Managing and Securing Cloud Systems
The complexity of a modern IT system leaves several large risks inside its administrative access controls, complexity that comes from third parties, complex software, AI/ML, machine accounts, service accounts and so on. Companies are spending a fortune on firewalls, UEM and anti-phishing but little or nothing on a critical risk: cloud privilege.
Role-Based Access Control (RBAC) provides the framework for identity and access, and it also drives privilege, but it is outdated and so has some huge gaps.
As an example:
- IAM is identity. Who are you? It is the username and password mechanism that lets you inside the applications and through the VPN choke points.
- Where security is key you would use two-factor authentication with soft tokens on your phone. This still only answers WHO ARE YOU?
- People may want a simple user experience, perhaps removing the troublesome password, so single sign-on applies (I know who you are).
In general, there are two levels in this model, users and admins. Users get the ability to reach and log in to an application. Admins, however, are now a LOT more complex than they used to be.
With the advent of AI, ML, Big Data, GDPR search tools and data mining, applications reside on machines that require extensive access privileges. No one ever spells out those needs during deployment, which is done in a rush and without prior planning, so there is a high likelihood of significant over-privilege for the machine identity.
Service accounts are built to give software the access it needs for automation. What do these truly need, and what do you actually give them? Usually way more privilege than that.
Some questions to ask yourself:
- Did the external consultant/engineer who installed your software have their account closed after the deployment, or was it left there in case he/she needs to change settings in the first month? How many times has this happened?
- Have you sub-contracted admin or support functions to third parties, resulting in them having access to more than necessary?
- Have they been able to onward-grant that access to others in their organisation?
- When did you last review this for compliance purposes? Is it even covered by the audit?
Now you get to privilege
What is the blast radius of a compromise or of a single access? Privileges are typically assigned in bundles by the control mechanism: MS-AAD, AWS, Azure, Google Cloud, VMware. A single privilege, "destroy", took out the AWS system some time back. It was not a hacker but a single member of staff with a legitimate sign-on who was over-privileged; they made a mistake, thinking the instruction related only to their instance, but poor configuration resulted in the whole cloud platform being deleted.
So, where does this fit into my risk? These bundles of privilege are usually designed by the vendors to provide the highest function and the least support challenge, and so they are LARGE groups. They are also designed without real input from the software developers, about 10 years ago at best. Are they ideal, or just what we choose because they are on the menu? Also, how much training or what level of certification do we enable our administrative engineers to attain? In general this area has been poorly developed in recent years.
Implement a PAM, or privileged access management, application?
These reduce your admins' privilege to almost zero; admins then request access based on the activity at hand, get elevated access for a set period and are reset afterwards. Whilst a logical approach, these products have not transformed to the cloud very well. Machine identities don't work well in this model. The same account privilege bundles get used, leading to the same risk. They are also traditionally expensive, complex to deploy and highly unpopular with admins, who are constantly asked to do things at short notice, causing delay and problems at times of pressure. Most of them are unable to keep up with cloud deployments because their work model cannot deal with the massive range of knobs and buttons the cloud platforms offer (AWS has some 14,000 individual actionable privileges, for example).
CloudKnox works differently.
A sentry within the customer's own platform learns the admin use patterns and resources and provides a clear view of the gap between real-time usage and granted permissions. This is called the Privilege Creep Index and is unique to CloudKnox. Most customers find that after a 1-hour deployment and 1 day of discovery they have in excess of 90% over-privilege creating risk within their platform.
The CloudKnox platform also provides the ability to restrict privilege, but based on the live findings rather than on the large pre-developed bundles. Admins who have had 1400 privileges in the past are often found using only 10 or 20. The system has a built-in escalation capability to raise privilege by time, platform or individual privilege as needed. Machine accounts can be monitored and corrected to a fixed set of privileges, removing the risk of these accounts being hijacked and used against the system.
External consultants and service providers can now be quickly and easily controlled or monitored to provide real-time compliance. If you have geographic boundaries, with people in China, Europe or other regions, you can apply fixed privilege control over what they are able to access on the same overall platform, to match the legal requirements of GDPR and other frameworks.
CloudKnox makes this happen in almost no time. It does not need a cast of hundreds to deploy, and it does not need vast integration or configuration. 1 hour gets it running. 1 day will show results. After that, it simply provides prevention (remove the destroy/delete function from all admins in one move and allow it to be requested instead) and visibility into the use of your system.
Given how much is spent on external security, it is worth asking how much is spent on your internal security, on administrative over-privilege and on training for this significant risk. Just look at the Gartner and Forbes comments on the matter.
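As an added illustration of the usage-versus-grant gap described above and of the "remove destroy/delete from all admins in one move" step (example code written for this page, not CloudKnox's own software; identities, grants and events are constructed, and the unused-share figure is a simple stand-in rather than CloudKnox's Privilege Creep Index):

```python
from collections import defaultdict
# Constructed sample: actions each identity is currently granted (hypothetical names).
GRANTED = {
    "admin-alice": ["ec2:DescribeInstances", "ec2:StopInstances", "ec2:TerminateInstances",
                    "s3:GetObject", "s3:DeleteBucket", "iam:CreateUser", "rds:DeleteDBInstance"],
    "svc-etl": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:DeleteBucket",
                "rds:DeleteDBInstance", "ec2:TerminateInstances"],
}
# Constructed CloudTrail-style records gathered during a discovery window.
EVENTS = [
    {"user": "admin-alice", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"user": "admin-alice", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances"},
    {"user": "svc-etl", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"user": "svc-etl", "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
]
DESTRUCTIVE_VERBS = ("Delete", "Terminate")  # the "destroy" class of actions


def used_actions(events):
    """Collapse events into the set of service:Action strings each identity actually used."""
    used = defaultdict(set)
    for e in events:
        service = e["eventSource"].split(".")[0]  # ec2.amazonaws.com -> ec2
        used[e["user"]].add(f"{service}:{e['eventName']}")
    return used


def creep_report(granted, events):
    """Per identity: grant/use counts, the unused grants, and the unused share (stand-in metric)."""
    used = used_actions(events)
    report = {}
    for ident, grants in granted.items():
        g, u = set(grants), used.get(ident, set())
        unused = g - u
        report[ident] = {"granted": len(g), "used": len(g & u),
                         "unused": sorted(unused), "creep": round(len(unused) / len(g), 2)}
    return report


def right_sized_allow(ident, granted, report):
    """Allow statement keeping only the grants that were observed in use."""
    keep = sorted(set(granted[ident]) - set(report[ident]["unused"]))
    return {"Effect": "Allow", "Action": keep, "Resource": "*"}


def destroy_deny(granted):
    """One Deny statement covering every destructive grant, attachable to all admins at once."""
    deny = {a for grants in granted.values() for a in grants
            if any(v in a.split(":")[1] for v in DESTRUCTIVE_VERBS)}
    return {"Effect": "Deny", "Action": sorted(deny), "Resource": "*"}
```

The Deny statement wins over any Allow in IAM evaluation, which is why a single shared deny removes the destructive actions from every admin while the per-identity Allow shrinks each to what was actually used.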
To understand more about Cloudknox and benefit from a free 15-day risk assessment.
When critical workloads can be deleted with a keystroke, understanding and managing privileges for all identities across your clouds is critical.