Cybercriminals are focusing malicious attacks on privileged access and secrets management infrastructure more than ever. Specifically, they’re targeting immature cloud identity governance systems and lax security in DevOps processes that don't follow a Zero Trust Framework. These trends shouldn’t come as a surprise, given the new, complex and fast-evolving world of multiple cloud platforms and apps. Security strategies and technologies are catching up, but the explosion in ransomware attacks in recent months tells us that we still have a long way to go to address existing IT security vulnerabilities.
What exactly is the way forward?
There’s growing consensus that Zero Trust will be the future state for security infrastructure. It’s been widely adopted in the US by the DoD, the banking sector, the healthcare sector. Global expansion is well underway and accelerating in EMEA, APAC, and beyond. There are also multiple formulaic working groups—the NIST Framework being the most prominent—that are pushing to optimize and advance the concept. We’re also likely to see zero trust grow to become the standard security model moving forward because it’s based on a strategy, not just more technology.
Zero Trust is not a new concept, but it’s become foundational to IT security in the cloud era where conventional security technologies and techniques—firewalls, VPNs, etc.—are no longer effective at securing devices, data and IT resources. Zero Trust strategies enable organizations to pivot away from conventional ringfencing approach, and proceed with a framework where no individual, no device, no application, no thing can be trusted as secure. Essentially, security measures become organized around digital identity and access management, privileges and permissions. Looking at the current state of zero trust, the approach is coalescing around a handful of technology elements:
- Software defined perimeter
- Secured endpoints
- Managed mobile devices
- Multifactor authentication
- Advanced identity and access management
- Least privilege access / zero standing privileges
- Dynamic / ephemeral permissions (automated processes to revert back to the “zero access” mean whenever possible).
The Cloud Identity Lifecycle
Because it’s not possible to ringfence every application, resource, device, or user in cloud environments, digital identity defines the new perimeter. The problem is the new perimeter-less environment has made managing access privileges magnitudes more critical than ever before. The privileged access and identity management practices optimized for on-premises situations are ineffective in today’s cloud-oriented DevSecOps environments.
A fundamental challenge of securing the identity-defined perimeter is the ability to easily manage and secure the cloud identity lifecycle. This priority comes into sharpest focus with offboarding users, or more accurately, the failure of so many organizations to revoke standing access privileges to DevOps environments and other sensitive IT resources. Companies today use hundreds or thousands of cloud services, and a typical DevSecOps operation can easily generate thousands of data access events every day. The result is that each human and machine user ends up having multiple identities and standing privilege sets sitting vulnerable to exploitation. If those privileges are not revoked or expired when an employee or contractor leaves the organization, that massive threat surface remains in place indefinitely.
Enforcing Zero Trust
The most effective way to manage the cloud identity lifecycle is through the maintenance of least privilege access (LPA) and zero-standing privileges (ZSP) for those users while they are working in the cloud. Likewise, with the complete removal of accounts and access when terminated employees and contractors leave the organization. These offboarding steps are especially critical in today’s dynamic work environment, with employees and contractors frequently joining and leaving your organization.
Today’s advanced dynamic permissioning platforms that incorporate just-in-time (JIT) secrets provisioning capabilities and zero standing privilege (ZSP) enforcement mechanisms can overcome these obstacles. The automated granting and revocation or expiring of permissions—JIT privilege grants—is highly effective at minimizing attack surfaces. These solutions work on the tenets of Zero Trust, which means no one and nothing is trusted with standing access to your cloud accounts and data. With JIT, elevated privileges can extend either for the duration of a session or task, for a set amount of time, or when the user checks the profile back in manually. Once the task is complete, those elevated privileges are automatically revoked—all without involvement from systems administrators.
Webinar:
Extending Zero Trust to Your Cloud Identity Lifecycle
June 23rd, 11am PST/1pm EST
Dr. Chase Cunningham, Chief Strategy Officer (CSO) at Ericom Software
John Morton, Director of Solutions Engineering at Britive
Ready to learn more about Zero Trust in cloud environments? Please join us on June 23rd to explore these concepts in greater detail and learn how just-in-time secrets provisioning and zero standing privilege enforcement can work in concert to secure your cloud development environments. Register here.