In a cloud environment, so many different identities are active for users, machines and applications that they are hard to manage. Many of these identities are, often unknowingly, configured with far more permissions than necessary, which results in unnecessary access to systems. The first step in a zero-trust approach to cloud security is to apply the least privilege principle.
With identity and access management tools, access rights can be divided based on roles or groups; in reality, however, many accounts still receive extensive privileges. This presents a major challenge for businesses implementing zero trust frameworks. Every identity that requests access to company resources must be verified, and access must be limited in a considered way.
Accounts with (too) many permissions are the most common misconfiguration in cloud computing services. Malicious users have noticed this too: abuse of excessive privileges is the most popular attack tactic against cloud applications. As a result, cyber criminals can access data and documents unnoticed or, even worse, disable entire cloud applications.
To prevent this, the least privilege tactic must be applied: every identity is given only the minimum rights it needs. It is a crucial element of zero trust and of transitions to the cloud. Least privilege also restricts who is able to grant permissions, so an attacker cannot simply extend permissions for themselves.
Practical examples of why least privilege is important
Data theft linked to identity theft
Data theft is often linked to cloud identities. When a business moves to the cloud, attackers move as well. Although attackers target new environments, they stick to proven tactics, and user identities remain the weakest link. More than three-quarters of successful attacks responsible for theft of account data are linked to stolen identities.
A least privilege model offers more protection: a stolen identity cannot immediately exercise all kinds of usage rights. This significantly reduces the attacker's freedom of movement and buys valuable time to detect and stop the attack.
More cloud use means more attack possibilities
More cloud services mean more identities and, as a result, more risk. Several aspects of cloud environments make proper configuration of privileges harder. In order not to get in the way of developers, roles are sometimes intentionally configured broadly for some services. Many companies also forget to remove outdated permissions, such as developer access after a project has ended. In both cases this creates danger and gives attackers opportunities to gain an advantage in a network. Implementing and continuously validating least privilege is a crucial step in reducing the attack surface.
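The "outdated permissions" problem above is one that an access review can catch mechanically. The following is an added example, not code from the article or from Tech-Wales: it takes a constructed export of role assignments (hypothetical principals and roles, with the date each grant was made and the date it was last exercised) and lists grants that have been idle longer than a chosen threshold, so that a reviewer can remove access that a project no longer needs. The 90-day threshold and the `REVIEW_DATE` are assumptions for the sample.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Grant:
    """One role assignment, as an access-review export might list it."""
    principal: str
    role: str
    granted_on: date
    last_used: Optional[date]  # None: never exercised since it was granted


# Constructed sample data; the principals, roles and dates are hypothetical.
REVIEW_DATE = date(2024, 1, 15)
SAMPLE_GRANTS: List[Grant] = [
    # developer access left over from a finished project
    Grant("alice@example.com", "ProjectX-Developer", date(2023, 1, 10), date(2023, 6, 30)),
    # service identity that is in daily use
    Grant("build-bot", "Deployer", date(2023, 5, 1), date(2024, 1, 14)),
    # broad role that was granted and never used at all
    Grant("bob@example.com", "Owner", date(2022, 11, 3), None),
    # recent, actively used grant
    Grant("carol@example.com", "Reader", date(2024, 1, 2), date(2024, 1, 12)),
]


def idle_days(grant: Grant, today: date) -> int:
    """Days since the grant was last exercised; a never-used grant counts from its grant date."""
    last_activity = grant.last_used if grant.last_used is not None else grant.granted_on
    return (today - last_activity).days


def find_stale_grants(grants, today: date = REVIEW_DATE, max_idle_days: int = 90) -> List[Grant]:
    """Grants idle for longer than max_idle_days, in input order: candidates for removal."""
    return [g for g in grants if idle_days(g, today) > max_idle_days]


if __name__ == "__main__":
    for g in find_stale_grants(SAMPLE_GRANTS):
        print(f"review/revoke {g.role!r} on {g.principal}: idle {idle_days(g, REVIEW_DATE)} days")
```

Running it against the sample flags Alice's left-over developer role and Bob's never-used Owner role, while the build identity and Carol's recent grant are left alone. A never-used grant is scored from the day it was made, so a broad role that was handed out "just in case" surfaces on the first review rather than staying invisible because it has no usage history.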
Misconfigurations grow with the number of cloud services
The three major cloud platforms (AWS, Azure and Google Cloud Platform) are constantly introducing new services. This distinguishes them from each other and supports users' drive to innovate with all kinds of tools. Of course there is a price tag attached: not only the costs, but also the risks, because a misconfiguration is easily made with so many and so rapidly changing cloud services. Twenty percent of data thefts are the result of cloud misconfiguration.
Least privilege can expose such misconfigurations by examining permissions, blocking unnecessary access and thereby mitigating risk, while still allowing the access that workloads need.
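Two points in the article, that least privilege must stop an identity from extending its own permissions and that looking at permissions reveals misconfigurations, can be shown on a policy document. The code below is an added example and is not code from the article or from Tech-Wales. It analyses AWS-style IAM policy JSON for the patterns the article describes: wildcard actions, actions granted on every resource, and actions that let a principal widen its own rights. The action names in `ESCALATION_ACTIONS` are real IAM actions, but the list is an illustrative subset rather than a complete catalogue, and the three sample policies (including the bucket and account identifiers in them) are constructed. The analyser only inspects `Allow` statements and ignores `NotAction`, `Deny` and `Condition`, which is a simplification.

```python
import fnmatch
import json

# IAM actions through which a principal can widen its own permissions.
# Real action names, but an illustrative subset (assumption: a production
# review would use a fuller, maintained list).
ESCALATION_ACTIONS = frozenset({
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy", "iam:PassRole",
})


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def analyze_policy(policy: dict) -> dict:
    """Findings for an IAM-style policy document (Allow statements only).

    wildcard_actions   - actions containing '*' (e.g. 's3:*' or '*')
    wildcard_resources - actions granted on Resource '*'
    escalation_actions - escalation-capable actions granted on Resource '*'
                         (assumption: the same action scoped to a specific ARN
                         is treated as a deliberate, reviewed grant)
    """
    wildcard_actions, wildcard_resources, escalation = [], [], set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        unscoped = "*" in resources
        for action in actions:
            if "*" in action:
                wildcard_actions.append(action)
            if unscoped:
                # Expand the policy's own wildcard against the known escalation actions,
                # so that 'iam:*' or '*' is recognised as granting all of them.
                escalation.update(a for a in ESCALATION_ACTIONS if fnmatch.fnmatchcase(a, action))
        if unscoped:
            wildcard_resources.extend(actions)
    return {
        "wildcard_actions": list(dict.fromkeys(wildcard_actions)),
        "wildcard_resources": list(dict.fromkeys(wildcard_resources)),
        "escalation_actions": sorted(escalation),
    }


def is_least_privilege(policy: dict) -> bool:
    """True when the analyser raises no finding at all."""
    return not any(analyze_policy(policy).values())


# Constructed sample policies (hypothetical bucket name and account id).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A role "configured broadly so as not to get in the way of developers".
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"}],
}

# The same workload granted only what it actually uses.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-logs/*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-task-role"},
    ],
}


if __name__ == "__main__":
    for name, policy in [("broad", BROAD_POLICY), ("developer", DEVELOPER_POLICY), ("tight", TIGHT_POLICY)]:
        print(name, "least privilege:", is_least_privilege(policy))
        print(json.dumps(analyze_policy(policy), indent=2))
```

The developer policy is the instructive case: `s3:*` on every bucket is the over-broad grant, and `iam:PassRole` on `*` is the self-extension path the article warns about, because it lets the identity hand any role in the account to a service it controls. The tightened policy keeps both capabilities the workload needs but pins them to one bucket prefix and one named role, and the analyser reports nothing for it.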
Least privilege is a starting point for cloud providers
AWS, Azure and GCP recognise the dangers of over-privileged identities and the challenges of securely configuring services in large cloud environments. They therefore all formulate least privilege as a best practice. Consortia such as the Cloud Security Alliance, through its Cloud Controls Matrix, also emphasise the importance of continuous control over access rights. Organisations subject to strict legislation can even be fined if least privilege is not implemented.
Least privilege is therefore useful, but should not be at the expense of the productivity of users or IT teams. A balance must be struck between effective rights management and security enforcement on the one hand, and operational needs on the other.
Tech-Wales cloud computing services
At Tech-Wales we offer professional and reliable cloud computing services for your business. Tech-Wales will set up a secure cloud computing system for your business and will help you maintain the cloud environment to a safe and secure standard. We also pride ourselves on offering excellent customer service. Contact us today to transform your business flexibility and start working from the cloud, or to increase and improve your current cloud-based IT infrastructure.