Secure Access to Cloud Workloads
Organizations are increasingly moving their workloads to the cloud to achieve greater agility, flexibility, and cost savings. That’s a major reason why worldwide spending on public cloud services and infrastructure is projected to increase by more than 100% over the next five years, from $229 billion in 2019 to nearly $500 billion in 2023, according to IDC.
As big as these numbers seem, cloud adoption could be larger still: many organizations hesitate to embark on the cloud journey because of security concerns.
These fears are understandable. With so many organizations now pouring so much data into their cloud environments, the bad guys have made the cloud a top priority and are targeting cloud workloads and infrastructure to get their hands on all that data.
Cyber adversaries have long moved beyond the network layer when mapping out their attack vectors. The easiest way for an attacker to gain access to data is by compromising an end user’s identity and credentials. The holy grail for bad actors is privileged credentials, which have broad access to systems and therefore provide the intruder with “the keys to the kingdom,” allowing them to potentially reach the entire network and its sensitive data.
By leveraging a “trusted” identity, an attacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front-ended by credential harvesting campaigns that use password sniffers, phishing, and malware. In short: cyber-attackers no longer “hack” in, they log in.
To limit exposure to attacks, organizations need to rethink their enterprise security strategies and consider moving to an identity-centric approach based on a Zero Trust model: never trust, always verify, employ least privilege. This approach should be implemented throughout the organization, as well as extended to the organization’s partners, and outsourced IT.
Zero Trust delivers more than hard security benefits. It also gives businesses the confidence to enhance customer and partner experiences, empower the mobile workforce, and secure DevOps environments. The bottom line is that Zero Trust gives organizations the ability to embrace the cloud while reducing risk across the modern, hybrid enterprise.
Here are five Zero Trust best practices for protecting your cloud environments and stopping privileged access abuse, a leading cause of data breaches today.
1. Don’t reinvent the wheel
Yes, the public cloud resides outside the traditional network perimeter, but it does not require a unique security model. It’s time to debunk the myth that the public cloud demands a brand-new security approach. The reality is that conventional security and compliance concepts that you’ve traditionally applied to your on-premises environment are still perfectly valid in the cloud.
For instance, roles and responsibilities remain the same whether your data resides on-premises or in the cloud, so extend your existing directory to the cloud. Implement a common security infrastructure that covers both on-premises and cloud resources.
2. Learn to love multi-factor authentication
To better protect your cloud environment and thwart in-progress attacks, implement and enforce multi-factor authentication (MFA) during the credential check-out process. Additionally, configure MFA to prompt for an authentication code after the checked-out password is entered on the cloud service provider login page. “MFA Everywhere” is a best practice: a password alone, whether brute-forced, stuffed from an earlier breach, or phished, is no longer enough to reach the cloud service provider management console. Be aware that the provider-side check is only as strong as the account’s MFA enrollment, so audit for privileged accounts, including the root or global administrator account, that have no second factor registered.
3. Avoid identity sprawl that expands your attack surface
Rather than relying on local user accounts and long-lived access keys created inside each cloud provider, use centralized identities and enable federated login. Federation allows you to grant an existing user within your enterprise directory the appropriate access rights to any cloud service provider, with the provider issuing short-lived session credentials instead of static keys. With identity federation, you avoid identity sprawl, having to provision and manage disparate identity silos, and dealing with identity duplication or synchronization that can leave holes open to exploitation.
Also, since shared accounts are highly privileged accounts, the best practice is simply not to share them, or to use them sparingly. Ensure 100% accountability by having users log in with their individual accounts and elevate privilege as required. Manage entitlements from a central directory, mapping roles and groups to cloud provider roles. You can further ensure accountability by using administrator accounts for emergency access only, vaulting the account password and rotating the password frequently.
4. Restrict access rights and always monitor user sessions
Grant users just enough privilege to complete the task at hand. Determine what users need to do and then create roles that let them perform only those tasks. To take it a step further, enable the configuration of dynamic privileges based on context (such as an IT trouble ticket) to enforce “just enough, just in time” privilege, while still leaving “break glass” capabilities in place for emergencies.
Another key step is to log and monitor both authorized and unauthorized user sessions on your cloud provider instances. With a documented record (including a DVR-like recording) of all actions performed, audit logs serve two purposes: in forensic analysis they pinpoint exactly what was changed, and they attribute each action to a specific individual rather than to a shared role or account. That second purpose only works if the practices above are in place: a federated login that carries the user’s directory identity into the session, and no shared passwords that make every action look the same.
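The following is an added example, not code from the original article or from Centrify, showing what the session-monitoring and accountability points above look like in practice: it takes a handful of constructed, CloudTrail-shaped audit events (field names such as userIdentity, additionalEventData and sessionContext follow AWS CloudTrail’s record format; the account number, user names and IP addresses are made up), attributes each API action to the individual behind it (for a federated session, the role session name the identity provider set at AssumeRoleWithSAML time, so an action taken under a shared role is still traced to a person), flags console logins that completed without MFA, and flags any use of the shared root account, which should be break-glass only.

```python
"""Attribute audit events to individuals and flag logins without MFA and
use of the shared root account.

Added example, not code from the original article or from Centrify. The
events below are constructed, trimmed to the fields used here, and shaped
after AWS CloudTrail records; treat the exact field layout as an assumption.
"""
from collections import defaultdict

ACCOUNT = "123456789012"  # constructed account id

SAMPLE_EVENTS = [
    {"eventTime": "2019-11-04T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2019-11-04T08:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2019-11-04T08:10:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2019-11-04T08:12:00Z", "eventName": "DeleteTrail",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "requestParameters": {"name": "org-trail"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2019-11-04T09:00:00Z", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser", "userName": "carol@example.com"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/CloudAdmin"}},
    {"eventTime": "2019-11-04T09:01:00Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/CloudAdmin/carol@example.com",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role",
                          "arn": f"arn:aws:iam::{ACCOUNT}:role/CloudAdmin"}}},
     "requestParameters": {"bucketName": "payroll-data"}, "sourceIPAddress": "203.0.113.22"},
]


def principal_for(event):
    """Return the human identity behind an event.

    For federated sessions the role session name (set by the IdP when the
    role was assumed) carries the directory identity, so an action taken
    under a shared role is attributed to the person, not to the role.
    """
    ident = event.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "Root":
        return "root"
    if kind in ("IAMUser", "SAMLUser"):
        return ident.get("userName", "unknown")
    if kind == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
        tail = ident.get("arn", "").split(":assumed-role/", 1)[-1]
        _role, _, session = tail.partition("/")
        return session or "unknown-session"
    return f"unknown({kind})"


def role_for(event):
    """Return the IAM role name an AssumedRole event ran under, else None."""
    issuer = (event.get("userIdentity", {})
              .get("sessionContext", {})
              .get("sessionIssuer", {}))
    arn = issuer.get("arn", "")
    return arn.rsplit("/", 1)[-1] if ":role/" in arn else None


def attribute_actions(events):
    """Map each human principal to the actions they performed, in order."""
    actions = defaultdict(list)
    for ev in events:
        role = role_for(ev)
        label = ev["eventName"] + (f" (via {role})" if role else "")
        actions[principal_for(ev)].append(label)
    return dict(actions)


def logins_without_mfa(events):
    """Console logins where the MFA challenge was not completed."""
    return [principal_for(ev) for ev in events
            if ev["eventName"] == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def root_activity(events):
    """Any use of the shared root account; it should be break-glass only."""
    return [ev for ev in events
            if ev.get("userIdentity", {}).get("type") == "Root"]


def findings(events):
    """Human-readable findings from the two checks above."""
    out = [f"console login without MFA: {who}" for who in logins_without_mfa(events)]
    out += [f"root account used: {ev['eventName']} from {ev.get('sourceIPAddress')}"
            for ev in root_activity(events)]
    return out


if __name__ == "__main__":
    for who, acts in attribute_actions(SAMPLE_EVENTS).items():
        print(f"{who}: {', '.join(acts)}")
    for finding in findings(SAMPLE_EVENTS):
        print("FINDING:", finding)
```

Run against real CloudTrail data, the same three checks would read a trail’s JSON records instead of SAMPLE_EVENTS. The attribution only holds because the federated session name is the user’s directory identity; if administrators instead share one IAM user or log in as root, every event collapses onto one principal and the DeleteTrail above cannot be tied to a person, which is exactly the accountability gap the practices above are meant to close.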
5. Don’t rely solely on your cloud service provider for protection
It’s you, the customer, who has the main responsibility for protecting privileged access to data in the cloud, not the service provider. A large financial institution recently learned this lesson the hard way. When moving to the cloud, organizations need to appreciate the fact that cloud security is a responsibility they share with their cloud service provider.
Leading providers like AWS, Microsoft Azure, and Google Cloud Platform secure the core infrastructure and services as their part of the shared responsibility model. But securing what runs on top of it, the guest operating systems and platforms you deploy, your identity and access configuration, and your data, lies squarely in the hands of customers. The exact dividing line shifts with the service model (the provider patches the operating system under a managed platform service but not under a virtual machine you run), yet identity, access policy, and data classification stay with the customer in every case.
Organizations that overlook this simple fact face a much higher likelihood of succumbing to cyber-attacks. Take control of your organization’s cloud future with Zero Trust.
By Torsten George
I am currently serving as product evangelist at Centrify, a leading provider of cloud-ready Zero Trust Privilege solutions. I am a marketing leader with more than 20 years of global experience in promoting software and network equipment products. I am a visionary with superb technology and market foresight as well as a pragmatic strategist with a passion for implementation.