It has been an uphill slog for privileged identity management at most enterprises. And even for those with mature practices and tools in place to manage privileged accounts on premises, cloud infrastructure still stands as the last sheer cliff before reaching the top of that hill. According to identity experts, most enterprises today still experience a big gap in visibility and accountability when it comes to managing privileged accounts in the cloud -- a dangerous situation that poses all of the same kinds of insider risks associated with poor privileged account management under normal circumstances.
"Cloud services are not magical -- they're not run by Care Bears on Fantasy Island," says Jonathan Sander, director of IAM business development for Quest Software (now a part of Dell). "There are servers, there are databases, and there are all of the things that make up all the other parts of IT anywhere else. So, of course, there are privileged identities in them. So it begs the question: What do you do to manage that?"
In fact, the question of privileged identity management may be more important in cloud infrastructure situations. In any virtualized environment, adding more layers and a consolidation of accounts magnify problems if privileged accounts are compromised, explains Patrick McBride, vice president of marketing for Xceedium.
[Are you making a big IAM mistake? See 7 Costly IAM Mistakes.]
"When you think about the cloud, you have similar infrastructure that you have to protect, but you have this mother of all super user accounts -- the console account, a new tool that allows you to do more than just steal or break a single computer or a single server," he says. "You can take down the whole farm pretty quickly or grab the whole farm and run with it pretty quickly."
A recent survey conducted among 400 IT and business managers in the U.S. and U.K. highlighted how little control many organizations have over privileged accounts in the cloud. Released by SailPoint, the survey showed that approximately one-third of organizations reported that they wouldn't be able to put together a complete record of user access privileges in the cloud within a day. And two in three reported that they weren't very confident about their organizations' ability to prove controls around privileges in the cloud if put to an audit.
Scary, considering the same survey showed that one in three business critical applications depend on cloud infrastructure. It's a recipe for insider abuse and misuse that's further exacerbated by the fact that in the case of public clouds, there's a new category of "insiders" added to the equation. Cloud service employees potentially have access to not only client company data, but also the controls of how the infrastructure that houses that data works.
"Any insider is a threat in direct proportion to the amount of rights that they have," Sander says.
If not properly governed, cloud privileged accounts not only pose security risks but also risks to operational reliability. Take the Christmas outage of Netflix, for instance, an embarrassing gaffe caused by an Amazon administrator in charge of underlying cloud infrastructure that runs Netflix's on-demand video service.
And part of the reason why so many organizations have such difficulty keeping track of insider activity is the prevalent use of shared accounts, a problem endemic to both public and private cloud set-ups.
"A lot of people tend to think privileged identity management is just for root, just for administrator accounts," Sander says. "But you have to recognize that any time you have a shared account of any kind, it needs to be approached as a privileged identity management situation."
Both Sander and McBride agree that organizations must be more vigilant about finding ways to assign users privileges in such a way that their activity can be tracked individually and reported clearly for risk managers and auditors alike.
"We have many employees, as well as vendors, accessing the same platform. Having accountability on the SLA to know who did what and when is becoming an operational issue as much as a compliance and regulatory issue," McBride says.
However, many cloud providers today are still hesitant to offer that kind of reporting due to a number of reasons -- for example, instituting the best practices and technology necessary to prove chain of custody eats into a "lean" cloud provider's margins, Sander says. And if they don't employ the right approach, they may worry about giving away some of their competitive differentiation around architectural design through transparency with customers, he continues.
But he does believe that organizations hoping to take "baby steps" toward the big problem of bridging the cloud privileged identity management gap need to hold their cloud providers' feet to the fire.
"You need to look them in the eye and say, 'What do you do for privileged identity management? What can you tell me about that?'" Sander says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.