Planning a cloud migration? Get your identity privileges in check first
Cloud infrastructure is the foundation of most enterprises and any crack can cause significant damage. A great example of this is the 2017 AWS S3 outage, which was caused by an unauthorized administrator typing an incorrect command when trying to fix a billing system slowdown. The fact that the admin had access to a larger subsystem is what led to the problem that ultimately cost customers an estimated $150 million.
Unfortunately, the probability of identities intentionally or accidentally misusing privileges -- and a corresponding impact on business -- is going to increase greatly for enterprises embracing cloud. In May 2019, for example, a faulty database script deployed by Salesforce inadvertently gave all users full access to sensitive company and customer data, forcing the company to shut down its Marketing Cloud services for 15+ hours.
Enterprises are generally aware of the problem and want to fix it, but they rarely know where to start or what to do. A big pain point is that they don’t have the level of visibility required to understand what actions identities are authorized to perform on critical resources across multiple, complex and vastly different cloud operating models. As such, cloud migrations are an ideal time to prioritize identity privilege management.
Automation: Friend or Foe?
Cloud infrastructure has seen unprecedented and accelerating levels of automation over the past few years. This automation has given enterprises the ability to reach new heights in efficiency and scale. This type of automation -- when you can create or destroy a data center with a single script -- simply wasn’t possible 15 years ago. This newfound capacity comes with a price, including increased risk of accidents, insider threats and compromised credentials.
Additionally, automation has inadvertently created "Super Identities" with extraordinary power and responsibility. IT teams have gone from managing fewer than 100 to over 20,000 privileges across the four major cloud platforms. Of the 20,000, over fifty percent are defined as high-risk (e.g. can delete an S3 bucket), meaning that if the credentials of any one of these Super Identities fall into the wrong hands, the damage could be catastrophic.
Unfortunately, none of the leading providers are developing their own tools or solutions to combat the over-provisioning problem. Enterprises are forced to use manual processes to manage privileges based on static roles, whether they leverage vendor pre-defined roles or create custom roles based on assumptions rather than real identity activity data. Keeping up with the never-ending addition of new privileges, roles, resources and services across multiple cloud platforms is almost impossible, which is why pausing to take inventory of privileges before a migration -- where visibility across complex cloud operating models is at its maximum -- can help decrease risk down the road.
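As an added illustration (not code from the article or from CloudKnox), the following Python compares the privileges a role is granted with the actions its activity log shows it actually used, and flags high-risk grants that were never exercised. The IAM-style policy, the CloudTrail-style activity records and the high-risk action list are all constructed samples.

```python
# Added example: compare granted privileges against observed activity and
# report high-risk grants that were never used (candidates for removal).
import fnmatch
import json

# Constructed sample: an IAM-style policy granting broad S3 and some EC2 rights.
SAMPLE_POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:*", "ec2:Describe*", "ec2:TerminateInstances"],
     "Resource": "*"}
  ]
}""")

# Constructed sample: CloudTrail-style records of what the role actually did.
SAMPLE_ACTIVITY = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

# Assumed high-risk actions (illustrative list, not the article's own).
HIGH_RISK = {"s3:DeleteBucket", "ec2:TerminateInstances", "iam:AttachRolePolicy"}


def granted_patterns(policy):
    """Collect the Action patterns from every Allow statement."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def used_actions(activity):
    """Map eventSource/eventName pairs to 'service:Action' strings."""
    return {f"{r['eventSource'].split('.')[0]}:{r['eventName']}" for r in activity}


def is_granted(action, patterns):
    """True if any policy pattern (with IAM-style '*' wildcards) matches."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def unused_high_risk(policy, activity, high_risk=HIGH_RISK):
    """High-risk actions the policy allows but the activity never exercised."""
    patterns, used = granted_patterns(policy), used_actions(activity)
    return sorted(a for a in high_risk if is_granted(a, patterns) and a not in used)


if __name__ == "__main__":
    print(unused_high_risk(SAMPLE_POLICY, SAMPLE_ACTIVITY))
```

Run against real exported policies and activity logs, the same comparison gives the inventory the article recommends taking before a migration: the used set is the evidence for a right-sized role, and the flagged set is what to remove.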
Multi-Cloud Increases Complexity
With multi-cloud, companies aren’t just moving their apps, but also transforming architectures from monolithic to microservices. With this comes numerous cloud identity privilege considerations and security implications. For example, as an organization grows and adds new services and infrastructure types, correct authorization policies must also remain intact. It is vital to understand how privileges will be provisioned and maintained across all systems, both during and after the migration process, in order to avoid risk.
Many big enterprises now accept cloud as the norm and are looking for strategies to secure both private and public clouds with one solution. Most organizations are not going to migrate one hundred percent of their applications to public cloud, which forces cloud security vendors to deliver solutions that provide a seamless multi-cloud experience. This further blurs the definition of the security perimeter, effectively making "identities" the new perimeter -- a trend Gartner has predicted for 2019.
Invest in Privileged Identity Management First to Avoid Common Pitfalls
Identity privilege management should be a central part of any organization's larger security program. Without it, organizations can’t combat the full range of threats to cloud infrastructure, including accidental and intentional privileged credential misuse. By investing in identity privilege management before a cloud migration, CISOs can ensure proper authorization controls are in place once the switch is complete.
Balaji Parimi is Founder and CEO of CloudKnox Security, a Cloud Security company that empowers organizations to manage identity privileges across private and public cloud infrastructure. Prior to founding CloudKnox, Balaji was VP of Engineering and Operations at CloudPhysics, Staff Engineer at VMware, Architect and Technical Lead at 8X8, and Senior Software Engineer at Quality Call Solutions.