Last week’s Executive Order by President Biden provided a glimpse into each branch of government’s cybersecurity accountabilities and a strong declaration on the mandatory use of foundational security tools.
In part, the Fact Sheet says: “The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption with a specific time period. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.”
The problem with the Executive Order is that it does not mandate least-privilege (although it's mentioned twice). Sigh. The same privilege sprawl and entitlement creep that exists now will inevitably be carried forward to the cloud, behind MFA and SSO, and alongside encryption. And the last thing any of us needs is for the government’s cybersecurity resiliency plan to erode confidence in the resiliency of the cloud because of it.
In ESG's Research Report, Trends in Identity and Access Management: The Increasingly Cloud-driven Identity Landscape, we asked organizations: “Approximately what percentage of your organization’s human and non-human identities have permissions associated with their use of cloud services that are greater than what is required to do their task/job?” (N=379):
The reality is that privilege sprawl and entitlement creep are much higher, much worse than these respondents approximate. Privacy had a similar problem, too. Today, however, it is mainstream and well represented through advocacy, frameworks, legislation, training, corporate programs, and disclosure responsibilities. We as an industry need to come together and formalize least-privilege cloud reference architectures, frameworks, use cases, and security controls that normalize and operationalize least-privilege by design, in deployments, in configurations, in policies, and in use.
Security vendors are not waiting or wasting time, and two that I have met with over the past week are, in my opinion, Best in Show:
- CloudKnox: An elegant SaaS offering that takes cloud entitlements seriously, with a Linux-based VM that can be configured in read-only and controller modes for multi-cloud, hybrid environments. CloudKnox FortSentry understands what authentication methods are in use, normalizes cloud permissions and risks so you don’t have to, and operationalizes policy changes by providing them ready to use, for any and every cloud resource. Organizations can go well beyond discovery and monitoring to remediate privilege and entitlement risks across all users, machines, and service accounts. Get a demo.
- Ermetic: Another beautifully architected and designed SaaS offering that brings intelligence to identities and privileges without using agents or VMs. Ermetic’s platform provides critical visibility into service accounts, federated identities, third-party identities, and internet-facing resource exposures, which is a key differentiator. Permission risks are normalized across both the AWS and Azure cloud platforms for attack threats such as privilege escalation and reconnaissance. At a resource level, a simple dynamically formatted sentence itemizes which resource has which accounts, with which levels of permissions, which are in use and which are not. There is no guesswork. Again, you can remediate with ready-to-use policies and operationalize least-privilege at scale. Get a demo.
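The "which permissions are granted, which are in use, and which are not" view described above is, at its core, a comparison between what a policy allows and what an audit trail shows a principal actually doing. The following is an added illustration of that analysis written for this post; it is not CloudKnox, Ermetic or AWS code. The policy document, the list of known actions and the observed-usage set are all constructed sample data. Action names mimic AWS IAM `service:Action` naming and wildcard semantics, but the matching is generic and makes no API calls.

```python
"""Toy entitlement-usage analysis: granted vs. observed permissions.

Added example for this post (not vendor code). Given an IAM-style policy
document and the set of actions a principal was actually seen performing
over a review window, it expands wildcards against a known action list,
reports unused permissions and wildcard grants, and emits a right-sized
copy of the policy that allows only what was observed.
"""
from fnmatch import fnmatchcase

# Constructed sample: a policy attached to a CI service account.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}

# Constructed sample: the action universe used to expand wildcards. A real
# analysis would use the provider's full action catalogue.
KNOWN_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:DeleteBucket",
    "s3:ListBucket",
    "iam:GetRole", "iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy",
    "iam:CreateAccessKey",
}

# Constructed sample: actions recorded for this principal in the audit log
# (what a CloudTrail-style trail or "last accessed" report would show).
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject", "iam:GetRole"}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def expand_statement(statement, known_actions):
    """Resolve wildcards in one Allow statement to concrete action names."""
    if statement.get("Effect") != "Allow":
        return set()  # Deny statements do not grant anything
    patterns = _as_list(statement["Action"])
    return {a for a in known_actions if any(fnmatchcase(a, p) for p in patterns)}


def granted_actions(policy, known_actions):
    """Union of every concrete action the policy allows."""
    granted = set()
    for statement in policy["Statement"]:
        granted |= expand_statement(statement, known_actions)
    return granted


def unused_actions(policy, observed, known_actions):
    """Granted but never exercised: the entitlement creep to remove."""
    return granted_actions(policy, known_actions) - observed


def wildcard_grants(policy):
    """Action patterns containing '*': each one grants future actions too."""
    return [p for st in policy["Statement"] if st.get("Effect") == "Allow"
            for p in _as_list(st["Action"]) if "*" in p]


def right_size(policy, observed, known_actions):
    """Copy of the policy that keeps, per statement, only the observed actions.

    Statements whose actions were never used are dropped entirely, and
    wildcards are replaced by the explicit actions that were exercised.
    """
    statements = []
    for statement in policy["Statement"]:
        keep = sorted(expand_statement(statement, known_actions) & observed)
        if keep:
            statements.append({"Effect": "Allow", "Action": keep,
                               "Resource": statement["Resource"]})
    return {"Version": policy["Version"], "Statement": statements}


def describe(principal, policy, observed, known_actions):
    """One-sentence summary in the style of a per-principal entitlement report."""
    granted = granted_actions(policy, known_actions)
    used = sorted(granted & observed)
    unused = sorted(granted - observed)
    wild = wildcard_grants(policy)
    return (f"{principal} holds {len(granted)} permissions: {len(used)} in use, "
            f"{len(unused)} unused ({', '.join(unused)}); "
            f"{len(wild)} wildcard grant(s): {', '.join(wild) or 'none'}.")


if __name__ == "__main__":
    print(describe("deploy-bot (constructed)", GRANTED_POLICY,
                   OBSERVED_ACTIONS, KNOWN_ACTIONS))
    print(right_size(GRANTED_POLICY, OBSERVED_ACTIONS, KNOWN_ACTIONS))
```

Two caveats matter in practice. Usage data only proves what was used in the window observed, so infrequent but legitimate actions (quarterly key rotation, disaster-recovery paths) need an explicit allow-list before a right-sized policy is applied. And the `iam:*` wildcard is the larger risk even when the principal only ever called `iam:GetRole`: it silently grants every IAM action the provider adds later, which is why the report counts wildcard grants separately from unused actions.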
And finally, while you are scheduling those demos, here is a great joint asset from AWS & SANS on How to Design a Least Privilege Architecture in AWS.
If you are not talking to your customers about least privilege in every conversation, you are not helping them with zero trust or to reduce the attack surface.