Combat Threats in Multi-Cloud Infrastructure
The #1 risk to your hybrid infrastructure is a trusted identity with excessive privileges. When critical workloads can be deleted with a keystroke, understanding and managing privileges for all identities across your clouds is critical.
As organisations start embracing multiple cloud platforms, the probability of an incident such as the one AWS experienced is going to increase.
So, what can you do to protect your business from these types of risks?
Applying the Principle of Least Privilege (POLP) Across Clouds
At its core, POLP is about ensuring that every single identity that can touch your infrastructure has only the privileges necessary to perform its day-to-day job. Implementing POLP is the number one security policy that every security organisation must enforce in order to minimise risk. If you are not operating under least privilege, you are running the risk of compromising every other security system, policy, and procedure in place.
While the concept of least privilege is simple to understand, it can be very complex to effectively implement. Consider some of the complicating variables:
– Diverse computing environments (e.g. virtual, private cloud, hybrid cloud,
– Different types of workloads (e.g. servers, virtual machines, containers,
– Variety of services (compute, storage, networking etc.)
– Unique flavours of identities (e.g. employee, third party, bot, service account, API keys, resource, role, group)
– Number of privileges that increase daily across all cloud platforms
Current Model: Role-Based Access Controls (RBAC)
A solution built on RBAC will not get you to the principle of least privilege. With RBAC, your identities belong to a static role (e.g. system administrator), and that role comes with a broad, pre-determined set of privileges that will never be completely used by any one identity.
The rigid nature of RBAC leads to a dangerous scenario in which identities acquire many more privileges than they actually need or use. The overprovisioning of identity privileges becomes even more serious in the cloud as the number of available actions that automate tasks exponentially grows.
For example: let’s assume that Bob and Fred have been assigned a system administrator role that is tied to the enterprise’s Active Directory. This role by default gives them the ability to perform thousands of tasks, 50% of which are high-risk, but Bob only uses 20 privileges in his day-to-day job and Fred only uses 10 different privileges to perform his day-to-day job.
Both Bob and Fred are over-privileged identities. They carry an unnecessary risk because they were both given a broader set of privileges intrinsic to the static role assigned to them.
Most trusted identities like Bob and Fred use less than 1% of their privileges to perform their day-to-day jobs. The other 99% of unused privileges represent avoidable exposure to risk from accidents, insider threats and compromised credentials. Any misuse of a high-risk privilege, accidental or malicious, can cause service degradation, service disruption, data leakage or a complete shutdown of your business. Moreover, a variety of non-human identities, such as service accounts, API keys, bots and applications, exacerbate this risk.
Gain Access to a Unique Set of Capabilities
CloudKnox delivers a single platform to implement Activity-based authorisation across any private or public cloud infrastructure. The unique CloudKnox model offers a non-intrusive way to manage the entire identity privilege life cycle based on actual activity while avoiding any impact on productivity or trust.
Monitor and Measure Continuously
The CloudKnox platform continuously monitors the activity and behaviour of all identities and provides a single metric, the CloudKnox Risk Score, to track the risk associated with each identity. This score is a function of the high-risk privileges each identity holds but does not use. An identity with many unused high-risk privileges will have a high risk score.
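To make the activity-based idea concrete, here is an added illustration (not CloudKnox code, and not its actual scoring formula) that compares an identity's granted IAM-style actions with the actions it actually used, counts the unused high-risk ones, and emits a right-sized policy containing only the observed actions. The action catalogue, high-risk set and activity log are constructed sample data; the score is a simple placeholder metric.

```python
import fnmatch

# Constructed sample data: wildcard grants, the action catalogue they
# resolve against, the high-risk subset, and a CloudTrail-like activity log.
GRANTED = ["ec2:*", "s3:Get*", "s3:DeleteBucket", "iam:PassRole"]
ALL_ACTIONS = {"ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
               "ec2:DeleteVolume", "s3:GetObject", "s3:GetBucketPolicy",
               "s3:DeleteBucket", "iam:PassRole"}
HIGH_RISK = {"ec2:TerminateInstances", "ec2:DeleteVolume",
             "s3:DeleteBucket", "iam:PassRole"}
ACTIVITY_LOG = [
    {"user": "bob", "action": "ec2:DescribeInstances"},
    {"user": "bob", "action": "s3:GetObject"},
    {"user": "bob", "action": "ec2:RunInstances"},
    {"user": "fred", "action": "s3:GetObject"},
    {"user": "fred", "action": "iam:PassRole"},
]

def expand(granted, catalogue):
    """Resolve wildcard grants (IAM '*' / '?' semantics) against the known actions."""
    return {a for a in catalogue if any(fnmatch.fnmatchcase(a, g) for g in granted)}

def used_actions(log, user):
    """Distinct actions the identity actually performed according to the log."""
    return {e["action"] for e in log if e["user"] == user}

def analyse(user, granted=GRANTED, log=ACTIVITY_LOG):
    """Unused vs. used privileges plus a placeholder risk score (0-100)."""
    effective = expand(granted, ALL_ACTIONS)
    used = used_actions(log, user)
    unused_high = (effective - used) & HIGH_RISK
    # Placeholder metric: share of effective privileges that are unused and high-risk.
    score = len(unused_high) * 100 // len(effective) if effective else 0
    return {"effective": len(effective), "used": len(used),
            "unused_high_risk": sorted(unused_high), "risk_score": score}

def least_privilege_policy(user, log=ACTIVITY_LOG):
    """IAM-style policy listing only the actions observed for this identity."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(used_actions(log, user)),
                           "Resource": "*"}]}
```

Running this for "bob" reports 8 effective privileges, 3 used and 4 unused high-risk ones, which is exactly the gap the right-sized policy closes.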
Many of our trusted partners have rallied around to support us in this challenging time. Below is a list of our technology partners offering FREE support at this time.
Through its integration with CloudKnox, AWS IAM Access Analyser, a function that analyses resource policies, helps administrators and security teams protect their resources from unintended access.