Cloud Identities and the Not So Long and Slightly Winding Road to Governance
A look at Forrester’s roadmap for the deployment and use of CIG to decrease the cloud threat surface and the costs of cloud data protection.
Cloud infrastructures (IaaS/PaaS) are complex systems with thousands of moving parts and complicated security policies connecting humans and machines in an intricate web. As the number of possible policies and combinations has grown exponentially, fine-tuning and managing access entitlements is no longer something that one person can handle manually. But it remains a crucial piece of an organization’s security plan, and one that is getting harder and harder to reel in. In fact, according to Gartner, through 2023, 75% of cloud security failures will result from inadequate management of identities, access and privileges.
So what’s the problem with overprivileged identities? With too many privileges, human and machine identities can, intentionally or unknowingly, make unauthorized changes in the environment and even grant unauthorized administrator privileges to other identities. In the wrong hands, overprivileged identities can be used to steal data.
Forrester has released a roadmap for the deployment and use of Cloud Identity Governance (CIG) solutions to decrease the cloud threat surface and the costs of cloud data protection. In this article, we will take a look at their proposal.
What is Cloud Identity Governance?
Cloud Identity Governance solutions are also known as Cloud Infrastructure Entitlement Management (CIEM) solutions and are leveraged to automate detection, analysis and mitigation of access risk (you can find extended information on What Is CIEM here). According to Forrester, organizations use CIG solutions to track performance, allocate resources and modify access to cloud services in a robust cloud identity management context.
In an enterprise cloud infrastructure environment, manual entitlement management is impossible. Cloud infrastructure is highly dynamic, extremely complex, and generally deployed by developers rather than security teams. This leads to excessive permissions and privileges that significantly expand the attack surface of your cloud as well as the blast radius in case of a breach. CIG offers a way for organizations to automate and streamline identities and entitlements across their environments.
It’s as easy as 1-2-3…4!
Ensuring a seamless rollout requires detailed planning because identities and the policies attached to them impact so many different aspects of the cloud environment, its operation and its availability.
According to a recent report by Forrester, successful organizations follow four steps when deploying a CIG roadmap:
- Prepare, by building a governance process involving the right stakeholders and mapping out compliance requirements
- Identify the data and environments needing protection
- Monitor the cloud
- Take action
Preparation is key
One of the most important components of a successful CIG deployment is the input and support of key stakeholders. Map out who you need to hear from and build a coalition, from DevOps to IAM to compliance to third parties and more. The project will never be successful without their input, and certainly not without their support.
Once you’ve assembled the team of stakeholders giving input and feedback, find out what the compliance and growth plans are. CIG can play a significant role in satisfying compliance requirements including HIPAA, PCI DSS, GLBA and more, and any plans to scale up or out should be factored into the roadmap for CIG success.
Identify what to protect
Once you’ve gotten your dream team assembled, work together to determine what assets need protection and what their points of protection are. At the top of the priority list should be determining what sensitive and personal data exists, and which environments and applications use or process that data.
After prioritizing environments and data that need to be protected, map out which identities – both human and machine – have access rights for compute, storage and network resources. Forrester warns: “Pay special attention to machine identities (calling programs, API-based access, etc.) as these are often high-power ones. Given the complexity, inheritance, and overly excessive default privileges generally, use a CIG tool to map out AWS identity access.”
Once you’ve identified the identities and their access privileges, investigate access patterns to compute, storage and network resources. Identity governance solutions receive data from cloud logging environments to “help understand not only how identities accessed compute, storage, network, serverless/lambda function policies and what they did but also how identities may have changed permissions and roles for other identities in the IaaS platform’s console.”
With a clear understanding of identities and relationships in the environment, specialized cloud identity and access governance tools fill in gaps left by current IaaS solutions to successfully build a relationship map of identities – both human and machine – and compute resources.
Last, but certainly not least, CIG can be leveraged to map out compute, storage and network resources and their interactions with each other, plus all the human and machine identities in the environment. Excessive permissions for any of these resources can lead to gaping holes in your data protection.
Remediate the overprivileged
Now that your plans and tools are in place, it’s time to reel in the excessive privileges. Forrester outlines clear steps for privilege remediation:
- Perform access recertifications - if a privilege is not required, allow the CIG solution to remove it and reduce the threat surface.
- Let CIG software inform and automate remediations.
- Set up ticketing integration - where automatic remediation isn’t possible because of organizational silos, the CIG solution can create help desk tickets and keep the process moving.
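As an added illustration (not Forrester’s or any vendor’s code) of the checks described above, here is a small Python model that works from constructed entitlements and log events: it reports granted-but-never-used actions as access recertification candidates, and surfaces events where one identity changed another identity’s permissions, the kind of log-derived insight the article says governance tools provide. The identity names, action names (AWS IAM style) and events are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample data, not real entitlements or logs.
# Granted entitlements: identity -> set of allowed actions (IAM-style action names).
GRANTED = {
    "dev-alice": {"ec2:DescribeInstances", "s3:GetObject",
                  "s3:DeleteBucket", "iam:AttachUserPolicy"},
    "svc-etl":   {"s3:GetObject", "s3:PutObject",
                  "lambda:InvokeFunction", "iam:PassRole"},
}

# Constructed access-log events in a CloudTrail-like shape (identity, action, target).
EVENTS = [
    {"identity": "dev-alice", "action": "ec2:DescribeInstances", "target": "i-0abc"},
    {"identity": "dev-alice", "action": "s3:GetObject", "target": "reports/q1.csv"},
    {"identity": "dev-alice", "action": "iam:AttachUserPolicy", "target": "user/bob"},
    {"identity": "svc-etl", "action": "s3:GetObject", "target": "raw/2024.parquet"},
    {"identity": "svc-etl", "action": "s3:PutObject", "target": "curated/2024.parquet"},
]

# Actions that alter what other identities may do. An identity granting or changing
# permissions for others is exactly what the article says governance tools must surface.
PERMISSION_CHANGING = {
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:AttachRolePolicy",
    "iam:CreatePolicyVersion", "iam:UpdateAssumeRolePolicy", "iam:AddUserToGroup",
}

def observed_actions(events):
    """Map each identity to the set of actions it actually exercised in the log window."""
    used = defaultdict(set)
    for ev in events:
        used[ev["identity"]].add(ev["action"])
    return used

def recertification_candidates(granted, events):
    """Per identity, the granted actions never seen in the logs: the set an access
    recertification should confirm or let the CIG tool remove."""
    used = observed_actions(events)
    return {ident: sorted(actions - used.get(ident, set()))
            for ident, actions in granted.items()}

def permission_change_events(events):
    """Events where one identity altered another identity's entitlements."""
    return [ev for ev in events if ev["action"] in PERMISSION_CHANGING]
```

In a real deployment the log window must be long enough to cover infrequent but legitimate actions (quarterly jobs, break-glass access), or the unused set will over-report.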
Kick back and relax
OK, maybe CIG won’t completely alleviate all your cloud security problems, but developing and implementing a comprehensive plan will certainly reduce some of your more tedious tasks. Processes that can be automated should be. Then you’ll be able to zoom out and see the bigger picture of your cloud infrastructure security and all its moving parts. Cloud Identity Governance should be one tool in your arsenal to decrease the blast radius of an attack while simultaneously lowering the costs of cloud data protection.