CloudKnox Q&A with Help Net Security

Blog Jan 31, 2019 By CloudKnox Team

Enterprises around the world love the advantages a cloud infrastructure brings to their computing, storage, networking and more, and many employ multiple cloud platforms, both private and public. But the benefits of the cloud are not without risk. CloudKnox CEO Balaji Parimi discusses those risks and how to protect against them.

Q: Given the fast-paced threat landscape, what are the most significant challenges related to safeguarding a hybrid-cloud infrastructure?

A: Cloud infrastructure (e.g. compute, storage, network etc.) has seen unprecedented levels of automation and while this automation has given enterprises the ability to scale to new heights in efficiency, it has also introduced new risks.

Regardless of your cloud deployment model, consider that a one-line script by an authorized identity can result in the most catastrophic damage, whether it is through simple negligence (e.g. a typo) or malevolence (e.g. a compromised credential or a malicious insider).

The best example of this is the AWS outage of 2017, whereby one incorrect command knocked dozens of websites and applications offline, impacting hundreds of thousands of businesses and causing millions of dollars in lost revenue.

There is no doubt that as organizations start embracing multiple cloud platforms, the probability of an incident, whether intentional or not, is going to increase exponentially. And the most significant challenge facing enterprises will be the loss of overall visibility and the associated lack of control over critical aspects of their environment.

Q: How has an enterprise’s approach to protecting their cloud environments changed over the years, and how do you see it evolving in the near future?

A: Enterprise security is always evolving, not by choice but because organizations are constantly facing new security risks. As cloud services take over from on-premises hardware and software, enterprises are embracing cloud-based solutions as the foundation of their cyber security strategy.

They are beginning to understand that managing security in the cloud is much different from securing a traditional IT environment with well-defined perimeters. Where traditional corporate network perimeters extended to physical firewalls that were easy to establish and maintain, the cloud perimeter is disappearing, as different public cloud services and software as a service (SaaS) solutions stretch the edges of the network to the point where any device or end user becomes the edge. This will only get more complex as we move to containers and serverless computing.

Enterprises are also moving away from labor intensive, manual practices to automation for better security.

Q: What are the often-overlooked issues involved with identity privilege authorization across all private and public clouds, especially with rapidly expanding enterprises featuring a highly mobile, global workforce?

A: There are three often-overlooked issues, as follows:

1. While the concept of least privilege is simple to understand, it can be very complex to effectively implement especially when you consider the many variables such as diverse computing environments (e.g. virtual, private cloud, hybrid cloud, multi-cloud), the different types of workloads (e.g. servers, virtual machines, containers, serverless etc.), the unique flavors of identities (e.g. employee, third party, bot, service account, API keys, resource, role, group) and the growing number of privileges across all the private and public cloud platforms (e.g. AWS has over 3600 privileges).

2. Most trusted identities use only a fraction (less than 1%) of their privileges to perform their day-to-day jobs. The other 99% of unused privileges expose enterprises to avoidable risk. Moreover, ~50% of those unused privileges are considered high-risk (e.g. destroy instance, export instance). Any misuse of a high-risk privilege (accidental or malicious) can cause service disruption, service degradation, data leakage or a complete business shut down.

3. Implementing a solution that leverages a Role-Based Access Control (RBAC) model will not work if you are trying to achieve the principle of least privilege (POLP). With RBAC, the identity belongs to a static role (e.g. system administrator) and that role comes by default with a pre-determined set of privileges that will never be completely used by that identity.

For example, let's assume that Bob and Fred have been assigned the system administrator role, which is tied to the enterprise's Active Directory. This role includes one hundred privileges, fifty of which are high-risk, but Bob only uses/needs five privileges and Fred only uses/needs four completely different privileges. Both Bob and Fred are now considered over-privileged identities and pose a significant risk to their organization.

Q: What approach to managing risks would you recommend to a newly appointed CISO of a Fortune 500? What should he/she do in order to stay ahead of the complex threats targeting the cloud environment?

A: Recognize that the complexity of managing your environment will increase exponentially over time. Consider that the various permutations of identities, privilege types, and resources across multiple cloud platforms will run into the millions and will make it virtually impossible to administer manually.

To get ahead of this, we recommend that you:

1. Get a true understanding of your risk posture by gaining the right level of visibility and insight into your environment such as:

– How many identities have access to the infrastructure?
– What privileges do they have?
– What can they do with those privileges?
– What privileges are they actually using? Not using?
– Which resources are they performing actions on?

2. Based on your findings, implement a risk mitigation plan by identifying identity privilege right-sizing opportunities.

3. Continuously monitor and assess your identities’ activity and behavior across your infrastructure to assess your risk profile on a regular basis.

4. Have the ability to quickly produce a forensic trail of all privileged identity activity and resources impacted. This is not only mandatory for compliance and auditing requirements, but it also empowers your security organization to swiftly detect and remediate incidents and put preventive measures in place.

5. Finally, managing identity privileges should never be about restricting privileges and inhibiting productivity, but about always giving identities, whether human or non-human, the authority to use the privileges they need, when they need it, to do their jobs.
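The Bob-and-Fred scenario above (a shared role granting far more than either identity uses) and the visibility and right-sizing steps in this answer can be worked through in code. The following is an added example, not CloudKnox code or any product's logic: it compares what an AWS-IAM-style policy grants with what each identity actually called, using constructed CloudTrail-style events, then emits a per-identity policy that contains only the actions the log justifies. The policy, the member list, the events, the denied RDS call and the HIGH_RISK action set are all constructed assumptions for the example, not a published list.

```python
"""Right-size a shared role from observed activity.

Added example, not CloudKnox code. It compares what an IAM-style policy grants
with what each identity actually called (constructed CloudTrail-style records)
and emits a per-identity policy containing only the actions the log justifies.
The policy, events, member list and HIGH_RISK set are all constructed here.
"""
import fnmatch
from collections import defaultdict

# Constructed: one "sysadmin" role shared by Bob and Fred, plus a service
# account that never showed up in the log.
SYSADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances",
            "ec2:TerminateInstances", "ec2:CreateSnapshot",
            "s3:*",  # wildcard grant: every S3 action, including deletes
            "iam:CreateUser", "iam:AttachUserPolicy",
        ],
        "Resource": "*",
    }],
}
ROLE_MEMBERS = ["bob", "fred", "svc-backup"]

# Illustrative high-risk actions (an assumption for this example, not a
# CloudKnox or AWS-published list).
HIGH_RISK = {"ec2:TerminateInstances", "s3:DeleteBucket", "s3:DeleteObject",
             "iam:CreateUser", "iam:AttachUserPolicy"}

def _ev(user, source, name, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    ev = {"userIdentity": {"userName": user}, "eventSource": source, "eventName": name}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed events: Bob only manages EC2, Fred only reads and writes S3
# objects. Fred's denied RDS call must not count as usage.
SAMPLE_EVENTS = [
    _ev("bob", "ec2.amazonaws.com", "DescribeInstances"),
    _ev("bob", "ec2.amazonaws.com", "StartInstances"),
    _ev("bob", "ec2.amazonaws.com", "StopInstances"),
    _ev("bob", "ec2.amazonaws.com", "DescribeInstances"),
    _ev("fred", "s3.amazonaws.com", "GetObject"),
    _ev("fred", "s3.amazonaws.com", "PutObject"),
    _ev("fred", "s3.amazonaws.com", "ListBucket"),
    _ev("fred", "rds.amazonaws.com", "DeleteDBInstance", error="AccessDenied"),
]

def granted_patterns(policy):
    """Flatten Allow statements into the set of action patterns (may hold wildcards)."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns

def used_actions(events):
    """Map each identity to the 'service:Action' calls that actually succeeded."""
    used = defaultdict(set)
    for ev in events:
        if ev.get("errorCode"):  # denied or failed calls are not evidence of need
            continue
        service = ev["eventSource"].split(".")[0]
        used[ev["userIdentity"]["userName"]].add(f"{service}:{ev['eventName']}")
    return used

def is_granted(action, patterns):
    """True if any granted pattern (possibly a wildcard like s3:*) covers the action."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def right_size(policy, members, events, high_risk=HIGH_RISK):
    """Per identity: used actions, unused grants (incl. high-risk), minimal policy.

    Wildcard grants such as s3:* are replaced by the concrete actions observed,
    so the replacement policy never contains a pattern the log did not justify.
    Successful calls not covered by this policy are ignored here; they would be
    evidence of a second policy on the same identity and worth chasing separately.
    """
    patterns = granted_patterns(policy)
    usage = used_actions(events)
    report = {}
    for who in members:
        used = {a for a in usage.get(who, set()) if is_granted(a, patterns)}
        unused = {p for p in patterns
                  if not any(fnmatch.fnmatchcase(a, p) for a in used)}
        unused_high_risk = {h for h in high_risk
                            if is_granted(h, patterns) and h not in used}
        statements = []
        if used:  # an Allow statement with an empty Action list is invalid
            statements.append({"Effect": "Allow", "Action": sorted(used), "Resource": "*"})
        report[who] = {
            "used": sorted(used),
            "unused_grants": sorted(unused),
            "unused_high_risk": sorted(unused_high_risk),
            "over_privileged": bool(unused),
            "policy": {"Version": "2012-10-17", "Statement": statements},
        }
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(right_size(SYSADMIN_POLICY, ROLE_MEMBERS, SAMPLE_EVENTS), indent=2))
```

Running it shows Bob keeping three EC2 actions and Fred three S3 actions, with every high-risk grant unused by both, and the service account with no activity at all, which is the case to revoke rather than right-size. Two details matter in practice: denied calls are filtered out, since an AccessDenied is evidence of intent but not of a legitimate need, and a wildcard such as s3:* counts as exercised only if some observed action matches it, and is then replaced by the concrete actions seen rather than kept as a pattern.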

This blog entry was used in part for the “Safeguarding hybrid-cloud infrastructures through identity privilege management” article available on Help Net at
