The notion of a matrix of “anyness” describes how the combination of knowledge worker mobility and the broad use of cloud services has significantly impacted the cybersecurity remit. The recent surge in remote workers has brought this concept to the fore and shown how conducting business on any device from any location at any time accessing any app and any data is the norm. This reality certainly challenges the castle-and-moat security model, highlighting the need to evolve how we think about the perimeter into one that contemplates the many aspects of identity.
Identities are multi-dimensional with respect to how they represent risk and provide the basis for policy. The “anys” are one such dimension, as are behavior, the classification of data being accessed, and device profile, whether that device is an endpoint or a “thing.” Account type is yet another dimension. Securing admin accounts with root-level privileges has always been a priority. The proliferation of service accounts to support API-interconnected cloud-native applications has made access authentication and activity monitoring of service accounts critical. There is certainly a dose of cloud configuration management here as well – e.g., ACLs on object stores, MFA for cloud consoles, etc.
But has cloud adoption changed the threat model? Well, to channel Pete Townshend, meet the new boss, same as the old boss. Attackers are still phishing for VIP credentials, with privileged cloud credentials now in their sights. Such credentials could be the salesforce.com admin account, a developer’s account, and/or the admin account for the Office 365, AWS, Azure, or Google Cloud consoles. If not phished directly, stolen developer creds, for example, could then provide access to (over?) privileged service accounts that could provide access to data stores.
Am I making too big a deal about how the utilization of public cloud services is impacting identity and access management considerations? Not according to recent research conducted by ESG, in which we found that nearly half of the respondents said their organization’s use of public cloud services has, or is expected to have, a significant impact on their identity and access management programs.
From a cybersecurity perspective, we’re ahead of our ski tips when it comes to keeping pace with the extent and rate at which the business is utilizing cloud services. This is impacting identity and access management programs in a number of ways:
- Silos of identities are bringing a renewed focus on privileged access management (PAM).
- Certain cloud properties must be protected with additional and new factors of authentication.
- A lack of unified visibility into which users are accessing what classes of data with what level of privileges requires that identity governance and administration (IGA) initiatives have cloud in scope.
- User activity and access to cloud-resident data must be monitored.
- Third-party access is necessary to support modern business workflows, but introduces risk.
- The need to make the end-user experience of accessing a broad portfolio of cloud apps frictionless is driving SSO adoption.
- The overlap with data security is obvious – as data flows outside of the network perimeter, we need to discover and classify cloud-resident data as the basis to drive policy.
Such retooling creates a wide variety of questions including:
- Do cybersecurity and IT leaders understand the concept of an identity perimeter?
- How are Cloud, Ops, Dev, Security, and Compliance teams working together to evaluate and procure purposeful cloud identity and access management (IAM) and identity governance and administration (IGA) tools?
- What are the investment priorities?
These are some of the questions ESG will be exploring in our next cloud security research study focused on cloud-driven identities. We’re conducting background – please reach out with your thoughts and comments on this central cloud security topic.