The ‘Achilles Heel’ of cloud security: standing access privileges

Managing permissions

The always-on nature of the cloud has become a blessing and a curse. While it’s possible for people to access computing systems anytime and from anywhere, ubiquitous availability also translates directly into significant security risks.

The problem revolves around the concept of standing access privileges, which refers to permissions for human or machine identities that are granted on a continuous basis to specific resources, such as data repositories, software tools, databases, and network systems. The term “standing” gets used to indicate that these privileges are persistent, meaning they do not expire and remain in place until they are manually revoked or modified. While the practice has been rooted in convenience, it doesn’t take a cybersecurity pro to recognize that standing access can serve as an entry point for cyberattacks. It’s like handing over the keys to the front door.

Standing access has emerged as a critical security vulnerability, and it centers on two scenarios: administrators and other highly privileged users, and access to sensitive systems and environments by regular users. In the first scenario, privileged users should have access to sensitive resources only for the time necessary to perform the required tasks, an approach known as just-in-time (JIT) access. Unlike standing access, JIT privileges must be requested, approved, and audited, and they are revoked when the user completes the task.

On the flip side, security teams should apply JIT access to regular (non-privileged) users on the rare occasions when they need special access to sensitive resources, such as an AWS production environment, to perform a unique task. In this scenario, it's obviously important to control the entire process so that even if the user's credentials were compromised, an attack could not succeed.

Standing access becomes harder to manage as organizations accumulate cloud resources, since the ability to identify and understand exactly who and what uses a system or the data residing in it becomes murkier. If an attacker gains entry to a system using an administrative credential or the login of a regular user who has been granted elevated privileges, unfettered and unrestrained access to assets typically follows.

Permissions matter

Getting a handle on user permissions isn’t a point for debate. Humans represent the weakest link in any security chain and any gap translates into real-world risks. It’s particularly troubling with cloud security where the complexity of today’s environments—including multi-cloud frameworks that may hold thousands of identities and resources—makes managing permissions and access daunting.

On the other hand, approaching permissions from a Zero Standing Privileges (ZSP) perspective usually isn’t feasible—or even desirable. People require access to systems and data, and if an organization makes the task too onerous it chips away at business productivity—and potentially revenues.

Different cloud providers approach identity and permissions in different ways. For example, AWS suggests that organizations rely on automation whenever possible. This helps keep people away from systems that they shouldn't access. However, AWS also recommends using temporary elevated access, coupled with single sign-on (SSO), to further lock down system exposure.

Temporary elevated access, or JIT access, takes direct aim at standing permissions and is a good starting point for achieving a zero-trust security framework. Because it addresses a variety of issues, including request and approval workflows and records of requests and session activity, we get a fundamentally better framework for identity management and authorization within and across clouds. By gaining greater control over standing permissions and shrinking the attack surface, many of the risk factors that undermine security begin to evaporate.

Managing elevated access

Implementing JIT requires understanding who should be granted elevated access, how and when these permissions should take effect, and at what point a temporary elevation of privileges must terminate.

But it’s time-consuming for both developers and security teams to manage and provision granular JIT policies manually. The ping-pong of trying to determine which privileges are justified and what level of escalated permissions are required to perform a task can become a time and resource sinkhole.

JIT automation can relieve security staff from menial tasks and reduce friction by letting developers request and receive approved, time-limited elevated privileges on an as-needed basis. It also moves the organization one step closer to least privilege and to implementing a zero-trust strategy.

Security teams can achieve automation for JIT access by adopting a cloud infrastructure entitlement management (CIEM) layer. CIEM can deliver full visibility into the state of entitlements by maintaining an inventory of identities, resources, permissions and activities across multi-cloud environments. This global view lets CIEM manage and enforce least-privilege policies on a JIT basis.
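As an added illustration (not the article's, Ermetic's, or any cloud provider's code), the following Python models the JIT workflow described above, a request with a justification, approval by a second person, an expiry capped by policy, revocation when the task ends, and an audit trail, alongside the CIEM-style inventory sweep that flags entitlements with no expiry as standing access. The identities, roles and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Grant:
    identity: str
    role: str
    approver: str
    expires_at: Optional[datetime]  # None = standing access: never expires
    revoked: bool = False

class JitBroker:
    def __init__(self, max_duration: timedelta = timedelta(hours=1)):
        self.max_duration = max_duration  # hard cap on any elevation window
        self.grants: List[Grant] = []
        self.audit: List[str] = []        # append-only record of every decision

    def request(self, identity: str, role: str, justification: str, approver: str,
                now: datetime, duration: timedelta = timedelta(minutes=30)) -> Optional[Grant]:
        # Every elevation needs a stated reason and a second person to approve it.
        if not justification.strip():
            self.audit.append(f"DENY {identity}->{role}: missing justification")
            return None
        if approver == identity:
            self.audit.append(f"DENY {identity}->{role}: self-approval")
            return None
        grant = Grant(identity, role, approver, now + min(duration, self.max_duration))
        self.grants.append(grant)
        self.audit.append(f"GRANT {identity}->{role} by {approver} until "
                          f"{grant.expires_at.isoformat()}: {justification}")
        return grant

    def revoke(self, grant: Grant, now: datetime) -> None:
        # Task finished early: pull the privilege rather than wait for the clock.
        grant.revoked = True
        self.audit.append(f"REVOKE {grant.identity}->{grant.role} at {now.isoformat()}")

    def import_entitlement(self, identity: str, role: str) -> Grant:
        # Inventory entry pulled from the cloud with no expiry, i.e. legacy standing access.
        grant = Grant(identity, role, approver="(none)", expires_at=None)
        self.grants.append(grant)
        return grant

    def is_allowed(self, identity: str, role: str, now: datetime) -> bool:
        # Evaluated at every use: expired or revoked grants deny access.
        return any(g.identity == identity and g.role == role and not g.revoked
                   and (g.expires_at is None or now < g.expires_at) for g in self.grants)

    def standing_grants(self) -> List[Grant]:
        # CIEM-style sweep: live entitlements that never expire are the ones to retire.
        return [g for g in self.grants if g.expires_at is None and not g.revoked]
```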

As organizations venture deeper into the cloud—and deploy highly complex multi-cloud environments—migrating to a more sophisticated framework for permissions and access control isn’t simply a good idea, it’s crucial for eliminating standing access. Granular just-in-time elevated access makes it possible to protect assets from this Achilles Heel without security ever getting in the way of the business.

Arick Goomanovsky, chief business officer, Ermetic
