Joseph Carson at ThycoticCentrify explores the importance of privileged access management in a cloud environment and explains how organisations can address privileged access to protect sensitive data, ensure compliance and prevent unauthorised access to systems
The Covid-19 pandemic has accelerated digital transformation projects, including the move to cloud. The figures speak for themselves: 90% of companies are embracing the technology in some way and 80% of IT budgets are now focused on cloud solutions.
But while cloud has increased agility and efficiency and cut costs for many firms, the speed with which organisations have approached migration has also opened up new cyber security risks.
One of the biggest issues linked with rapid cloud adoption is the resulting increase in privileged accounts and credentials, which can easily reach an unmanageable state. Covid-19 home working has added further complexity with some users managing critical infrastructure and development platforms, and others accessing a constantly changing set of web applications.
Adding to the risk, cloud users can bypass security best practices by sharing credentials, neglecting to change them regularly, or leaving them exposed, meaning that sometimes a password is the only security control keeping attackers from gaining unauthorised access.
Verizon’s 2020 Data Breach Investigations report, which found 77% of cloud breaches involve compromised credentials, should serve as an alarm call to any firm operating in the cloud. This highlights that traditional on-premise security solutions are not sufficient alone in protecting cloud environments and that the new security perimeter is with identities and privileged access.
As companies continue to focus on moving their remaining on-premises legacy systems to the cloud, addressing this growing security risk is an urgent priority. As part of this, privileged access management (PAM) is key.
If firms can build in stronger authentication, authorisation and access controls for users from the start, it will help to avoid vulnerabilities – and potential breaches – in the future.
Gaining privileged access management benefits
For many firms, the move to cloud is something that simply cannot be delayed as employees continue to work from home. So, as part of their continuing cloud migration, how can organisations address privileged access to protect sensitive data, ensure compliance and prevent unauthorised access to systems?
Visibility is at the heart of any cloud security strategy, and this needs to be constantly maintained. The occasional discovery scan of privileged accounts is not enough: it won’t offer you the visibility and control you need.
With this in mind, continuous discovery for all types of cloud accounts is vital. This approach will help ensure permissions are properly configured and appropriate oversight is in place.
Monitoring is another key part of securing cloud services. While the vast majority of users are trustworthy, it’s best practice to monitor and audit the behaviour of those accessing sensitive information and privileged accounts.
As part of a security program, companies should monitor network traffic for unusual activity, such as off-hours access, remote connections and other outbound activity. Firms can also surface signs of compromise by dynamically requiring additional security controls for privileged access, for example a zero-trust approach that demands continuous verification.
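To make the monitoring point concrete, here is an added example (not code from the article or from ThycoticCentrify) that runs simple detection logic over a handful of constructed privileged-access audit events. The log format, the business-hours window and the corporate address range are assumptions chosen for the illustration; a real deployment would read from the PAM solution's audit log and use its own baselines.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample audit events: "<timestamp> <user> <target> <source-ip> <result>".
# These are made up for the example and do not come from any real system.
SAMPLE_EVENTS = [
    "2021-03-02T09:15:00 alice admin-console 10.1.4.22 success",   # Tuesday, office hours, internal
    "2021-03-02T23:40:00 bob prod-db 10.1.7.9 success",            # Tuesday night, internal
    "2021-03-03T10:05:00 carol ci-runner 203.0.113.45 success",    # Wednesday, office hours, external
    "2021-03-03T03:12:00 dave prod-db 198.51.100.8 success",       # Wednesday early morning, external
    "2021-03-06T12:00:00 erin admin-console 10.1.4.30 success",    # Saturday, internal
]

# Assumed policy: privileged access is expected from the corporate network,
# on weekdays, between 08:00 and 19:00 local time.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_START = time(8, 0)
BUSINESS_END = time(19, 0)


def parse_event(line):
    """Split one audit line into its fields and parse the timestamp and address."""
    ts, user, target, src, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "target": target,
        "src": ipaddress.ip_address(src),
        "result": result,
    }


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def is_remote(src):
    """True when the source address is outside every corporate network range."""
    return not any(src in net for net in CORPORATE_NETS)


def find_anomalies(lines):
    """Return (user, target, reasons) for each event that deserves analyst review.

    Each reason is a label the article mentions: off-hours access or a remote
    (non-corporate) connection. Events matching neither are not returned.
    """
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = []
        if is_off_hours(event["ts"]):
            reasons.append("off-hours")
        if is_remote(event["src"]):
            reasons.append("remote-source")
        if reasons:
            findings.append((event["user"], event["target"], reasons))
    return findings


if __name__ == "__main__":
    for user, target, reasons in find_anomalies(SAMPLE_EVENTS):
        print(f"review: {user} -> {target} ({', '.join(reasons)})")
```

The flags are review triggers, not verdicts: the article's point is that a remote or off-hours privileged session should prompt a stronger control (re-authentication, approval, session recording), which is the zero-trust behaviour a PAM solution enforces dynamically.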
At the same time, it is important not to limit monitoring to employees only. Today, most companies will be engaging with third-party vendors in several ways – such as remote contractors working on time-limited projects, embedded contractors, or outsourced staff augmentation – and oversight of their privileged access is essential for auditability and accountability.
In the case of external partners, it is worth remembering that vendor security should be practiced both while the third party is actively employed with the organisation, and once the engagement is over. To help manage this, vendor privileged access management (VPAM) solutions can contain the risk, manage privileged access, rotate credentials and provide an audit trail to hold everyone accountable.
Meanwhile, in order to reduce the risks as much as possible and become more resilient, firms should never grant permanent privileged access. Many companies keep privileges in place for too long, neglect to expire passwords and accounts, and fail to remove privileges when projects end or people leave. Granting permanent privileged access violates the best practice principle of least privilege and introduces significant risk. It is best practice to use PAM solutions that enable an organisation to use real-time privileged access or on-demand privileged access.
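The on-demand model described above can be reduced to a small policy engine: every privileged grant carries an expiry, a policy caps how long a grant may live, the requester cannot approve their own request, and every decision is written to an audit trail. The following is an added illustration, not code from the article or any PAM product; the maximum lifetime, the approval rule and the in-memory store are assumptions made for the example.

```python
from datetime import datetime, timedelta


class JitAccessBroker:
    """Time-bound (just-in-time) privileged access with an audit trail.

    Illustrative only: grants live in memory and the clock is passed in
    explicitly so behaviour around expiry can be shown deterministically.
    """

    def __init__(self, max_ttl=timedelta(hours=2)):
        self.max_ttl = max_ttl          # assumed policy cap on any single grant
        self.grants = {}                # (user, resource) -> expiry datetime
        self.audit = []                 # (time, action, user, resource, detail)

    def request(self, user, resource, ttl, approver, now):
        """Grant access for `ttl` if policy allows; return True on success."""
        if ttl > self.max_ttl:
            self.audit.append((now, "denied", user, resource, "ttl exceeds policy"))
            return False
        if approver == user:
            self.audit.append((now, "denied", user, resource, "self-approval not allowed"))
            return False
        expiry = now + ttl
        self.grants[(user, resource)] = expiry
        self.audit.append((now, "granted", user, resource,
                           f"approved by {approver} until {expiry.isoformat()}"))
        return True

    def is_allowed(self, user, resource, now):
        """Check a live grant; lapsed grants are removed and logged on first use."""
        expiry = self.grants.get((user, resource))
        if expiry is None:
            return False
        if now >= expiry:
            del self.grants[(user, resource)]
            self.audit.append((now, "expired", user, resource, "grant lapsed"))
            return False
        return True

    def revoke(self, user, resource, now, reason):
        """Remove a grant early, e.g. when a project ends or a person leaves."""
        if self.grants.pop((user, resource), None) is not None:
            self.audit.append((now, "revoked", user, resource, reason))
            return True
        return False


def demo():
    """Walk through grant, use, expiry and early revocation; return the outcomes."""
    t0 = datetime(2021, 3, 2, 9, 0)      # constructed timestamps for the walkthrough
    broker = JitAccessBroker()
    results = {}
    results["too_long"] = broker.request("alice", "prod-db", timedelta(hours=8), "bob", t0)
    results["self_approved"] = broker.request("alice", "prod-db", timedelta(minutes=30), "alice", t0)
    results["granted"] = broker.request("alice", "prod-db", timedelta(minutes=30), "bob", t0)
    results["allowed_now"] = broker.is_allowed("alice", "prod-db", t0 + timedelta(minutes=10))
    results["allowed_later"] = broker.is_allowed("alice", "prod-db", t0 + timedelta(minutes=31))
    broker.request("carol", "ci-runner", timedelta(hours=1), "bob", t0)
    results["revoked"] = broker.revoke("carol", "ci-runner", t0 + timedelta(minutes=5), "contract ended")
    results["allowed_after_revoke"] = broker.is_allowed("carol", "ci-runner", t0 + timedelta(minutes=6))
    results["audit_actions"] = [entry[1] for entry in broker.audit]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The key property is that nothing here is permanent: a grant that is never explicitly removed still stops working at its expiry, which is exactly the failure mode (privileges left in place after projects end or people leave) the article warns about.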
Know your cloud responsibilities
When securing cloud, it is important that organisations know their responsibilities. A lot of firms fail to realise that the vast majority of cloud misconfigurations and inconsistent controls are the customer's fault, not the cloud provider's. However, such failures can sometimes result in joint liability, so it is in the cloud provider's best interest to help enable security best practices.
Yet it is on the company’s shoulders — not the cloud provider’s — to manage appropriate access and permissions for every identity and system that interacts with cloud-based systems.
These systems could include critical applications or databases stored in the cloud, platforms for application development, or tools used by the business or technical teams. Taking this into account, cloud access should be incorporated and audited using the same PAM policies, processes, and solutions used for the company as a whole.
Firms also need to plan for change. The average enterprise uses approximately 2,000 cloud services, an increase of 15% over last year, mainly due to SaaS growth.
With digital transformation projects rapidly gaining pace, this is where PAM can help. In DevOps organisations, where a broad range of cloud resources are continuously created, used and retired on a large scale, PAM helps by automating high-speed secret creation, archiving, retrieval and rotation.
During a time of increasing cyber-attacks, PAM makes the CISO's job a lot easier. Among the benefits, PAM helps CISOs to gain better visibility of the mixture of on-premises and multi-cloud environments, data and infrastructure, as well as of privileges in general.
PAM provides more granular controls across different environments through continuous authentication and authorisation. At the same time, a strong PAM strategy will ensure clearer auditability by making it easy to adhere to regulations and compliance.
Joseph Carson is chief security scientist, ThycoticCentrify. Joseph is a cyber security professional and ethical hacker with more than 25 years' experience in enterprise security, specialising in blockchain, endpoint security, network security, application security and virtualisation, access controls and privileged account management. Joseph is a Certified Information Systems Security Professional (CISSP) and an active member of the cyber security community, frequently speaking at cyber security conferences globally and often being quoted in and contributing to global cyber security publications. He is a cyber security advisor to several governments and to the critical infrastructure, financial, transportation and maritime industries.