Effectively managing your cloud risks and controls is a critical part of keeping your network safe from harm, but multi-cloud environments and a changing workforce can make protecting your cloud resources challenging. Using the Gartner Peer Community platform, we surveyed 100 security leaders to get a feel for today's biggest concerns and risks in cloud security access management.
In This Article
- What Is Cloud Security Access Management?
- Risks and Concerns in Cloud Security Access Management
- Download Our Free Report
What Is Cloud Security Access Management?
Cloud security access management refers to the tools and policies your organization uses to control access to your cloud tools and applications. Essentially, it's how you manage who can access what cloud-based resources and when.
With the average cost of a data breach rising to $4.35 million in 2022, it should come as no surprise that creating and maintaining a robust cloud security system can help protect your organization from significant losses in the future. This system can also save your IT department time and effort by making it easier to identify and resolve threats as soon as they arise, such as rogue accounts.
An Identity and Access Management (IAM) framework is a great example of a cloud access management strategy. IAM combines multiple different technological solutions to manage access to company resources, including cloud systems and administrative functions.
Some common IAM features include:
- Enterprise Password Management (EPM): Enterprise password provides tools and processes to securely manage and store passwords. These systems ensure that employees use strong, unique passwords across different services, and they provide centralized control to prevent unauthorized access, reduce the risks of password-related breaches, and streamline the process of password resets and recoveries.
- Identity Lifecycle Management or Joiner-Mover-Leaver Process: The critical Joiner-Mover-Leaver process, often known as Identity Lifecycle Management, delineates the lifecycle of user identities within an organization. "Joiners" are new employees or users who are onboarded and granted initial access rights. "Movers" are existing employees whose roles, and therefore access rights, change due to internal transitions like promotions, departmental shifts, or other role modifications. "Leavers" are those who exit the organization, necessitating the revocation of their access to prevent potential security risks.
- Just-In-Time Access: Just-In-Time access is the dynamic provisioning of access rights to users only when it's needed and for a limited duration. Instead of providing persistent, wide-ranging access, JIT ensures that users obtain privileges on-the-fly, typically after undergoing additional verification or approval processes. Once the specific task or session is completed, the elevated access is automatically revoked. This approach minimizes the exposure of sensitive resources and reduces the attack surface by ensuring that users don't have unnecessary or prolonged access, thereby enhancing the organization's security posture and reducing the risk of insider threats or external breaches exploiting lingering privileges.
- Single Sign-On (SSO): SSO streamlines the user experience by verifying user identity with only one set of credentials.
- Multi-Factor Authentication (MFA): MFA requires two or more identifying factors to verify a user's identity. For example, you may need to answer a push notification on your phone after entering your username to gain access to the resources you need.
- Built-in audit trail to streamline compliance: IAM provides a complete audit trail of history of permissions, authorization, removal, delegation and access, making compliance easier.
One of the greatest benefits of using an IAM solution for cloud security is that it creates a centralized control hub where your admins can manage access and authorization controls uniformly across your entire infrastructure.
Risks and Concerns in Cloud Security Access Management
Inadequate password management procedures and policies put privileged identities at risk. Many companies face the same challenges when it comes to protecting their cloud resources. Here are the top risks associated with cloud security access management today.
1. Old-School Password Management
Nearly half (49%) of our respondents said they use spreadsheets to store their cloud infrastructure passwords — perhaps worse, 75% said they used spreadsheets for managing application passwords.
Using programs like Microsoft Excel or Google Sheets to manage password spreadsheets leaves your passwords wide open. Hackers can easily gain access to your information, and anyone who uses your computer can find and steal your credentials.
That's not to say personal password managers like LastPass and KeePass are much better, even though most respondents said they use a manager to protect company credentials. In August of 2022, LastPass users learned of a massive data breach that left company passwords, encrypted password vaults and other private data completely exposed.
No reputable company will have a policy that secrets can be stored in spreadsheets or documents. Most will have an enterprise password management strategy that covers identities, passwords, SSO, privileges and beyond. Yet IT Security leaders responsible for ensuring adherence to corporate policy report their organizations are storing critical infrastructure and application passwords within insecure methods. Why? Likely due to poor usability and enablement. Organizations need to ensure the tools they adopt have good user experiences for employees so that instead of insecurely creating or reusing passwords they are encouraged to create, save, and use them properly each and every time. While choosing the right tool is essential, equally as important is a thoughtful enablement strategy that includes coaching and enforcement. Enablement needs to ensure suitable motivational incentives exist, so employees want to do the right thing.
Using an enterprise password manager is a critical step in setting a baseline of acceptable organizational behaviour. A simple and easy to use tool can drastically reduce circumvention of policies. But the tool needs to be always easily available to empower and enable employees in the day-to-day work, making it a frictionless experience.
Employees also need to be incentivised to use the tool. A simple and effective way to do this is by introducing security to an employee’s performance review process. When reviewing employee performance, organizations could look at how employees are participating in the company’s security such as using the enterprise password manager. Are they storing a reasonable number of items? Are they logging in a reasonable number of times? If yes, this is a great opportunity to provide positive feedback and if not, then it provides a natural opportunity to investigate why they are not using the tools that keep the organization’s data and assets secure.
While SSO is a great way to improve usability and avoid policy circumvention, real life in a business encounters many cases that do not fit nicely in the SSO capability set. This is why an enterprise strategy needs to be designed to handle the unexpected and unknown with an acceptable baseline of security.
2. Enforcing Password Policies
Although 85% of respondents said they can enforce company password policies on cloud infrastructure, 70% said they cannot remediate compromised or non-compliant passwords in under 24 hours.
This is rapidly becoming a real problem in modern enterprises. If an adversary can gain access to your central identity directories you could be looking at outages of days, weeks, and in exceptional cases months to recover your business operations if you do not have processes in place that can rotate passwords in under 24 hours' notice.
Adopting passwordless or SSO technology without a full understanding can make this situation worse by creating a false sense of security. Often people adopt passwordless or SSO technologies and leave password-based authentication on in case of emergency or to handle edge cases needed by users. This is a good step since it can drastically reduce your risk of phishing attacks, but it doesn’t eliminate the risk of password disclosure and compromise in attacks such as the above where people compromise your user directories.
This is why organizations need to have a holistic view of both primary user experiences and secondary or emergency user experiences. Disaster recovery and business continuity planning need to evaluate these worse case threats of centralized directory compromises. To handle these risks properly you need to weave your story using the capabilities of enterprise password management, SSO, and passwordless experiences.
3. Identifying and Revoking Rogue Access
A rogue account is one that is not authorized by your IT department. For example, if you forget to revoke a former employee's access to your network, they will have a rogue account — and that's a serious security risk.
There is a significant gap between an organization’s Service Level Agreements (SLAs) and reality when it comes to discovering and removing rogue accounts within cloud infrastructure. More than three-quarters of respondents say they can do so within three days, but only 12% of them said they use automated technology for this purpose.
Without an automated technology your only approach to identify these is with Quarterly or Yearly access reviews. An astounding 77% of our respondents identified depending on quarterly or yearly access reviews as their primary way to identify rogue accounts, which does little to prevent damage.
The disconnect between SLA and actual policy is astounding. A key element of setting enterprise security policies is to “say what you do and do what you say”. A three-day SLA when organizations report detecting rogue accounts in 45 days is not following this principal. If companies need to enforce a 3-day SLA (and in our opinion, they should), then this highlights a significant gap in the Joiner-Mover-Leaver practices in organizations between what they can currently do and what they need to do.
4. Unclear Identity Lifecycle Management Plans
Navigating the Identity Lifecycle Management (ILM) or Joiner-Mover-Leaver landscape is one of the major challenges both IT and HR professionals face today while managing the constantly changing identities within the organization. When the company grows, you must onboard lots of new hires at the same time — which can lead to certain users falling through the cracks.
That said, our data suggest the organizations that have been able to identify JML gaps are using the wrong tools to resolve these issues. Rather than focusing all your attention and resources on the joiners, you need to find a solution that allows you to give the same consideration to all points of the user identity lifecycle.
In most modern organizations, it is not cost-effective or realistic to fully automate Joiner-Mover-Leaver with all applications. Companies need to do an assessment of their business-critical infrastructure and invest resources in ensuring SLAs on mission critical infrastructure can be met while setting realistic and accurate SLAs for non-mission critical assets. For less critical systems, it might be perfectly acceptable to have a 3-month SLA. This is a decision that can only be made by the organization about the level of protection they are willing to invest for. It is critical that an organization is honest and “say what you do and do what you say” about the protections being offered.
A comprehensive Joiner-Mover-Leaver solution that is based on zero-trust architecture lets all your employees get the job done while increasing your network security.
Download Our Free Report
Don't let poor password management put your organization in danger. Take advantage of Bravura Security's comprehensive JML management solution for identity lifecycle management. With enterprise solutions for privileged, end-user and decentralized credentials, our software allows you to speed up password policy enforcement and prevent damaging situations you'd only discover during periodic audits.
For more on the current state of cloud security access management, download our free infographic. And if you're considering implementing zero trust or IAM solutions in your organization, contact us to request a free demo of our security solutions. We'll show you how the Bravura Security Fabric can improve your company's cybersecurity posture and enhance employee productivity.