The old model of relying on firewalls to protect the network is no longer relevant in today’s cloud-centric IT environment. While the on-premises model made sense in its time, the rapidly expanding set of cloud providers, along with their near-infinite combinations of settings and services, now requires security teams to rethink their entire security strategy. According to Gartner, by 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020.

In the traditional data center, the network provided a secure organizational boundary. The network was carved up into zones, trusts were established within and between zones, and security largely consisted of monitoring traffic and enforcing controls where the zones met. But in the cloud, this approach is less effective and, in some cases, irrelevant. Attackers seek access to people and non-people identities, then pivot between resources, discovering credentials and further identities along the way, until they reach your critical data. Make no mistake – the new perimeter is all about identities – both people and non-people. 

Identifying the Risks of the Cloud. Identity, resource and service misconfigurations are critical challenges that have led to significant data breaches. As we’ve seen, even the most sophisticated and well-funded organizations have had issues. Organizations can minimize risk by first identifying the conditions that lead to unauthorized identities and excessive privileges. It is essential for data owners and cloud operations, security, and audit teams to recognize these risks in order to maximize their control management, security, and governance of data within their public cloud environments.

Identity Issues. It has become effortless to create identities, both person and non-person, within the cloud. These identities may be provisioned with, or later gain, access rights by accident or in ways that were not originally intended. They may also remain invisible and untrackable to data owners. These identities often carry special administrative privileges, such as the ability to enumerate and extract data (as was the case in many of the more well-known data breaches), which leads directly to the exposure of your data. 

Data Exposures are Inadequate Indicators. Visibility into where cloud data is stored is not, by itself, sufficient. While data owners may trust their DevOps teams to manage the storage of data objects, that does not reveal which external parties can reach the data or with what privileges. Cloud users must stay aware of every movement of their data to keep it secure. It is critical to know where their data exists, which identities have access to it, how it is being accessed and where it might be moving to or from.

Monitor for Drift. One of the most basic mistakes an organization can make in cloud security is failing to continuously monitor data and identities. As a starting point, establish a baseline by defining and implementing a set of cloud security controls. From there, continuously monitor against that baseline and alert on any deviation. It is these deviations that will be your downfall.

Coordination Issues. The outdated paradigm of sending security alerts to a single team to triage and manage simply isn’t feasible. In the cloud operating model, the environment is simultaneously being used by disparate groups, which include audit, DevOps, cloud and security staff. The solution is to get the issues to the team(s) that created them, as they are in the best position to address them as soon as possible. This solution ensures that problems are addressed in both an appropriate and timely manner. Or, as I like to say, at the speed and scale of the cloud.

Fix the Employee Skills Gap. Many developers are not inherently security experts, so they should be trained in cybersecurity best practices. Organizations that do not want to assign these duties to existing Dev teams may need a new type of operations person who combines operations with security (DevSecOps). With a widening skills gap haunting CISOs, companies cannot afford to keep putting off their employees’ professional development programs. Failure to upskill staff means they lack the skills and knowledge necessary to secure their organization. 

Things you can do today to improve your enterprise strategy

Since the cloud involves multiple accounts, trust relationships, and permission inheritances, it is highly challenging for data owners to keep close tabs on it. Here are four areas in which you can improve your strategy.

Get to and maintain Least Privilege. Get a solution with advanced analytics that continuously monitors every identity to determine its effective permissions: what it can do and what data it can access. From this, detailed graphs can be built and continuously updated to visualize every identity-to-data relationship, giving you a systematic structure for identifying and managing common data threats such as separation-of-duties violations, toxic combinations, and privilege escalations. Continuous auditing ensures that the least-privilege state is maintained and that any deviation is alerted on immediately.
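As an added illustration (not code from the original article or any particular product), the following Python sketch builds the identity-to-data graph described above and also covers the drift alerting from the "Monitor for Drift" section: it computes each identity's effective permissions by following role-assumption edges, flags privilege-escalation paths and separation-of-duties conflicts, and alerts on any deviation from a recorded least-privilege baseline. All identities, resources and action names are constructed sample data, not taken from any real cloud provider.

```python
from collections import deque

# Constructed, cloud-agnostic sample (invented for this example): which identity can
# assume which role (the pivot edges) and what each identity is granted directly.
ASSUMES = {"ci-runner": ["deploy-role"], "lambda-svc": ["admin-role"]}
GRANTS = {
    "ci-runner":   {("read", "build-artifacts")},
    "deploy-role": {("write", "build-artifacts"), ("grant", "iam")},
    "analyst":     {("read", "customer-pii"), ("submit", "payments"), ("approve", "payments")},
    "admin-role":  {("read", "customer-pii"), ("delete", "customer-pii"), ("grant", "iam")},
    "lambda-svc":  {("read", "customer-pii")},
}
# Action pairs on one resource that a single identity must never hold together.
SOD_PAIRS = [("submit", "approve")]

def effective_permissions(identity, assumes=ASSUMES, grants=GRANTS):
    # Breadth-first walk over assume edges: everything reachable is effective.
    seen, queue, perms = {identity}, deque([identity]), set()
    while queue:
        cur = queue.popleft()
        perms |= grants.get(cur, set())
        for nxt in assumes.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return perms

def find_toxic(identity, assumes=ASSUMES, grants=GRANTS):
    # Escalation: the power to change permissions is reached only by pivoting.
    direct = grants.get(identity, set())
    effective = effective_permissions(identity, assumes, grants)
    findings = []
    if any(action == "grant" for action, _ in effective - direct):
        findings.append(("privilege-escalation", identity))
    # Separation of duties: both halves of a conflicting pair on the same resource.
    for first, second in SOD_PAIRS:
        for action, resource in sorted(effective):
            if action == first and (second, resource) in effective:
                findings.append(("separation-of-duties", f"{identity}:{resource}"))
    return findings

def drift(baseline, assumes=ASSUMES, grants=GRANTS):
    # Alert on every effective permission beyond the recorded least-privilege baseline.
    alerts = {}
    for identity, allowed in baseline.items():
        extra = effective_permissions(identity, assumes, grants) - allowed
        if extra:
            alerts[identity] = sorted(extra)
    return alerts
```

Note that `deploy-role` holding `grant` directly is not reported as escalation; only identities that acquire that power by pivoting are, which is the case worth an alert.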

Continuously Monitor Your Data. Most organizations do not know where all their data is in the cloud. You need to find, classify, and de-risk the most valuable data in your environment. The blast radius of a potential security incident shrinks as excessive data access rights are eliminated. Look for a solution that can lock down precious data and continuously monitor it, with a built-in alarm that triggers on sudden and unexpected activity.

Integrate Security and DevOps. Data owners need to establish an effective system from the get-go. Configure alerts according to their given context and deliver them to the respective teams to respond swiftly using intelligent workflows.

Prevent and Remediate Security Issues. Address data risks before they become incidents and cause damage by leveraging intelligent workflows and automation bots in your cloud. This results in a high-performance compliance structure for your public cloud. Put prevention rules in place across your cloud, make sure the rules are continuously met, and fix any risk found in the environment before it turns into an incident. 

An enterprise that doesn’t fully understand its role in securing its identities and data in the public cloud is taking unnecessary risks with outdated strategies that, as we see every week, lead to disastrous consequences.