A guide to privileged access management: The doorman for the cloud

Shai Morag is CEO of cloud identity and access security provider Ermetic. Previously, he was co-founder and CEO of Secdo, an incident response platform vendor acquired by Palo Alto Networks, and CEO of Integrity-Project, a software outsourcing company acquired by Mellanox.

After a year when digital transformation took a quantum leap at most enterprises and remote work exploded, it’s no surprise that the majority of enterprise workloads are now running in cloud-based infrastructure as a service (IaaS) and platform as a service (PaaS) offerings. 

This is creating a whole new set of security challenges around managing access to your organisation’s infrastructure across multiple cloud platforms, with all the various identities and configurations they bring. Studies have shown this is where security failures happen: when the combinations of identities, access entitlements and privileges break down. Gartner forecasts that such failures will account for about three-quarters of security incidents in the cloud by 2023.

Meanwhile, privileged access carries its own risks, as we saw in the wake of big events like the SolarWinds breach discovered last year. That is because the SolarWinds platform has privileged access to certain management functions and may hold AWS and/or Azure root API keys.

As the story goes, with great power comes great responsibility, so privileged access management—the practice that acts like a doorman managing access to admins and security software across your network—is a challenge all on its own, especially when the public cloud is involved. Just like a VIP room loses its meaning if everyone can get past the velvet rope, an excess of access privileges and mismatched permissions can wreck security in the public cloud. 

The cloud is inside out

Spending on public cloud infrastructure has been growing faster than spending on traditional IT infrastructure, according to an IDC market survey which forecasts that worldwide spending on public cloud infrastructure will pass traditional IT spending next year. At the same time, spending on cloud security is not keeping pace. While more than half of enterprise workloads are now moving to the public cloud, surveys show enterprises are spending only a quarter of their security tool budgets on securing it.

Despite this lack of funding for security, enterprises’ top cloud concerns are identity and access, and data protection. According to several recent surveys, two of the three measures most companies choose to take to protect their data in the public cloud are connected to identity. The most popular, used by 61% of organisations, is multi-factor authentication, followed by encryption and then identity and access management (IAM).  

This is the reverse of the on-premises picture, where security usually leads with external defences like firewalls and endpoint security while identity-centric security controls lag behind.

If the public cloud brings up such different concerns and requires such a different security architecture than your on-premise network, then it’s logical to think it would need its own, cloud-native security tools. Gartner is projecting that over the next five years, IAM will evolve into a decentralised “cybersecurity mesh” handled mainly by managed security service providers (MSSPs), meant to be more flexible and reliable than the traditional perimeter controls designed to protect on-premise networks. 

Identity is the new perimeter

When identity becomes the security perimeter, as it does in the cloud, privileged access becomes even more crucial. Not every account needs an all-access pass to the VIP rooms in your environment, not even admins. So the ability to grant granular access permissions and privileges based on who has access, who really needs it and when, is important.

If you have hundreds or thousands of privileges in the cloud and only one percent of them are in use, the rest is an enormous attack surface exposed to the bad guys. The cloud gets points for scalability and flexibility, but that also means services are constantly growing and spinning off more identities and privileges that are left open to attack.

Helping security operations keep pace with that activity requires cloud infrastructure entitlement management (CIEM). CIEM software can manage entitlements, eliminate unnecessary permissions and shrink those attack surfaces, but the first step to enabling CIEM is to get a grip on all those identities and cloud entitlements and develop a strategy for your organisation. Think of it as the instructions to your doorman: who can get into the VIP room and at what times, who’s on the A-List, and who’s on the B-list. 

Start by auditing and inventorying all your cloud entitlements; check whether each identity’s permissions match your access policy and its role. And pay very close attention to your most sensitive data stores, your VIP room, if you will. Consider a least-privilege approach, so users only get access to the areas most closely related to their role in the network.
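The audit the text describes (inventory the entitlements, compare each grant with the role’s access policy, flag unused and over-broad grants, and derive a least-privilege grant set) can be sketched in a few dozen lines. The following is an added example, not code from the article or from Ermetic; every identity, role, action string and timestamp in it is constructed sample data, the "service:Operation" action format and the 90-day idle window are assumptions, and the usage ratio it reports is the "how many of our entitlements are actually in use" figure the earlier paragraph mentions.

```python
"""Added example, not code from the article or from Ermetic: a toy entitlement
audit over a constructed cloud-identity inventory. It follows the steps the
text lists (inventory entitlements, compare grants with the role's access
policy, flag unused and over-broad grants, derive a least-privilege grant set).
Every identity, action, role and timestamp below is constructed sample data."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Audit reference date for the constructed data (assumption, not from the page).
AS_OF = datetime(2021, 5, 5)

# Constructed inventory: identity -> granted actions plus last-used dates.
# Actions use a "service:Operation" shape; "*" is a wildcard grant.
INVENTORY = {
    "svc-build-runner": {
        "role": "ci-worker",
        "granted": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:*"],
        "last_used": {"s3:GetObject": "2021-05-01", "s3:PutObject": "2021-05-02"},
    },
    "alice-admin": {
        "role": "platform-admin",
        "granted": ["*"],
        "last_used": {"ec2:StartInstances": "2021-04-28",
                      "iam:CreateUser": "2020-11-10"},
    },
    "dashboard-reader": {
        "role": "analyst",
        "granted": ["s3:GetObject", "cloudwatch:GetMetricData"],
        "last_used": {"cloudwatch:GetMetricData": "2021-05-03"},
    },
}

# Constructed access policy: what each role is *supposed* to be able to do.
ROLE_POLICY = {
    "ci-worker": ["s3:GetObject", "s3:PutObject"],
    "platform-admin": ["ec2:*", "iam:*"],
    "analyst": ["cloudwatch:GetMetricData", "s3:GetObject"],
}


def is_overbroad(action):
    """A wildcard grant covers more than the single operation a role needs."""
    return "*" in action


def covered_by_policy(action, allowed):
    """True if some policy pattern permits the granted action, e.g. 'ec2:*'
    covers 'ec2:StartInstances'. A bare '*' grant matches no policy pattern,
    so it is reported as exceeding the role."""
    return any(fnmatchcase(action, pattern) for pattern in allowed)


def recently_used(entry, now, max_idle_days):
    """Actions the identity actually exercised within the idle window."""
    cutoff = now - timedelta(days=max_idle_days)
    return {a for a, d in entry["last_used"].items()
            if datetime.strptime(d, "%Y-%m-%d") >= cutoff}


def unused_grants(entry, now=AS_OF, max_idle_days=90):
    """Granted actions with no recent matching use (a wildcard grant counts as
    used only when some recorded action falls under it)."""
    used = recently_used(entry, now, max_idle_days)
    return sorted(g for g in entry["granted"]
                  if not any(fnmatchcase(u, g) for u in used))


def audit_identity(name, entry, now=AS_OF, max_idle_days=90):
    """Per-identity findings plus a least-privilege recommendation: only the
    concrete actions used recently that the role policy also allows."""
    allowed = ROLE_POLICY.get(entry["role"], [])
    used = recently_used(entry, now, max_idle_days)
    return {
        "identity": name,
        "overbroad": sorted(g for g in entry["granted"] if is_overbroad(g)),
        "outside_role_policy": sorted(
            g for g in entry["granted"] if not covered_by_policy(g, allowed)),
        "unused": unused_grants(entry, now, max_idle_days),
        "recommended": sorted(a for a in used if covered_by_policy(a, allowed)),
    }


def audit_all(inventory=INVENTORY, now=AS_OF, max_idle_days=90):
    """Run the audit over every identity in the inventory."""
    return {name: audit_identity(name, e, now, max_idle_days)
            for name, e in inventory.items()}


def entitlement_usage(inventory=INVENTORY, now=AS_OF, max_idle_days=90):
    """(grants in use, grants total): the share of entitlements actually
    exercised, the figure the text says can be as low as one percent."""
    total = sum(len(e["granted"]) for e in inventory.values())
    idle = sum(len(unused_grants(e, now, max_idle_days))
               for e in inventory.values())
    return total - idle, total


if __name__ == "__main__":
    for report in audit_all().values():
        print(report)
    print("entitlements in use: %d of %d" % entitlement_usage())
```

Two design points carry over to a real audit. First, a wildcard such as `iam:*` or `*` is reported twice on purpose: once as over-broad, and once as outside the role policy unless the policy itself spells out that wildcard, because a blanket grant can never be shown to match what the role needs. Second, the recommendation is built from observed use intersected with the policy, never from the existing grant list, so the output is the minimal concrete set rather than a trimmed copy of whatever was handed out before.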

Security concerns are still the top barrier to cloud adoption, but organisations are being won over at a fast clip. When it comes to privileged access management, it’s critical to keep out identities that don’t belong in the club, using guardrails to manage and eliminate excessive entitlements.
