
Cloud IAM: Using Privilege Right Sizing to Contain Privilege Sprawl

2022  /  7 min. read
Britive Team

Advancing Cloud IAM

The following article was published in betanews.

Historically, identity and access management has been built around an on-premises model. But with more systems now residing in the cloud, the old way of doing things isn't working.

To find out more about why the cloud needs a new approach to IAM we spoke to Britive CEO, Art Poghosyan, about the challenges it raises and how to address them.

BN: What's the biggest challenge companies face when managing identity and access in the cloud?

AP: We often find that most organizations are either without a clear, action-oriented process for managing identity and access in multi-cloud environments, or are struggling to manage user access manually through spreadsheets, which is time-consuming and prone to error. The ability to automatically discover identities and their permissions is essential. Once done, you need to be able to easily remediate overly-privileged accounts, unused privileges, and risky privilege-related activity.

The only way to achieve security in a multi-cloud scenario is to centralize and automate the control of human identities and machine IDs. The problem here is that DevOps teams need a solution that will enable them to secure cloud access while accelerating, rather than slowing cloud app development – a limitation of many traditional IAM and PAM solutions that are perceived as an annoying 'bump in the wire' that can inhibit development velocity.

That's why Britive uses pre-authorizations to assign dynamic, temporary access upon user request – without the time-consuming necessity of requesting elevated privileges through a cloud service admin. By granting and revoking temporary access automatically, users receive the permissions they need when they need them. Authorization, not authentication grants the access; it's then revoked when the allotted time expires or the user completes the task.

Prioritizing authorization over authentication lets organizations move faster and plug security gaps. Only users that are pre-authorized can gain access, which guides organizations toward a zero standing privileges security posture quickly and effectively.

BN: How has the rise of cloud -- and continued growth of individual cloud services -- changed how companies should approach identity and access management?

AP: Rather than securing a single or limited number of identities and permissions, which is typical for on-prem access management, migrating to the cloud means that security, IAM, and DevOps teams are faced with managing a proliferation of many identities and privileges for every cloud user. And since this access spans multiple cloud services, each with its own privilege logic and usage model, trying to manage the joiner/mover/leaver process manually, without a unified access model, becomes virtually impossible.

Further, the cloud technology stack is a patchwork of solutions that were designed to address various security needs, many of which are not applicable in a cloud environment. They weren't built as a single integrated entity. As a result, companies have to pick through a number of PAM, IAM, IGA, IA and other traditional solutions to secure cloud services.

Some of these solutions have been repurposed from on-prem solutions, which doesn't work. Retrofitting this way is problematic because cloud services have unique security needs that should be handled by a unified cloud-native solution. Failure to do so brings us to the situation we have today. There are many 'cloud' solutions that overlap and leave serious holes because they have no or limited insight or controls over cross-cloud identities and permissions.

We've developed a cloud-native access management platform with unique temporary access permissioning and secrets governance capabilities designed to consolidate the most critical cloud-centric IAM, PAM, IGA, and CIEM functions, while empowering development and readily integrating with CI/CD processes and tooling.


BN: Ransomware seems to be a hot topic at the moment, how can the right identity and access management approach help to curb incidents?

AP: The right approach starts by reducing your attack surface. In the cloud, that means using privilege right sizing to contain privilege sprawl. By eliminating standing privileges altogether, your organization limits the opportunities ransomware attackers have to gain a foothold in cloud services and move laterally across infrastructure.

Standing privileges give baleful employees and contractors the access they need to inflict harm. We’ve seen numerous accounts of employees exposing, manipulating, and extorting their former company's data. While typically not considered ransomware in its traditional sense, off-boarding workers so access is removed immediately is a legitimate concern, tantamount to another threat cloud organizations must address.

Therefore, it's incumbent on organizations to secure human and machine IDs in cloud environments. But it must be done in a way that does not impede cloud builders. If security is 'heavy' and slows development, builders are hamstrung.

There are immense expectations placed on builders to deliver quickly and repeatedly, so there is the temptation for engineers to grant excessive privileges that remain open in perpetuity -- therefore minimizing the authentication process. This practice leaves organizations vulnerable.

We also know that many cloud breaches are the result of unsecured databases, human error, and misconfigurations. Gartner predicts that by 2024 organizations running cloud infrastructure can expect a minimum of 2,300 violations of least privilege policies per account per year. So you have these two significant opportunities for bad actors to access your environment.

In sum, the right IAM approach amounts to minimizing your blast radius and using authorization to enforce zero standing privileges. DevOps require a solution that allows them to build at the speed of automation. Therefore organizations need security that integrates seamlessly with CI/CD and other building processes. When identities receive temporary access, there is no need for engineers to keep standing privileges and excessive privileges in place. Misconfigurations are also significantly minimized when access is managed automatically.

BN: What are some general best practices companies can adopt to ensure their cloud environments are kept safe?

AP: On the whole, companies should adhere to the principle of zero trust in multi-cloud environments. This means a do-not-trust but verify posture at the identity/privilege control point for every operation-critical cloud service. Unfortunately, merely enforcing least privilege access (LPA) as many traditional IAM, PAM and CIEM solutions do, which is necessary to minimize an organization's privilege attack surface, is insufficient to maintain zero trust access. If there's a misconfiguration, or an identity is compromised, the bad actor responsible can still access your environment and cause damage -- especially if the compromised user has elevated permanent access or an errantly over-privileged account.

In addition to LPA, it is critical to maintain zero standing privileges and dynamic temporary access because in the event of a security incident, the bad actor has no place to go -- permissions don't exist and the ability to move laterally across an environment is stifled. Zero trust is thereby maintained when it comes to elevated access privileges.

Companies should also remove the complexity and minimize the time it takes to secure identities and permissions across multi-cloud environments, including IaaS, PaaS, SaaS, and DaaS services.

Traditional IAM, even when it is cross-cloud, is limited in its ability to manage privilege access. What's more, monitoring the sheer number of users is a substantial challenge for organizations operating in multi-cloud environments. A cross-cloud privileged access management solution allows organizations to dramatically scale back the amount of time it takes to oversee access and simultaneously diminish the risk of human error. A true cloud-native solution delivers complete visibility across CSPs, improves detection and monitoring, and provides analytics and reporting so teams can quickly evaluate who has access to which accounts.

Moving forward, it's all about cloud-native solutions that provide identity-first security, risk management, and business value.
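The pre-authorization and temporary-access model described in the interview (no standing privileges, access granted on request only to identities that are pre-authorized, capped in duration, and revoked on expiry or task completion) can be sketched as a small broker. This is an added illustration, not Britive's code or API; the identities, targets, roles and time limits are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Pre-authorization policy: who may *request* which role on which cloud target,
# and for how long at most. Constructed sample data (assumed names).
PREAUTH = {
    ("alice", "aws:prod"): {"role": "deploy", "max_minutes": 60},
    ("ci-bot", "gcp:build"): {"role": "artifact-writer", "max_minutes": 15},
}

T0 = datetime(2022, 1, 1, tzinfo=timezone.utc)  # fixed clock for reproducible checks

def at(minutes: int) -> datetime:
    """Point in time `minutes` after T0 (helper for the worked scenario)."""
    return T0 + timedelta(minutes=minutes)

@dataclass
class Grant:
    identity: str
    target: str
    role: str
    expires_at: datetime
    revoked: bool = False

class JitBroker:
    """Zero standing privileges: a role exists for an identity only inside an active grant."""
    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.audit: List[str] = []  # every decision is recorded for detection/review

    def request(self, identity: str, target: str, minutes: int, now: datetime) -> Optional[Grant]:
        policy = PREAUTH.get((identity, target))
        if policy is None:  # not pre-authorized: no admin ticket, no grant
            self.audit.append(f"DENY {identity} {target}: not pre-authorized")
            return None
        ttl = min(minutes, policy["max_minutes"])  # requested TTL is capped by policy
        grant = Grant(identity, target, policy["role"], now + timedelta(minutes=ttl))
        self.grants.append(grant)
        self.audit.append(f"GRANT {identity} {grant.role}@{target} for {ttl}m")
        return grant

    def complete(self, grant: Grant) -> None:
        """Task finished: revoke early rather than waiting for expiry."""
        grant.revoked = True
        self.audit.append(f"REVOKE {grant.identity} {grant.role}@{grant.target} (task done)")

    def has_access(self, identity: str, target: str, role: str, now: datetime) -> bool:
        """Authorization check at use time: only unrevoked, unexpired grants count."""
        return any(g.identity == identity and g.target == target and g.role == role
                   and not g.revoked and now < g.expires_at for g in self.grants)
```

Because `has_access` never consults anything but live grants, a compromised identity with no active grant has nothing to use, which is the "no place to go" property the interview describes.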