Last year at Saviynt’s first annual Converge Conference, Saviynt expert Vibhuti Sinha hosted a panel discussion on why privileged access management in cloud environments is different and what IT administrators should consider in to ensure the principle of least privilege for critical assets including IaaS and SaaS.
A few challenges exist today making privileged access management for cloud more tricky than in traditional on-premises environments. Chiefly, cloud computing’s nascent entrance into the market means security and risk standards are still being defined or don’t exist. What’s more, the elastic nature of cloud computing enables developers to build and test code faster. Untethered from traditional IT operations, the responsibility of ensuring least privilege has shifted to less security and risk-savvy teams. As a result, DevSecOps is now becoming top-of-mind for organizations managing infrastructure and services in the cloud.
The lack of awareness and training to address identity lifecycle of privileged users with access to mission critical data and infrastructure has unveiled more than a few gaping security and compliance concerns for organizations, including data leaks from unencrypted file systems accessed using poorly managed privileged accounts to hacking into to administrative control, or “command and control” workloads to blackmail an organization.
The thing is, solving this critical issue is difficult because cloud-managed workloads and services are just that, managed services from third-party providers. And today, many only offer binary identity and access controls to applications and services making it even more challenging for IT operations and security pros to manage risk and IT auditors to achieve continuous compliance. What this all amounts to is a need for fine-grained, risk-analytics driven, governance of identities across the entire lifecycle of that workload, from the bare metal it runs on to the developer that manages the APIs to the IT administrator that has to govern who has access to applications, data, and infrastructure.
To mitigate risk, Saviynt expert Vibhuti Sinha recommends the following five security and identity governance considerations for cloud access governance.
1 – Visibility, Continuous Controls Monitoring and Compliance
Gaining visibility and being able to continuously monitor for vulnerabilities and risks in the cloud ecosystem are key to achieve compliance and stay compliant. Organizations typically have multiple Amazon Web Services (AWS) Accounts, Microsoft Azure Subscriptions or Google Cloud Platform (GCP) accounts. Having visibility across the entire ecosystem requires inspection and integration across all these accounts and subscriptions.
2 – Privilege Access and Assignment Management
Privilege Access Management in Cloud needs to be elastic. Start with clean-ups and training programs where not only the existing high privileged policies/roles are cleaned but also IAM admins could be trained to effectively design policies/roles with least privileged access. Periodic attestation of high privileged policies/roles is essential.
Access assignment in Cloud needs to be Elastic. Access between infrastructure objects and their consoles or APIs is provided by IAM Policies and Roles. Access assignments are long-term, so policy clean-up is recommended. In addition, future privileges should be duration-based or just-in-time access elevation as a principle.
3 – Infrastructure and Identity Lifecycle Governance
With identity being the new perimeter, its governance and administration are paramount. For cloud, securing IaaS services by implementing granular delegation of roles and policy changes to an authorized set of owners/users can perform Create/Update/Delete or Role/Policy/Permissions assignment operations. This should be paired with periodic, owner or event based attestation of IAM policies and roles.
Automate the access lifecycle of users, groups, roles and federated access points. As users join, move across departments, ensure appropriate access on target systems changes accordingly. Access Request system should be intelligent allowing for self-service as well as automated identity and access provisioning/de-provisioning rules. And, finally, segregation of duty management across enterprise systems and cloud is imperative.
4 – Secure DevOps
With infrastructure being represented as “code templates” and “not as physical entities” it becomes imperative to integrate least privilege frameworks with the CI/CD and DevOps systems to secure cloud infrastructure.
Infrastructure code configurations could reside in multiple repositories and in various forms with access governance to these critical assets performed periodically.
5 – Key Management
IaaS security requires a special focus on securing and managing access keys/oauth tokens. Encourage developers and application owners to make use of short term keys. OAuth tokens should involve gaining only the required authorization scope with least privileged access. Rotate API Access keys on a periodic basis and implement continuous controls monitoring. Automate the creation and distribution of SSH key key pairs used for workloads/servers. Use SSL or client-side encrypting for data at rest or during transit. Providers managed keys implement the necessary best practices including periodic rotation, revocation and using strong encryption algorithms. Gaining visibility or real-time alerting on deleted Keys is essential.
Saviynt is one of the few that integrates with AWS Config to secure DevOps and offer near real-time preventive controls. This allows organizations to enforce infrastructure security policies such as stop launch of vulnerable EC2 instances or notify when unauthorized changes are made to privileged AWS IAM Policy or Roles.” Learn more at AWS Config.
