the cloud if put to an audit.

That is worrying, given that the same survey found one in three business-critical applications depend on cloud infrastructure. It is a recipe for insider abuse and misuse, and public clouds add a new category of "insider" to the equation: cloud provider employees, who potentially have access not only to customer data but also to the controls of the infrastructure that houses it.

"Any insider is a threat in direct proportion to the amount of rights that they have," Sander says.

If not properly governed, cloud privileged accounts pose risks to operational reliability as well as to security. Take Netflix's Christmas outage, for instance: an embarrassing gaffe caused not by an attacker but by an Amazon administrator's error on the underlying cloud infrastructure that runs Netflix's on-demand video service.

Part of the reason so many organizations have difficulty tracking insider activity is the prevalent use of shared accounts, a problem endemic to public and private cloud setups alike.

"A lot of people tend to think privileged identity management is just for root, just for administrator accounts," Sander says. "But you have to recognize that any time you have a shared account of any kind, it needs to be approached as a privileged identity management situation."

Sander and McBride agree that organizations must be more vigilant about assigning privileges in such a way that every action traces back to an individual and can be reported clearly to risk managers and auditors alike.

"We have many employees, as well as vendors, accessing the same platform. Having accountability on the SLA to know who did what and when is becoming an operational issue as much as a compliance and regulatory issue," McBride says.

However, many cloud providers today are still hesitant to offer that kind of reporting, for several reasons. Instituting the best practices and technology needed to prove chain of custody eats into a "lean" provider's margins, Sander says. And unless they approach it carefully, providers may worry that the transparency involved gives away some of their competitive differentiation in architectural design, he continues.

But he does believe that organizations hoping to take "baby steps" toward the big problem of bridging the cloud privileged identity management gap need to hold their cloud providers' feet to the fire.

"You need to look them in the eye and say, 'What do you do for privileged identity management? What can you tell me about that?'" Sander says.

Comments
ANON1233933295565, User Rank: Apprentice
1/16/2013 | 10:22:06 PM
re: Cloud's Privileged Identity Gap Intensifies Insider Threats
It's a good question, Tim. Too often organizations feel that the administrative shared accounts are self-managed via a mirage of trust. It's like the old Ronald Reagan philosophy, "trust but verify".

It starts with discovery. What shared accounts exist? Then, what individuals have access to them? If you can't assign unique accounts, then leverage the vaulting capability of privileged access management products. This requires individuals to check these shared account privileges in and out, and changes the credentials when done. Now you have a clear audit trail of who used what. But real-time monitoring becomes a requirement. Knowing what they did is as important as knowing who is doing it.

I believe identity and access intelligence plays a key role here. This enables organizations to get real-time notification when a risk is identified. Risky applications with risky access privileges with suspect usage require immediate notification to the right people, with immediate remediation.

It's a key problem and requires preventative controls, detective controls, and real-time monitoring.

- Kurt Johnson, Courion Corporation
@kurtvj216:twitter
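The article's call for privileges that trace back to an individual (the Sander and McBride paragraphs above) and the discovery, check-out/check-in and rotation procedure described in the comment above, as an added example in Python. This is illustration only, not code from the article, from the commenter, or from any vendor's PAM product. The vault API, the account names and the audit-log format (epoch seconds, shared account, action) are constructed for the example, as is the assumption that the cloud platform's log records only the shared account name, so that attribution has to come from the vault's check-out ledger.

```python
"""Shared-account vault with check-out/check-in, rotation on return, and
attribution of shared-account audit events to individuals.

Added example for illustration only; not code from the article, the commenter,
or any vendor's PAM product. Account names and the audit-log format are
constructed, as is the assumption that the platform log records only the
shared account name.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Checkout:
    account: str
    user: str
    start: int                 # epoch seconds when the individual took the credential
    end: Optional[int] = None  # None while the credential is still checked out


class SharedAccountVault:
    """Holds the current secret for each known shared account and a ledger of
    who held it when. Every check-in rotates the secret, so the copy the
    individual received stops working the moment they return it."""

    def __init__(self, accounts: List[str]) -> None:
        # Discovery is the input here: the vault can only govern accounts it knows about.
        self._secrets: Dict[str, str] = {a: secrets.token_urlsafe(24) for a in accounts}
        self._active: Dict[str, Checkout] = {}
        self.ledger: List[Checkout] = []

    def checkout(self, account: str, user: str, now: int) -> str:
        """Hand `user` the current secret and record the check-out."""
        if account not in self._secrets:
            raise KeyError(f"unknown shared account {account!r}")
        if account in self._active:
            raise RuntimeError(
                f"{account} is already checked out by {self._active[account].user}")
        rec = Checkout(account, user, now)
        self._active[account] = rec
        self.ledger.append(rec)
        return self._secrets[account]

    def checkin(self, account: str, user: str, now: int) -> None:
        """Close the check-out and rotate the secret. A real PAM product would
        also push the new secret to the target system at this point."""
        rec = self._active.get(account)
        if rec is None or rec.user != user:
            raise RuntimeError(f"{account} is not checked out by {user}")
        rec.end = now
        del self._active[account]
        self._secrets[account] = secrets.token_urlsafe(24)

    def holder_at(self, account: str, ts: int) -> Optional[str]:
        """Who held `account` at time `ts`, or None if nobody had it checked out."""
        for rec in self.ledger:
            if rec.account == account and rec.start <= ts and (rec.end is None or ts <= rec.end):
                return rec.user
        return None


Finding = Tuple[int, str, str, Optional[str], str]  # ts, account, action, user, verdict


def attribute_log(vault: SharedAccountVault, log_lines: List[str],
                  break_glass: Tuple[str, ...] = ("console-root",)) -> List[Finding]:
    """Map each shared-account event to the individual who held the credential.

    Events on a break-glass account (the provider console's super user) are
    always alerted. Events with no covering check-out are the ones the article
    warns about: activity that nobody can be held accountable for.
    """
    findings: List[Finding] = []
    for line in log_lines:
        ts_s, account, action = line.split(" ", 2)
        ts = int(ts_s)
        user = vault.holder_at(account, ts)
        if account in break_glass:
            verdict = "ALERT break-glass account used"
        elif user is None:
            verdict = "ALERT no check-out covers this event"
        else:
            verdict = "ok"
        findings.append((ts, account, action, user, verdict))
    return findings


# Constructed audit log: epoch seconds, shared account, action.
SAMPLE_LOG = [
    "1000 db-admin ALTER USER app SET PASSWORD",
    "1800 db-admin DROP TABLE sessions",
    "2500 db-admin SELECT * FROM customers",
    "3600 db-admin CREATE INDEX ix_sessions ON sessions (id)",
    "4000 console-root ec2:TerminateInstances i-0000",
]


def demo() -> List[Finding]:
    vault = SharedAccountVault(["db-admin", "console-root"])
    vault.checkout("db-admin", "alice", now=900)
    vault.checkin("db-admin", "alice", now=2000)   # secret rotated here
    vault.checkout("db-admin", "bob", now=3000)    # still open
    return attribute_log(vault, SAMPLE_LOG)


if __name__ == "__main__":
    for ts, account, action, user, verdict in demo():
        print(f"{ts:>5} {account:<13} {user or '-':<6} {verdict:<38} {action}")
```

Running the module prints one line per event. The two ALERT lines are the cases an auditor cannot close: the 2500 event, which falls between alice's check-in and bob's check-out and so belongs to nobody, and the use of the console super-user account, which is alerted regardless of who holds it. The check-out ledger is also the "who did what and when" record McBride describes; the rotation on check-in is what keeps a returned credential from being reused off the books.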
DarkReadingTim, User Rank: Strategist
1/15/2013 | 7:48:57 PM
re: Cloud's Privileged Identity Gap Intensifies Insider Threats
What's the best way to provision privileged users in the cloud? How can you be sure you won't get too many users with an overabundance of privileges?
--Tim Wilson, editor, Dark Reading
solcates, User Rank: Author
1/15/2013 | 6:37:47 PM
re: Cloud's Privileged Identity Gap Intensifies Insider Threats
As Jonathan Sander rightly points out, the age-old problem of "controlling the privileged user" is compounded once you start to adopt a cloud model.

Adding controls like encryption is common to remove the provider from the data. However, one of the problems security professionals find is that the one holding the keys is often the provider themselves. Note that encryption does nothing to protect the data from a privileged user inside the instance itself. However, the combination of file-level encryption and database activity monitoring is typically an enterprise best practice to protect databases, and file-level encryption in general protects data and can control privileged users. File-level encryption also should be driven by access controls that are outside of "root's" control, to remove the keys to the data kingdom.