25 Sep Who has access to your cloud?
Are you prepared for managing multiple identities in the cloud? Morey Haber, chief security officer, BeyondTrust, looks at how to stay safe in the cloud.
For many Middle Eastern enterprises, the cloud is the new neighbourhood for business, commerce and socialisation. Advertised as up-and-coming, it has become the prowling ground of con artists and hoodlums. One report from Proofpoint inc. Looking at the united arab emirates (UAE) suggests as many as 86% of the nation’s companies experienced a successful cyberattack in 2022, with 44% leading directly to financial losses. And cloud-powered remote work was cited as a major cause. Cyber criminals are now targeting people and businesses and the cloud has become their favourite crime-infested neighbourhood.
The complicated cloud
These spates of cyber trespassing, property damage, burglary, and extortion call for swift action. The management of digital assets and identities in the cloud has become fundamental cybersecurity best practices that need to be prioritised for management. Indeed, wherever technology resides – on-premises, in the cloud or in a hybrid environment – organisations must understand their information ecosystem and document workflows that are critical to the business. You may have read many security advisories that put visibility front and centre. Having a comprehensive register of assets may appear to be obvious, but some line-of-business executives leap to the conclusion that they have such a register simply because since it existed on-premise, it also exists in the cloud. The cloud however is more complicated and such an assumption is often flawed. The personal devices of WFH (work from home) employees may slip under the radar, as may the shadow it installed on them for even basic functions like printing a piece of paper. And, because of the way cloud ecosystems work, there may be accounts and digital assets owned by the enterprise of which its own it staff is unaware; especially in the cloud. And then there are the assets not owned by the enterprise that are nonetheless part of its technology neighbourhood like an end user’s mobile phone. To fully manage risk, sec-ops teams need a way of tracking them for vulnerabilities, patch statuses, configuration errors and privileged access dependencies.
Friend or foe?
What is needed is a focus on identity and not just the assets in the cloud. This may sound counterintuitive but it is the identities in a business that will reveal the assets they utilise versus just trying to discover assets using traditional discovery tools. Cloud security asset management (csam) tackles modern cloud attack vectors by doing just that. It takes a long, hard look at the privileged accounts used by an organisation for core business purposes to discover which assets are being utilised by the business. This analysis is then linked to assets to help foresee an attack chain that starts with a compromised account and continues with lateral movement via any account present on that asset.
You may have heard that hacking is ‘so last decade’. Credential and identity theft is the new fashion. Forrester estimates as many as 80% of incidents start with the appropriation of privileged accounts. As the region continues to consider 5g use cases, IoT use will surge from vending machines to home cameras and security systems. And in the many manufacturing pushes we are now seeing in regional economies, OT will increasingly merge with it and leverage this same technology. Nonhuman accounts are therefore targets for cybergangs since these new IoT devices will need to operate with human owners. We are living in a perimeter-less world, where every organisation’s IT estate is, to some extent, an open house. Zero-trust principles have emerged from this reality as a potential solution and to date, the best model we have to really mitigate these risks. Security professionals know that one compromised account allows a threat actor to browse and steal sensitive information, reconfigure systems, compromise resources, drop all kinds of nefarious payloads, and even override policies. If the stolen credentials come with high enough privileges, the threat actor can even erase all signs of their presence and delete an entire digital presence. For a business, this could be devastating and a game-over event. So given the popularity of identity theft and account stealing and its potential for damage as well as the surge in the number of accounts (every cloud asset needs at least one privileged account at some point in its lifecycle), we should examine what options the modern soc has in effectively managing its organisation’s identity ecosystem. How can they bring the unseen accounts to light? How can they undertake effective asset management for identities and their associated accounts?
Neighbourhood watch
A good starting point is to recognise that accounts and identities are separate but that their relationship is critical. Identities to accounts have a one-to-many relationship for humans and a one-to-one relationship for machine accounts where the identity is represented as an owner. Whether we are dealing with human or machine identities, we must then determine what access they have if we are to determine the risk of lateral movement between their assigned accounts. Tying identities and accounts to directory services such as microsoft’s azure ad is a critical step in forming a nuanced understanding of the lifecycle of the identity. Organisations must ensure full governance of the joining, moving and leaving processes of employees and ultimately this will reveal the assets they interact with for csam.
In-depth, any process of asset discovery – whether manual or, preferably, automated – should identify any local accounts embedded in cloud assets as well as any identities that manage the services and cloud infrastructure itself. This extends to saas applications which present its own challenges. All permissions should be catalogued and assessed for risk. And the highest-level accounts, such as root or administrator, should be uniquely identified in the cloud for their risk and placed under formal privileged access management with asset references.
Any house move comes with a dose of the unknowns in a new neighbourhood. While new neighbourhoods can be exciting and offer opportunities for growth and fresh experiences, we should not forget to be wary of the risks involved from crime and even environmental risks. We need to ensure the street lighting is up to code and we need to know who has copies of the door keys. We need to know what to do in case of a fire, flood or earthquake. Cloud-based asset management, including robust oversight of cloud identities and accounts, can help mitigate the risk of cloud-based attack vectors. No threat actor will pass up the opportunity to forgo jimmying a rear window in favour of waltzing through the front door if they have a copy of your keys. Compromised accounts allow adversaries to creep around for days doing what they will. To stay safe in the cloud, you must protect your keys, passwords, secrets, and assets they can potentially access.