As cloud becomes the norm rather than the exception, identity -- specifically, privilege allocation -- is still the elephant in the room. Organizations are creating more complex cloud infrastructures even as they employ a wider variety of services. But they are also finding themselves saddled with overly permissive privilege models.
The principle of least privilege -- a cornerstone in on-site identity and access management (IAM) -- should be extended to the cloud to maintain security and ensure users and devices only have access to those resources necessary to complete their jobs.
Fortunately, there are a variety of cloud least privilege practices organizations can implement and manage to address the elephant in the room.
Control and manage cloud policies
The biggest issue organizations face is how easy cloud policies make it to allocate privileges. For many years, security professionals have railed against the overallocation of privileges to servers and applications on site. It's also always true that job functions are easier to fulfill as the root or admin user. But that isn't secure.
This is a common problem in the cloud too. DevOps and cloud engineering teams often deploy infrastructure whose identity policies "just work" but are entirely too permissive.
To counteract privilege creep in the cloud and other cloud access security pitfalls, security teams should do the following:
- Monitor with cloud-native policy analysis services. Enable and monitor all cloud-native security services that analyze cloud IAM policies and provide alerting and guidance on privilege reduction. These include AWS IAM Access Analyzer, Google Cloud Policy Analyzer for IAM and Azure role-based access control policy analytics in Azure Policy. Such services provide insight and reporting into what privileges are defined, where they're allocated and how current privilege levels could be reduced to improve security.
- Use cloud security posture management (CSPM). Consider a CSPM service that integrates with IaaS and PaaS clouds used by the organization and continually scans for configuration issues and vulnerabilities -- which can easily include IAM policies.
- Secure SaaS with a CSPM, SaaS security posture management (SSPM) or cloud access security broker (CASB). For SaaS clouds, use a CSPM, SSPM or CASB that can help identify any vulnerabilities in how privileges are allocated.
- Evaluate cloud security analysis platforms. Consider a dedicated cloud security analysis platform that focuses on identity. These may not technically fall into the CSPM or SSPM categories. But they can analyze the entire set of interrelated policies defined and implemented within a cloud environment.
Consider cloud provider privileged identity management tools
Major cloud providers are increasingly offering easy-to-implement privilege management tools that are tightly integrated with their core services. Azure AD Privileged Identity Management, for example, features just-in-time access for administrators with time limits on sessions, manager approval (if desired), granular logging and auditing, automated alerting and access review reports for admin access. Similar stacks that rely on least privilege in the cloud are available from other large providers.
Administrator access to the cloud should include the following:
- Short-term access governed by just-in-time conditional access that takes user location, endpoint and behavior into account. Step-up authentication ensures only valid admins access the cloud environment.
- Multifactor authentication (MFA) that is flexible and integrated with access management options such as federation and single sign-on.
- Extensive logging and monitoring for all admin access through native logging engines, such as AWS CloudTrail, Azure Monitor or Google Cloud Logging.
MFA and other privileged access impediments can hamstring DevOps and engineering teams that need more automated workflows. In these cases, a secrets management platform that features real-time privilege allocation for builds and deployments likely makes the most sense.
Many API-integrated services are available for both on-premises and cloud-based pipelines that help security teams define and implement automated privilege allocation, revocation and monitoring for pipeline activities. Any changes to the defined policies within these platforms should require MFA or put other access restrictions in place, such as location-based access.