Companies are embracing hybrid cloud deployments like never before, mixing and matching on-premises IT systems with off-premises cloud services.
To accomplish this, they must grant and manage access privileges to human identities: remote employees, third-party suppliers and far-flung customers.
Arguably even more vital is the granting of access privileges to thousands more non-human identities – the service accounts that connect modular coding components, like the microservices, software containers and APIs that make up the stretchable fabric of cloud services.
Without this provisioning of access privileges to human and non-human identities, hybrid cloud commerce would not be possible. And yet, somehow, hybrid deployments have gained wide adoption without fully accounting for an entire new tier of identity risks.
This exposure extends from companies losing track of identities and overprovisioning privileges. CloudKnox Security, a Sunnyvale, CA-based security vendor, launched last October, specifically to help companies more effectively manage human and non-human identity privileges in the brave new world of hybrid networks.
I had a chance at RSA 2019 to visit with company founder and CEO Balaji Parimi. For a drill down, give a listen to our full interview via the accompanying podcast. A few key takeaways:
Remember the old problem of Microsoft shipping Windows server software with weak administrator passwords as the default? Take that systemic security weakness, put it on steroids, and you get a sense of the exposure lurking in identities today.
For instance, on the human side of things, Parimi informed me that there are 7,800 distinct privileges, or unique actions—granted to administrators across Amazon Web Services, Microsoft Azure, Google Cloud and VMware vSphere.
And then there are magnitudes of order more non-human identities to worry about. “With DevOps, when you check-in your code, it automatically gets built and created into production. All of this is done with a service account, which is a non-human identity with some set of privileges,” said Parimi. “And right now there is no accountability for non-human identities, so nobody is watching that continuously.”
Agility, speed and scalability are the hallmarks of hybrid cloud deployments. To help that along, non-human identities today are routinely assigned a “static role,” with extensive privileges. This optimizes flexibility, which contributes to velocity.
However, it also tilts toward the over-provisioning of privileges to non-human identities. “When you assign static roles, there are thousands of privileges that are given, and also the cloud providers keep on adding more and more services, and keep on making these roles richer and more powerful,” Parimi said. “It’s like giving superpowers to identities.”
The problem, from a security standpoint, is that each identity, be it human or non-human, represents a potential foothold for a threat actor. And the richer the privileges, the deeper and wider an unauthorized party, who gains control of that identity, can go.
A hack that involved the leveraging of a high privileged identity recently devasted VMEmail, a provider of free and paid email services. In February, an intruder obtained high enough access to delete 18 years works of customers emails, along with of the all backup copies.
“Every VM is lost. Every file server is lost, every backup server is lost,” the company Tweeted at the time.
So how do you reign in the over-provisioning of privileges to human and non-human identities? When I asked Parimi this question, his answer was concise and made a lot of sense.
“Proper accounting and attribution,” he told me. “Basically, you look at every identity, no matter what kind it is, or how it comes in, and keep track of what that identity can do, and what the identity is actually is doing.”
Given the velocity and scalability of cloud computing, the use of automation and machine learning must be brought to bear. And that’s what CloudKnox is bringing to the table.
“It appears very simple, but you’re looking at tens of thousands of operations and privileges; you’re looking at human and non-human identities, coming from multiple different directions — local identities, enterprise-directed identities, federated identities, machine identities, API keys — so just accounting itself is a big problem to solve,” he said.
CloudKnox is going beyond accounting, of course. Its innovations include a “privileged creep index,” a type of risk heat map for every identity, in context of specific cloud services. There is also a controller called JEP, for “just enough privilege.”
“Our JEP controller gives you the ability to mitigate risk by right-sizing privileges and putting identities in the proper roles with a dynamically-created set of privileges,” Parimi told me.
It’s encouraging that someone, at this juncture, has begun paying granular attention to all of the identities exploding out of hybrid cloud deployments — and making it possible to start adding security into mix. Better now than later. Talk more soon.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-cloudknox-takes-aim-at-securing-identity-privileges-for-humans-and-non-humans/