The Cloud Perimeter and Non-Human Identities
NOTE: The following was written by Ben Canner for Solutions Review and originally published February 4, 2019. It is re-published here for the convenience of our customers and readers. Here you can find the original article.
Cybersecurity experts across the globe proclaim identity as the new enterprise digital perimeter. What exactly does that mean though? How should enterprises incorporate identity into their perimeter security? How should enterprises fortify their human and non-human identities to prepare for the new age?
To find out, we spoke with Balaji Parimi, CloudKnox Founder and CEO. CloudKnox provides identity privileged lifecycle management for the cloud and private environments.
Solutions Review: You mentioned in our first communications about shadow infrastructures taking center stage in the enterprise network. What is shadow infrastructure? Does it pose a security risk to enterprises evolving to the cloud?
Balaji Parimi: Shadow infrastructure is a subset of Shadow IT—referring to infrastructure that is being managed and utilized without the knowledge of enterprise IT. While many security experts are familiar with the need to share security responsibilities in infrastructure-as-a-service (IaaS) environments, business teams who are experimenting with cloud services for one-off projects assume that everything is taken care of by the provider.
As new projects spin up and leave basic security requirements unaddressed, these IaaS environments can unintentionally expose data or be hijacked by attackers for nefarious purposes.
SR: Has identity become the new digital perimeter already? How much more does it need to evolve and adapt to become enterprises’ official digital perimeter in 2019?
BP: I think it is safe to say “identity” has become the new digital perimeter and there is no turning back.
As more enterprises evolve their cloud strategies, they will be faced with legacy identity tools that were never meant to exist outside the enterprise. They’re realizing secure access and authorization to hybrid cloud environments is a significant impediment to execution.
For example, many companies who are trying to employ the Principle of Least Privilege (POLP) in their hybrid cloud are leveraging solutions that still use Role-based Access Controls (RBAC)—a 30-year-old mechanism created in the pre-cloud era. The problem with this practice is traditional RBAC only works in a static environment.
This means a typical privileged identity today has authority to perform many high-risk actions on a wide swath of critical infrastructure despite the fact that they only use and need a fraction of those privileges to perform their day-to-day jobs. This practice creates a significant, completely avoidable risk and grossly violates the best practice of POLP which clearly states the following:
“The Principle of Least Privilege (POLP) is a fundamental guideline for secure computing that restricts privileged identities to only the permissions they need to perform their authorized tasks.”
Therefore, enterprises will need to evaluate tools that will enable them to implement the principle of least privilege at a granular level across their hybrid cloud environments and prevent—or at least significantly minimize—the risks associated with incorrectly or overprovisioned human and non-human identities.
SR: How will cloud adoption change identity as the digital perimeter?
BP: Cloud infrastructure (e.g. compute, storage, network, etc.) has seen unprecedented levels of automation. While this automation has given enterprises the ability to scale to new heights in efficiency, it’s also introduced a new set of cloud-related cyber threats.
Just as the infrastructure has evolved, so have the attackers. They’re quickly learning to take advantage of this automation to get their hands on the “keys to the kingdom”—a trend indicating an attack strategy targeted at the cloud infrastructure itself as opposed to specific identities or data sets.
CloudKnox believes enterprises need to be watching out for human and non-human identities with incorrectly or overprovisioned high-risk privileges; if identity is the new perimeter and the new entry point for attackers, then high-risk privileges will quickly become one of the most menacing threat vectors to cloud infrastructure for years to come.
Enterprise security and infrastructure teams need to recognize how vulnerable their critical workloads are in today’s modern infrastructure. They need to always remember a one-line script or a click of a button by a human or non-human identity can result in the most catastrophic damage, whether through simple negligence (e.g. typo error) or malevolence (e.g. compromised credential or malicious insider). A holistic understanding of who or what can cause such damage must be front and center of any cybersecurity strategy going forward.
CloudKnox recommends every company operate under the assumption that the #1 risk to their hybrid cloud infrastructure is a trusted identity with excessive privileges and the only way to manage that risk is to implement the principle of least privilege. If not, they run the risk of compromising every security system, policy, and procedure they’ve worked to put in place.
SR: How have non-human identities evolved for enterprise cybersecurity?
BP: A few years back, the average ratio of non-human identities to human identities was less than one to one. Today, there’s an average of six non-human identities (e.g. service accounts, bots, servers, API Keys, applications etc.) for every human identity. We believe this ratio will continue to increase exponentially.
We already see enterprises struggling to understand basic information like “who are the identities that can touch their infrastructure,” “what privileges do those identities have” and “what actions have they performed over a specific time period.” The continued rise in nonhuman identities will make these questions—and most importantly, the risk these identities introduce—more crucial and exceedingly more difficult to identify and manage.
SR: How should enterprises prepare for non-human identities entering and interacting on their network?
BP: Non-human identities require much more regular oversight than human identities do, but unfortunately the opposite usually happens; they often tend to get ignored or forgotten. The reason they need more frequent attention is
Therefore, if a non-human identity suddenly performs an action that they have never performed on a resource that they have never accessed—there is a very good chance that credential misuse has occurred.
What security and risk management teams should expect to see during a review are non-human identities performing repetitive tasks with a small number of fixed privileges. Any variance or anomaly signals a potential problem or danger.
CloudKnox believes that in the era of cloud computing, enterprises need to recognize that the complexity of managing identities and identity privileges will increase exponentially over time. They should consider that the various arrangements of identities (human and non-human)—in addition to privilege types and resources—across multiple cloud platforms will run into the millions and make it virtually impossible to administer manually.
In order for enterprises to get ahead of this, there are a couple of recommendations we typically like to share:
1. Get a true understanding of your enterprise’s risk posture by gaining the right level of insight and visibility into the surrounding environment,
– Which identities (both human and non-human) can touch my infrastructure?
– What privileges do they have?
– What actions can they perform with
– What privileges are they actually using?
– Which resources are they performing actions on?
2. Based on these findings, enterprises should implement a risk mitigation plan by identifying identity privilege right-sizing opportunities and enforcing it.
3. Continuously monitor and assess the activity and behavior of both human and non-human identities across your infrastructure to assess your risk profile on a regular basis.
4. Have the ability to quickly produce a forensic trail of all privileged identity activity and resources impacted. This will empower your security organizations to quickly detect and remediate incidents and help you put preventive measures in place.
5. Manage the identity privilege lifecycle from a position of trust. It should never be about restricting privileges and inhibiting productivity but about giving identities the authority to use the privileges they need—when they need it—to do their day-to-day jobs.
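The following is an added example, not code from the interview or from CloudKnox: it works through the review described above on constructed audit events. It answers "which granted privileges are actually used" (right-sizing candidates, steps 1 and 2) and flags a non-human identity performing a never-seen action on a never-touched resource (the credential-misuse signal from the earlier answer). Identity names, action names and resource paths are all constructed sample data, not any provider's real API.

```python
from collections import defaultdict

# Constructed: privileges granted to each non-human identity (hypothetical names).
GRANTED = {
    "svc-backup":  {"storage:Read", "storage:Write", "storage:Delete", "compute:Start"},
    "svc-billing": {"billing:Read", "storage:Read"},
}

# Constructed audit events: (identity, action, resource), oldest first.
EVENTS = [
    ("svc-backup",  "storage:Read",  "bucket/prod-db-dumps"),
    ("svc-backup",  "storage:Write", "bucket/prod-db-dumps"),
    ("svc-backup",  "storage:Read",  "bucket/prod-db-dumps"),
    ("svc-billing", "billing:Read",  "account/main"),
    # New action on a resource this identity has never touched: the
    # pattern the interview describes as a strong sign of credential misuse.
    ("svc-backup",  "compute:Start", "vm/unknown-host-01"),
]

def unused_privileges(granted, events):
    """Right-sizing candidates: granted privileges with no recorded use."""
    used = defaultdict(set)
    for identity, action, _ in events:
        used[identity].add(action)
    return {i: sorted(p - used[i]) for i, p in granted.items()}

def detect_anomalies(events, baseline_len):
    """Learn each identity's (action, resource) pairs from the first
    baseline_len events, then flag later events outside that baseline.
    A new action on a new resource is rated 'high'; a new pairing of
    already-seen action/resource is rated 'medium'."""
    seen = defaultdict(set)  # identity -> {(action, resource)}
    for identity, action, resource in events[:baseline_len]:
        seen[identity].add((action, resource))
    alerts = []
    for identity, action, resource in events[baseline_len:]:
        known_actions = {a for a, _ in seen[identity]}
        known_resources = {r for _, r in seen[identity]}
        if (action, resource) not in seen[identity]:
            new_both = action not in known_actions and resource not in known_resources
            alerts.append((identity, action, resource, "high" if new_both else "medium"))
        seen[identity].add((action, resource))  # extend the baseline for next time
    return alerts

if __name__ == "__main__":
    print(unused_privileges(GRANTED, EVENTS))
    print(detect_anomalies(EVENTS, baseline_len=4))
```

In practice the right-sizing pass should exclude events the anomaly pass has flagged, otherwise a misused privilege counts as "in use" and survives the review.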
Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and