Cloud's Privileged Identity Gap Intensifies Insider Threats

Organizations need to rein in shared accounts and do a better job tracking user activity across cloud architectures

It has been an uphill slog for privileged identity management at most enterprises. And even for those with mature practices and tools in place to manage privileged accounts on premises, cloud infrastructure still stands as the last sheer cliff before reaching the top of that hill. According to identity experts, most enterprises today still experience a big gap in visibility and accountability when it comes to managing privileged accounts in the cloud -- a dangerous situation that poses all of the same kinds of insider risks associated with poor privileged account management under normal circumstances.

"Cloud services are not magical -- they're not run by Care Bears on Fantasy Island," says Jonathan Sander, director of IAM business development for Quest Software (now a part of Dell). "There are servers, there are databases, and there are all of the things that make up all the other parts of IT anywhere else. So, of course, there are privileged identities in them. So it begs the question: What do you do to manage that?"

In fact, the question of privileged identity management may be even more important in cloud infrastructure. In any virtualized environment, adding more layers and consolidating accounts magnifies the damage if privileged accounts are compromised, explains Patrick McBride, vice president of marketing for Xceedium.

[Are you making a big IAM mistake? See 7 Costly IAM Mistakes.]

"When you think about the cloud, you have similar infrastructure that you have to protect, but you have this mother of all super user accounts -- the console account, a new tool that allows you to do more than just steal or break a single computer or a single server," he says. "You can take down the whole farm pretty quickly or grab the whole farm and run with it pretty quickly."

A recent survey conducted among 400 IT and business managers in the U.S. and U.K. highlighted how little control many organizations have over privileged accounts in the cloud. Released by SailPoint, the survey showed that approximately one-third of organizations reported that they wouldn't be able to put together a complete record of user access privileges in the cloud within a day. And two in three reported that they weren't very confident about their organizations' ability to prove controls around privileges in the cloud if put to an audit.

Scary, considering the same survey showed that one in three business critical applications depend on cloud infrastructure. It's a recipe for insider abuse and misuse that's further exacerbated by the fact that in the case of public clouds, there's a new category of "insiders" added to the equation. Cloud service employees potentially have access to not only client company data, but also the controls of how the infrastructure that houses that data works.

"Any insider is a threat in direct proportion to the amount of rights that they have," Sander says.

If not properly governed, cloud privileged accounts not only pose security risks but also risks to operational reliability. Take the Christmas outage of Netflix, for instance, an embarrassing gaffe caused by an Amazon administrator in charge of underlying cloud infrastructure that runs Netflix's on-demand video service.

And part of the reason why so many organizations have such difficulty keeping track of insider activity is the prevalent use of shared accounts, a problem endemic to both public and private cloud set-ups.

"A lot of people tend to think privileged identity management is just for root, just for administrator accounts," Sander says. "But you have to recognize that any time you have a shared account of any kind, it needs to be approached as a privileged identity management situation."

Both Sander and McBride agree that organizations must be more vigilant about finding ways to assign users privileges in such a way that their activity can be tracked individually and reported clearly for risk managers and auditors alike.

"We have many employees, as well as vendors, accessing the same platform. Having accountability on the SLA to know who did what and when is becoming an operational issue as much as a compliance and regulatory issue," McBride says.

However, many cloud providers today are still hesitant to offer that kind of reporting due to a number of reasons -- for example, instituting the best practices and technology necessary to prove chain of custody eats into a "lean" cloud provider's margins, Sander says. And if they don't employ the right approach, they may worry about giving away some of their competitive differentiation around architectural design through transparency with customers, he continues.

But he does believe that organizations hoping to take "baby steps" toward the big problem of bridging the cloud privileged identity management gap need to hold their cloud providers' feet to the fire.

"You need to look them in the eye and say, 'What do you do for privileged identity management? What can you tell me about that?'" Sander says.

User Rank: Author
1/15/2013 | 6:37:47 PM
re: Cloud's Privileged Identity Gap Intensifies Insider Threats
As Jonathan Sander rightly points out, the age old problem of "controlling the privileged user" is compounded once you start to adopt a cloud model.

Adding controls like encryption is common to remove the provider from data. However, one of the problems security professionals find is the one holding the keys is often the provider themselves. Note that encryption does nothing to protect the data from a privileged user inside the instance itself. However, the combination of file-level encryption and database activity monitoring are typically enterprise best practices to protect databases, and file-level encryption in general protects data and can control privileged users. File-level encryption also should be driven by access controls that are outside of "root's" control, to remove the keys to the data kingdom.
User Rank: Strategist
1/15/2013 | 7:48:57 PM
re: Cloud's Privileged Identity Gap Intensifies Insider Threats
What's the best way to provision privileged users in the cloud? How can you be sure you won't get too many users with an overabundance of privileges?
--Tim Wilson, editor, Dark Reading
User Rank: Apprentice
1/16/2013 | 10:22:06 PM
re: Cloud's Privileged Identity Gap Intensifies Insider Threats
It's a good question, Tim. Too often organizations feel that the administrative shared accounts are self-managed via a mirage of trust. It's like the old Ronald Reagan philosophy, "trust but verify".

It starts with discovery. What shared accounts exist? Then, what individuals have access to them? If you can't assign unique accounts, then leverage the vaulting capability of privileged access management products. This requires individuals to check these shared account privileges in and out, and changes the credentials when done. Now you have a clear audit trail of who used what. But realtime monitoring becomes a requirement. Knowing what they did is as important as knowing who is doing it.

I believe identity and access intelligence plays a key role here. This enables organizations to get real time notification when a risk is identified. Risky applications with risky access privileges with suspect usage require immediate notification to the right people, with immediate remediation.

It's a key problem and requires preventative controls, detective controls, and realtime monitoring.

- Kurt Johnson, Courion Corporation
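As an added illustration of the check-out/check-in vaulting Kurt Johnson describes above, and of the shared-account accountability problem Sander and McBride raise in the article, here is a small Python vault (example code, not from any product or company named on this page; the account name, user names and secret are constructed). Every use of the shared account is attributed to an individual, only entitled individuals may check it out, and the credential is rotated on check-in so a released secret cannot be reused.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class SharedAccount:
    name: str
    secret: str
    entitled: Set[str]                    # individuals allowed to use this shared account
    checked_out_by: Optional[str] = None  # holder of the current session, if any


@dataclass
class Vault:
    accounts: Dict[str, SharedAccount] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def _log(self, user: str, action: str, account: str) -> None:
        # Every event is attributed to an individual, never just to the shared account.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "user": user, "action": action, "account": account})

    def add_account(self, name: str, secret: str, entitled: Set[str]) -> None:
        self.accounts[name] = SharedAccount(name, secret, set(entitled))

    def checkout(self, user: str, name: str) -> str:
        acct = self.accounts[name]
        if user not in acct.entitled:  # discovery answered "who may use it"; enforce that
            self._log(user, "checkout_denied_not_entitled", name)
            raise PermissionError(f"{user} is not entitled to {name}")
        if acct.checked_out_by is not None:  # one holder at a time keeps the trail unambiguous
            self._log(user, "checkout_denied_in_use", name)
            raise PermissionError(f"{name} is held by {acct.checked_out_by}")
        acct.checked_out_by = user
        self._log(user, "checkout", name)
        return acct.secret

    def checkin(self, user: str, name: str) -> None:
        acct = self.accounts[name]
        if acct.checked_out_by != user:
            self._log(user, "checkin_denied", name)
            raise PermissionError("only the current holder may check in")
        acct.secret = secrets.token_urlsafe(24)  # rotate: the released credential no longer works
        acct.checked_out_by = None
        self._log(user, "checkin_rotated", name)

    def sessions(self, name: str) -> List[str]:
        # Who actually used the shared account, in order: the "who did what and when" record.
        return [e["user"] for e in self.audit
                if e["account"] == name and e["action"] == "checkout"]
```

The audit list is the piece a real deployment would ship to a SIEM for the realtime monitoring the comment calls for; here it stays in memory so the example runs offline.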