URL: https://www.helpnetsecurity.com/2023/09/28/cloud-identity-management-pitfalls/

Tim Chase, Global Field CISO, Lacework
September 28, 2023


HOW TO AVOID THE 4 MAIN PITFALLS OF CLOUD IDENTITY MANAGEMENT



Securing cloud identities isn’t easy. Organizations need to complete a laundry
list of actions to confirm proper configuration, ensure clear visibility into
identities, determine and understand who can take what actions, and on top of it
all make sure the actions aren’t malicious or inappropriate.



But one of the core benefits of the cloud is the ability to move fast and
innovate rapidly, which means teams may just throw in the towel and grant admin
privileges to all of their cloud identities instead of tackling the massive
deluge of individual requests for access. This is a key reason why there are
more than 35,000 possible permissions from AWS, Azure, and Google Cloud alone.

In the cloud, developers are capable of spinning up compute, storage, and
database services on their own, making it difficult to know what’s actually
running in an environment. Behind cloud complexity you’ll almost always find
that users and entities are over-permissioned, which puts the company at risk.

Cloud identity management is a real challenge, but organizations are capable of
preventing identity risk exposure and identity threats, especially if they avoid
the four common pitfalls.


PITFALL #1: MISCONFIGURATIONS

Misconfigurations tied to cloud identities leave organizations vulnerable to
malicious actors and more prone to breaches.

To avoid misconfigurations, organizations need to first implement a system which
automatically discovers cloud resources and services. From there, it’s possible
to assess configurations for identity-related risks, like weak and default
passwords, hardcoded secrets/keys, and wildcard permissions.

There’s also the case for increasing visibility to avoid misconfigurations. The
Center for Internet Security (CIS), PCI Security Standards Council, and
International Organization for Standardization (ISO) provide frameworks and best
practices that can help organizations learn how to improve visibility across
their environment. Lastly, organizations should always write custom policies to
meet their unique needs.

If your security posture is more mature, consider cutting through alert noise
with innovations like attack path analysis, which can pinpoint the riskiest
assets and provide visibility into exactly how an attacker could exploit a
misconfiguration.


PITFALL #2: LEVERAGING IAC WITHOUT FACTORING IN SECURITY

DevOps and Security teams are often at odds with each other. DevOps wants to
ship applications and software as fast and efficiently as possible, while
Security’s goal is to slow the process down and make sure bad actors don’t get
in. At the end of the day, both sides are right – fast development is useless if
it creates misconfigurations or vulnerabilities and security is ineffective if
it’s shoved toward the end of the process.

Historically, deploying and managing IT infrastructure was a manual process.
This setup could take hours or days to configure, and required coordination
across multiple teams. (And time is money!) Infrastructure as code (IaC) changes
all of that and enables developers to simply write code to deploy the necessary
infrastructure. This is music to DevOps’ ears, but creates additional challenges
for security teams.

IaC puts infrastructure in the hands of developers, which is great for speed but
introduces some potential risks. To remedy this, organizations need to be able
to find and fix misconfigurations in IaC, and to automate testing and policy
management. It’s important to correlate potential cloud misconfigurations back
to the IaC that produces them and to remediate at the source, before the
misconfiguration is ever deployed. Only then can organizations truly benefit
from IaC and move quickly without compromising security and reliability.
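Two of the identity misconfigurations named in Pitfall #1 (wildcard permissions and hardcoded secrets/keys) are exactly the kind of defect the IaC checks described in Pitfall #2 can catch before anything is deployed. The Python below is an added example, not code from the article or from Lacework: it inspects a constructed IAM policy document and a constructed Terraform-style fragment. The policy, the fragment, the secret patterns and the function names are assumptions made for illustration; the key values are the example credentials AWS uses in its own documentation.

```python
"""Policy-as-code checks for two identity misconfigurations: wildcard
permissions in an IAM policy and hardcoded secrets in IaC text.
Added example with constructed inputs; not the article's or Lacework's code."""
import json
import re

# Constructed sample IAM policy document (not from the article).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "ServiceWildcard", "Effect": "Allow",
         "Action": "iam:*", "Resource": "*"},
        {"Sid": "ExplicitDeny", "Effect": "Deny",
         "Action": "*", "Resource": "*"},
    ],
}

# Constructed Terraform-style fragment. The key values are AWS's documented
# example credentials, not real secrets.
SAMPLE_IAC = '''
variable "region" { default = "us-east-1" }
provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
resource "aws_db_instance" "db" {
  password = var.db_password
}
'''


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcard_statements(policy):
    """Return (Sid, reason) for every Allow statement that uses a wildcard
    action ('*' or 'service:*') or a wildcard resource ('*')."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # a Deny on '*' narrows access; it is not over-permissioning
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        reasons = []
        if any(a == "*" for a in actions):
            reasons.append("action wildcard '*'")
        elif any(a.endswith(":*") for a in actions):
            reasons.append("service-wide action wildcard")
        if any(r == "*" for r in resources):
            reasons.append("resource wildcard '*'")
        if reasons:
            findings.append((st.get("Sid", "<no sid>"), "; ".join(reasons)))
    return findings


# Assumed detection patterns; a real scanner would carry many more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"""(?i)secret_key\s*=\s*["'][A-Za-z0-9/+=]{40}["']"""),
    # Only a quoted literal counts; `password = var.x` is a reference, not a secret.
    "hardcoded_password": re.compile(r"""(?i)password\s*=\s*["'][^"']+["']"""),
}


def find_hardcoded_secrets(text):
    """Return (line number, pattern name) for each line matching a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    print(json.dumps({"wildcards": find_wildcard_statements(SAMPLE_POLICY),
                      "secrets": find_hardcoded_secrets(SAMPLE_IAC)}, indent=2))
```

Run in a pre-merge pipeline step, a non-empty result from either function is the signal to block the change and fix it in the IaC rather than in the deployed account; the explicit Deny statement is deliberately left alone because a wildcard there restricts rather than widens access.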


PITFALL #3: CHECK YOUR PRIVILEGE

A least-privilege approach to granting access is truly the best way to prevent
dangerous identities from entering a cloud environment. But that’s not realistic
anymore. Most users are granted access for the sake of speed and innovation, and
this only creates problems down the line.

Not everyone needs admin access. Microsoft’s 2023 State of Cloud Permissions
Risks report reveals that even though 50% of cloud identities are granted access
as “super admins,” only 1% of permissions are used.

How do we fix this? Let’s start with visibility. Organizations need to first
discover cloud identities and their associated entitlements to build an honest,
up-to-date inventory of cloud users, resources, groups, and roles. Each cloud
identity should also be analyzed and correlated to understand which entities and
permissions are used and at what rate. Usage patterns can help pinpoint which
cloud identities require attention. From there, you can determine how to limit
access to only the resource-based permissions that the users will actually use.
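The inventory-then-usage analysis described above, as an added example (not code from the article or from Lacework): a constructed entitlement inventory with wildcard grants is expanded against a small constructed action catalog, matched with constructed usage events over a 90-day window, and reduced to the permissions each identity actually exercised. The identities, grants, catalog, events and function names are all assumptions for illustration.

```python
"""Compare granted entitlements with observed usage to find unused permissions
and the identities that most need attention. Added example; the inventory,
action catalog and usage events below are constructed, not real data."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed catalog of known actions, used to expand wildcard grants.
ACTION_CATALOG = {
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket",
    "ec2:DescribeInstances", "ec2:RunInstances",
    "iam:CreateUser", "iam:AttachUserPolicy",
}

# Constructed entitlement inventory: identity -> granted action patterns.
GRANTS = {
    "alice": {"s3:*", "ec2:DescribeInstances"},
    "ci-deployer": {"*"},                 # "super admin" style grant
    "bob": {"s3:GetObject", "s3:PutObject", "iam:CreateUser"},
}

NOW = datetime(2023, 9, 28)

# Constructed usage events: (timestamp, identity, action).
EVENTS = [
    (NOW - timedelta(days=1), "alice", "s3:GetObject"),
    (NOW - timedelta(days=10), "alice", "s3:ListBucket"),
    (NOW - timedelta(days=30), "alice", "s3:GetObject"),
    (NOW - timedelta(days=2), "ci-deployer", "ec2:RunInstances"),
    (NOW - timedelta(days=2), "ci-deployer", "s3:PutObject"),
    (NOW - timedelta(days=120), "bob", "s3:GetObject"),  # outside the window
]


def expand_grants(patterns, catalog=ACTION_CATALOG):
    """Expand wildcard patterns such as 's3:*' or '*' into concrete actions."""
    return {a for a in catalog for p in patterns if fnmatchcase(a, p)}


def analyze_entitlements(grants=GRANTS, events=EVENTS, now=NOW, window_days=90):
    """Per identity: what is granted, what was actually used in the window,
    the unused remainder, and flags for super-admin and dormant identities."""
    cutoff = now - timedelta(days=window_days)
    used = {ident: set() for ident in grants}
    for ts, ident, action in events:
        if ts >= cutoff and ident in used:
            used[ident].add(action)
    report = {}
    for ident, patterns in grants.items():
        granted = expand_grants(patterns)
        exercised = used[ident] & granted
        report[ident] = {
            "granted": granted,
            "used": exercised,
            "unused": granted - exercised,
            "usage_ratio": len(exercised) / len(granted) if granted else 0.0,
            "super_admin": "*" in patterns,
            "dormant": not exercised,      # no activity at all in the window
        }
    return report


def least_privilege_proposal(report):
    """Proposed replacement grant per identity: only the actions actually used."""
    return {ident: sorted(r["used"]) for ident, r in report.items()}


if __name__ == "__main__":
    rep = analyze_entitlements()
    for ident, r in sorted(rep.items(), key=lambda kv: kv[1]["usage_ratio"]):
        flags = [f for f in ("super_admin", "dormant") if r[f]]
        print(f"{ident:12s} used {len(r['used'])}/{len(r['granted'])} "
              f"({r['usage_ratio']:.0%}) flags={flags}")
    print(least_privilege_proposal(rep))
```

Sorting by usage ratio puts the identities that need attention first: the wildcard-granted deployer that uses a fraction of what it holds, and the dormant user whose only activity is older than the window and whose access is a candidate for removal rather than trimming.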


PITFALL #4: ALWAYS ON THE DEFENSIVE

Unfortunately, the best least-privilege program won’t always be able to prevent
credentials and accounts from being compromised. That’s why risk prevention and
threat detection are mission critical for cloud identity management.

Organizations need to actively keep an eye on activities within their
environment, human and non-human, to track unusual behavior. A unified set of
automated tools can help with this by continuously collecting, monitoring, and
analyzing massive amounts of data, making it easier to quickly detect unusual
behaviors or malicious threats.
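The kind of monitoring this pitfall calls for, tracking human and non-human identities for behaviour that departs from their norm, as an added example that is not the article's or Lacework's code: a baseline of services and source IPs is learned per identity from a constructed set of activity records, and later constructed records are checked against it. The identities, IP addresses, events and the simplified "service:Action" naming are assumptions for illustration.

```python
"""Baseline-and-deviation detection over constructed cloud activity events.
Added example; identities, IPs and events are made up, and the
'service:Action' naming is a simplification of CloudTrail-style records."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    time: datetime
    identity: str
    kind: str        # "user" (human) or "role" (non-human, e.g. CI or workload)
    action: str      # "service:Action", constructed naming
    source_ip: str


def service_of(action):
    return action.split(":", 1)[0]


def build_baseline(events):
    """Learn, per identity, which services and source IPs are normal."""
    baseline = {}
    for e in events:
        b = baseline.setdefault(e.identity, {"kind": e.kind,
                                             "services": set(), "ips": set()})
        b["services"].add(service_of(e.action))
        b["ips"].add(e.source_ip)
    return baseline


def detect_deviations(events, baseline):
    """Return one finding (with all its reasons) per event that deviates
    from the learned baseline; events that look normal produce nothing."""
    findings = []
    for e in events:
        reasons = []
        b = baseline.get(e.identity)
        if b is None:
            reasons.append("identity not seen in baseline period")
        else:
            if e.kind == "role" and e.action == "signin:ConsoleLogin":
                reasons.append("non-human identity performed console login")
            if service_of(e.action) not in b["services"]:
                reasons.append(f"first use of service '{service_of(e.action)}'")
            if e.source_ip not in b["ips"]:
                reasons.append(f"new source IP {e.source_ip}")
        if reasons:
            findings.append({"identity": e.identity, "action": e.action,
                             "time": e.time.isoformat(), "reasons": reasons})
    return findings


# Constructed baseline period: what each identity normally does.
BASELINE_EVENTS = [
    Event(datetime(2023, 9, 1, 9, 0), "alice", "user", "s3:GetObject", "203.0.113.10"),
    Event(datetime(2023, 9, 2, 10, 0), "alice", "user", "s3:ListBucket", "203.0.113.10"),
    Event(datetime(2023, 9, 1, 3, 0), "ci-deployer", "role", "ec2:RunInstances", "198.51.100.7"),
    Event(datetime(2023, 9, 2, 3, 0), "ci-deployer", "role", "s3:PutObject", "198.51.100.7"),
]

# Constructed monitored period: one normal event and three deviations.
NEW_EVENTS = [
    Event(datetime(2023, 9, 27, 9, 5), "alice", "user", "s3:GetObject", "203.0.113.10"),
    Event(datetime(2023, 9, 27, 9, 7), "alice", "user", "iam:CreateUser", "203.0.113.10"),
    Event(datetime(2023, 9, 27, 23, 40), "ci-deployer", "role", "signin:ConsoleLogin", "192.0.2.55"),
    Event(datetime(2023, 9, 27, 23, 42), "unknown-role", "role", "ec2:DescribeInstances", "192.0.2.55"),
]


def run_demo():
    """Evaluate the monitored events against the learned baseline."""
    return detect_deviations(NEW_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The design choice worth noting is that a single event collects every reason it trips, so an analyst sees "non-human identity, console login, new service, new IP" as one finding rather than four alerts, which is what keeps this kind of monitoring from adding to the noise it is meant to cut.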


CONCLUSION

The first step to avoiding these pitfalls is to better understand your cloud
identity environment. With visibility into all cloud identities and permissions,
your organization will be able to determine all potential threats in progress
and more easily determine which pose a genuine risk.

Pay close attention to which users are creating access risk, and identify
misconfigurations both during development and at runtime. Paying attention to
your cloud environment and the security it requires will only help you innovate
faster, and at much lower risk.
© Copyright 1998-2023 by Help Net Security