Managing identities in the cloud has been described as a “big mess” by many security pros – and that’s why SC Media decided to focus on this issue as we celebrate Data Privacy Day.
For starters, the comparatively orderly on-prem days, when all identities were managed in Microsoft Active Directory and network admins could locate an employee by an IP address inside the company's building, are long gone.
Instead, the move to the cloud, accelerated by the pandemic, pushed companies outside the building, where they now manage hundreds of applications and data sets, along with the permissions and access rights for all of those applications and data.
“For just AWS alone, a company may have 100 different applications,” said Frank Dickson, vice president for security and trust at IDC. “Someone may have access to Salesforce, but only to the files for their customers. So think about the exponential scaling of that complexity across multiple applications and you begin to understand how challenging managing identities in the cloud has become.”
Based on interviews with Dickson and other security pros, here’s a list of tips to consider for managing identities in the cloud.
- Invest in core identity technology. Dickson said once a company gets past 100 users, managing identity becomes unwieldy. Businesses need to invest in a tool such as Okta or Azure AD that can automate the management of all the cloud-based identities – and that’s especially true for large organizations with hundreds, if not thousands, of users.
- Consider cloud identity management tools for IaaS and SaaS. There’s no one-size-fits-all solution to managing identities in the cloud, said Dickson. There are products from the likes of CrowdStrike, Microsoft and Sonrai Security, for example, under the umbrella of cloud infrastructure entitlement management (CIEM), that let different teams and developers implement least privilege access at scale. CIEM lets security teams grant access to a specific segment of a public cloud environment, and it can do this across all the major public clouds, such as AWS, Azure and Google Cloud Platform. Then there are tools known as SaaS Detection and Response that help companies manage identities for SaaS applications. Vendors such as DoControl, Nudge Security, Palo Alto Networks, and Qualys offer such products.
- Ask pointed questions about cloud identities. Eric Kedrosky, chief information security officer at Sonrai Security, said security pros should start by asking the following questions: What are my identities? What data do I have? Who and what has access to sensitive data and what could they do? And finally, what are they doing with it? In a perfect world, companies need to have the capability to automatically inventory, classify, manage access and know what’s being done with the data. “And companies can’t do this every 10, 30 or 60 days,” said Kedrosky. “They need to know they can do this continuously.”
- Focus on non-person identities. Sonrai Security found that non-person identities (NPIs) outnumber human identities by a factor of 20. Non-person identities are items such as virtual machines, AWS roles, Lambda functions, and access keys – the infrastructure that makes the cloud tick. Kedrosky said that at this point, most companies are focusing only on human identities. They really need to check that these non-person identities don’t have access to sensitive data. Security teams need to inventory, classify, manage access and track data use the same way they would for human identities. Kedrosky said NPIs pose a risk because attackers can exploit them and use them as entryways into cloud environments. If an NPI has excessive permissions to data, it can potentially cause the company’s next breach.
- Extend MFA beyond the admin portal and SaaS apps for users. Most companies will use MFA for their admin portal and for SaaS apps. Yaron Kassner, chief technology officer at Silverfort, said organizations should start by using the best MFA possible. Don’t just settle for SMS text messages or even push notification solutions such as Google Authenticator. Investigate the number matching in Azure MFA, where the computer issues an authentication number and the user then enters that number into a mobile app. Kassner said companies also need to think about new products that can run MFA to authenticate identities for servers, virtual machines and appliances. Ransomware propagates across networks and computing infrastructure using tools such as PsExec and bash. Silverfort, ForgeRock, and TerraZone each offer one of these “agentless MFA” products that let security teams authenticate identities for computing infrastructure.
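The non-person identity tip above boils down to a repeatable check: inventory every role, function and key, then find the ones whose permissions reach sensitive data. The script below is an added illustration of that check and is not code from SC Media or any vendor quoted here. The NPI inventory, the list of sensitive data stores and the flagging rules are all constructed assumptions; the policy statements use the IAM JSON shape (Effect, Action, Resource) so a practitioner could point the same logic at real policy documents.

```python
"""Audit a constructed inventory of non-person identities (NPIs) for excessive
access to sensitive data stores. Added illustration only: the inventory, the
sensitive-data list and the flagging rules are all assumptions, not any
vendor's product logic."""
from fnmatch import fnmatchcase

# Constructed inventory of NPIs with IAM-style inline policy statements.
NPI_INVENTORY = [
    {"name": "lambda-report-generator", "kind": "lambda", "statements": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::reports-bucket/*"}]},
    {"name": "ci-deploy-role", "kind": "role", "statements": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"name": "legacy-export-key", "kind": "access_key", "statements": [
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::customer-pii/*"}]},
    {"name": "vm-metrics-agent", "kind": "instance_profile", "statements": [
        {"Effect": "Allow", "Action": ["cloudwatch:PutMetricData"], "Resource": "*"}]},
]

# Constructed classification of sensitive data stores (ARN -> label).
SENSITIVE_DATA = {
    "arn:aws:s3:::customer-pii/export.csv": "customer PII export",
    "arn:aws:dynamodb:us-east-1:123456789012:table/customers": "customers table",
}
# Representative data-plane actions; an NPI whose action globs cover any of these
# can read or write data, as opposed to, say, publishing metrics.
DATA_ACTIONS = ["s3:GetObject", "s3:PutObject", "dynamodb:GetItem", "dynamodb:Scan"]
DATA_SERVICES = {"s3", "dynamodb", "rds"}
ADMIN_FINDING = "admin-equivalent: Action * on Resource *"


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def audit_npi(npi):
    """Return human-readable findings for one NPI (empty list = looks least-privilege)."""
    findings = []
    for stmt in npi["statements"]:
        # Simplification: only Allow statements are scored. A real evaluator must also
        # apply explicit Deny statements, conditions and permission boundaries.
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(ADMIN_FINDING)
            continue
        for act in actions:
            service, _, verb = act.partition(":")
            if verb == "*" and service in DATA_SERVICES:
                findings.append(f"service-wide wildcard {act}")
        # Which data-plane actions do this statement's action globs cover?
        covered = [a for a in DATA_ACTIONS if any(fnmatchcase(a, g) for g in actions)]
        if not covered:
            continue  # e.g. metrics-only permissions, even on Resource "*"
        for arn, label in SENSITIVE_DATA.items():
            if any(fnmatchcase(arn, r) for r in resources):
                findings.append(f"can reach {label} ({arn}) via {', '.join(covered)}")
    return findings


def audit_inventory(inventory):
    """Map NPI name -> findings, keeping only the NPIs that need attention."""
    result = {}
    for npi in inventory:
        findings = audit_npi(npi)
        if findings:
            result[npi["name"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit_inventory(NPI_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as a script it reports only `ci-deploy-role` and `legacy-export-key`: the Lambda function that reads one reports bucket and the metrics agent with `Resource: "*"` but no data-plane actions both pass, which is the distinction a least-privilege review needs to make. Because this is a continuous-inventory problem, the same function would be run on every policy change rather than every 30 or 60 days.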
IDC’s Dickson points out that it’s “next to impossible” to have a breach without an identity issue. CrowdStrike estimates that 80% of breaches – eight in 10 – are identity-driven. With that context, Dickson said security teams need to look at more effective management of identities for cloud apps as a three to five-year project.