By Manish Kalia, CEO, Orkus
As enterprises move their data and apps to the cloud, security controls that really “matter” are changing.
Enterprises used to focus on securing their network and infrastructure - assets that, in the cloud, they no longer own or control. What they still own is the data, which in the cloud becomes “objects” with their own set of access controls and associated permissions. While controlling access has always been key to security and compliance, in the cloud the controls that manage who has access to what, from where and how - a.k.a. Access Control and Authorization, or Access Management - don’t just move to the edge, they replace it, increasing their significance for cyberdefense.
Despite substantial innovations that have occurred in the identity space over the past five years, Access Management remains stuck in the stone age. In fact, the rapid proliferation of cloud platforms has made Access Control and Authorization much harder and more complex to manage. Changes happen way too often across way too many systems to tightly manage Access Control and Authorization across them all. Poorly managed Access Control and Authorization can lead to blind spots and access gaps that leave cloud assets exposed - exposure that invariably leads to unauthorized access.
Plus, the work culture that has arisen around the cloud compounds the problem by moving control away from IT. For example, because cloud systems are easy to manage and Agile development moves quickly, it’s DevOps teams - and not the security team - who create access and authorization policies for the data and apps in their workloads. In order to remain agile, access controls stay loose and excess privileges abound. The fast rate of change in the cloud, combined with loose access controls, makes unauthorized access inevitable.
If making Access Management work in the cloud wasn’t hard enough, compliance regulations such as GDPR raise the stakes of ineffective access controls even higher. GDPR requires any organization that collects or processes data for individuals residing in the EU to protect that data ‘by design and by default’ by maintaining access controls that can resist “accidental events or unlawful or malicious actions” that compromise data confidentiality. With GDPR fines reaching up to 20 million Euros or four percent of annual global turnover, ineffective access controls are likely to become as expensive as they are risky.
So how do we fix this? Like most other areas of cloud security, managing access and authorization needs to be automated and continuous. Add AI into the mix and you get the technological underpinnings for Access Governance - the ability to continuously monitor and adjust access and authorization controls to ensure secure access to cloud data, infrastructure and applications in real time. Cloud Access Governance enables enterprises to approach Access Control and Authorization in a way that, to date, has been more aspirational than operationally feasible, enabling security teams to:
Automate “Least privilege” access controls for everyone, including privileged users: The concept of least privilege refers to restricting access rights for users, accounts, and computing processes to the absolute minimum required for a given task. By automating Access Governance, least privilege controls can actually be sustainable because security teams will no longer have to speculate on what kind of access they think people need - they’ll have visibility into what access people have and correlate that against what they use, delivering a baseline for least privilege access controls that can be automated and adjusted as needed.
Learn and leverage access relationships and patterns: With the exploding amount of data and objects in the cloud, manually understanding and baselining access relationships and patterns is no longer possible. Cloud Access Governance enables organizations to learn and analyze access relationships at scale, in a continuous manner. AI models can be leveraged for automated analysis, providing unprecedented visibility into access and authorization activity.
Continuously monitor access and prevent unauthorized activity: Because change in the cloud is continuous, checking and verifying access and authorization controls twice a year is not sufficient. Controls need to be validated continuously and automatically, so unauthorized access can be detected and remediated in real time – before the damage is done.
Automate compliance, streamline audits and investigations: Audit and compliance benefits have become a checkbox item for security solutions, but they are often the most transparent and easiest to benchmark. Automation enables policy-driven controls and analytics to help auditors understand when and how access was provisioned and used, and how to create controls for complying with regulations such as GDPR, PCI and HIPAA. Access Governance platforms also enable investigation teams to easily query current and historical provisioning and usage and should include other advanced reporting capabilities.
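The “compare what people have against what they use” baseline described under least privilege above, and the continuous check for activity that no grant explains, as an added example that is not part of the original article or any Orkus product. It assumes constructed IAM-style grants (`service:Action`, `*` wildcards) and a constructed (principal, action) usage log; a real deployment would feed it from the cloud provider's policy inventory and audit trail.

```python
import fnmatch
from collections import defaultdict

# Constructed sample inventory: what each principal is granted. "*" wildcards
# (e.g. "iam:*") stand in for the broad grants that accumulate under Agile DevOps.
GRANTED = {
    "devops-ci":  ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "iam:*"],
    "analyst-jo": ["s3:GetObject", "s3:ListBucket"],
}

# Constructed usage log: (principal, action) pairs as an audit trail would record them.
USAGE_LOG = [
    ("devops-ci", "s3:GetObject"), ("devops-ci", "s3:PutObject"),
    ("devops-ci", "iam:PassRole"), ("analyst-jo", "s3:GetObject"),
    ("analyst-jo", "s3:PutObject"),   # used, but no grant explains it
]

def grant_covers(grant: str, action: str) -> bool:
    """True if an IAM-style grant matches an action; only '*' is used as a wildcard here."""
    return fnmatch.fnmatchcase(action, grant)

def least_privilege_review(granted: dict, usage_log: list) -> dict:
    """Correlate granted permissions with observed usage, per principal.

    For each principal returns:
      unused    - grants that no observed action exercised (candidates for removal)
      wildcards - wildcard grants that were exercised, but only by specific actions
                  (candidates for narrowing to those actions)
      baseline  - the explicit actions actually used: the least-privilege starting point
      ungranted - actions used that no grant covers: an inventory gap or unauthorized use
    """
    used = defaultdict(set)
    for principal, action in usage_log:
        used[principal].add(action)

    report = {}
    for principal, grants in granted.items():
        used_actions = used.get(principal, set())
        unused = [g for g in grants if not any(grant_covers(g, a) for a in used_actions)]
        wildcards = [g for g in grants if "*" in g and g not in unused]
        ungranted = sorted(a for a in used_actions if not any(grant_covers(g, a) for g in grants))
        report[principal] = {
            "unused": unused,
            "wildcards": wildcards,
            "baseline": sorted(used_actions),
            "ungranted": ungranted,
        }
    return report
```

Run continuously over a sliding window of the audit trail, `unused` and `wildcards` drive the automated tightening the article describes, while a non-empty `ungranted` list is the real-time signal for investigation.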
The old adage ‘the best defense is a good offense’ has endured for so long because it’s true. Whether internal or at the edge, Access Control and Authorization are fundamental security processes that needed a reboot to work in the cloud. Cloud Access Governance delivers much needed automation to an area of security in dire need of it, and in doing so takes access-related complexity off the table as an opportunity cost of cloud migration. It may not be possible to stop a determined hacker from accessing corporate resources, but Cloud Access Governance should make it a whole lot harder for them to do so.