Cloud infrastructure entitlement management (CIEM) poses a new set of challenges for organizations. Once you move applications and services to the cloud, role-based privileges aren’t as simple as they seem. In addition to users who have access to the cloud, there could be hundreds of applications and machine identities that also have access to data and resources. Fortunately, CIEM solutions are designed to help manage the permissions and privileges of both people and things in the complex and interconnected cloud environment.
You might be wondering why you need to approach cloud access and identity any differently than your on-premises IAM solution. The short answer is: more of everything. Cloud infrastructure has more connected resources (e.g., databases, containers) as well as more things connected to them, such as virtual machines and serverless functions, each with their own access privileges. And there are more identities that can potentially access the resources: identities that belong to people, machines, APIs, and services. Quite literally, the cloud opens up Pandora’s box of privileges and permissions.
In a private network, managing identity and access is simpler. A directory such as Microsoft Active Directory provides an identity source, every application has its own user accounts and permissions, and network security safeguards prevent third parties from impersonating users. However, once you move to the cloud, that changes. User identity is now federated, and machines and APIs have identities too. It becomes much harder to track and review permissions and privileges between people, things, and infrastructure. While cloud providers such as Amazon and Google provide some level of visibility into access privileges, it’s a limited view that requires security teams to manually create and collate a composite picture. Few do. So, the result is a partial (and inaccurate) view of who or what is accessing which cloud resources.
For example, you may only have four accounts visible through AWS, but there may be 400 additional users who can access those AWS resources as part of a federated user group in your identity platform. Because AWS doesn’t list those users, without a CIEM solution it’s challenging for security teams to get a complete picture of who has access to their AWS resources.
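An added example (not Zilla's code) of the gap described above: the four IAM users an AWS account lists on its own are joined with the identity provider's group-to-role assignments to count who can really assume each role. The Okta tenant, role names, group names and member lists are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: what the AWS account shows by itself. Only IAM users
# appear as principals; federated humans are never listed here.
IAM_USERS = {"alice", "bob", "ci-deploy", "backup-svc"}

# Constructed sample: IAM roles and the principal type their trust policy accepts.
# "saml:okta" stands for a SAML identity provider, "user:<name>" for an IAM user.
IAM_ROLES = {
    "DataAnalyst": "saml:okta",
    "CloudAdmin": "saml:okta",
    "CIDeploy": "user:ci-deploy",
}

# Constructed sample: the identity provider's side (hypothetical Okta tenant):
# which groups are assigned to which AWS roles, and who is in each group.
IDP_GROUP_ROLES = {"Engineering": ["DataAnalyst", "CloudAdmin"], "Finance": ["DataAnalyst"]}
IDP_GROUP_MEMBERS = {
    "Engineering": {f"eng{i}@example.com" for i in range(300)},
    "Finance": {f"fin{i}@example.com" for i in range(100)},
}


def effective_principals(iam_roles, iam_users, group_roles, group_members):
    """Return {role: set of identities that can assume it} by joining each
    role's trust policy with the IdP group assignments."""
    who_can = defaultdict(set)
    for role, trust in iam_roles.items():
        if trust.startswith("user:"):
            user = trust.split(":", 1)[1]
            if user in iam_users:
                who_can[role].add(user)
        elif trust.startswith("saml:"):
            for group, roles in group_roles.items():
                if role in roles:
                    who_can[role] |= group_members.get(group, set())
    return dict(who_can)


def hidden_identities(iam_users, who_can):
    """Identities that can reach AWS roles but are absent from the IAM user list."""
    reachable = set().union(*who_can.values()) if who_can else set()
    return reachable - iam_users


def overly_broad_roles(who_can, max_principals):
    """Roles whose effective principal count exceeds an access-review threshold."""
    return sorted(role for role, people in who_can.items() if len(people) > max_principals)
```

With this data AWS shows four users while 400 federated identities can assume roles, which is the composite picture an access review needs.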
The concept of least privilege is an accepted security best practice. In a nutshell, it refers to limiting access privileges to only those applications, services, and data that users need to perform their jobs. Limiting access also limits the amount of damage that can be done if login credentials are compromised. While enforcing least privilege sounds simple enough, it’s difficult to implement effectively in the cloud due to constant change, limited visibility, and lax review processes.
As users shift roles and work on new projects, they tend to accumulate more access privileges over time without losing their old privileges. This problem, known as privilege creep, is best countered by frequent access reviews. Unfortunately, access reviews take time and require deep visibility across all environments, both on premises and in the cloud. Security teams not only need to track and enforce least privilege manually in most cases, but they also run the risk of slowing down DevOps processes in doing so. Developers, for their part, are more likely to look for access shortcuts, such as allowing everyone in the Engineering group in Azure Active Directory or Okta to have the same access privileges to cloud resources.
Not all clouds require the same access security measures. A developer’s sandbox in the cloud, for example, might not contain any sensitive data and could be open to anyone who registers. Or the marketing department might have a cloud storage service with 100GB of files that can only be accessed by certain users but offers general access after that. At the more complex end, an organization may have a cloud application containing terabytes of sensitive customer data that not only requires identity verification but also role-based permissions to access specific data.
Each of these different cloud environments requires its own identity and access strategy. But how do organizations know which strategy is best when they can’t even see the problem? That’s where Zilla can help. We offer the only solution on the market today that provides a complete view of roles and permissions across on-prem applications, public and private cloud environments, and SaaS applications. Zilla automates the collection of identity and access data using built-in APIs for AWS, GCP, and other environments, then automates the review process so that organizations can ensure that everyone (and every group) has the right set of privileges.
When access sprawl meets cloud sprawl, it creates a perfect storm for privilege abuses. The best way for organizations to address this is to first get above the storm and see the big picture, then have the ability to dig down into groups, roles, and entitlements so they can create a consistent (and consistently updated) set of access policies on-prem and in the cloud. With Zilla CIEM, you get the cloud without the storm.
Interested in learning more about how Zilla helps companies achieve cloud identity security? Contact us today.