Tenable Blog

Identities: The Connective Tissue for Security in the Cloud

Almost everything in the cloud is one excess privilege or misconfiguration away from exposure. Proper cloud posture and entitlement management can help mitigate risk and eliminate toxic combinations.

When implementing and configuring a cloud security solution, it’s easy to get overwhelmed by the sheer volume of “things” to monitor: web applications running on Kubernetes infrastructure, the underlying IaaS and container resources, the identities (both human and machine) that access them, and more. Cloud security teams must manage each resource's service identity, as well as scan the resources themselves for vulnerabilities and misconfigurations. Because there are so many things to monitor, organizations often look to tools and point solutions to help combat these threat vectors. Many have ended up with an alphabet soup of security acronyms in their environments and, as a result, rack up huge costs trying to configure and implement all these disparate products.

Often, each tool produces its own plethora of security findings and works from different criticality metrics. So, even with technically advanced tooling, security teams are sent back to spreadsheet hell to try to reconcile and prioritize all of the findings. 

The significance of securing identities in the cloud 

To implement a more effective security strategy, you must start by isolating what threat actors are trying to achieve when breaching cloud infrastructure. Recently, it’s become clear that almost all cloud breaches are leveraging misconfigured identities and entitlements. The Identity Defined Security Alliance (IDSA) survey “2022 Trends in Securing Digital Identities” found that 84% of companies suffered an identity-related breach in the 12 months covered by the study. Why? Not just because identities are so deeply intertwined into everything we run and build in the cloud, but because it’s an incredibly complex problem to solve. There are so many variables at play when trying to truly understand risks associated with identity management.

Regardless of whether the entry point is a public Amazon EC2 instance with known exploitable vulnerabilities or infrastructure misconfigured by hand or through code, once a cloud exposure is exploited, attackers immediately go after an identity. They test its entitlements in order to move laterally or escalate privileges in an attempt to access sensitive data and other resources. Identity is the perimeter in the cloud and, because of its far-reaching impact, identity and entitlement security should be the foundation of a holistic cloud security program.

Understanding service vs. human identities

When securing identities, it’s important to understand the difference between service and human identities, and the different approaches to securing each, in order to achieve the principle of least privilege. Service identities are meant to serve workloads and operate on a consistent and predictable basis. Comparing the permissions that are assigned with those that are actually used is essential to understanding an identity’s “effective permissions.” Because service identities are programmed for a specific purpose and their requirements seldom change, it’s possible to right-size their permissions to the bare minimum based on observed activity – the principle of least privilege.
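The assigned-versus-used comparison described above, as an added example that is not Tenable's code and not the output of any product named on this page. It takes a constructed, over-permissive IAM-style policy and a constructed audit-log extract (the shape of a CloudTrail export, reduced to the fields needed), counts which granted actions were actually exercised, drops the unused grants, narrows wildcards such as `dynamodb:*` to the actions observed, and emits the right-sized policy. Failed calls (for example an `AccessDenied` event) are attempts, not use, and are deliberately excluded. The action naming convention and all sample values are assumptions for the example.

```python
"""Right-size a service identity's permissions from observed activity.

Added example (not Tenable's code): compares the actions a policy grants with
the actions the identity actually used, drops unused grants and narrows wildcards.
"""
from __future__ import annotations

import fnmatch
from collections import Counter

# Constructed sample: an over-permissive policy attached to a workload role.
# Action names follow the "service:Action" convention; the resources are made up.
ASSIGNED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "iam:CreateUser"], "Resource": "*"},
    ],
}

# Constructed sample activity, reduced to the fields an audit-log export (e.g. a
# CloudTrail dump) carries: the calling service, the API name, and any error.
ACTIVITY_LOG = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": None},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": None},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "errorCode": None},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem", "errorCode": None},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "Query", "errorCode": None},
    # A denied call is an attempt, not a used permission: it must not be granted.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "errorCode": "AccessDenied"},
]


def action_from_event(event: dict) -> str:
    """Map an audit event to its IAM-style action name, e.g. s3:GetObject."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def used_actions(log: list[dict]) -> Counter:
    """Count successful calls per action; failed calls are not evidence of use."""
    return Counter(action_from_event(e) for e in log if not e.get("errorCode"))


def _as_list(value) -> list[str]:
    return [value] if isinstance(value, str) else list(value)


def right_size(policy: dict, log: list[dict]) -> dict:
    """Return the narrowed policy plus the grants dropped and wildcards narrowed.

    Each granted action pattern is compared with the observed actions:
      - an exact action that was never used is dropped;
      - a wildcard (e.g. dynamodb:*) is narrowed to the actions actually seen,
        or dropped if none of them were used.
    The result is only as good as the activity window: it must cover a full
    cycle of the workload's behaviour (including any periodic jobs).
    """
    used = used_actions(log)
    keep: dict[str, set[str]] = {}      # resource -> exact actions that were used
    unused: list[str] = []
    narrowed: dict[str, list[str]] = {}

    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are left alone; only grants are right-sized
        resource = stmt["Resource"]
        for pattern in _as_list(stmt["Action"]):
            matched = sorted(a for a in used if fnmatch.fnmatchcase(a, pattern))
            if not matched:
                unused.append(pattern)
                continue
            if any(ch in pattern for ch in "*?"):
                narrowed[pattern] = matched
            keep.setdefault(resource, set()).update(matched)

    new_policy = {
        "Version": policy.get("Version", "2012-10-17"),
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
            for resource, actions in keep.items()
        ],
    }
    return {"policy": new_policy, "unused": unused, "narrowed": narrowed, "usage": dict(used)}


if __name__ == "__main__":
    import json

    result = right_size(ASSIGNED_POLICY, ACTIVITY_LOG)
    print("Unused grants to remove:", result["unused"])
    print("Wildcards narrowed:", result["narrowed"])
    print(json.dumps(result["policy"], indent=2))
```

On the constructed input the four grants never exercised (`s3:DeleteObject`, `s3:ListBucket`, `iam:PassRole`, `iam:CreateUser`) are reported for removal, and `dynamodb:*` collapses to the two item-level calls that were actually made. In a real programme the `ACTIVITY_LOG` would be the identity's audit trail over an observation window, and the emitted policy would be reviewed before being applied.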

In contrast, human identities are made to be used by real people. This makes them unpredictable and it becomes challenging to right-size permissions for specific resources and actions especially when ad-hoc tasks arise. To execute on zero trust, implementing an integrated just-in-time (JIT) access program is the key. No organization can completely eliminate all access into the cloud by human users. That’s not realistic. Here’s a way to massively reduce risks associated with human identities: Give DevOps teams the ability to programmatically request short-term access to the cloud for specific tasks in critical environments and make sure that this short-term access workflow integrates into existing communication tools like Slack, Microsoft Teams and more. 

Security programs that don’t account for these differences can cause toil and friction between DevOps and IT teams. Delivering on the promise of DevSecOps means making sure security is embedded into workflows in a way that is scalable. This is where integrated Cloud Infrastructure Entitlement Management (CIEM) and Cloud Native Application Protection Platforms (CNAPP) tools can come into play. Integration between these tools can give you visibility and control over cloud infrastructure, Kubernetes, containers, infrastructure as code (IaC), identities, workloads and more.

Look for the following in integrated CNAPP and CIEM security solutions: 

  • Entitlement insight and visualization: As the old security adage goes, you cannot secure what you cannot see. Accurate multi-cloud visibility into resources, permissions and their activity is an essential starting point. 
  • Ongoing risk assessment: You need to continuously monitor the cloud environment to detect and assess risk factors such as network exposure, misconfigurations, risky permissions, exposed secrets, and identity-related threats, including anomalous data access.
  • Enforcing the principle of least privilege: Integrated tooling should be able to automate permissions guardrails through least-privilege policies.
  • Streamlined remediation: If you know where the risks are, it should be easy to remediate them in the tool with the opportunity to automate wherever it makes sense for your security strategy. 
  • Developer-centric access control: Take the frustration out of security for DevOps teams by providing them with the tools to empower them to integrate security into their workflows. 

Combatting alert fatigue with context

While many security teams spend time tuning controls and policies in order to combat alert overload, a better way is to integrate security tools like CNAPP and CIEM into a single platform that delivers rich context across the attack surface. With integrated security tooling, you’re able to standardize on what “critical” truly means and better understand the attack pathways that attackers can leverage to cause damage in your cloud environment. Plus, it’s much easier to update when new threats and zero-days are discovered.

For example, you might have 100 publicly accessible workloads running in a cloud environment, but only 10 of them have critical vulnerabilities and only five of those have critical vulnerabilities and high privileges. This context gives security teams insight into where they should put their efforts based on what is most likely to be exploited. Too often security teams end up trying to address all 100 public workloads because point solutions lack the integration and identity-focused context needed to efficiently address threats. 
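The 100/10/5 narrowing described above, as an added example that is not Tenable's code. It runs over a constructed inventory of seven workloads, each carrying the three attributes the paragraph combines (internet exposure, vulnerability severities, and the effective actions of the attached identity), classifies each one into nested tiers, and produces a triage order with the toxic combinations first. The "high privilege" heuristic (a full wildcard or any IAM action) and every workload in the inventory are assumptions for the example.

```python
"""Triage cloud workloads by toxic combination: public exposure + critical
vulnerability + high-privilege identity. Added example, not Tenable's code."""
from __future__ import annotations

from dataclasses import dataclass

# Assumption for this example: an identity is "high privilege" if it holds a
# full wildcard or can act on IAM itself. Real CIEM tooling uses richer models.
FULL_WILDCARDS = {"*", "*:*"}

TIER_ORDER = {"toxic": 0, "public_critical": 1, "public": 2, "internal": 3}


def is_high_privilege(action: str) -> bool:
    return action in FULL_WILDCARDS or action.startswith("iam:")


@dataclass
class Workload:
    name: str
    public: bool                  # reachable from the internet
    vuln_severities: list[str]    # findings on the workload, e.g. ["critical", "high"]
    effective_actions: list[str]  # what the attached identity can actually do

    @property
    def has_critical_vuln(self) -> bool:
        return "critical" in self.vuln_severities

    @property
    def high_privilege(self) -> bool:
        return any(is_high_privilege(a) for a in self.effective_actions)


def classify(w: Workload) -> str:
    """Place a workload in the narrowest tier it qualifies for.

    Tiers nest exactly as the text describes: every toxic workload is also
    public + critical, and every public + critical workload is also public.
    """
    if w.public and w.has_critical_vuln and w.high_privilege:
        return "toxic"
    if w.public and w.has_critical_vuln:
        return "public_critical"
    if w.public:
        return "public"
    return "internal"


def summary(workloads: list[Workload]) -> dict[str, int]:
    """Cumulative counts in the 100 / 10 / 5 shape used in the text."""
    tiers = [classify(w) for w in workloads]
    return {
        "public": sum(t != "internal" for t in tiers),
        "public_critical": sum(t in ("toxic", "public_critical") for t in tiers),
        "toxic": tiers.count("toxic"),
    }


def triage(workloads: list[Workload]) -> list[tuple[str, str]]:
    """Order workloads so the ones most likely to be exploited come first."""
    ranked = sorted(workloads, key=lambda w: (TIER_ORDER[classify(w)], w.name))
    return [(w.name, classify(w)) for w in ranked]


# Constructed inventory (every entry is made up for the example).
INVENTORY = [
    Workload("web-frontend", True, ["high", "medium"], ["s3:GetObject"]),
    Workload("api-gateway", True, ["critical"], ["dynamodb:GetItem"]),
    Workload("batch-runner", True, ["critical", "high"], ["*"]),
    Workload("admin-console", True, ["critical"], ["iam:PassRole", "ec2:DescribeInstances"]),
    Workload("legacy-cms", True, ["critical"], ["s3:*"]),
    # Not public, but critical + admin: a lateral-movement target, not a first hop.
    Workload("internal-db", False, ["critical"], ["*"]),
    Workload("metrics-agent", False, [], ["cloudwatch:PutMetricData"]),
]


if __name__ == "__main__":
    print(summary(INVENTORY))
    for name, tier in triage(INVENTORY):
        print(f"{tier:16} {name}")
```

On this inventory five workloads are public, four of those carry a critical vulnerability, and two of those also run with a high-privilege identity, so the triage order puts `admin-console` and `batch-runner` ahead of everything else. The non-public `internal-db`, despite being critical and over-privileged, lands in the last tier because it is not an initial foothold; a fuller model would raise it once an identity that can reach it is compromised.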

Integrated capabilities to understand risk and exposure are important. And they make sense not just from an infrastructure or vulnerability perspective, but as a way to look at it all together and dynamically adjust risk scoring based on what’s actually happening in your environment. 

For more information on securing identities in the cloud watch the on-demand webinar "Managing Security Posture and Entitlements in the Cloud."
