A new report has warned of a ‘dubious’ gap for permissions across enterprise hybrid and multi-cloud environments.
The study from CloudKnox Security, which is described as an industry first, polled more than 150 global organisations on their usage of Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and VMware vSphere.
Overall, the standout finding saw more than 90% of organisations were using fewer than 5% of permissions granted. Each specific provider told a grim story. For AWS, more than 95% of identities were using fewer than 2% of permissions granted; Azure saw 90% for less than 2% respectively; while Google was 90% for less than 5%.
This is defined by CloudKnox as the ‘cloud permissions gap’. This publication has explored various gaps, both skills- and security-based, which companies have been keen to fill. In many cases, this is down to misunderstandings over shared responsibility, and how cloud providers only have responsibility ‘of’ the cloud, and its associated infrastructure. Other gaps have appeared as a result of the Covid-19 pandemic. Ivanti found last month that almost a third of remote workers polled did not have to use a secure access tool to log into corporate databases and systems.
CloudKnox argues that it is ‘almost impossible’ for identity and access management (IAM) or cloud infrastructure teams to manually manage who is accessing cloud infrastructure and using particular permissions. Legacy tactics, such as role-based access control (RBAC), do not work at cloud scale, and organisations need to properly implement the principle of least privilege to ensure the best defence.
The company’s recommendations for operationalising permissions management (above) revolve around iterative and automated processes. Companies should leverage activity-based authorisation to right-size permissions of identities; identify, improve and monitor IAM hygiene continuously, and implement automated, continuous compliance and reporting.
“The focus on digital transformation over the last few years – and accelerated throughout 2020 – has led to a significant delta between permissions granted and permissions used in the cloud,2 said Raj Mallempati, COO of CloudKnox. “This ‘cloud permissions gap’ is a massive contributing factor to the rise of both accidental and malicious threats for organisations of all sizes.
“Permissions misuse or abuse can allow both human and machine identities to create and destroy portions of the cloud infrastructure; and without right-sizing these permissions, enforcing least privilege and Zero Trust access, these identities have the potential to become CISOs’ worst nightmares,” Mallempati added.
You can read the full report here (pdf, email required).
Want to find out more about topics like this from industry thought leaders? The Cloud Transformation Congress, taking place on 13 July 2021, is a virtual event and conference focusing on how to enable digital transformation with the power of cloud.