Saryu Nayyar
The Blind Spot Between The Cloud & The Data Center

Ask most enterprise security analysts responsible for detection and response about their visibility into identity access risks and you're likely to get some confused looks. Here's why.

Account compromise and misuse have emerged as the root cause of most of today’s data breaches. Using basic phishing and social engineering techniques, attackers can easily acquire the credentials they need to hijack identities and walk undetected through the digital front door of a victim organization. To make matters worse, hybrid environments that span both on-premises and cloud apps create a significant blind spot that makes it even more difficult to detect account compromise threats.

One reason is that "identity" is a plane with two sides. One side is loaded with access risks created by legacy identity management rules and processes. The other side is a threat plane open to compromise, data exfiltration, and malicious insiders.

Access risks result from excess accounts, excess privileges, proliferation of groups and roles, orphan accounts, dormant accounts, and shared high-privilege accounts. Their sheer numbers make them virtually impossible to manage with manual processes and legacy identity management rules. Providing access for a revolving population of employees, contractors, partners, and even customers only makes matters worse.

Identity-based threats including malicious insiders, account compromise or hijacking, access abuse, cyber fraud, and data exfiltration are difficult to detect with declarative defenses, human analysis, or traditional software. Time-to-infection is often measured in minutes, while dwell time (before detection) can be weeks or months.

Needed: A Holistic Approach

Since both sides of the identity plane are linked, a holistic approach is required to eliminate the security blind spot between cloud and on-premises infrastructures. For example, it’s necessary to identify and eliminate excess access risks to reduce the identity attack surface area open to phishing and social attacks. Meanwhile, monitoring access and activity associated with legitimate identities will expose compromise and unknown threats.

However, ask most enterprise security analysts responsible for detection and response about their visibility into identity access risks and you are likely to get some confused looks. Identity access is often managed in a different part of the organization than security operations. 

Let’s consider some examples to illustrate the scope of these challenges.

We’ll start with the access side of the identity plane. Let’s say a manager has 100 employees reporting to them. To keep things simple, we will assume each employee has 10 user accounts and each account has 10 privileges, which equals 10,000 entitlements. These could be on-premises and/or cloud accounts -- and likely are. Every 90 days, for compliance purposes, the manager must review these entitlements, approve those that are necessary for each employee to perform their job functions, and revoke the rest. Meanwhile, some managers may have high-privilege accounts shared using a simple password.

On the threat side of the identity plane, IT security teams must monitor access and activity associated with “legitimate” accounts (both on-premises and cloud) for signs of anomalous behavior by insiders or account hijacking by external attackers. This is difficult to accomplish, since most of this activity looks “normal” at first blush. 

User Accounts: The New Security Perimeter

In addition to these challenges, cloud and mobility continue to erode any last remnants of a traditional security perimeter. This leaves enterprises with a borderless environment to defend where identity provides the keys to the kingdom. 

So how can enterprises eliminate this blind spot? While log event managers or SIEM products can monitor on-premises activity, they have very limited visibility into cloud apps. This functionality is provided by another solution, cloud access security brokers (or CASB). It’s important to note that an API-based CASB can provide visibility into enterprise-sanctioned cloud apps accessed via mobile devices without compromising ease of access for users. However, private or consumer data-sharing apps will require a forward or reverse proxy to detect this type of shadow IT activity.

Addressing the cloud and data center security gap requires a mix of data sources. On-premises and cloud app access and activity data can be gathered with log event management or SIEM plus CASB API or proxy solutions. Meanwhile, identity, account, and privilege data can be extracted from identity access management platforms and directories.
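The two sides of the identity plane described above (access risks such as orphan, dormant, and shared privileged accounts, and threats visible only when on-premises and cloud activity are examined together) can be illustrated with a small correlation script. The following is an added example written for this article; it is not Gurucul's code or any product's API. The field names (`uid`, `owner_uid`, `last_login`, `src`, `country`) and the three feeds (an on-premises directory export, a CASB API account list, and a merged SIEM/CASB login stream) are hypothetical, and all records are constructed sample data.

```python
from datetime import date, datetime, timedelta

# Constructed sample data. Field names are hypothetical stand-ins for what an
# HR/on-premises directory export and a CASB API account feed would carry.
ON_PREM_USERS = [
    {"uid": "alice", "status": "active", "last_login": "2016-06-20"},
    {"uid": "bob", "status": "active", "last_login": "2016-02-01"},
    {"uid": "carol", "status": "terminated", "last_login": "2016-05-30"},
]
CLOUD_ACCOUNTS = [
    {"account": "alice@example.com", "owner_uid": "alice",
     "privileges": ["read"], "last_login": "2016-06-25", "shared": False},
    {"account": "carol@example.com", "owner_uid": "carol",
     "privileges": ["admin"], "last_login": "2016-06-27", "shared": False},
    {"account": "svc-billing@example.com", "owner_uid": None,
     "privileges": ["admin", "export"], "last_login": "2016-06-28", "shared": True},
    {"account": "dave@example.com", "owner_uid": "dave",
     "privileges": ["read"], "last_login": "2016-06-28", "shared": False},
]
# Merged login stream: "siem" rows come from on-premises logs, "casb" rows
# from the cloud app, normalised to one shape so they can be judged together.
LOGIN_EVENTS = [
    {"src": "siem", "uid": "alice", "ts": "2016-06-28T09:05:00", "country": "US"},
    {"src": "casb", "uid": "alice", "ts": "2016-06-28T09:40:00", "country": "US"},
    {"src": "casb", "uid": "alice", "ts": "2016-06-28T10:10:00", "country": "RO"},
    {"src": "siem", "uid": "bob", "ts": "2016-06-28T23:30:00", "country": "US"},
]
# Per-user baseline of countries seen in an earlier learning window (constructed).
BASELINE = {"alice": {"US"}, "bob": {"US"}}


def find_access_risks(on_prem, cloud, today, dormant_days=90):
    """Access side: join the cloud account list against the on-premises
    identity of record and report the access-risk categories the article names."""
    known = {u["uid"] for u in on_prem}
    active = {u["uid"] for u in on_prem if u["status"] == "active"}
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for u in on_prem:
        if u["uid"] in active and date.fromisoformat(u["last_login"]) < cutoff:
            findings.append(("dormant", u["uid"]))
    for a in cloud:
        owner = a["owner_uid"]
        if owner is None or owner not in known:
            # No identity of record behind the account: an orphan.
            findings.append(("orphan", a["account"]))
        elif owner not in active:
            # Owner left the organisation but the cloud account still exists.
            findings.append(("terminated_owner", a["account"]))
        if a["shared"] and "admin" in a["privileges"]:
            findings.append(("shared_privileged", a["account"]))
        if date.fromisoformat(a["last_login"]) < cutoff:
            findings.append(("dormant", a["account"]))
    return sorted(findings)


def entitlement_count(cloud):
    """Number of account/privilege pairs a reviewer would have to certify."""
    return sum(len(a["privileges"]) for a in cloud)


def flag_anomalous_logins(events, baseline, work_hours=(7, 19)):
    """Threat side: apply the same simple behavioural checks to on-premises and
    cloud logins alike, so a cloud login from a new country is not missed just
    because it never reached the SIEM."""
    start, end = work_hours
    flags = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["country"] not in baseline.get(e["uid"], set()):
            flags.append(("new_country", e["uid"], e["src"], e["ts"]))
        if not (start <= ts.hour < end):
            flags.append(("off_hours", e["uid"], e["src"], e["ts"]))
    return flags


if __name__ == "__main__":
    for f in find_access_risks(ON_PREM_USERS, CLOUD_ACCOUNTS, date(2016, 6, 28)):
        print("access risk:", f)
    print("entitlements to review:", entitlement_count(CLOUD_ACCOUNTS))
    for f in flag_anomalous_logins(LOGIN_EVENTS, BASELINE):
        print("anomaly:", f)
```

The join on `owner_uid` is the step that needs both data sources: the CASB feed alone cannot tell that carol's account belongs to a terminated employee, and the directory alone does not know the cloud account exists. Likewise the `new_country` flag on alice fires only on the `casb` row, which an on-premises-only SIEM would never see.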

Since the volume of access and activity outputs generated by employees, partners, and customers is beyond large and growing, a big data infrastructure is required to harness it. Making sense of these huge data volumes and analyzing the context to identify excess access risks and behavior anomalies is a data science challenge that the industry is addressing with machine learning.

Solving it is imperative to address the blind spots created between cloud and on-premises apps, now that user accounts have become the new security perimeter in a borderless environment.

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ...

7/19/2016 | 3:49:47 PM
Identity management in hybrid environments
Enterprises are not moving away from on-premises, but they are adopting more and more cloud applications. This means that identity management platforms need to embrace both on-prem and cloud applications. Managing the two separately can only add complexity and waste scarce IT resources. As hybrid environments become larger and more widespread, enterprises will have to turn towards solutions that manage centrally any access to any systems (on-prem, cloud or even mainframe) and data (structured, in applications and systems, or unstructured, in files and emails).
6/28/2016 | 3:54:56 PM
Holistic Approach
Saryu, you raise some good points with regard to the number of technologies that will be required to address the blind spot between the cloud and data centers. The combination of on-premise and multi-cloud applications is disrupting the traditional security models, whereby identity and intent are shaping the latest security solutions.