This article originally appeared in Security Boulevard.

Offboard Cloud Users Securely

One of the most fundamental challenges of securing the identity-defined perimeter is efficiently managing and securing the cloud identity life cycle.

This priority comes into sharpest focus with offboarding users—or, more accurately, the failure of so many organizations to revoke standing access privileges to DevOps environments and other sensitive IT resources.

Companies today use hundreds or thousands of cloud services, and a typical DevSecOps operation can easily generate thousands of data access events every day. The result is that each human and machine user has multiple identities and standing privilege sets sitting vulnerable to exploitation. If those privileges are not revoked or expired when an employee or contractor leaves the organization, that massive attack surface remains in place indefinitely.

The most effective way to manage the identity life cycle is by maintaining least-privilege access (LPA) and zero standing privileges (ZSP) for those privileged users while working in the cloud. In today’s dynamic work environment where employees and contractors frequently join and leave your organization, accounts and access should be revoked automatically upon their departure.

Automate Onboarding Processes
Automated onboarding lets organizations quickly and easily grant dymanic role-based access control (RBAC) to new users, manage their permissions while working for your organization and wholly and promptly offboard them when they leave. Cloud-forward organizations should look for a solution that operates on a standalone basis–or integrates via API with an existing identity governance and administration (IGA) system, identity directory or human resources management system.

The objective is to develop an integrated directory for managing employee access privileges. You can define attributes by job role—for instance, full-time employee, contractor, senior executive—that will determine what kind of access privileges are granted, how long those privileges will last and, most importantly, when authorizations will expire.

Offboarding Users Upon Termination
When an employee or contractor leaves your organization, all access to operation-critical cloud services must get terminated to protect your data and the account itself. This includes expiring API keys, tokens and secrets stored in frequented cloud repositories, i.e., command-line credential files stored locally on desktops. For instance, you can manually remove a user from their RBAC group to automatically terminate their access to profiles, effectively revoking their access to the associated cloud services. Additionally, for contract employees or internal employees assigned to a given project, access rights can be tied to the length of the contract or project.

A cloud-native security solution built for the most demanding cloud-forward enterprises is ideal. With such a solution, you can empower teams across cloud infrastructure, DevOps and security functions with dynamic and intelligent privileged access administration solutions for multi-cloud environments. Organizations that implement cloud security best practices like just-in-time (JIT) access and zero standing privileges (ZSP) to prevent security breaches and operational disruptions increase efficiency and user productivity.

Role Right-Sizing
Organizations should practice role right-sizing based on policy to ensure users have only the necessary privileges to perform their jobs. Policies should award privilege grants to specific roles based on contextual information including location, activity and time of day. Such policies should include onboarding and offboarding processes that follow the recommendations described in this article.

When policy requirements are met, users will be granted specific privileges within a cloud application. These privileges should be assigned to the user using the JIT model mentioned above and only for the duration of the activity.

Organizations should adopt an automated security solution, given that each cloud service has different permission logic to learn before policies focused on specific kinds of activities in each cloud service can be built. Manually doing this is time-consuming and often prone to over-provisioning privileges for a particular task or creating privilege sprawl.

An automated dynamic permissioning platform also provides additional visibility for governance. Such a platform should have a deep understanding of available roles, the catalog of the policies for acquiring them and the user activity associated with the privileges to provide your SecOps and DevOps teams with the complete picture of activity and risk associated with cloud application privileges and their use.

Cross-Cloud Visibility
Advanced visibility into privileges and risky privilege-related behavior is essential when conducting the internal audits that support policies and ensure appropriate onboarding and offboarding processes.

If your organization uses a multi-cloud environment, you know how important it is to grant the permissions your team needs to complete tasks efficiently and effectively. But it is also critical to continuously manage those users, to know at-a-glance who has access to what and have a reliable process for granting and revoking privileges on the fly.

The problem is many teams lack a solution that can do this across a multi-cloud environment. As more users enter an organization’s environment, administrators often grant elevated permissions because they do not have a systematic way to right-size permissions without impeding productivity.

What’s more, once permissions are granted, it is a significant challenge to know which permissions are being used and by whom. This leads to excessive standing privileges that put your organization at risk.

Organizations need to look for ways to proactively monitor users across multi-cloud environments, automatically enforce permission and role right-sizing and quickly achieve a least-privilege model cross-cloud.

The power to see in one place which users need permissions revoked or refined empowers admins with the authorization and confidence to act swiftly. As a result, greater visibility moves privilege access management in multi-cloud from a state of uncertainty and risk to a state of accuracy and control.

Admins can quickly see how roles are being used and determine if they should revoke or grant new permissions. The more visibility you have, the better your right-sizing process becomes; your attack surface shrinks and your least privileged model strengthens and refines.

Overcoming Onboarding and Offboarding Challenges
Over time, both standing and dynamic privileges can drift as roles and responsibilities change—resulting in over-privileged users. Moreover, when contractors or employees leave an organization, they often retain up to 75% of their access credentials due to incomplete offboarding. That is why onboarding and offboarding users in multi-cloud environments is so important. Organizations must be vigilant and possess tools to effectively manage privileged user access.

In some cases, an organization may be tempted to overcome these challenges by building an in-house DIY solution. But the cost and overhead for developing the solution, not to mention the need to have security expertise for each cloud service, must be considered. Most organizations that go this route end up overwhelmed and experience a drawn-out time-to-value process.

However, by working with a vendor that enforces strict policies, role right sizing and advanced visibility, organizations can protect the keys to their kingdom and prevent current or former team members from placing the entire organization at risk.