As enterprises and organizations embrace multi-cloud and migrate their infrastructure and services to the cloud, the challenges of securing privileges and reducing risk are becoming more complex. Identities are becoming the largest threat vectors in the cloud.
79% of enterprises have had an identity-related breach within the past two years.
- IDSA Identity Security: A Work in Progress, 2020
Privileged Credential Misuse Is the Leading Cause of Data Breaches
Accelerated digital transformation and cloud migrations create more complexity in securing identities and their privileges. The last couple of years have shown us that there has never been more demand for cloud-first identity management solutions to secure and protect the hybrid IT infrastructure and data, including human and machine identities.
Why so, you ask?
Let's have a quick look at some recent high-profile, high-impact attacks in which the common factor was access to systems through compromised credentials. Such attacks are increasing in frequency, scale, and impact, and the damage often extends to colossal ransomware extortion or even life-threatening consequences.
- The recent ransomware attack on Colonial Pipeline highlights the importance of an always-on defensive posture for all government and critical infrastructure organizations. The suspected attackers are known to gain access by harvesting credentials and taking control of privileged accounts, for example through administrator RDP sessions. Colonial's swift actions helped contain the threat, but such incidents can become a major problem for a country or even the global economy.
- The SolarWinds supply-chain attack was a highly sophisticated identity-based attack. According to CISA's alert, "Incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services." The attackers were able to bypass multi-factor authentication and move laterally within the victims' environments. As a result, major tech firms and top government agencies were breached, and sensitive data was stolen.
- In February 2021, the water treatment plant in Oldsmar, Fla., was breached because of poor password security and outdated computer systems. Several computers at the plant had TeamViewer installed, and all of them shared the same password for remote access. Thankfully the attack was thwarted; otherwise it could have resulted in mass poisoning.
- One or more attackers compromised a Ubiquiti administrator's LastPass password-manager account and used it to gain remote, administrator-level access to the organization, including its AWS resources. The Ubiquiti breach shows how a single root-level credential covering all of the company's AWS accounts can leave millions of IoT devices deployed in corporations and homes susceptible to attack.
More than 77% of cloud breaches involve compromised credentials.
- 2020 Verizon Data Breach Report
There's no doubt that hybrid cloud environments give enterprises and organizations greater flexibility, agility, and control over their data. At the same time, however, the attack surface has expanded dramatically, with infrastructure and workloads spread across on-premises datacenters, private clouds, and one or more public clouds.
Increased identity complexity and risk result from the migration of thousands of Windows and Linux workloads into multi-cloud environments. Security gaps are widening due to unintended use of cloud infrastructure entitlements and limited visibility into which privileged credentials are secured and which are not. No wonder privileged credential misuse is emerging as the leading cause of data breaches.
The traditional approach of protecting access at the datacenter perimeter is no longer good enough. Organizations need to prioritize securing key assets from internal and external threats, focusing on prevention and on containment in the event of a breach. Security battles are being lost because of insufficient identity, privilege, and access management policies.
It can't be emphasized enough that cloud security is a shared responsibility between the organization and the cloud vendor.
Do you have robust identity-centric security controls in place to adequately protect access to your valuable data?
Best Practices and Recommendations on Securing Privileged Access in Cloud Environments
"There's broad consensus that a new approach to cybersecurity is needed – one grounded in Zero Trust."
National Security Agency guidance, Feb 2021
A comprehensive and modern approach to Privileged Access Management (PAM) can help keep your most sensitive credentials safe from abuse and reduce your cyber risk exposure. The goal is to raise the barrier to entry for threat actors or, better, block access outright with enterprise-wide authentication, access control, privilege management, and auditing.
Among the recommendations from CISA on cloud security best practices, these are the ones that stand out on identity management:
- Implement conditional access (CA) policies based upon your organization's needs.
Our recommendation is to secure shared accounts and remote access, grant just enough privilege, and audit all activity for human and machine identities. The overall goal is to remove static access to systems by providing just-enough, just-in-time access.
- Routinely review both Active Directory sign-in logs and unified audit logs for anomalous activity.
Our recommendation is to ensure full accountability for privileged actions within Active Directory. Many large organizations have standardized on Microsoft's Active Directory as their enterprise user store. A modern PAM solution such as Centrify PAM includes a multi-directory broker that can authenticate users in Active Directory, LDAP, Google Cloud Directory, Okta, or Centrify's own Directory Service.
- Enforce MFA. Implement MFA for all users, without exception.
Our recommendation for thwarting in-progress attacks in AWS is to consistently enforce MFA for AWS service management, both at login and at privilege elevation on EC2 instances. Overall, there must be identity assurance everywhere, especially on the server.
- Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and revoke session tokens.
Our recommendation is to practice end-to-end auditing and monitoring. Log and monitor both authorized and unauthorized activities.
- Follow recommended guidance on securing privileged access. Conditional access should be understood and implemented with a Zero Trust mindset.
Our recommendation is to go beyond basic PAM by implementing a zero standing privilege model. Centrify PAM is a modern PAM solution designed to protect your hybrid IT infrastructure and data. Designed for the cloud, it implements a least privilege access control model, aligning with Zero Trust and related best practices such as Gartner's Zero Standing Privileges.
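The CISA quote above names password spraying, and the recommendation to review sign-in logs for anomalous activity depends on being able to recognize it. The following is an added example (not code from the original page, nor from any Centrify product) of the detection logic a practitioner would run over sign-in logs: it groups failed sign-ins by source address and flags a source that fails against many distinct accounts with only one or two attempts each, the low-and-slow shape that slips under per-account lockout, then reports any later success from that source as the likely compromised account. The log line layout and the sample lines are constructed for the example; real sign-in logs need their own parser.

```python
"""Detect password spraying in sign-in logs.

Password spraying tries one or a few common passwords against many accounts,
so per-account lockout thresholds never fire.  The signal is therefore
per-source rather than per-account: one source address producing failed
sign-ins against many distinct accounts in a short window, with very few
attempts per account.  A success from the same source after the spray began
is the compromise indicator that should trigger the password-reset and
token-revocation procedures the text calls for.

The log format (ISO-8601 timestamp, source IP, account, result) is an
assumption made for this example, not any product's real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.5 is a legitimate user mistyping a password
# twice; 203.0.113.7 sprays one password across seven accounts and then
# succeeds against an eighth.
SAMPLE_LOG = """\
2021-05-10T08:00:01Z 10.0.0.5 alice FAILURE
2021-05-10T08:00:09Z 10.0.0.5 alice FAILURE
2021-05-10T08:00:15Z 10.0.0.5 alice SUCCESS
2021-05-10T08:01:00Z 203.0.113.7 alice FAILURE
2021-05-10T08:01:02Z 203.0.113.7 bob FAILURE
2021-05-10T08:01:04Z 203.0.113.7 carol FAILURE
2021-05-10T08:01:06Z 203.0.113.7 dave FAILURE
2021-05-10T08:01:08Z 203.0.113.7 erin FAILURE
2021-05-10T08:01:10Z 203.0.113.7 frank FAILURE
2021-05-10T08:01:12Z 203.0.113.7 grace FAILURE
2021-05-10T08:01:14Z 203.0.113.7 svc-backup SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return one finding per source that sprayed inside any `window`.

    A source is flagged when, within the window, it failed against at least
    `min_accounts` distinct accounts with no more than `max_per_account`
    failures against any single one.  For each source the finding with the
    most targeted accounts is kept.
    """
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e[0])
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[1]].append(ev)

    findings = []
    for source, evs in by_source.items():
        failures = [e for e in evs if e[3] == "FAILURE"]
        best = None
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward so it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, _, account, _ in failures[start:end + 1]:
                per_account[account] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                if best is None or len(per_account) > best["accounts_targeted"]:
                    window_start = failures[start][0]
                    # Any success from this source after the spray began is
                    # the account the spray most likely landed on.
                    landed = sorted({a for t, _, a, r in evs
                                     if r == "SUCCESS" and t >= window_start})
                    best = {
                        "source": source,
                        "window_start": window_start.isoformat(),
                        "window_end": failures[end][0].isoformat(),
                        "accounts_targeted": len(per_account),
                        "accounts": sorted(per_account),
                        "compromised": landed,
                    }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_LOG):
        print(finding)
```

On the sample, the legitimate user's two failures against a single account produce nothing, while 203.0.113.7 is reported with seven targeted accounts and `svc-backup` as the account it landed on. The thresholds are deliberately parameters: a spray run from many source addresses defeats the per-IP grouping, so in practice the same logic is also run keyed by ASN or by user-agent, and the `max_per_account` cap is what separates a spray from ordinary brute force against one account.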
Check out our report, Reducing Risk in Cloud Migrations, to learn how organizations view securing privileged access to cloud infrastructure and workloads.
Cloud identity security is vital to your organization's cyber defense strategy. Today's cloud-ready Privileged Access Management (PAM) must include Privileged Identity and Access Management, Multi-Factor Authentication as well as Privilege Threat Analytics. Invest in a reliable and scalable cloud-based identity access management SaaS solution as part of your multi-layered approach to cloud security. Adopting cloud-ready privileged access management software is essential in protecting access to workloads in the public cloud.
With a modern cloud-ready identity-centric privileged access management approach, you can:
- Benefit from the approach that is least expensive in terms of resources
- Deploy options for today's SaaS or customer-managed (on-premises, private cloud) environment
- Experience high scalability without synchronization, supporting multi-VPCs, multi-SaaS, and multi-directory use cases
- Reduce your overall security risks by applying Zero Trust Principles to stop privileged access abuse
Check out our webinar to learn how Cloud PAM can enable you to reduce identity-centric risks within your cloud environment.
ThycoticCentrify's market-leading privileged access management (PAM) solutions address the complexity and challenges of access and control of workloads in multi-cloud and hybrid environments. By leveraging existing enterprise identity infrastructure to enforce least privilege access at scale for humans and machines, our solutions are ready to meet the cybersecurity and access needs of the modern enterprise in the cloud and on-premises.
To learn more, visit our Cloud PAM micro-site: https://cloud-pam.centrify.com/.
CISA recommendations on cloud security practices: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-013
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.