Enterprise Cloud IAM Strategy
Updated: Aug 31, 2020
The growing popularity of cloud IAM services (IaaS, PaaS, and SaaS) in global organizations probably comes as no surprise: enterprises can purchase the features and services their developers need, scale up or down as the organization evolves, and deliver numerous applications quite easily from the cloud. Although some cloud services offer enterprises predictable expenses, the security of these cloud services is less predictable. Such a diverse cloud estate has become a challenge for risk officers, CISOs and IT teams managing different groups of users, ranging from remote workers, contractors and administrators of privileged accounts to standard, in-house employees. Fortunately, you can adopt cloud access management measures as part of an effective digital transformation strategy.
CISOs need to keep their eyes on security for Infrastructure as a Service (IaaS), where Microsoft Azure and Amazon AWS feature significantly. Gemalto’s Breach Level Index reports that identity theft was the most common mode of attack used in data breaches in 2016 and the first half of 2017.
Poor password management
Azure and AWS are leading the market for hosting custom-developed applications and have also been prone to identity thefts. According to Microsoft’s Security Intelligence report, there has been a 300% rise in cyber attacks, many resulting from compromised passwords. The report said: “A large majority of these compromises are the result of weak, guessable passwords and poor password management, followed by targeted phishing attacks and breaches of third-party services.”
Holes in the IaaS buckets
As for Amazon, many breaches occurred on S3 buckets, the storage used by organizations including tech giants and government bodies for holding databases. Although only recently made known to the media, many of the stories state that the cloud networks were open for weeks and months, giving cybercriminals ample time to take advantage of the security holes. One leak involved a third-party contractor (unnamed by any of the affected organizations) who misconfigured an Amazon S3 bucket and leaked 50,000 records of Australian employees. In another media story, Accenture misconfigured an Amazon server, accidentally exposing more than 137 gigabytes of data, including databases of numerous credentials. And we’re not talking about one or two sensitive records: nearly 40,000 stored passwords were found in one of the database backups!
Security per single service is not sufficient
You could argue that securing one IaaS alone would be enough to reduce security breaches, but according to the 2018 Global Cloud Data Security Study, (conducted by the Ponemon Institute and sponsored by Gemalto) cloud infrastructure applications such as online backup, virtual desktops and other tools have grown significantly during the past three years. The type of enterprise data stored in the cloud is also the data most at risk, including emails, customer information, consumer data, employee records, and payments.
With such risk in mind, how can you manage multiple cloud applications effectively?
Use multi-factor authentication
Employ an access management solution that can support different methods of authentication and different assurance levels. With this approach, you can match the level of assurance to the types of users accessing a resource, and require more than one factor of authentication for different groups. Users who need access to third-party servers may require stricter policies, as their activities pose a higher risk to the enterprise.
Limit access to third-party servers
Ensure that the access management solution you use can support flexible policy configuration. This way you’ll be able to set policies that are in line with the specific business needs of your organization: for example, create policies for privileged users, for PCI data access, or for contractors configuring third-party servers. Each policy can be tailored to the security and access needs of your organization.
Migrate painlessly
Use an access management solution that can handle the MFA methods already used in your organization, such as passwords, OTP, SMS or certificate-based (PKI) authentication. This will allow you to leverage your existing investment without having to rip and replace it with a new solution, and to scale to secure access for cloud applications.
Use a future-ready solution
Proprietary access control features offered by IaaS services may not interoperate with other cloud services. As you diversify your IaaS and PaaS environment, you will be better served by an access management solution that can support all your cloud access needs and provide a single pane of glass for setting policies for groups of users and applications, regardless of which service provider is being used to deliver apps.
One size doesn’t have to fit all
Due to the wide range of approaches to cloud application deployment, it is hard for security professionals to apply a one-solution-fits-all for all company applications, as they can be hosted in public or private clouds, or on-premises. Special training would be needed for personnel to configure each console, group of users and assurance level.
Web-based applications are the most vulnerable in terms of cybersecurity. The fact that access to PaaS and IaaS consoles is web-based makes privileged accounts a prime target for cybercriminals. Cybercriminals know that hacking privileged administrator consoles is an express lane to identity theft. Gemalto’s Breach Level Index reported that 74% of data incidents by type were identity theft breaches. That’s why it’s so important for enterprises to ensure higher levels of access security for these administrators.
According to another Gemalto survey, web portals and unprotected infrastructure are the biggest targets for cyber-attacks. In one of the most famous data breach attacks, on Deloitte, sources say that the hacker reached the company’s global email server through an ‘administrator’s account’, that gave access to privileged and unrestricted areas. “The account required only a single password and did not have ‘two-step’ verification.”
Remote cloud access
When organizations move their servers and applications to the cloud, inherent security becomes more of an issue. This is because the IT administrators are no longer going down the hall to log onto a specific machine – they are accessing a range of applications through a web-based admin console, which is also accessed by several other administrators.
New security measures needed
Given the frequent and sheer number of cloud-based cyber-attacks occurring consistently, organizations need to implement new security measures to protect these online web-based admin consoles. With this factor in mind, security officers need to adopt a dedicated access security approach for users and admins who routinely have access to privileged cloud-based accounts.
Companies can have admin consoles at various points in the enterprise’s network, opening up vulnerabilities in multiple clouds, on-premises or remotely.
Here are some of the ways an effective solution will help prevent criminals from getting ahold of the privileged users’ web consoles who may hold the keys to massive and valuable digital assets, often for multiple departments and organizations:
Eliminate the use of passwords
Keeping track of the many passwords administrators need is cumbersome to maintain and risky if they are lost. Using smart single sign-on for privileged accounts will discourage administrators from writing their passwords down on paper or storing them in an unencrypted digital file. Smart single sign-on maintains single sign-on to apps governed by a specific policy and will trigger a request for elevated access security for specific business cases or groups of users. This is in contrast to regular single sign-on, which is less secure and is based on a ‘keys to the kingdom’ approach that provides a single credential for all applications. If the single credential is compromised, all the apps to which the user has access will be vulnerable.
Use strong authentication
Due to the high risk involved with privileged accounts, administrators should be subject to strong, multi-factor authentication to add more layers of protection to the login process. These multiple factors could be one-time passwords generated by hardware tokens, PKI-based certificate authentication, biometric authentication or a combination.
Establish conditional access
Set up policies that limit the access to administrators, use role-based access policies and augment strong authentication with contextual factors such as time of session, location of access, IP address, geographical location, etc.
Privileged accounts are the most dangerous and important to protect in an enterprise. To prevent reputational, financial and privacy damages caused by identity theft, it’s best to consider a solution that will support all your cloud computing services and integrate with other solutions such as Privileged Access Management (PAM) solutions. In other words, don’t let your superuser accounts turn into super loser accounts.
It’s not fake news that companies are using more and more services in the cloud, as part of their digital transformation strategy. As enterprises adopt cloud applications, users experience password fatigue – the seemingly endless hassle of creating and maintaining separate identities and passwords for the many cloud and web apps that they need to access daily. As well, standard employees often have to validate their identities with strong multi-factor authentication, hindering their access even more.
Standard users subject to password fatigue and lockouts
Whereas enterprise security officers are concerned with employees working beyond the traditional safe confines of the corporate, on-premises network, it’s a different scenario for standard employees: when low risk end users log into cloud apps, they do not require access to the same information as privileged users, such as Human Resource managers, financial, IT or C-suite level executives. These standard users need to work easily and productively, without wasting time on system lockouts or forgotten passwords.
Cheaper to build; easier to adopt
According to a KPCB report from the Internet Trends Code Conference, May 2017, cloud-enabled applications have risen because they are cheaper to build and easier to adopt. But the report states that these have ‘serious security and compliance implications’ and that 94% of all cloud apps used are ‘not enterprise ready’.
In response to their concerns, some security policies have set up strict guidelines regarding passwords, causing some employees to write them down on sticky notes!
This is obviously not safe. Some enterprises offer lighter access policies for applications secured on-premises, but require stricter access to applications located remotely or in the cloud. However, management and configuration of these policies can be complicated and time-consuming. How can IT teams adopt a seamless, yet secure cloud access management system?
• Offer convenience without compromising on productivity
Instead of requiring end users to keep track of multiple passwords and adhere to strict regulations, IT managers can use a cloud single sign-on and provision users with long session times and limited access to areas or applications reserved to privileged users.
• Allow flexible access policies
Whereas cloud single sign-on provides convenience to standard users, you can establish flexible access policies that require stronger authentication as users step up to higher risk situations. Adding contextual information and session-based management will provide the extra layer of cloud security needed, allowing both standard users and IT teams a relief of identity and access management messes.
• Keep track of user access and monitor activity
A centralized access management system will keep track of the applications end users are accessing, when and from where. Failed attempts will provide IT teams with important information as to the device, location or other contextual information that caused the user to fail or succeed.
• Quickly onboard and deprovision low-risk contractors and employees
An effective system will onboard employees quickly and deprovision them when they change position or complete their contracts. In this way, end users can focus on their core responsibilities and leave authentication and access enforcement to the enterprise IT systems.
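The conditional-access policy described under “Establish conditional access” and the step-up policy under “Allow flexible access policies” can be expressed as one small policy evaluator. The following is an added Python example, not code from the article or from Thales: it maps a login context (user group, source IP, country, hour, factors presented) to a required assurance level and an allow, step-up or deny decision, and returns the context with the decision so it can be written to the audit log the article recommends. The group names, assurance level names, network range, countries and business hours are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assurance levels, weakest to strongest (names are assumptions for this example).
LEVELS = {"password": 1, "otp": 2, "pki": 3}
LEVEL_NAME = {v: k for k, v in LEVELS.items()}

# Constructed policy inputs: corporate network, home countries, business hours.
CORP_NET = ip_network("10.20.0.0/16")
HOME_COUNTRIES = {"AU", "NZ"}
BUSINESS_HOURS = range(8, 19)

# Base assurance by user group: standard users get SSO convenience, contractors
# working on third-party servers need OTP, privileged admins need PKI.
BASE_LEVEL = {"standard": 1, "contractor": 2, "privileged": 3}


@dataclass
class LoginContext:
    user: str
    group: str
    ip: str
    country: str
    hour: int                      # local hour of the session, 0-23
    factors: set = field(default_factory=set)


def required_level(ctx: LoginContext) -> int:
    """Base level for the group, stepped up one level if any contextual signal is risky."""
    base = BASE_LEVEL.get(ctx.group, 3)          # unknown group: treat as privileged
    risky = (ip_address(ctx.ip) not in CORP_NET
             or ctx.hour not in BUSINESS_HOURS
             or ctx.country not in HOME_COUNTRIES)
    return min(3, base + 1) if risky else base


def evaluate(ctx: LoginContext) -> dict:
    """Return the access decision together with the context that produced it."""
    need = required_level(ctx)
    have = max((LEVELS[f] for f in ctx.factors if f in LEVELS), default=0)
    if ctx.group == "privileged" and ctx.country not in HOME_COUNTRIES:
        decision = "deny"                        # admin consoles only from home countries
    elif have >= need:
        decision = "allow"
    else:
        decision = f"step-up:{LEVEL_NAME[need]}"  # ask for the missing stronger factor
    return {"user": ctx.user, "decision": decision, "required": LEVEL_NAME[need],
            "presented": sorted(ctx.factors), "ip": ctx.ip,
            "country": ctx.country, "hour": ctx.hour}


if __name__ == "__main__":
    print(evaluate(LoginContext("alice", "standard", "10.20.5.7", "AU", 10, {"password"})))
    print(evaluate(LoginContext("carol", "privileged", "10.20.1.1", "AU", 14, {"password"})))
```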
Resource Round-Up
When choosing which cloud access management solution to implement in your organization, your IT team may want to assess the following factors:
1. Does your enterprise use multiple cloud services such as IaaS, PaaS or SaaS?
2. Does your organization have sufficient resources, both human and financial, to manage access for each cloud service?
3. Does your IT team have enough time to configure each cloud service?
4. Is your IT team versed in legacy security systems, or does it need to be trained or certified to configure cloud services such as Microsoft Azure or Amazon AWS?
5. How many users or groups of users in the organization need admin or privileged access? Does the IT team have enough time to define and manage privileged accounts and define policies affecting different groups of users?
6. How many contractors need to access cloud applications, and when do their contracts end?
7. How many in-house employees need limited access to applications, and what means are they using to validate their credentials to enter these services?
Read more of our Blogs at http://www.woodsllp.com
Licensed from the ThalesGroup