By Byron V. Acohido
Managing permissions is proving to be a huge security blind spot for many companies.
Related: President Biden’s cybersecurity order sets the stage
What’s happening is that businesses are scaling up their adoption of multi-cloud and hybrid-cloud infrastructures. And in doing so, they’re embracing agile software deployments, which requires authentication and access privileges to be dispensed, on the fly, for each human-to-machine and machine-to-machine coding connection.
This frenetic activity brings us cool new digital services, alright. But the flip side is that companies have conceded to a dramatic expansion of their cloud attack surface – and left it wide open to threat actors.
“The explosion in the number of human and non-human identities in the public cloud has become a security risk that businesses simply can’t ignore,” observes Eric Kedrosky, CISO at Sonrai Security.
I’ve had a couple of deep discussions with Kedrosky about this. Based in New York City, Sonrai is a leading innovator in a nascent security discipline, referred to as Cloud Infrastructure Entitlement Management (CIEM,) not to be confused with Security Information and Event Management (SIEM,) something else altogether.
Here are the key takeaways from my interviews with Kedrosky in which we delved into the increasingly vital role CIEM technologies seem sure to play, going forward.
Rise of agile software
One way to think of CIEM is that it puts a fine point on the efforts enterprises are making to adapt their legacy Identity and Access Management (IAM) and Privileged Access Management (PAM) tools to be effective in multi-cloud and hybrid-cloud environments. CIEM tools are designed to granularly manage access in modern networks. Thus, CIEM aligns quite nicely with a couple of other new security frameworks rapidly gaining traction: Zero Trust Network Access (ZTNA) and Secure Access Services Edge (SASE.)
All these cloud-centric security advancements boil down to keeping closer track of Identity and Data connections. Human-to-machine connections comprise one level of the digital hook-ups fueling digital transformation. But thanks to advances in automation, the lion’s share of fresh digital connections take place machine-to-machine.
Consider that the raw number of non-human identities is rising faster than human identities. Cisco recently projected that the number of network-connected devices will climb to 29.3 billion by 2023, up from 18.4 billion in 2018. That breaks down to 3.6 networked devices per capita, or three times the number of human beings on the planet.
This is all part of “agile” replacing “waterfall” style of software development. Agile software is all about continual iteration in a wide-open cloud environment. It’s a world where virtual machines and serverless computing have become de rigueur. For instance, it’s common, Kedrosky says, for an enterprise to tap into 1,000 or more virtual machines, each one requiring tiers of connections, by human and non-human identities, to deliver services.
“Connected devices range from smartphones and tablets to industrial sensors, robots, and connected cameras, among other objects,” Kedrosky says. “These devices regularly interact with enterprise resources and can be owned by the employee or the company itself, and with the emergence of the remote workforce as the new norm, the attack surface for connected devices has increased substantially.”
Connection monitoring
This ascension of agile software has pushed security teams far out of their comfort zones. Many veteran security leaders don’t know where to begin accounting for thousands of cloud resources continuously making millions of intermittent connections.
It’s not surprising that abjectly poor security practices have taken hold. For instance, it has become a common practice to assign each human and non-human identity a variety of “roles,” with each role carrying different levels of access rights, Kedrosky told me. Enterprises also routinely issue temporary chains of elevated privileges for certain types of projects – chains that get forgotten and left lingering in the system once the project is completed, he says.
Attackers can easily usurp loosely protected human or machine identities and then seek to jump from one role to the next — or onto a chain that carries elevated access privileges, Kedrosky says. “Given the ephemeral nature of the cloud, this type of privileged access abuse can be completely concealed from traditional monitoring services that a company might set up to check things intermittently,” he says.
Quite clearly the fundamental task of monitoring connections and managing access needs to catch up to the dynamic nature of cloud-centric networking. And the solution seems obvious: Big Data.
This is not anything new. Financial markets and air traffic control are examples of highly dynamic global platforms that deliver complex services in real time; they leverage machine learning and advanced analytics to keep things running smoothly and securely.
Enterprises at large need to hit the pause button, conduct top-to-bottom risk assessments, and shore up cloud security accordingly. “Stakeholders need to understand that identity is the new perimeter,” Kedosky says. “It’s a big mistake to think of the cloud as a source of infinite scalability that ultimately keeps assets safe. Organizations need to know who has access to critical systems, and what they are doing with that access, at all times; with current tooling you just can’t do that. You get a false sense of security.”
Enhanced access visibility
CIEM, then, applies leading-edge data analytics and machine learning to granularly managing the permissions granted to all the human and non-human identities that underpin cloud infrastructure and agile software. This includes maintaining an inventory of all identities, tracking the accumulation of access privileges, enforcing least privileges rules, detecting suspicious connections, and, when called for, providing remediation, according to technology research firm Gartner.
In principle, CIEM is a subspecialty that plays across old and new approaches to network identity management. It can enhance access management, identity governance, privileged access rights and user authentication. “CIEM enables the active discovery and enhanced visibility of all cloud Identities and their entitlements,” Kedrosky says. “Rather than granting broad system access, CIEM sets clear limits on access privileges, based on the least privilege principle.”
For its part, Sonrai leverages state-of-the art graph database technology to assemble detailed breakouts of all human and non-human identities. This comprehensive list of user identities can then be cross-referenced endless ways. For instance, each human or non-human identity can be correlated to all direct and indirect paths to each important company asset. Interactive graphic illustrations can then be conjured to visually highlight all access paths to sensitive data — from a variety of perspectives.
Kedrosky believes that all businesses residing partially or entirely in the public cloud will eventually become much more secure than legacy on-premises data centers ever were, at any time during the first two decades of this century.
“In the public cloud, defense-in-depth won’t be achieved with multiple layers of network firewalls and similar controls, but rather by placing identity at the center of the security strategy and having multiple access controls – with least privileges being enforced and robust, continuous monitoring to ensure Zero Trust access,” he opines.
Makes sense. It’s encouraging that the cybersecurity industry is advancing on several fronts – CIEM being one important piece of the puzzle. It’s going to take all these new technologies and frameworks coming to full fruition to adequately secure cloud networks and agile software. The trick will be to improve security without stifling innovation. I’ll keep watch and keep reporting.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
