Lacework Adds Ability to Manage and Secure Cloud Identities

Lacework today added cloud infrastructure entitlement management (CIEM) capabilities to its cloud-native application protection platform (CNAPP). The CIEM addition provides cybersecurity teams visibility into who within an organization has permission to access a specific cloud service.

Adam Leftik, vice president of product for Lacework, said the goal is to make it simpler for cybersecurity teams to identify identity and access management (IAM) misconfigurations and exposed secrets, continuously discover other identity-related threats, and surface recommendations to improve cloud security posture management (CSPM).

CIEM is especially problematic because many cloud services are provisioned by developers who give themselves privileged access, noted Leftik. Once those credentials are stolen, cybercriminals gain access to a wide range of services and often further escalate those privileges to gain access to additional services, he noted.

It’s no longer possible to effectively manage identity manually in the cloud era. Each machine that makes up a cloud service has its own identity, so the average organization can quickly find itself trying to track thousands of machine identities in addition to users and applications.

Lacework can dynamically discover all cloud users, resources, groups and roles and their permissions, said Leftik. It then automatically correlates granted versus used permissions to determine which identities have excessive privileges. The platform also calculates a risk score for each identity, determines the riskiest identities based on attack path analysis and auto-generates recommendations for right-sizing permissions based on historical observations.

That approach provides the added benefit of enabling IT teams to maintain an approach to managing identities based on least privileges that limits the blast radius of compromised cloud accounts, noted Leftik.
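The granted-versus-used correlation described above is the core of any least-privilege right-sizing effort, so here is a short Python illustration of it. This is an added example, not Lacework's code or its Polygraph engine: it takes a constructed IAM policy document and a constructed list of simplified CloudTrail-style events, reports which Allow patterns were never exercised during the observation window, and proposes a policy limited to the actions actually observed.

```python
"""Added example (not Lacework's code): correlate granted vs. used IAM
permissions to find excess privilege and propose a right-sized policy.

Assumptions: the policy and the activity log below are constructed
samples in the shape of an AWS IAM policy document and simplified
CloudTrail events (eventSource + eventName). "Unused" here simply means
"never observed in the window"; real tooling weights this by history.
"""
import fnmatch
import json

# Constructed sample: a developer-created role granting broad access.
GRANTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}
  ]
}
""")

# Constructed sample: what the role actually did over the observation window.
# Real CloudTrail events carry an eventSource such as "s3.amazonaws.com".
OBSERVED_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]


def granted_actions(policy):
    """Return the set of Allow action patterns (e.g. 's3:*') in a policy."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM allows a bare string or a list
            actions = [actions]
        patterns.update(actions)
    return patterns


def used_actions(events):
    """Map CloudTrail-style events to IAM action names ('service:EventName')."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}


def correlate(policy, events):
    """Split granted patterns into exercised (pattern -> observed actions)
    and never-exercised. IAM action matching is case-insensitive, so the
    comparison is done in lower case; '*' and '?' wildcards are honoured."""
    granted = granted_actions(policy)
    used = used_actions(events)
    exercised, unused = {}, set()
    for pattern in granted:
        hits = {u for u in used if fnmatch.fnmatchcase(u.lower(), pattern.lower())}
        if hits:
            exercised[pattern] = hits
        else:
            unused.add(pattern)
    return exercised, unused


def right_sized_policy(policy, events):
    """Propose a policy that allows only the concrete actions observed.
    Resource scoping is deliberately left as-is; narrowing it needs the
    resource ARNs from the events, which this sample omits."""
    exercised, _ = correlate(policy, events)
    actions = sorted({a for hits in exercised.values() for a in hits})
    return {
        "Version": policy["Version"],
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


if __name__ == "__main__":
    exercised, unused = correlate(GRANTED_POLICY, OBSERVED_EVENTS)
    print("never exercised:", sorted(unused))
    print(json.dumps(right_sized_policy(GRANTED_POLICY, OBSERVED_EVENTS), indent=2))
```

Run against the constructed data, the wildcard grants `iam:*` and `sts:AssumeRole` come back as never exercised, which is exactly the kind of dormant, high-impact permission that turns a stolen developer credential into account-wide compromise. Two caveats a practitioner should keep in mind: the observation window has to be long enough to capture periodic jobs (a monthly rotation task looks "unused" in a two-week sample), and this sketch only narrows actions, ignoring Deny statements, conditions and resource-level scoping that a real right-sizing pass must also handle.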

The CIEM capabilities added to the Lacework cloud are arriving at a time when there is more focus than ever on implementing zero-trust IT policies. The challenge is finding a way to enforce those policies that doesn’t break the IT budget. Lacework has been making a case for a CNAPP for cloud computing environments through which it delivers CSPM and cloud workload protection capabilities via a single platform. At the core of the Lacework platform is Polygraph, a self-learning engine that identifies optimal configurations for cloud environments and then uses that information to identify any behavioral anomalies.

There is no doubt the overall size of the defensible attack surface has increased dramatically in the cloud era. Less clear is whether application development, IT operations or cybersecurity professionals within organizations will be responsible for securing those platforms but, as cybersecurity continues to evolve, it is becoming much more of a team sport.

In the meantime, however, cybersecurity teams should assume that cloud computing credentials have been compromised by one or more phishing attacks aimed at developers. The goal is to not only determine which credentials have been compromised but also put a strategy in place that ensures any future breach is limited to the narrowest range of cloud computing services possible.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.