The following article first appeared in eWeek.
Automation through digital transformation initiatives that rely on cloud-based applications is driving a surge in the use of machine identities (IDs).
Indeed, machine identities outnumber human identities by at least 3-to-1. And while machine IDs drive productivity by completing tasks quickly and without error, such widespread use – across disparate cloud applications – makes it difficult to gain visibility and enforce least privilege access. That’s why it’s critical to secure machine IDs and implement secrets governance cross-cloud. Failure to do so increases an organization’s attack surface and jeopardizes business operations.
In multi-cloud environments, organizations rely on over-privileged IDs for various tasks – from running scripts to patching holes – because they are fast, cost-effective, and commit fewer errors than humans.
The widespread adoption of automation in the cloud means the number of IDs is growing twice as fast as human users. What’s troubling is that, in many cases, the IDs and privileges are static, and at times hard-coded into applications, resulting in standing privileges that are often unnecessary, outdated, and cannot be rotated.
Connected devices spread across numerous cloud environments leads to an increase in service accounts, bots, and robotic processes. These require consistent access, exchange privileged information constantly, and typically occur independently of human oversight. What’s more, IDs are routinely tasked with advanced responsibilities as they become more deeply embedded in autonomous and automated processes.
The proliferation of machine IDs requires security teams to enhance monitoring and management efforts because it’s essential to understand which privileges are used, how often, and under what circumstances.
Successfully managing identities and access is imperative if organizations intend to fully capitalize on the benefits of cross-cloud automation. This is specifically true among CloudOps teams whose job it is to build and deliver products at breakneck speeds. When an organization’s mandate is development at the speed of automation, cloud builders teams strive to maintain a cycle that does not slow production. As a result, new IDs are created for new tasks such as application testing on the fly, which can obfuscate management visibility and user accountability.
When granting access, security controls that may have been sufficient on-prem lack the automated, privileged access management capabilities that cross-cloud operations require. But too often, organizations fail to perceive the serious risks associated with machine IDs in the cloud. If excessive privilege access among machine IDs is widespread and unmanaged, it expands an organization’s attack surface and exposure to risk. Therefore, when an attacker hijacks an overly permissioned identity, they can move laterally and access the entire environment.
The New Cron Job
Access privileges for robots have been integrated into computerized processes for decades. As a result, they have become more efficient than humans at completing repetitive tasks.
In fact, as far back as the late 1990s, engineers employed service IDs on Linux to run cron jobs, which entailed such batch tasks as running scripts, updating reports, and more. To this day, humans still rely on robots to complete these types of tasks.
The problem is that managing the robots that complete these jobs is infinitely more complicated within modern multi-cloud environments: numerous platforms using thousands of machine IDs breeds a lack of visibility and control; security teams may not know which IDs do which jobs because they were put in place by cloud builders. Rather than potentially disrupting operations by removing essential privileges, the robots get a pass and thus continue to set the organization at risk.
From a behavioral perspective, predicting activities associated with machine IDs can be difficult. After all, robots occasionally appear to behave randomly, completing tasks that fall outside of their usual purview. But when a security leader attempts to audit ID user permissions, they discover an unwieldy list of incomprehensible IDs that may or may not be necessary.
This leads to a dangerous stasis. Too many machine IDs with an unknown amount of privilege access – operating outside of human intervention – leads to an expanded threat landscape.
Organizations should seek ways to gain visibility and control privileged access for machine IDs across all cloud platforms – IaaS, DaaS, PaaS, and SaaS. Ideally, it’s from a single pane of glass where granting and revoking privileges is as simple as clicking a button.
As far as permissions, teams should treat machine IDs just like humans and adopt a Zero Standing Permissions (ZSP) policy. ZSP is the baseline for multi-cloud security. That means doing away with static privileges or secrets, revoking over-privileged accounts, and eliminating outdated or extraneous accounts.
It may sound like a complicated, daunting task, but it’s a necessary step in securing cloud environments. Fortunately, several solutions are available now that can help organizations gain visibility, implement control, and not interrupt business operations.
Five techniques to mitigate the risk of over-privileged machine IDs in a multi-cloud environment
1. Use Just In Time (JIT) privilege access for all users, human and non-human
Users and machine IDs can quickly check out a role-based elevated privilege profile for a specific cloud service, either for the duration of a session or task, for a set amount of time, or until the user checks the profile back in manually. Once the task is complete, those privileges are automatically revoked.
2. Maintain Zero Standing Privileges
Dynamically adding and removing privileges enables your CloudOps team to maintain a Zero Standing Privilege (ZSP) security posture. It works on the concept of Zero Trust, which means no one and nothing are trusted with standing access to your cloud accounts and data, by default.
3. Centralize and scale privilege management
Minimizing sprawl is a critical challenge when using static identities, with many CloudOps teams today struggling to manage IDs and privileges manually using Excel spreadsheets. Centralized provisioning can automate this process across all cloud resources, dramatically reducing the likelihood of errors that can place accounts and data at greater risk.
4. Gain unified access visibility with Advanced Data Analytics (ADA)
ADA empowers teams to monitor the entire environment across all platforms from a single pane of glass. This ability identifies privilege access problems specific to each organization and brings clarity and peace of mind for teams responsible for managing thousands of user IDs.
5. Build secrets governance into CI/CD processes
JIT secrets can be granted and revoked on the fly, which is ideal when CloudOps needs to spin up temporary services. Automate a shared secret rotation that is invoked via policy and secures and streamlines the on-boarding and off-boarding process.
Limited visibility hamstrings security teams and exacerbates an already complex situation. Too many machine IDs with over-privileged access means organizations face a significant challenge when securing multi-cloud environments.
But by defining who uses privileged accounts under which permissions, revoking unnecessary access, and applying Just In Time privilege access, organizations can secure multi-cloud environments and deploy automation processes confidently.
Nobody has an exact number of how many machine IDs are used in the cloud today. We do know that the number is increasing quickly. And while such accelerated growth signals improved business operations, it also demonstrates the need for dynamic and robust security solutions.
Teams operating in multi-cloud environments should work with security partners that can provide cross-cloud coverage without disrupting operations. It is essential for maintaining the safety and functionality of critical infrastructure.