The rapidly expanding multitude of cloud services creates a never-ending and extraordinarily rapid cycle of change for enterprise IT and security teams. Many teams are scrambling to protect data in the public cloud, and most organizations are using outdated security strategies that fail when applied to cloud environments like AWS, Azure and Google Cloud.
Jay Gazlay, a technical strategist at the Cybersecurity and Infrastructure Security Agency (CISA), recently told the National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board: “Identity is everything now. We can talk about our network defenses, we can talk about the importance of firewalls and network segmentation, but really, identity has become the boundary and we need to start readdressing our infrastructures in that manner.”
Understanding the Importance of Identities
Gazlay’s assessment brings to light that identities are the new perimeter. Security teams are used to thinking about creating boundaries using networks, placing security stacks where those boundaries meet and configuring them based on known and locked-down data paths. This simply doesn’t work as a holistic security solution in the cloud. Instead, cloud security teams must think about what identities they control, what those identities can be used for and what resources they have access to.
The modern attack cycle starts with identity. Attackers seek to gain access via an identity, then pivot between resources, discovering credentials and other people and non-people identities that give them greater access to critical data and lead to data breaches. It’s important to understand that identity extends security beyond the traditional walls of the enterprise, which is why we are seeing data breaches a failure in applying old network security strategies to the cloud.
Security teams should ask themselves the following when assessing their cloud security positions:
- Are we managing identities as our perimeter? If your team is still managing an old network perimeter, you’re putting your company at risk. Your organization must manage person and non-person identities.
- Have we identified our security risks in the cloud? Cloud security risk and drift can happen quickly. Identity, resource and service misconfigurations can lead to significant data breaches. Organizations can minimize risks by first identifying unauthorized identities and excessive privileges. Data owners and cloud operations, security and audit teams must continuously assess risk to maximize control management, security and governance of data.
- Are data exposures inadequate indicators? Transparent cloud data storage alone is insufficient in risk assessment strategies. While data owners may trust their DevOps to manage the storage of data objects, this does not reveal the full extent of external party accessibility and privileges. Cloud users must be fully aware of where their data truly exists, which identities have access to it, how it is being accessed and where it is moving to and from.
- What are our coordination issues? The outdated paradigm of sending security alerts to a single team to triage and manage simply isn’t feasible. In the cloud operating model, disparate groups simultaneously use the environment, including Audit, DevOps and Security teams. Here, the outdated paradigm breaks down. The solution is to get the issues to the team(s) that created them, as they are best positioned to address them.
- Have we addressed our cloud security employees’ skills gap? Many developers are not inherently security experts, and should be trained in best cybersecurity practices. Organizations that don’t want to add more duties to existing dev staff may need a new type of operations person that combines operations with security (DevSecOps). Failure to upskill staff means they don’t have the skills and knowledge necessary to secure today’s organization.
It’s Time to Improve Your Enterprise Strategy
The cloud involves multiple accounts, trust relationships and permission inheritances, making it extremely challenging for data owners to keep close tabs on it. Here are some areas you can use to improve your strategy:
As part of a zero trust strategy, organizations should take steps to move to least privilege, identify activities that will have the most immediate security impact and include a schedule to implement them. This means investing in a solution that meets your zero trust strategy by continuously monitoring every permission, access and identity to determine its effective permissions, what it can do and what data it can access.
Prevent data risk before it causes damage. Treat remediation and prevention bots like a person. A spotted issue should be escalated to the right team or bot (the team tracks and audits). This results in a high-performance compliance structure for your environment. Put prevention rules in place and make sure the rules are continuously met.
An enterprise that doesn’t fully understand its role in securing its identities and data in the public cloud takes unnecessary risks with outdated strategies that can lead to disastrous consequences.