Identity access management has become a critical element of security in the cloud era. Data shows that identity security concerns are becoming increasingly relevant as enterprises race to cloud infrastructure. Anyone questioning whether issues of identity are indeed paramount in the cloud landscape need only look to these two survey reports recently published in the cloud security space.
Identity Access Management Highlighted in Recent Reports
In Top Threats to Cloud Computing, published by the Cloud Security Alliance in June, more than 700 industry experts named insufficient identity, credentials, access, and key management as the top threats facing them today. Identity issues were identified as high-importance threats over other well-known vulnerabilities including insecure interfaces and APIs, insecure software development systems and practices — and even malicious attacks.
In the second report, published by Dimensional Research and sponsored by the Identity Defined Security Alliance (IDSA), 84% of responding organizations reported being impacted by an identity-related breach in the past 12 months, which is a 79% increase from the previous year. Published in June, the report, 2022 Trends in Securing Digital Identities, surveyed more than 500 individuals responsible for IT security or identity and access management (IAM) at companies with more than 1,000 employees. Taking a broader look at digital identity, the IDSA report provides several critical data points that cloud IT decision makers and security professionals need to address:
- 98% said the number of identities is increasing, primarily driven by cloud adoption, third-party relationships, and machine identities.
- Of the organizations suffering breaches, 96% reported that they could have prevented or minimized the breach by implementing identity-focused security outcomes.
- 97% will be investing in identity-focused security outcomes.
Security Impact of the Mass Cloud Migration
Why has identity management skyrocketed to the top of cybersecurity priorities in such a short period of time? The answer is quite simple: the cloud. Identity access management functions in a fundamentally different way for cloud-native environments than it did in legacy on-premises structures. Ringfencing users and assets in on-premises environments, a method involving firewalls to prevent unwanted network traffic, used to be the gold standard approach. However, it isn’t possible to ringfence every application, resource, device, or user in a cloud environment.
Digital identity has become the cornerstone of security in cloud-native environments that require new approaches to protection. Digital identity defines the new perimeter in the cloud, and this new perimeter-less environment has made managing access privileges magnitudes more critical than ever before. With so many organizations rushing to transition their DevOps to the cloud, the actual day-to-day management of identities and privileges often falls to the developers.
A decade or more ago, identity access management systems were a somewhat arcane piece of the overall IT security equation. Generally, IT security administrators managed identities using solutions such as Microsoft Active Directory, or one of the more specialized commercial offerings such as Okta, Ping or ForgeRock. New hires would be granted access to internal systems — email, HR, or developer resources — via a login and password when they joined the company, and privileges would be revoked when they departed. It was mostly a closed system where best practices were well understood and tightly managed.
In the modern multicloud environment of 2022, identities and privileges are often managed at a developer level. This shift has made over-privileged or inappropriately granted standing access highly likely. As privileges and standing access come to the forefront, we see the IT community developing a keen understanding of how weak identity access management practices lead to security vulnerabilities in cloud environments.
Next Steps: Techniques for Securing Digital Identities
When asked to name the areas of identity-focused security in which they will be investing in the near future, one-third of security professionals surveyed by IDSA pointed to multifactor authentication (MFA) as a top choice. The next most frequently named security measures were continuous discovery of all user access rights and more timely review of access to sensitive data. These are encouraging responses because they get to the heart of what is challenging about securing digital identities in the cloud.
Continuous discovery is important because it enables organizations to gain visibility into all their human and machine identities and privileges, and it allows them to zero in on those that are over-privileged. Ideally, cloud-based organizations should have the ability to gain quick insights into high-risk identities, privileges, and activities from a unified cross-cloud access model. This is the most effective way to uncover shadow privileges and security blind spots — a highly valuable capability as an organization’s attack surface grows along with its use of APIs and third-party engagements.
Faster review of access to sensitive data is a key capability because privileges can drift, and many cloud accounts become over-privileged as time passes. Continuous discovery plays a role here, but even more beneficial would be planned or time-based granting and revocation of access rights. Just-in-time permissioning allows time-specific access to be granted and then revoked, reducing credential exposure and eliminating standing privilege.
The concept of ephemeral or just-in-time permissioning is relatively new, but it is gaining traction within the industry because it aligns closely with the central security concerns of cloud-native identity and privilege access management. This zero-standing privileges approach not only eliminates the risks posed by permanent hard-coded secrets, but also eliminates the major issue of “orphan” access rights that linger after employees move teams or leave the organization.
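As an added illustration (not code from the article or from any vendor it mentions), the Python sketch below models just-in-time grants that expire on their own, together with a discovery pass that flags the standing and orphan access rights described above. The grant model, the directory set, the privilege names, and the 90-day idle threshold are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Grant:
    identity: str                      # human or machine identity
    privilege: str
    granted_at: datetime
    expires_at: Optional[datetime]     # None means standing access
    last_used: Optional[datetime] = None

def jit_grant(identity, privilege, now, ttl_minutes):
    """Issue a time-boxed grant; revocation is implicit at expires_at."""
    if ttl_minutes <= 0:
        raise ValueError("a just-in-time grant needs a positive TTL")
    return Grant(identity, privilege, now, now + timedelta(minutes=ttl_minutes))

def is_active(grant, now):
    return grant.expires_at is None or now < grant.expires_at

def review(grants, directory, now, unused_days=90):  # 90 days is an assumed threshold
    """Return (identity, privilege, finding) for every risky active grant."""
    findings = []
    for g in grants:
        if not is_active(g, now):
            continue                   # expired JIT grant: nothing left to revoke
        if g.identity not in directory:
            findings.append((g.identity, g.privilege, "orphan"))
        elif g.expires_at is None:
            idle = g.last_used is None or now - g.last_used > timedelta(days=unused_days)
            findings.append((g.identity, g.privilege,
                             "standing-unused" if idle else "standing"))
    return findings

# Constructed sample data: "bob" has left, so he is absent from the directory.
NOW = datetime(2022, 7, 1, 12, 0, tzinfo=timezone.utc)
DIRECTORY = {"alice", "ci-deployer"}
GRANTS = [
    Grant("alice", "prod-db:admin", NOW - timedelta(days=400), None,
          NOW - timedelta(days=200)),
    Grant("bob", "storage:write", NOW - timedelta(days=300), None,
          NOW - timedelta(days=100)),
    Grant("ci-deployer", "deploy:prod", NOW - timedelta(days=30), None,
          NOW - timedelta(days=1)),
    jit_grant("alice", "prod-db:read", NOW - timedelta(minutes=90), 60),  # expired
    jit_grant("alice", "logs:read", NOW - timedelta(minutes=10), 60),     # active
]

if __name__ == "__main__":
    for finding in review(GRANTS, DIRECTORY, NOW):
        print(finding)
```

Only the three standing grants surface in the review; both just-in-time grants drop out of it, one because it has already expired and the other because it carries its own expiry.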
The scourge of breach events resulting from poor identity access management practices will not disappear overnight, but the cloud IT security community is moving in the right direction.