URL: https://www.helpnetsecurity.com/2023/02/28/over-privileged-identity-cloud-damage/

Eric Kedrosky, CISO, Sonrai Security
February 28, 2023


IT ONLY TAKES ONE OVER-PRIVILEGED IDENTITY TO DO MAJOR DAMAGE TO A CLOUD



While moving to the cloud increases efficiency and business agility, security
strategies haven’t been adapted to account for this shift and traditional tools
can’t effectively manage the unique associated risks. CISOs that ignore the
risks are left completely exposed and are putting their company, reputation and
job at risk.



As the limitations of traditional security approaches become obvious, it’s
creating real frustration. After working strictly in the cloud with
industry-leading enterprises for the past six years, I’ve seen it all and can
sympathize with CISOs facing cloud security challenges. Still, I want
organizations to consider this a call to action to take charge of their cloud
security.


EXPOSING THREATS AMONG US

We analyzed our entire customer base last year and found that approximately 60%
of organizations were unsuccessful in meeting even the most basic state of
security for their cloud assets. And of those 40% that achieved it, less than
10% attained what could be considered a moderate level of security. Essentially,
most organizations are either not prioritizing or are unsuccessfully attempting
to secure their cloud.

When looking at the state of cloud security across this range of organizations,
I see five major concerns:

1. The least addressed risks were audit (31%), least privilege (30%), and
credentials (24%). When considering that credentials and least privilege both
relate to securing identities in the cloud, there’s a dangerous gap that should
keep CISOs up at night. Identity has replaced networks as the “boundary” for
security in the cloud but is the least likely to be addressed in an
organization. Attackers will compromise identities to laterally move through an
organization’s cloud and escalate privileges in order to access data and damage
your business (more on that in a bit). 81% of breaches involve a compromised
identity.

2. The fact that audit security is in the lowest three is problematic. Audit
security controls ensure that an organization’s cloud has the necessary auditing
and logging enabled. Most organizations are missing critical logs and audit
findings. This simple misconfiguration is involved in many of the cloud data
breaches in today’s headlines, as organizations had no idea their environment
was compromised. To make matters worse, even if these organizations could
identify the exposed data store, without the proper audit logs they’d be unable
to determine who or what accessed it and what they might have done with it.

3. Far too many organizations are exposed to potential risks, a concerning state
below what should be considered the bare minimum. It’s no wonder we see
headlines of a new cloud-based data breach every two weeks! And all the talk
about how organizations must get their clouds to a state of zero trust or a
certain level of resiliency sounds tone-deaf when so few have reached even a
base level of security.

4. A lot of risks are going unaddressed. Our research found that only 43% of
detected risks are being addressed. That means across the average cloud, almost
60% of all risks are not being managed. Furthermore, the overall risk level in
key areas such as cloud security posture management (CSPM), cloud infrastructure
entitlement management (CIEM), cloud workload protection platform (CWPP) and
data is considered “high”. While a few organizations were at only a “medium”
level in some areas, none were at “low” risk.

5. On the bright side: CSPM risks top the list of those being handled most
often. Of the 43% of risks being addressed, the top three are encryption (64%),
data protection (50%), and network (48%). Still, it’s worth noting that just
over half of the risks across these top three categories are being addressed
(54%). The concern grows when recognizing that all three risks stem from CSPM.
None of the other areas – CIEM, CWPP and data – showed up as being addressed in
a meaningful way. Put another way, there is a clear and reported lack of focus
on securing risks related to identity, data and workload.

I’ve witnessed numerous examples in recent years that led me to conclude that
most security leaders may be unaware of the severity of the risks in their
cloud. This includes one situation where very sensitive corporate information
was stored in publicly exposed data stores accessible without authorization and
the company was completely unaware; VPN access and transmissions secrets exposed
to all identities across a large organization; cloud access secrets exposed to
the internet without authorization and auditing enabled; and multiple vulnerable
virtual machines, exposed to the internet, with identities attached that had
access to highly sensitive data and the ability to manipulate, ransom, steal
and/or delete this data.

This lack of visibility is one of today’s greatest and most urgent cloud
security concerns. Casting light on these challenges means unearthing,
prioritizing and helping the business manage risks in every corner of the cloud.
This will only happen if CISOs commit to educating and training security and
DevOps teams on the basics of cloud and how to secure it. Here’s why that
matters.


YOU SHIFTED LEFT – RIGHT OFF A CLIFF

In many organizations, cloud security is outsourced to DevOps teams, and the
outcomes are predictably poor from a security perspective. Developers are
building clouds with Infrastructure as Code (IaC), but the security procedures
haven’t caught up – it’s all-Dev-no-Ops.

To be fair, DevOps teams have been tasked with a responsibility that’s
inconsistent with the CISO’s goals and resources. They’re not incentivized to
prioritize security, as they are constantly directed to get code out the door
faster and faster. In those organizations with strong cloud security, however,
it’s no surprise that the DevOps teams often play a strong role in this success.

The security team is usually in the dark when it comes to the cloud. Training
and education suffer from rampant underinvestment, both for IT teams making the
shift from the data center to the cloud and for the DevOps teams who find
themselves tasked with securing the cloud. Security teams are also in the dark
when it comes to visibility across their entire cloud and the risks within it.
This lack of visibility combined with the lack of training results in teams that
do not fully understand the cloud, the potential risks and what to do about
them. For the risks that they do understand, they lack the strategy or tools to
accurately detect them. At the end of the day, CISOs are left holding a ticking
time bomb.

Consider this: CISOs likely have limited visibility into who or what can access
their data and what they might do with it. Security and DevOps teams likely
don’t understand how all of this can happen either. As the research shows, most
organizations are doing a poor job of managing their cloud identity and data
risks. This is incredibly detrimental to the security of any organization’s
cloud, as “access” rules the kingdom.


YOUR CLOUD CAN BE DELETED AT ANY MOMENT

Everything in the cloud has a relationship to identity. While traditional
security teams are likely familiar with users and groups, applying this
knowledge to the cloud is where the trouble begins. Teams are so focused on
addressing these types of identities and making their cloud security fit into
outdated identity governance models that they fail to understand the biggest
risk lies elsewhere: the non-person identities.

Non-person identities (NPI) include things like AWS Roles, Azure Service
Principals and GCP Service Accounts. They can exist on their own or be assigned
to resources, such as virtual machines and serverless functions, where each of
those becomes its own form of NPI. Organizations are failing to manage their
NPIs, from understanding how they work, to where they exist in the cloud, to how
they are being used. This is alarming because it’s these NPIs that are putting
clouds at risk.

To make matters worse, NPIs are proliferating much more quickly than human
identities. This growth is frightening because identity risks are at the bottom
of the list of addressed concerns; as evidence, teams are already failing to
manage two-thirds of the risks that arise from NPIs.

Our analysis found it’s not unusual for a typical enterprise organization’s
cloud to have approximately 31,000 identities. In fact, approximately 10% of
those identities – 3,100 identities – have enough permissions to delete that
organization’s entire cloud. Not only can they delete the cloud, but they can do
anything they want with it. This could include spinning up resources and
services, causing costs to skyrocket.
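As an added illustration, not code from the article or from Sonrai Security, here is the kind of inventory check the passage calls for: flag identities whose attached policies grant destructive actions on every resource, including grants hidden behind action wildcards. The role names, policy documents and the list of destructive actions are constructed for the example.

```python
import fnmatch

# Constructed sample: AWS-style IAM policy documents attached to three
# non-person identities (a VM instance role, a serverless function role
# and a read-only analytics role). Names and statements are invented.
POLICIES = {
    "role/web-vm-instance-role": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "role/order-processor-lambda": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::orders-bucket/*"},
        {"Effect": "Allow", "Action": "s3:Delete*", "Resource": "*"}]},
    "role/analytics-reader": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::analytics/*"}]},
}

# Actions that destroy resources, escalate privilege or blind auditing.
# Illustrative list for the example, not an exhaustive one.
DESTRUCTIVE_ACTIONS = (
    "s3:DeleteBucket", "ec2:TerminateInstances", "rds:DeleteDBInstance",
    "iam:DeleteRole", "iam:AttachRolePolicy", "cloudtrail:StopLogging",
)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_destructive_actions(policy):
    """Destructive actions granted by Allow statements on Resource "*".
    Action wildcards ("*", "s3:Delete*") are expanded by case-insensitive
    glob matching. Deny statements, conditions and resource-scoped
    grants are deliberately out of scope for this check."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in DESTRUCTIVE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    found.add(action)
    return sorted(found)

def over_privileged(policies):
    """Identities holding any destructive action, mapped to those actions."""
    return {name: acts for name, pol in policies.items()
            if (acts := allowed_destructive_actions(pol))}
```

Running `over_privileged(POLICIES)` reports the instance role (full `*` grant) and the lambda role (whose `s3:Delete*` wildcard covers bucket deletion) while the read-only role is clean.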

It could also include the ability to access all your data to modify, disrupt,
delete or steal it. The scariest part is that most companies are completely
unaware of this reality. Unfortunately, even those that are aware believe that
applying the same data center identity governance approach will secure their
cloud. Nothing can be further from the truth.

Identity risk is the single greatest threat to an organization’s cloud. This is
not a matter of capability or individual performance, but a larger systemic
problem. CISOs likely lack the general ability to inventory all of those
identities, understand their true end-to-end permissions, and know where, when
and how those identities are being used. It only takes one over-privileged
identity to do major damage to a cloud – and most organizations likely have
hundreds, if not thousands, of them. I strongly recommend that CISOs rethink the
importance and risks of identities in their cloud.



