The rapidly expanding multitude of cloud services creates an endless and extraordinarily fast cycle of change for enterprise IT and security teams. Many teams scramble to protect data in the public cloud, and most organizations rely on outdated security policies that fail when applied to cloud environments like AWS, Azure, and Google Cloud.
Jay Gazlay, technical strategist at the Cybersecurity and Infrastructure Security Agency (CISA), recently told the National Institute of Standards and Technology (NIST) Information Security and Privacy Advisory Board: “Identity is everything now. We can talk about our network defenses, we can talk about the importance of firewalls and network segmentation, but really identity has become the border and we need to start reorienting our infrastructure in that way.”
Understanding the importance of identities
Gazlay’s assessment highlights that identities are the new perimeter. Security teams are used to creating boundaries with networks, placing security stacks where those boundaries meet, and configuring them around known and locked-down data paths. That approach just doesn’t work as a comprehensive cloud security solution. Instead, cloud security teams need to think about which identities they control, what those identities can be used for, and which resources they have access to.
The modern attack cycle begins with identity. Attackers seek access through an identity, then pivot between resources, uncovering the credentials and identities of other people and non-people (service accounts, roles, and keys) that give them broader access to critical data and lead to data breaches. It’s important to understand that identity extends security beyond traditional corporate walls, which is why we’re seeing breaches at organizations that apply old network security policies to the cloud.
Security teams should ask themselves the following questions when assessing their cloud security positions:
- Do we manage identities as our perimeter? If your team is still managing an old network perimeter, you are putting your business at risk. Your organization must manage the identities of people and non-people.
- Have we identified our security risks in the cloud? Risk and configuration drift arise quickly in the cloud. Misconfigurations of identities, resources, and services can lead to significant data breaches. Organizations can minimize risk by first identifying unauthorized identities and excessive privileges. Data owners and cloud operations, security, and audit teams must continually assess risk to maximize control management, security, and data governance.
- Are data exposures an inadequate indicator? Knowing where data is stored in the cloud is not, by itself, a sufficient risk assessment. While data owners can trust their DevOps teams to manage the storage of data objects, this does not reveal the full extent of access and privileges held by external parties. Cloud users need to be fully aware of where their data is actually located, who has access to it, how it is accessed, and where it comes from.
- What are our coordination problems? The outdated paradigm of sending all security alerts to a single team to sort and manage is simply not feasible. In the cloud operating model, disparate groups use the environment simultaneously, including audit, DevOps, and security teams, and the old paradigm collapses under that load. The solution is to route issues to the teams that created them, because they are in the best position to fix them.
- Have we addressed our employees’ skills gap in cloud security? Many developers are not inherently security experts and should be trained in cybersecurity best practices. Organizations that don’t want to add more tasks to existing development staff may need a new type of operations person who combines operations with security (DevSecOps). Without that investment, staff lack the skills and knowledge to secure today’s organization.
It’s time to improve your business strategy
The cloud involves multiple accounts, trust relationships, and permission inheritances, making it extremely difficult for data owners to keep a close eye on them. Here are some areas where you can improve your strategy:
As part of a zero trust strategy, organizations should take steps to move to least privilege, identify the activities that will have the most immediate impact on security, and include a timeline for implementing them. This means investing in a solution that meets your zero trust strategy by continuously monitoring every authorization, access, and identity to determine its effective permissions, what it can do, and what data it can access.
Prevent data risks before they cause damage. Treat remediation and prevention bots like members of the team: a detected problem must be reported to the right team or bot, with the team following up and auditing the outcome. The result is a high-performance compliance framework for your environment. Establish prevention rules and make sure they are followed at all times.
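To make the "effective permissions" and "excessive privileges" ideas above concrete, here is an added example (not code from the article or any vendor) that evaluates an AWS-style IAM policy document: `is_allowed` computes the effective permission for one action on one resource using IAM's Deny-wins evaluation order, and `find_excessive` flags the wildcard grants a least-privilege review should look at first. The policy document is constructed for illustration, and the evaluation is simplified (no conditions, no resource policies or permission boundaries).

```python
import fnmatch
import json

# Constructed sample policy in AWS IAM JSON format (illustrative, not from the article).
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": "arn:aws:s3:::example-data/*"},
  {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
  {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}]}""")


def _as_list(value):
    # IAM accepts a single string or a list in Action/Resource fields.
    return value if isinstance(value, list) else [value]


def _hits(stmt, action, resource_arn):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", []))))


def is_allowed(policy, action, resource_arn):
    """Effective permission for one action on one resource: an explicit Deny
    always wins, otherwise any matching Allow grants it, otherwise implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _hits(stmt, action, resource_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def find_excessive(policy):
    """Flag Allow statements with wildcard actions or an unrestricted resource;
    these are the first candidates for a least-privilege review."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        reasons = [f"wildcard action {a}" for a in _as_list(stmt.get("Action", []))
                   if a == "*" or a.endswith(":*")]
        if "*" in _as_list(stmt.get("Resource", [])):
            reasons.append("resource *")
        if reasons:
            findings.append((idx, reasons))
    return findings
```

Run `find_excessive` over every identity's attached policies on a schedule and hand each finding to the owning team, which is the prevention-rule loop described above.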
A business that does not fully understand its role in securing its identities and data in the public cloud is taking unnecessary risks with outdated strategies that can have dire consequences.