As more companies transition to the cloud, their sensitive corporate and compliance-related data are no longer stored and used behind multiple layers of perimeter security. Instead, security teams face multiple cloud services, each with its own types of privileges and actions, and each user holds multiple identities across those services. This creates new challenges for security teams responsible for protecting their organizations from external cyberattacks while also monitoring for insider risks, both intentional data leakage and inadvertent misconfigurations and oversharing. A prime example is the Box leak that exposed data from dozens of companies due to a misconfiguration in the sharing settings.
Today, companies make their best effort to secure their cloud environments. But the fact is their security teams lack cloud experience and the proper identity management tools to make informed decisions around permissions, identities and resources. This, in turn, makes it difficult for security teams to respond quickly to potential threats.
In addition, security teams need to constantly reaffirm their security posture with regard to user privileges, resource permissions and cloud usage in ways that don’t disrupt business operations. This includes determining where to step in, when to re-evaluate access privileges and how to intervene when there’s a potential security threat. Striking this balance presents a significant challenge for security teams who must continually add expertise to stay current with every service and remain fully equipped to identify risky privileges and actions, as well as assess user privileges.
Even though supplementing your internally managed cloud infrastructure with externally managed SaaS and IaaS services can reduce management costs and misconfigurations, it can also significantly increase your organization’s attack surface. This played out dramatically in April 2019, when a former AWS employee posted Capital One credit application data that she had leaked, most likely by using an SSRF attack together with a misconfigured role. Capital One determined that one of its roles, which probably belonged to a web application firewall, had been compromised by this former AWS employee.
Fully securing your cloud environment means knowing your infrastructure across cloud services; being able to define and identify strong permissions and risky actions cross-service; managing all of your entities across each cloud service; and staying up to date with the latest security guidelines and tools offered by your cloud providers.
To manage users in the cloud from a single interface, SecOps teams commonly use an external authentication service. They give it credentials to an account that can create temporary roles or manage accounts on each of the other cloud services their organization’s employees use. This approach lets users and identities be defined on a single platform.
Single sign-on solutions have made great progress in helping organizations securely manage the initial authentication process. But that’s just one piece of the puzzle. These solutions still require you to monitor the activity of users and roles on each cloud application separately, because they can leave blind spots where a single role is used by multiple users, making it difficult to identify where a breach started. Each employee must know which keys to provide and to whom. A shared link can suddenly make confidential information public, and exposing the token provided to any IDaaS can potentially compromise your entire cloud infrastructure.
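To make the shared-role blind spot concrete, here is an added example (not from the original article) that groups constructed CloudTrail-style AssumeRole records by role and flags roles assumed by more than one caller, along with sessions that carry no sourceIdentity and so cannot be traced back to a person. The field names follow CloudTrail's schema; the account numbers, ARNs and session values are invented.

```python
# Added example, not from the original article: surface the shared-role blind
# spot by correlating AssumeRole events. Field names mirror CloudTrail's
# schema; every value below is constructed for illustration.
from collections import defaultdict

# Constructed sample: three callers assume app-admin, one without a sourceIdentity.
EVENTS = [
    {"eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/app-admin",
                           "roleSessionName": "alice-session",
                           "sourceIdentity": "alice@example.com"}},
    {"eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/app-admin",
                           "roleSessionName": "bob-session",
                           "sourceIdentity": "bob@example.com"}},
    {"eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/sso-broker/x"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/app-admin",
                           "roleSessionName": "AWSCLI-Session"}},  # no sourceIdentity
    {"eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/carol"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/readonly",
                           "roleSessionName": "carol-session",
                           "sourceIdentity": "carol@example.com"}},
]

def shared_role_report(events):
    """Return {roleArn: {"callers": set, "untraceable": int}} for roles assumed by
    more than one caller; 'untraceable' counts sessions lacking a sourceIdentity."""
    callers = defaultdict(set)
    untraceable = defaultdict(int)
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        params = ev["requestParameters"]
        role = params["roleArn"]
        callers[role].add(ev["userIdentity"]["arn"])
        if not params.get("sourceIdentity"):
            untraceable[role] += 1
    return {role: {"callers": c, "untraceable": untraceable[role]}
            for role, c in callers.items() if len(c) > 1}

if __name__ == "__main__":
    for role, info in shared_role_report(EVENTS).items():
        print(f"{role}: shared by {len(info['callers'])} callers, "
              f"{info['untraceable']} session(s) without sourceIdentity")
```

The untraceable count is the investigator's problem: once a shared role is in play, requiring a source identity in the role's trust policy (the sts:SourceIdentity condition key) is what keeps each session attributable to a person.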
The bottom line: to be secure in a public cloud environment, many security teams may be tempted to deploy the latest security tools provided by each cloud service and then hire experts in the bigger services their organization uses. A better solution is to invest in authorization platforms that can help manage and monitor cloud permissions and entities more efficiently and, where possible, consistently across the organization’s most-used cloud services.
— Nati Hazut