Post-pandemic approaches to IAM for cloud security
Cloud technology may have saved businesses from catastrophe during the pandemic, but it has also introduced additional challenges around identity and access management. Here’s why IAM policies are crucial in the new normal
Cloud technologies have played a vital role in businesses across all sectors during the Covid-19 coronavirus pandemic. Without them, firms would have struggled to enable their teams to work remotely and ultimately follow lockdown measures.
Research from IT company Centrify shows that over half of businesses dodged the risk of collapsing by adopting cloud technology. Consequently, 60% of enterprises have plans to expand cloud usage during and after coronavirus.
But while cloud technology is helping businesses cope with the challenges of coronavirus, it is also resulting in a huge increase in users they must manage. As a result, identity and access management (IAM) has become more critical than ever.
For many businesses, IAM will be completely new. A range of policies must be implemented if they are to track, monitor and control cloud identities effectively. What are these and how do businesses put them in place?
Saj Huq, director of innovation hub the London Office for Rapid Cybersecurity Advancement (Lorca), says: “With much of the working population using personal devices for professional means, the risks usually associated with BYOD [bring your own device] are significantly multiplied.
“This is particularly prevalent in companies that weren’t equipped for remote working at scale, but have ended up with a complex array of trusted, known devices and a significant amount of unknown assets within their networks. Such a range of endpoints not subject to the same network security or corporate policies make it extremely difficult to securely manage access to digital assets.”
Huq says that because the rise of remote working has fundamentally changed the way people work, traditional security measures have become less effective. “For instance, it has required employees – some of whom have lower levels of cyber hygiene – to use new cloud-based collaboration tools, potentially re-using corporate user credentials to access less secure services,” he adds.
“Additionally, enterprise-level protection traditionally offered by corporate firewalls and controls may not be as effective when using home networks for remote access, rendering perimeter-based approaches to protecting corporate networks less relevant.”
Zero trust to the rescue
With these various challenges in mind, organisations have had to look for new solutions to better manage users’ identity and access – and zero-trust principles are one of them.
“Beyond introducing specific cyber security products, businesses are increasingly adopting broader zero-trust principles to mitigate the risks associated with the widespread, distributed enterprise,” Huq tells Computer Weekly.
“These principles are enabled by many of the more advanced products in the market, allowing continuous verification of every interaction between anything and anyone wishing to connect to corporate systems and access a company’s data.
“This requires a matrix model to micro-segment the network, making it harder for attackers to move laterally through a company’s infrastructure once it’s been infiltrated. Businesses are also increasingly using advanced behavioural analytics to greater identify atypical user behaviour, to better detect both insider threats and advanced attacks,” says Huq.
But even though zero-trust principles are highly effective for identity and access management, they can be challenging for businesses to implement. Huq says they require a fundamentally different security mindset, particularly for large and complex organisations that may operate mission-critical processes on heavily customised or proprietary, legacy technologies.
“A combination of archaic technologies, diminished holistic network visibility and deeply entrenched security policies that don’t lend themselves to automation and continuous verification makes zero trust extremely difficult to implement,” he adds.
Making identity a new perimeter
Some experts believe that when lockdown restrictions were announced earlier this year, many organisations rushed to move their teams to remote working without thinking about the cyber security implications.
“In the scramble to enable users to work remotely, many security professionals paid little attention to the strength and weaknesses of network permissions. Their efforts to ease the transition resulted in many organisations over-provisioning users,” says Todd Peterson, IAM evangelist at One Identity.
When different security issues became apparent, organisations realised the importance of IAM processes in a post-pandemic world. “Due to this inefficiency, 50% of IT security professionals stated that they’re now placing a higher priority on access request technologies compared to a year ago,” says Peterson.
“Additionally, over half of security professionals have increased their prioritisation of identity and access lifecycle management and identity processes and workflows. These technologies are the key to creating a holistic cyber security strategy that not only secures an organisation’s endpoints, but factors in how an employee’s access could allow a cyber criminal to infiltrate the network.”
Peterson believes the coronavirus pandemic has drastically changed the concept of perimeter security. “With everyone working remotely, firewalls and VPNs [virtual private networks] can’t defend an organisation’s corporate network, but employees can, meaning that companies need to make identity their new perimeter,” he says. “As a section of the network that remains consistent, no matter where employees are working from, identities are now the root of cyber security.”
“Even after we transition back into the office, there’s going to be another disruptive change to the way we work”
Todd Peterson, One Identity
At the same time, governance has become an even more pressing issue, according to Peterson. “To place the concept of identity at the centre of organisations’ security strategies, they need to make governance an essential element of every task,” he says.
“Governance is focused on the why behind the task versus how the task is done. With a deeper understanding of why security procedures are in place, security professionals are better positioned to maintain security, regardless of the amount of changes in business strategy.”
However, given that the future of work is still uncertain, businesses need to be prepared for further change from a cyber security perspective. “I predict that even after we transition back into the office, there’s going to be another disruptive change to the way we work,” says Peterson.
“Knowing this, I recommend that security professionals have a plan in place to deal with another drastic change so they don't have to sacrifice security to address another unexpected event.”
Good IAM hygiene is key
As organisations continue to rely on cloud technologies for remote working, it is crucial that they take steps to improve user identity and access management. Anna Chung, principal researcher at Palo Alto Networks’ Unit 42, believes good IAM hygiene is key to reducing risk.
“There are a number of things that organisations can do to improve IAM security, but first and foremost organisations must ensure accounts are configured on principles of least privilege, limiting the damage that can be done if an account is compromised. This is an ongoing task for security teams and so is best automated for the sake of cost and ease,” she says.
If organisations fail to take IAM seriously, they will end up leaving themselves open to the risk of security breaches. “Even without administrator privileges, if IAM roles are not configured properly hackers can still move laterally,” says Chung.
“During a recent red team exercise, we were able to leverage a misconfigured IAM role, escalate the privileges to gain persistence and hijack an admin account. Such an exploit could give hackers the opportunity to steal data, wipe out infrastructure or deliver a ransomware attack.
“There are a number of things that organisations can do to improve IAM security, but first and foremost organisations must ensure accounts are configured on principles of least privilege, limiting the damage that can be done if an account is compromised”
Anna Chung, Palo Alto Networks
“During the red team exercise, we were also able to exploit an overly permissive IAM role trust policy relating to ‘AssumeRole’. The misconfiguration meant any AWS user not in the account to assume the role and obtain an access token, opening the door for ransomware attacks or even advanced persistent threat [APT] actors.
“Organisations must monitor their CloudTrail logs for AssumeRole events such as this to ensure that only approved accounts are undertaking these actions in their environment.”
She advises organisations to make use of the IAM solutions offered by the major cloud providers. “These services can identify abnormal activities, such as brute-force attacks, but monitoring can break down as cloud adoption scales across multiple environments. For this reason, organisations need to leverage the APIs [application programming interfaces] offered by these services to consolidate monitoring,” says Chung.
“Constantly staying on top of a large number of privileged users and managing their access to an ever-expanding set of sensitive resources is incredibly challenging. Organisations need to adopt cloud-native security platforms to enforce security policies and ensure secure user behaviour across multiple cloud environments.”
Kristian Alsing, digital identity lead for Accenture in Europe, describes increased cloud adoption as a “perfect storm” for cyber criminals. He says it has provided them with new attack vectors and vulnerabilities to exploit.
“Right at the eye of this storm is IAM as the shift to remote working has extended the business perimeter into homes, where the environment is less controlled. For example, security teams now have the challenge of visibility to threats in the ‘last mile’ on the network, due to split tunnelling being leveraged on VPNs,” he says.
Alsing says the implementation of strong identity and access policies is crucial because of these increased threats. “Strict policies for both privileged and business access are critical components of risk management in sprawling environments and sets the foundation for both preventative and detective controls,” he says.
In particular, he advises businesses to deploy zero-trust frameworks to control remote identities and avoid relying solely on VPNs. “This should include multifactor authentication, adaptive authentication using factors of the device and wider environment, behavioural analytics, and biometrics,” adds Alsing.
He says privileged account management is another area of importance. “Organisations should make sure that privileged accounts are controlled through vaulting, multifactor authentication, password rotation, session recording, as well as logging and security analytics,” he says.
“Although the rapid shift to cloud may present a new challenge for security teams, a defence-in-depth approach means security leaders can achieve strong controls without impeding employees. Cloud-based solutions can meet the increased demand for fast, frictionless remote access to enterprise data and applications, despite the additional controls in place.”
It is difficult to imagine how businesses would have managed without cloud technologies during the coronavirus pandemic. However, while cloud solutions have helped businesses, they have also brought about new challenges around identity and access management. With cloud adoption likely to grow even more over the next few months, companies need to take IAM seriously.
