Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Saryu Nayyar
Saryu Nayyar
Connect Directly
E-Mail vvv

The Blind Spot Between The Cloud & The Data Center

Ask most enterprise security analysts responsible for detection and response about their visibility into identity access risks and you're likely to get some confused looks. Here's why.

Account compromise and misuse have emerged as the root cause of most of today’s data breaches. Using basic phishing and social engineering techniques, attackers can easily acquire the credentials they need to hijack identities and walk undetected through the digital front door of a victim organization. To make matters worse, hybrid environments that span both on-premises and cloud apps create a significant blind spot that makes it even more difficult to detect account compromise threats.

One of the reasons for that is because "identity" is a plane with two sides. One side is loaded with access risks created by legacy identity management rules and processes. The other side is a threat plane open to compromise, data exfiltration, and malicious insiders.

Access risks result from excess accounts, privileges, group and role volume proliferation, orphan accounts, dormant accounts, and shared high privilege access accounts. Their sheer numbers make them virtually impossible to manage using manual processes and legacy identity management rules. Providing access for revolving employees, contractors, partners, and even customers, just makes matters worse.

Identity-based threats including malicious insiders, account compromise or hijacking, access abuse, cyber fraud, and data exfiltration are difficult to detect with declarative defenses, human analysis, or traditional software. Time-to-infection is often measured in minutes, while dwell time (before detection) can be weeks or months.

Needed: A Holistic Approach

Since both sides of the identity plane are linked, a holistic approach is required to eliminate the security blind spot between cloud and on-premises infrastructures. For example, it’s necessary to identify and eliminate excess access risks to reduce the identity attack surface area open to phishing and social attacks. Meanwhile, monitoring access and activity associated with legitimate identities will expose compromise and unknown threats.

However, ask most enterprise security analysts responsible for detection and response about their visibility into identity access risks and you are likely to get some confused looks. Identity access is often managed in a different part of the organization than security operations. 

Let’s consider some examples to illustrate the scope of these challenges.

We’ll start with the access side of the identity plane. Let’s say a manager has 100 employees reporting to them. To keep things simple, we will assume each employee has 10 user accounts and each account has 10 privileges, which equals 10,000 entitlements. These could be on-premise and/or cloud accounts -- and likely are. Every 90 days, for compliance purposes, the manager must review these entitlements, then approve or revoke those that are or aren’t necessary for each employee to perform their job functions. Meanwhile, some managers may have high privilege access accounts shared using a simple password.

On the threat side of the identity plane, IT security teams must monitor access and activity associated with “legitimate” accounts (both on-premises and cloud) for signs of anomalous behavior by insiders or account hijacking by external attackers. This is difficult to accomplish, since most of this activity looks “normal” at first blush. 

User Accounts: The New Security Perimeter

In addition to these challenges, cloud and mobility continue to erode any last remnants of a traditional security perimeter. This leaves enterprises with a borderless environment to defend where identity provides the keys to the kingdom. 

So how can enterprises eliminate this blind spot? While log event managers or SIEM products can monitor on-premises activity, they have very limited visibility into cloud apps. This functionality is provided by another solution, cloud access security brokers (or CASB). It’s important to note that an API-based CASB can provide visibility into enterprise-sanctioned cloud apps accessed via mobile devices without compromising ease of access for users. However, private or consumer data-sharing apps will require a forward or reverse proxy to detect this type of shadow IT activity.

Addressing the cloud and data center security gap requires a mix of data sources. Gathering on-premises and cloud app data access and activity can be achieved with log event management or SIEM plus CASB API or proxy solutions as data sources.  Meanwhile, identity, account and privilege data can be extracted from identity access management platforms and directories.

Since the volume of access and activity outputs generated by employees, partners, and customers is beyond large and growing, a big data infrastructure is required to harness it. Making sense of these huge data volumes and analyzing the context to identify excess access risks and behavior anomalies is a data science challenge that the industry is addressing with machine learning.

Solving it is imperative to address the blind spots created between cloud and on-premise apps, now that user accounts have become the new security perimeter in a borderless environment

Related Content:

Black Hat’s CISO Summit Aug 2 offers executive-level insights into technologies and issues security execs need to keep pace with the speed of business. Click to register.

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
6/28/2016 | 3:54:56 PM
Holistic Approach
Saryu, you raise some good points with regard to the number of technologies that will be required to address the blind spot between the cloud and data centers.  The combination of on-premise and multi-cloud applications are disrupting the traditional security models whereby identity and intent are shaping the latest security solutions.  
User Rank: Ninja
7/19/2016 | 3:49:47 PM
Identity management in hybrid environments
Entreprises are not moving away from on-premises, but they are adopting more and more cloud applications.  This means that identity management platforms need to embrace both on-prem and cloud applications.  Managing the two separately can only add complexity and waste scarce IT resources. As hybrid environments become larger and more widespread, enterprises will have to turn towards solutions that manage centrally any access to any systems - on-prem, cloud or even mainframe - and data - structured, in applications and systems or unstructured, in files and emails -.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-05
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipm...
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...
PUBLISHED: 2020-08-04
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.