Risk of excessive cloud access premissions

The Risk of Excessive Cloud Access Permissions

The Risk of Excessive Cloud Access Permissions

So, what’s keeping CISOs up at night? Misconfigurations and an inability to detect excessive access to sensitive information. Ermetic recently enlisted market research firm International Data Corporation (IDC) to conduct an independent survey of CISOs across the US which highlighted the risks and concerns for enterprises regarding excessive access permissions in their cloud infrastructures. Among the results, 80% of participants were not able to identify excessive access to sensitive data in their cloud production environments — a first step on an organization’s journey to least privilege. In addition, 73% cited the implementation of least privilege as their top challenge, demonstrating that least privilege is considered a best practice by many CISOs.

As enterprises have moved data and applications off-prem and into the cloud, concerns for public cloud security have gradually given way to the understanding that public clouds are at least as protected as any on-premise data center. Either way, though, the human factor means that cybersecurity postures are only as strong as their weakest link: a typical public cloud deployment can quickly turn into a vast maze of interconnected machines, users, applications, services, containers and microservices that have to be monitored.

According to the shared responsibility model for public cloud security, it is up to the enterprise to protect their own identities and data in the cloud, and define the access to and configuration of their cloud services. While public cloud providers may offer security tools and advanced automations as part of their core offerings, they still cannot provide visibility into each and every workload that customers deploy and run on their infrastructure. 

And this is what keeps CISOs up at night. More than 63% of the survey respondents cited “lack of adequate visibility of access to/in cloud production environments” as either a very significant or extremely significant security threat to their cloud environments.

So it is clear that least privilege as a best practice in securing access to public cloud IaaS and PaaS environments has become increasingly important. The results also communicate the difficulty of effectively implementing least privilege access permissions using existing security solutions and approaches.

Enterprises need a different approach when implementing least privilege access to cloud production environments and minimizing the exposure to excessive access permissions. IaaS and PaaS environments provide scale and flexibility but also require integrated, centralized management and automation so enterprises can reduce the possibility of human mistakes while compensating for a growing lack of adequate personnel and expertise.

Entitlement size and complexity across cloud infrastructure are exploding as more native-cloud service provider (CSP) offerings and services enter the market, and we see that traditional (i.e. manual) methods for determining least-privilege access are not scalable. A new and essential area of cloud security protection has emerged, as defined by Gartner and Forrester, for mitigating the access risks that threaten cloud environments and that enable organizations to truly achieve least privilege at scale: Cloud Infrastructure Entitlement Management (CIEM). 

CIEM solutions are designed to continuously monitor and analyze cloud identities and their access entitlements, identify and provide contextual insight into excessive and risky permissions, and anomalies, automate their remediation and enable effective, cloud-scale governance of all access privileges. 

Check out the rest of the findings:

The Risk of Excessive Cloud Access Permissions

About the author

Arick Goomanovsky

Arick Goomanovsky

Co-founder and Chief Business Officer, Ermetic Arick is a tenured business leader with two decades of experience in strategy, technology, research, and leadership in government and the private sector. Prior to founding Ermetic, Arick was a co-founder of Sygnia Consulting, a cyber consulting and incident response firm which was acquired by Temasek Holdings for $250M. Before Sygnia, Arick worked at McKinsey & Company in London, where he focused on strategy and operations. He served for 15 years in the IDF Intelligence Corps Unit 8200, where he held senior leadership positions from research to leading hundreds of cyber R&D experts. He received several awards for his unique contributions to national security. Arick earned a BSc in exact sciences (Talpiot program, cum laude), an MSc in mathematics from Hebrew University, and an MBA (cum laude) from INSEAD.