Securing identities, their privileges and their access should be at the center of your strategy for reducing your cloud attack surface. The old network perimeter, with its limited number of ingress points secured by firewalls and other perimeter defenses, has given way to a distributed arrangement. Software-as-a-Service (SaaS) is the new IT, and cloud identities are the new perimeter, with thousands of users and potential points of failure existing outside of your traditional security controls. The greatest threats to this new perimeter include:
High impact cloud activities
Business-critical data doesn't stay in the cloud service to which it was originally uploaded. Lateral movement of data means that it can be transferred to other cloud services, including private accounts. At best this means the data resides outside of your security team's control; at worst it is an indicator that the data has been exfiltrated with malicious intent.
Security teams need to enforce usage policies that prevent documents from being transferred out of sanctioned apps to private accounts. In addition, they need to automate post-incident investigations, since tracing incidents and risky activities back to the user, the identities and the permission sets that caused them can be a complex and time-consuming task.
Privileged actions that place data at risk
Privileged actions, ones typically reserved for admins but often performed by Shadow Admins, should be of the highest concern to organizations, especially if the perpetrators also have access to large amounts of data. These actions can negatively impact the entire cloud service or a major part of the experience for everyone, not just a single user or data set.
Security teams should constantly review all identity privileges to identify Shadow Admins and Privileged Users and right-size their permissions to the minimum needed to do their jobs or remove their access if it is determined that their privileges are no longer required or were escalated for malicious purposes.
Shadow admins that aren't identified or monitored
Shadow Admins are users who hold privileged access acquired outside of the security team's purview and without its authorization. They can perform admin-level changes that can cause damage across a cloud service.
Shadow Admins should be monitored the same way that you monitor your regular admins, though in most cases their privileges need to be right-sized to their role and aligned with the privileges of the non-privileged user group to which they are assigned.
Stale user identities that aren’t regularly removed
Identities abandoned by users who no longer use a cloud service are sitting ducks for account takeover and therefore substantially increase an organization's attack surface. These identities, which multiply quickly, need to be continually monitored and identified so that they can be promptly removed from all operation-critical SaaS apps and cloud services.
Misconfigured cloud privileges
User privileges get misconfigured or change over time for a number of reasons. Sometimes admins make errors and inadvertently grant excessive, sometimes admin-level, privileges to non-privileged users. In other cases, malicious users abuse bugs, design flaws or configuration oversights in an operating system or app to bypass the security team and escalate a user's privileges. This can open an organization up to account takeovers and data exfiltration.
User privileges must be continuously monitored for misconfigurations and unauthorized changes so that overly broad privileges can be right-sized and least-privilege access effectively enforced.
Identities with escalated privileges
Security teams want to ensure that non-privileged users have only the minimum privileges needed to do their jobs. However, by exploiting a bug, design flaw or app misconfiguration, a user may gain admin or privileged access without the security team's oversight or sanction. Such a user can cause tremendous damage throughout the services for which their permissions have been elevated.
Users with elevated privileges must be continuously discovered and monitored so that their privileges can be right-sized or removed. In addition, security teams should review privilege misconfigurations and security gaps (e.g. privilege escalation rights in Salesforce using Apex) that may enable privileges to be elevated without the security team's knowledge.
External contractors who maintain access after they leave the organization
Most ex-contractors are not fully de-provisioned when they leave, which typically means that they retain access to the organization's cloud services, where they can continue to access, and potentially steal, IP and data.
When a contractor leaves, their identities, privileges, and access must be fully cataloged for complete removal. In addition, their activities over the 60 days prior to termination should be audited for potential data theft or other compromises.
Overlooked and unmonitored non-human identities
Non-human identities include third-party apps, serverless applications, virtual machines and similar workloads. Unlike human identities, they are under threat of compromise 24x7 because they are always logged in, and they are typically overlooked by security teams because they operate in the background.
Like human identities, non-human ones need to be closely monitored to ensure they haven't been compromised and that their permissions are not overly broad in relation to the functions they are required to perform.
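As an added example, not taken from the original article, the following Python audit applies the checks discussed above to a constructed identity inventory: it flags shadow admins, stale identities, ex-contractors who are still provisioned, and over-privileged non-human identities. The inventory schema, the set of admin-reserved permissions and the 90-day staleness threshold are assumptions; real SaaS and IAM exports differ per provider.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

# Hypothetical inventory record; real SaaS/IAM exports have provider-specific fields.
@dataclass
class Identity:
    name: str
    kind: str                 # "human", "contractor" or "service" (non-human)
    groups: Set[str]          # group membership, e.g. {"admins"}
    permissions: Set[str]     # effective permissions actually held
    last_login: Optional[date]
    contract_end: Optional[date] = None   # only meaningful for contractors

# Assumed policy: permissions reserved for admins, and the staleness threshold.
ADMIN_PERMS = {"manage_users", "assign_roles", "export_all_data", "*"}
STALE_AFTER = timedelta(days=90)

def audit(identities, today):
    """Return a sorted list of (identity name, finding) pairs for review."""
    findings = []
    for i in identities:
        held_admin = i.permissions & ADMIN_PERMS
        # Admin-level permissions outside the sanctioned admin group = shadow admin.
        if i.kind != "service" and held_admin and "admins" not in i.groups:
            findings.append((i.name, "shadow-admin"))
        # Non-human identities should never carry admin-level or wildcard rights.
        if i.kind == "service" and held_admin:
            findings.append((i.name, "overprivileged-non-human"))
        # Contractor whose engagement ended but whose identity still exists.
        if i.kind == "contractor" and i.contract_end and i.contract_end < today:
            findings.append((i.name, "contractor-not-deprovisioned"))
        # Human identity with no recent sign-in is an account-takeover target.
        if i.kind != "service" and (i.last_login is None or today - i.last_login > STALE_AFTER):
            findings.append((i.name, "stale-identity"))
    return sorted(findings)

# Constructed sample inventory for demonstration.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Identity("alice", "human", {"admins"}, {"manage_users"}, date(2024, 5, 30)),
    Identity("bob", "human", {"sales"}, {"read_reports", "assign_roles"}, date(2024, 5, 28)),
    Identity("carol", "human", {"sales"}, {"read_reports"}, date(2023, 12, 1)),
    Identity("dave", "contractor", {"eng"}, {"read_code"}, date(2024, 5, 20), date(2024, 3, 31)),
    Identity("ci-bot", "service", set(), {"*"}, date(2024, 6, 1)),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, TODAY):
        print(f"{name}: {finding}")
```

Run against a real export, the same four rules become the review queue for right-sizing or removal; the findings list is intentionally sorted so diffs between daily runs show only new exposures.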