While broad adoption of Infrastructure as a Service and cloud applications have accelerated IT operations and application development, privileged access has been difficult to secure in the cloud from the very beginning. The dynamic nature of the cloud brings changes to administration and configuration tools daily. With each change comes another set of features and functionality that needs to be understood and integrated into existing security tools. Ultimately, administrators and auditors lack adequate visibility into who has what level of access for each platform.
The cloud has complicated identity and access management, traditionally used to protect organizations from privilege misuse and abuse with on-premise systems. Complex, custom permission controls and access models hinder administrators confidently deploying access rules and policies. It has been difficult to find the right balance between security and administrator productivity for each service.
Without a deep understanding of each cloud service, administrators inadvertently or unintentionally grant privileges that leave an organization exposed to breaches or insider threats. The complexity involved with configuration and maintenance also prevents administrators from automating many of the required tasks. Requests to update administrative access, add or remove users can take days or weeks to complete.
At Britive, we help our customers by following six best practices for securing privileged access with cloud applications while still enabling business, IT operations and software development.
1. Deploy Just in Time Privilege Grants
The first step to strengthening privileged access with the cloud requires Just-In-Time privilege grants. The Britive platform achieves the Principle of Least Privilege by granting privileges on demand based on need or request. Just-In-Time privilege grants give users the exact privilege when they need it for a specific task.
Users quickly request privileges to their account through the Britive platform. The Britive platform responds in seconds by adding the grants directly to their account in the cloud application. When the task is complete, Britive removes the privilege from their cloud account.
Directly adding and removing privileges from a user account minimizes risk from standing privileges. If that account is stolen, it can’t be used to access information or disrupt infrastructure because it lacks standing privileges to those critical systems.
Just-In-Time privilege grants reduce the value of powerful accounts to bad actors and improve organization risk for privilege misuse or abuse.
2. Assign Privileges Based on Policy
Next, organizations must assign privileges based on policy. Policies should award privilege grants based on contextual information, including location, activity, and time of day as well as role and group membership.
Our customers have learned that assigning access level to users is often complex and difficult for administrators to manage. Assigning privileges based solely on roles and groups often results in users having more access to cloud services than they should. Couple that with the unique access model each cloud application has, and that results in complexity that can’t be managed by groups and roles alone. In many cases, privilege assignment for a single cloud application is based on a matrix managed in a spreadsheet. This complexity masks user privilege assignment.
Using the Britive platform, administrators create policies that grant appropriate access to users. Policies are created based on group, role, location, time of day, user authentication level and required access level for the type of activity. When policy requirements are met, users will be granted specific privileges within a cloud application. The privileges are assigned to the user with the Just-In-Time model only for the duration of the activity.
Since Britive understands the access systems of each of our supported cloud applications, creating policies focused on specific kinds of activities in each cloud service is easy. Administrators no longer need to worry about over-provisioning privileges for a specific task. Users request the required access grants and get their work done.
Britive also provides additional visibility for governance. Because Britive has a deep understanding of available privileges, the catalog of the policies for acquiring them, and the user activity associated with the privileges, organizations get the complete picture of activity and risk associated with cloud application privileges and their use.
Moving to a policy-based privilege assignment system reduces company risk by tightly managing policies assigned to users. Security administrators can quickly survey use and adjust policies as necessary.
3. Embrace Zero Standing Privilege
Ultimately, companies must remove all standing privileges from users. When Just-In-Time privilege grants based on access policies have been deployed, standing privileges are no longer needed by users. The Britive platform quickly surveys assigned privileges and, with security oversight, removes them from all users.
Moving to zero standing privilege reverses the trends of the last decade of cloud privilege user administration. Typically, when users were created in a system, they were given a set of standing privileges that were assumed to be used daily. Over time, standing privileges were added to users when they change roles and responsibility. Privileges very rarely were removed from users. Each additional privilege increases the value of the privilege user to a bad actor.
When zero standing privileges (ZSP) has been implemented, each user will request necessary privileges when they are needed for only as long as they are needed. Britive records requests and activity associated to the privilege grants. Security administrators get complete visibility into activity.
The Britive platform provides visibility into user standing privileges. With the oversight of security administrators, Britive will remove the standing privileges from users. When standing privileges are removed, organization’s risk to user abuse or misuse is removed. Administrators also see significant productivity improvements. They are no long responsible for responding to requests for additional privileges required by IT or developers.
4. Integrate Single Sign-On and Multi-Factor Authentication
Prevent the proliferation of user credentials and accounts by connecting cloud applications through Single-Sign On into your existing IAM infrastructure. With centralized control over all identities interacting with cloud services, several key problems are solved. First, users have a single corporate account that is used to access all connected cloud applications. Using a single account reduces the opportunity for lost or stolen credentials. Additionally, if a credential is stolen, it can be reset in a single place, keeping the user from having to reset their password at each cloud application they use.
When combined with modern Multi-Factor Authentication offerings, administrators easily configure contextual authentication. Users are required to verify their identity based on policy and their activity. For example, if an administrator is working in a coffee shop and needs to administer Salesforce.com to change access rules in a production environment, that administrator will be forced to re-authenticate, provide a one-time passcode delivered by email or confirm their authentication with a swipe on their mobile device.
Administrators can also enforce password policies like password complexity or how frequently passwords are reset.
Integration with SSO and MFA also controls access when an account is disabled. The user immediately loses access to all connected cloud services when the account is disabled. As users leave, organizations can be assured that they will no longer have unauthorized access to connected cloud applications.
Single Sign-On and MFA effectively protect users and organization from lost and stolen cloud credentials.
5. Extend Identity Governance and Administration (IGA)
Provisioning and governance are two of the most overlooked functions of cloud applications. Administrators spend hours every week managing users within a single cloud application. As organizations grow and become more complex, the task of managing user lifecycles consume IT administrator hours. Connecting cloud applications with an IGA solution offloads the user lifecycle management and frees administrators to focus on other critical work.
Additionally, an IGA solution will remove “zombie” accounts from cloud applications. The overall risk of account takeover is greatly reduced, and the organization will save money when paying per-user fees to a cloud application.
IGA solutions also provide visibility into who has accounts within a cloud application to satisfy security audit requirements. Audit information gives administrators the information necessary to ensure account lists are up to date and compliant with security policies.
The Britive platform provides additional visibility for IGA platforms through sharing cloud application privilege policy configuration and access data accumulated from privileged users interacting with the systems.
6. Feed UEBA/SIEM with privileged and cloud activity
The rise of User and Entity Behavioral Analytics and advanced SIEM engines make integration of cloud application events critical to get a complete picture of user activity and to identify threatening user behavior to which security teams must respond.
A UEBA/SIEM tool will provide the necessary cloud application monitoring while freeing administrators from scanning activity logs from cloud applications.When the UEBA/SIEM solution detects critical events, administrators can respond quickly and take action to protect critical information and infrastructure from breaches.
Britive has enhanced logs and access events that feed UEBA/SIEM solutions. These events accelerate threat detection and identify activities circumventing cloud privilege security.
Over the last decade, we have all struggled with managing identities in the cloud. Single Sign-On and MFA have emerged as strong protection against lost or stolen credentials. However, these technologies by themselves don’t protect organizations against insider threats or the misuse of privileges. On-Premise Privileged Access and Identity Governance solutions continue to struggle extending into the cloud.
Implementing all six of these best practices provides visibility and control for the cloud without impeding user productivity. Security administrators can easily monitor, review and update access policies to better support the business. Organizations will have a robust set of controls that protect against lost or stolen accounts and reduces the risk of information loss or infrastructure disruption.
Britive provides the platform to grant privileges in real time to users based on access policies. Those privileges are granted automatically within the cloud application for the duration of the activity and are then automatically removed. Moving to Zero Standing Privileges (as recommended by Gartner) reduces organizational risk to privilege abuse and misuse.