The Convergence, Part 4: IGA and Cloud Security
As we begin the new decade, let’s start it off right with a look at the convergence of IGA and Cloud Security. In the coming year, we can expect to see more businesses undergo digital transformations as the Cloud has become the gold standard in modern business. Once, not long ago, the Cloud was viewed as the wild west, a foreign cyberscape outside of the standard security perimeter, and beyond boundaries of on-premise policies. The vast expanse of Cloud systems behaved (and still do) similar to server rooms yet they scale rapidly to meet workload demands resulting in dynamic systems that might have shorter lifespans but still offer access to company assets. Because this new wilderness required a more elastic and dynamic security than server rooms, it was more challenging to truly secure. This fostered the belief that their security came through obscurity, resulting from the difficulty of reaching these systems which, as we now know, proved to be short-sighted. Today Cloud usage has become more common than ever and it is clearly the answer to a market yearning for modernization and flexibility. It is equally clear we need a Cloud security solution offering elasticity, visibility, and scalability more than ever.
Threats in the Cloud
With the advent of the cloud, organizations saved both time and money allowing them to respond to the increasingly global marketplace. With the improved collaboration, worldwide reach, and streamlined resource management there arose new security challenges; specifically in relation to risk, identity, and access. These threats became so prevalent that organizations began tracking them and sharing information on what they were experiencing in hopes of discovering countermeasures. Today when Cloud-First is the mantra for organizations both large and small, and elasticity and scalability have morphed from idealistic buzzwords to day-to-day reality, digital transformation still comes with its share of pitfalls. One look at the annual Verizon Data Breach Investigation Report makes clear the pervasive threats and numerous vulnerabilities currently impacting cloud technology. While some of the threat landscape for this brave new ecosystem is familiar, there are others that herald major concerns for 2020 and beyond.
Migration to the Cloud has become a necessity for companies to remain competitive in today’s global market. This digital transformation blurs the once clearly delineated boundaries of organizational infrastructure. These blurred boundaries make it harder for threat actors to target an organization’s resources without targeting the cloud provider. Attackers will have to be more skilled and attacks will become more sophisticated. Insider threats will continue to be a serious concern. Kaspersky predicts “Growth in the number of attacks using social engineering methods. As the human factor remains a weak link in security, the focus on social engineering will increase as other types of attacks become more difficult to carry out.”
Verizon’s Data Breach Investigation Report for 2019 has already indicated that the most prevalent threats in this space involve stolen credentials and privilege abuse. Directly and indirectly, insider threats are and will continue to be a security challenge.
Of these threats, the numbers in the Verizon DBIR are quite telling:
- 49%: cyberattacks arising from account or credential hijacking
- 42%: cyberattacks arising from misconfiguration of cloud services and/or resources
- 39%: cyberattacks arising from privileged user abuse
- 31%: cyberattacks arising from unauthorized (rogue) application component or compute instances
Shifting from an on-premises security model to a cloud model requires a shift in security thinking to handle these new threats. This is where a comprehensive Identity Governance and Administration (IGA) solution comes into play. IGA provides a means to manage the numerous identities in today’s cloud ecosystem. IGA and Cloud security converge when we not only track access but provide intelligent access governance across a diverse set of platforms.
What is Cloud IGA?
Cloud IGA, or using a cloud-based identity governance and administration (IGA) solution, allows organizations to extend enterprise identity management, automated provisioning, lifecycle governance, and policies in the various cloud service models. This helps organizations ensure they are embracing the principle of least privilege in several ways.
First, Saviynt automates cloud access with the user lifecycle process. Whether accounts are created directly in the console or managed through federated access, Saviynt provisions the account into the appropriate identity data store when a user should be granted access, and de-provisions it when a user leaves the organization or moves to a position in which that access is no longer required. This ensures there are no lingering or orphan accounts with access to the cloud ecosystem.
Second, Saviynt implements time-limited and granular privileged access for administrative accounts and activities, rather than granting someone permanent access to a root or privileged account. Access is requested on-demand and analyzed via an intelligent risk-based system in order to facilitate low-risk access but elevate the higher-risk access request to the approvers. This creates a zero-standing privilege situation which reduces the standing attack surface and helps to ensure adherence to the principle of least privilege across on-premises, hybrid, and cloud ecosystems. All-access with the privileged account is logged so it can be reviewed to validate only approved activities were undertaken during the time of access.
Saviynt doesn’t limit this zero standing privileges model to human users, though; this extends to privileged functions and services. Rather than leaving credentials in code which needs to execute privileged functions, Saviynt provides APIs to call programmatically to obtain credentials and privileges at the time of execution, then remove those privileges when the process is complete.
Instead of focusing on locking down a business system by controlling every access point, IGA controls the identity, what is accessed, and how the access is used. An important point to remember is that identity is no longer simply a user, but now includes things such as virtual networks, APIs, bots, and even cloud workloads. Security is no longer building a giant wall around your organizational network but instead intelligently granting rights to your organizational assets and resources while monitoring how that access is used.
Converging IGA and Cloud Security
Saviynt’s cloud-native, IGA platform not only provides governance in the cloud but brings automation capabilities that help organizations tackle cloud security issues saving both time and money. Using a single pane of glass, Saviynt provides unprecedented visibility into the cloud, drawing risk-based insights into the cloud security posture from multiple security tools and identifying shadow IT across the multi-cloud ecosystem. These insights help to drive real-time remediation of threats all while still addressing compliance needs such as Separation of Duties (SoD) and just in time access to resources for different identities in the cloud. Let’s take a deeper look at how Saviynt’s Solution helps.
The Saviynt Advantage
The convergence of IGA and Cloud Security gives the ability to create a cloud-architected Intelligent Identity Hub to store all of the identity, data, attributes, and information. Analyzing information from the CASB, shadow IT can be automatically identified, integrated into the Intelligent Identity Hub, and rapidly onboarded into compliance with governance. Through this centralized location, we create a proper map of otherwise amorphous space. It is here that we draw the new security perimeter. This provides a holistic view of the organizational ecosystem where smart policies can be implemented, posture can be evaluated, and compliance can be ensured in order to respond to ever-evolving risk.
Multiple tools are used to evaluate the security posture of a cloud environment in real-time, from SIEM to vulnerability analysis. Each of these tools generates large quantities of logs and alerts and is often managed from separate dashboard, making it time consuming and difficult to manually amalgamate the data for analysis. Saviynt’s solution ingests this data and intelligently curates the logs and alerts, providing a depth of visibility across the multi-cloud ecosystem. With this visibility we then apply risk scoring parameters to rapidly detect, effectively investigate, and automatically respond to incidents. This is the convergence of IGA and Cloud Security where Saviynt combines all of the power of these tools into a single pane of glass interface with out-of-the-box and custom controls, helping organizations gain further insight than these tools can offer independently.
CI/CD was designed to expedite the development and production cycle but did not focus on security. Highly privileged accounts are managing code repositories and pushing code into production systems. This access is required to maintain the CI/CD pipeline, but it creates a high-risk situation due to persistent highly privileged accounts. Saviynt implements a Zero Standing Privilege foundation by managing temporal and granular privileged access. We create temporary identities and scoped privilege elevation to command the power of the CI/CD pipeline when needed but dramatically decreasing the potential damage that could be wrought if the identity is compromised.
Being cloud-native, Saviynt integrates with notification services across the multi-cloud ecosystem. When cloud assets such as workloads, databases, and serverless functions are initialized, they are examined on the fly for misconfiguration, looking for every risk from basic items such as open ports on a database management system to more complex controls such as utilizing production data on development systems. When risky behaviors are detected, they can be instantly remediated by intercepting the action, blocking it and alerting administrators to the policy deviance.
Managing the rapidly scaling technology of the cloud requires a deep understanding of how its architecture and scale works. Saviynt’s IGA solution was designed in the cloud for the cloud. Being cloud-native ensures that as your enterprise grows, Saviynt can scale with it, factoring in new identities, data, attributes, and information into the Intelligent Identity Hub and automatically rolling them out as they cease to exist. This smart scaling allows your security to grow with your environment, rather than racing to catch up days or weeks after the fact.