The mantra within the IT SecOps community regarding cloud security is that visibility into digital identities, access privileges and authentication processes is critical in securing cloud assets, data, and DevOps pipelines. And rightly so — but with a caveat, as we will see. 

The overall context is that the lightning-fast evolution of cloud DevOps and continuous integration / continuous deployment (CI/CD) processes have outpaced the emergence of technologies and practices necessary to effectively secure these environments. As businesses have replaced on-premises software and infrastructure with cloud applications and infrastructure as a service (IaaS), identity and access management has become increasingly difficult for companies to control. While implementing single sign-on (SSO), multifactor authentication (MFA), and identity provisioning are good first steps to strengthen and secure the authentication process at cloud services, these tools do little to provide visibility and control for granted privileges in cloud services. 

Once a user has authenticated, few tools provide visibility into privileges that the user uses. Identity governance and administration (IGA) tools can map users to groups and roles but lack the capability to show effective access levels. Additionally, information mapped between users, groups and privileges is typically stale because the information is refreshed periodically rather than in real time. 

Combining the lack of deep visibility into user, group, and role privileges with the dynamic nature of cloud infrastructure results in little oversight and control over the activities of users within cloud infrastructure and applications. Companies risk giving too many privileges to too many people and losing control of critical business data managed and stored in cloud environments. 

Emerging security technologies such as privileged access management (PAM) and cloud security posture management (CSPM) are changing this equation. These technologies can help organizations automatically scan and retrieve the users, roles, and privileges from each cloud system. This information can then be correlated with user identity information so that privileged users are identified and flagged for review to ensure the right people have the right levels of access to work efficiently. 

CSPM can help empower organizations to secure public clouds through automated scanning and monitoring to uncover configuration issues that could lead to unauthorized access to cloud assets. With these tools and best practices, organizations can dramatically improve visibility into cloud operations and DevOps pipelines. 

Yet does that visibility translate into more effective security? Not necessarily. Absent enforcement mechanisms, that visibility can only set the stage for securing cloud assets. The question, then, becomes: what kind of enforcement mechanism needs to be brought to bear? 

To Successfully Implement CSPM, Reduce Standing Privileges 

We know that the cloud has complicated identity and access management, traditionally used to protect organizations from privilege misuse and abuse within on-prem systems. Complex, custom permission controls and access models for each cloud service hinder administrators from confidently deploying consistent access rules and policies cross-cloud. 

Additionally, administrators often inadvertently or unintentionally grant privileges that leave an organization exposed to breaches or insider threats without a deep understanding of each cloud service. The complexity involved with configuration and maintenance also prevents administrators from automating many required tasks. Requests to update admin access privileges or add and remove users can take days or weeks to complete. 

So, how to proceed? The first step to strengthening privileged access in the cloud is to enforce least privilege access. However, it is not enough to grant permanent standing privileges to a human or non-human user, even if they are limited to only those permissions needed to do their jobs. Instead, users need to be granted temporary elevated privileges on-demand, based on need or request. What would this look like in practice? Here are three enforcement mechanisms that are essential for any effective multi-cloud security program: 

1. Automatically Grant And Expire Permissions 

With just-in-time (JIT) privilege grants, users and machine IDs can quickly check out a role-based elevated privilege profile for a specific cloud service, either for a session or task, for a set amount of time, or until the user checks the profile back in manually. Once the task is complete, those privileges are automatically revoked. 

2. Maintain Zero-Standing Privileges (ZSP) 

Adding and removing privileges enables the DevSecOps team to maintain a zero-standing privilege (ZSP) security posture. It works on the concept of zero trust, which means no one and nothing is trusted with standing access to your cloud accounts and data by default. 

3. Centralize & Scale Privilege Management 

Minimizing sprawl is a critical challenge when using static identities, with many DevSecOps teams today struggling to manage IDs and privileges manually using Excel spreadsheets. With centralized provisioning, it becomes possible to automate this process across all cloud resources, dramatically reducing the likelihood of errors that can place accounts and data at greater risk. 

These capabilities enable security teams to bake automated policy enforcement into their overall cloud security programs. To fully realize the benefits of CSPM, however, further tools and capabilities must be deployed. These include privileged access broker, cloud access governance, secrets management, and data analytics.

By deploying CSPM technology and implementing security best practices, organizations can provide visibility and control for the cloud without impeding user productivity. Security administrators can easily monitor, review and update access policies to better support the business, and the organization can have a robust set of controls that protect against lost or stolen accounts and reduce the risk of information loss or infrastructure disruption.