If we have learned anything over the past year and a half, it’s that the world can change quickly. The business world has gone through a massive upheaval with the explosion of digital transformation initiatives and cloud adoption, which has created a wide array of new security concerns — most notably identity-based risks. Combine the fact that any identity can become privileged under certain circumstances with the massive number of human and machine identities being created across hybrid environments, and you’ve got an attack surface that is getting harder and harder to defend.
The acceleration of digital transformation has brought an end to the traditional network security perimeter. Instead, organizations rely on identity as a security barrier, with the need to implement a zero trust framework to reinforce this new perimeter. Zero trust is an approach that does not assume implicit trust on any corporate resources, no matter where they reside — in the cloud, from home, mobile, etc. — instead requiring that every identity reestablish trust for every session with a corporate resource. A recent survey found that 88% of security leaders say transitioning to a zero trust approach is “important” or “very important.”
A zero trust strategy also helps organizations as they look to gain greater enterprise visibility and reduced IT complexity, demand less of their security teams and more. Let’s explore the key concepts of a strong, modern zero trust model.
The least privilege concept
To address the challenge of identity sprawl, organizations should rely heavily on the principle of least privilege — a zero trust policy requiring that all identities, both human and non-human, have only the minimum entitlements necessary to perform their ongoing responsibilities. Least privilege not only eliminates excessive permissions, but also limits the number of entities that can grant or configure new permissions, making it difficult for attackers who compromise a given identity to escalate privileges and ultimately reach their goals.
Indeed, the concept of least privilege is a pivotal step in establishing strong zero trust frameworks, staying ahead of attackers and proactively shrinking the attack surface.
Attackers are smart. They are well aware of the trends influencing enterprise tech decisions and know how to take advantage — recently, they have shifted their attention to the cloud as organizations’ cloud footprints have grown. While the territory is new, they have not varied in their targets all that much. In fact, the 2020 Verizon Data Breach Investigations Report found that identities remain the weakest link in most organizations, as credential theft was employed in 77% of cloud breaches. It is clear attackers know identities are an easy target, which only reinforces the case for least privilege.
In a least privilege model, organizations proactively protect themselves from insider threats while also limiting the potential damage of external attacks. Least privilege controls help limit attacker movement and protect mission-critical workloads, buying valuable time to detect and respond to an attack.
Shrink the ever-expanding attack surface
Most organizations are now maintaining hybrid or multi-cloud environments, making proper configuration of privileges and permissions a challenge. For example, cloud identity and access management (IAM) roles for certain application services can be provided with a wide range of permissions. In fact, there are over 15,000 permissions across AWS, Azure and the Google Cloud platform. While an excessive number of permissions limits developer friction, it also has significant security implications, as any IAM permission can be weaponized as a potential pathway for attackers. Organizations may also fail to account for outdated permissions, such as not revoking developer access to storage buckets and container pods at the close of a project.
If identities were compromised in either of these scenarios, attackers have an increased chance of escalating privileges or reaching mission-critical data undetected. Enforcing least privilege and continuously validating identities can effectively shrink the attack surface for organizations and lower risk by dissuading malicious insiders and impeding external attackers.
More cloud services, more misconfiguration risks
We’ve seen incredible innovation from the leading infrastructure-as-a-service (IaaS) platforms as they constantly introduce new services to boost business productivity and develop tools for specialized needs like data streaming, blockchain networking and Internet of Things (IoT) analytics.
While these tools have clear use cases and represent value to the business, it only takes one simple misconfiguration to open the doors for attackers. For example, the 2020 IBM Cost of a Data Breach Report found attackers leveraged cloud misconfigurations in nearly 20% of data breaches.
In a least privilege model, managing permissions to identify potential misconfigurations that result in excessive, unauthorized access to key cloud services is emphasized, which mitigates risk while enabling necessary access to advanced workloads.
Least privilege: recommended by peers
The dangers of over-permissioned identities and the difficulty of securely configuring services in immense cloud environments are top of mind for many security executives. Leading IaaS platforms understand the need to establish strong zero trust models, and all specify least privilege as a security best practice.
Even consortiums like Cloud Security Alliance’s Cloud Controls Matrix stress the importance of continuously reviewing permissions, and highly regulated organizations face financial penalties if they are breached for not establishing least privilege. With these added consequences in mind, organizations must continuously enforce least privilege across their on-premises and cloud workloads to ensure compliance.
The consequences for overlooking identities that are overly permissioned — and thus compromise the zero trust framework — can be high. Once compromised, an attacker could access critical workloads undetected or escalate their privileges to steal cloud-hosted data, disrupt high-value applications or even take entire cloud deployments offline.
Least privilege is recognized as a security best practice for a reason. While it must not come at the expense of end-user productivity or overburden IT teams, effective least privilege enforcement brings the right mix of identity security and privileged access management practices together with flexible controls to balance security and compliance requirements with operational and end-user needs — effectively achieving zero trust.