By Shweta Khare, ThycoticCentrify
As enterprises and organizations migrate infrastructure and workloads to the cloud or multi-cloud platforms, the challenges of securing privileges and reducing risk become complex. Identities are the most significant threat vector in the cloud.
Privileged Credential Misuse Is The Leading Cause Of Data Breaches
Accelerated digital transformation and cloud migrations create more complexity in securing identities and related privileges. With 79% of enterprises having an identity-related breach within the past two years, there has never been more demand for cloud-first identity management solutions to secure and protect the hybrid IT infrastructure and data, including human and machine identities.
Recently, high-profile and high-value attacks occurred where the common factor was access to systems due to compromised credentials. The impact of such attacks comes in the form of damaged reputation or shareholder value, poor credit standing due to identity theft, or lower market share due to IP theft, colossal ransomware extortion costs, or even risk to life.
- The ransomware cyberattack on the Colonial Pipeline highlights the importance of establishing a forever-on cybersecurity defensive posture for all government and critical infrastructure organizations. The suspected attackers have a history of harvesting privileged credentials used to gain access to administrative RDP sessions.
- According to CISA's alert on the SolarWinds supply chain attack, "Incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services." The attackers were able to bypass multi-factor authentication and move laterally within the system, stealing sensitive data.
- An Oldsmar, Fla., water treatment plant was breached because of poor password security and outdated computer systems. Several computers in the plant had TeamViewer installed, and all machines shared the same password for remote access. The attack was thwarted, which otherwise could have resulted in mass poisoning.
- One or more attackers compromised a Ubiquiti administrator's password management account and gained remote, administrator-level access, including its AWS resources. This breach illustrates how single root access to all Ubiquiti AWS accounts makes millions of IoT devices deployed in corporations and homes susceptible to attack.
Although privileged access management has been around for some time, these breaches highlight that not much has changed. Security battles are being lost because of insufficient identity, privilege, and access management policies and controls.
Access Management Challenges In The Hybrid And Multi-Cloud Environments
Hybrid cloud environments give enterprises and organizations business benefits like greater flexibility, agility, and control over data. At the same time, the attack surface has expanded exponentially with infrastructure and workloads on-premises, in private clouds, public clouds, or multiple cloud-hosted environments.
Increased identity complexity and risk result from the migration of thousands of Windows and Linux workloads into multi-cloud environments. Security gaps are widening due to unintended use of cloud infrastructure entitlements and limited visibility into which privileged credentials are secured and which are not. According to Verizon’s Data Breach Investigations Report, 77% of cloud breaches involve compromised credentials.
The traditional approach of protecting access to the data center and the network perimeter is no longer effective. Organizations need to prioritize securing critical assets from internal and external threats, focusing on prevention and on containment in the event of a breach.
There is light at the end of the tunnel. PAM innovations and modern best-practice models such as Zero Trust and zero standing privileges help organizations apply identity-centric PAM principles more effectively to protect hybrid cloud environments. Zero Trust helps organizations ensure that access to compute (on-premises or in the cloud), network, DevOps, and data resources is appropriate, sanctioned, compliant, and secure.
Given that most cyberattacks on cloud environments involve compromised privileged credentials, it is in the best interest of organizations to approach cybersecurity from the identity-centric perspective.
Best Practices And Recommendations On Securing Privileged Access In Cloud Environments
A comprehensive and modern approach to PAM can keep the most sensitive credentials safe from abuse and reduce the risk of exposure. The goal is to reduce or block identity-related breaches and attacks through enterprisewide authentication, access control, privilege management, and auditing.
Among the recommendations from CISA on cloud security best practices, there are quite a few on identity management that align with recommendations we share with customers and prospects:
- Implement conditional access (CA) policies based upon the organization's needs.
Secure shared accounts and remote access, grant just enough privilege, and audit all activity for human and machine identities. The overall goal is to remove static access to systems by providing just-enough and just-in-time access.
- Routinely review both Active Directory sign-in logs and unified audit logs for anomalous activity.
Many large organizations have standardized on Microsoft Active Directory as the enterprise user store. To ensure full accountability for privileged actions within it, a modern PAM solution should include a multi-directory broker to authenticate users.
- Enforce MFA. Implement MFA for all users, without exception.
A key control for thwarting in-progress attacks in AWS is to consistently enforce MFA for AWS service management at login and for privilege elevation on EC2 instances. Overall, there must be identity assurance everywhere, especially on the server.
- Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and revoke session tokens.
Go beyond just-in-time PAM to enforce just enough privilege, meaning that privileges are restricted so that the user only gets access to specific systems, applications, and commands they need to work on and nothing else. This keeps the threat actors from moving laterally throughout the enterprise. As a mitigation plan, practice end-to-end auditing and monitoring. Log and monitor both authorized and unauthorized activities.
- Follow recommended guidance on securing privileged access. Conditional access should be understood and implemented with a Zero Trust mindset.
A zero standing privileges model goes beyond basic PAM; it is a modern PAM approach designed to protect hybrid IT infrastructure and data. It implements a least-privilege access control model specifically for the cloud, aligning with Zero Trust and related best practices such as Gartner's Zero Standing Privileges.
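The CISA alert quoted earlier names password spraying as an initial-access technique, and the log-review recommendation above is where a defender would catch it. As an added example (not code from the article or from ThycoticCentrify), the following Python flags a spray pattern in constructed sign-in log records: one source failing against many distinct accounts inside a short window, with any success from that source in the same window surfaced as the credential to reset first. The log format, thresholds, and IP addresses are assumptions made for the example.

```python
# Added example, not from the original article. Detects a password-spraying
# pattern in sign-in logs: few failures per account but many accounts
# targeted from one source within a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: timestamp, source IP, user, result.
SAMPLE_LOG = """\
2021-06-01T08:00:01Z 203.0.113.7 alice FAILURE
2021-06-01T08:00:03Z 203.0.113.7 bob FAILURE
2021-06-01T08:00:05Z 203.0.113.7 carol FAILURE
2021-06-01T08:00:07Z 203.0.113.7 dave FAILURE
2021-06-01T08:00:09Z 203.0.113.7 erin FAILURE
2021-06-01T08:00:11Z 203.0.113.7 frank SUCCESS
2021-06-01T08:05:00Z 198.51.100.2 alice FAILURE
2021-06-01T08:05:30Z 198.51.100.2 alice SUCCESS
2021-06-01T09:30:00Z 203.0.113.7 grace FAILURE
"""

def parse_events(text):
    """Parse the assumed whitespace-separated format into (time, src, user, result)."""
    events = []
    for line in text.strip().splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {src_ip: {"accounts": [...], "succeeded": [...]}} for every source
    whose failures within one sliding window cover >= min_accounts distinct users.
    "succeeded" lists accounts that logged in from that source during or just
    after the spray: the ones whose passwords and tokens need resetting first."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAILURE"]
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e[0] - first[0] <= window]
            targeted = sorted({e[2] for e in in_window})
            if len(targeted) >= min_accounts:
                end = in_window[-1][0] + window
                succeeded = sorted({e[2] for e in evs
                                    if e[3] == "SUCCESS" and first[0] <= e[0] <= end})
                findings[src] = {"accounts": targeted, "succeeded": succeeded}
                break  # one finding per source is enough to trigger response
    return findings
```

A lone user retrying their own password (198.51.100.2 above) never reaches the distinct-account threshold, so ordinary typos do not page anyone.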
As organizations adopt cloud security solutions and progress up the PAM maturity ramp, there are advanced features to consider, such as federated single sign-on, flexible deployment through a hub-and-spoke architecture, continuous discovery, visibility, reporting, session recording, and IAM for container orchestration. Cloud access security is vital to an organization's cyber defense strategy. Today's cloud-ready PAM must include privileged identity and access management, multi-factor authentication, and privilege threat analytics. Using a reliable and scalable cloud-based identity access management solution as part of a multi-layered approach to cloud security can help mitigate organizational risk.
About The Author
Shweta Khare is senior product marketing manager at ThycoticCentrify.
CISA recommendations on cloud security practices: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-013a