Andras Cser of Forrester recently joined Jonathan Sander of Lieberman Software on a cloud security webinar titled Securing the Cloud Inside and Out. You can watch a replay of the webinar at https://liebsoft.com/news-events/events/securing-cloud-inside-guest-speaker-forrester-research/.
We asked Mr. Cser for his impressions about the future of cloud security and the particular challenges of managing privileged identities in the cloud. Here is the Q&A:
1. What new types of privileged identities does the cloud introduce and how are they different from on premises (if they are)?
In addition to employee and outsourced administrators, cloud service provider privileged users emerge. As the data center becomes distributed, a new administrator population emerges: administrators of the cloud service provider (CSP). While firms have always had outsourcer business partners’ employees performing systems administration tasks with privileged identities, CSP employees often need to have privileged access to a) hardware, b) hypervisors, c) guest operating systems and even to d) applications in guest operating systems. CSP administrators are different from employee and outsourcer administrator populations as they usually a) have a lower level understanding of the client’s environment and b) require a higher level of automation and greater efficiency of administrative tasks than employee administrators.
2. Does the move to IaaS and PaaS specifically increase the need for Privileged Identity Management (PIM) and, if so, how?
The move to IaaS and PaaS has two major implications:
- Increasing the automation of initial security configuration. Setting up new guest operating system instances has to require much less work and automation. Companies should build privileged identity management practices into guest operating system build and initial configuration processes.
- Simplifying the management of ongoing security configuration. Ongoing (security) configuration file management and integrity monitoring is much more automated, tighter and more robust than with on-premises environments. This is because, unlike on-premises environments, IaaS and PaaS cloud platforms usually are not patched and iteratively and manually secured, but instead are built-to-suit with templatized configurations.
3. What are the top 3 pieces of advice you would give to someone building a PIM program today if you knew that cloud was a big component of their target infrastructure?
We see Forrester’s clients follow the below best practices:
- Understand all aspects of scalability. The cloud is all about scaling up and down: when the load increases, the number of workloads increases; when the load decreases, the number of workloads decreases. This inevitably results in having to deal with sudden spikes and drops in the number of production server instances on the IaaS and PaaS cloud platform. Beyond Operating System (OS), network, file integrity, business continuity and disaster recovery (BCDR), and data protection, companies have to be able to respond to a sudden increase of administration activities on newly spun up workloads. Similarly, when the number of workloads suddenly drops, the company (along with its privileged administrator workforce, business partners, etc.) needs to be able to quickly reduce the security threat surface of the workloads on the cloud platform by shutting down stale instances and adjusting security configurations on the remaining servers.
- Get a grip on how you will monitor privileged user activity. Internal and external threats very often involve the use of privileged credentials. Checking out the password from a vault is not enough: you have to monitor all channels that allow administrators to use the privileged credentials (passwords, SSH keys, PKI certificates, etc.). The privileged identity management solution should be able to not only record all system administration activity (both command line and graphical user interface based), but also be able to flag anomalies and terminate sessions if it detects suspicious activity.
- Keep tight control of App2App and API use. The cloud is a predominantly headless and automated environment: applications connect to other applications using SDKs, RESTful API calls, web services and many other means. What’s common about these types of access methods is that they all require the caller application to use a credential (typically username and password pairs or PKI certificates) when connecting and authenticating to the called application. In addition, CSPs all provide API-based methods to configure, spin up and stop server instances and other workloads. Keeping these credentials in easy-to-read, clear text configuration files is not an option – it inevitably leads to data breaches. You have to centrally manage these App2App credentials with the same care and precautions you manage those credentials that human privileged users use.
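The third point above is something you can check for mechanically: a scan of application settings files for secret-bearing keys that hold a literal value instead of a reference to a central credential store. The code below is an added example, not part of the interview or any Lieberman or Forrester product; the `vault://` reference scheme and the sample settings file are constructed for illustration.

```python
import re

# Keys that usually carry a secret. A value that is a reference into a central
# credential store (the constructed "vault://" scheme) is acceptable; a literal
# value written into the file is a clear-text credential and gets reported.
SECRET_KEY = re.compile(
    r"^\s*(\w*(password|passwd|secret|api_key|token)\w*)\s*[=:]\s*(.+?)\s*$", re.I
)
VAULT_REF = re.compile(r"^vault://[\w/.-]+$")


def find_cleartext_credentials(config_text):
    """Return (line_no, key) for every secret-bearing key holding a literal value."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out lines are not live configuration
        match = SECRET_KEY.match(line)
        if match and not VAULT_REF.match(match.group(3).strip("\"'")):
            findings.append((line_no, match.group(1)))
    return findings


# Constructed sample of an application's settings file: two literal secrets,
# one vault reference, one commented-out leftover.
SAMPLE_CONFIG = """\
# application settings (constructed sample)
db_host = db01.internal
db_password = "Winter2014!"
api_token: vault://apps/billing/api_token
# old_secret = hunter2
aws_secret_key = EXAMPLE-LITERAL-VALUE
"""
```

Running `find_cleartext_credentials(SAMPLE_CONFIG)` reports lines 3 and 6; the vault reference on line 4 passes, which is the pattern the answer recommends.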
4. How would you advise people to look at the timing of their PIM deployment, especially when cloud is involved?
We see Forrester’s clients prioritize phases of their PIM deployment in a cloud environment in the following way:
- Establishing a governance process. Without understanding who has privileged access to what (on-premises and cloud) workload(s), and under what circumstances (normal operations, production emergencies, etc.), you cannot establish an effective and repeatable PIM process. Good governance of PIM involves a periodic review of privileged users’ access, making sure that terminated employees have no access to the environment, etc. This process also involves defining clear and enforceable boundaries between employee, business partner (outsourcer) and CSP privileged users and system administrators: who can manage what layer of the environment (hardware, hypervisor, guest operating system, application, database, etc.).
- Setting up and continually enforcing secure network segmentation. Privileged systems should always be on a separate (logical or virtual) privileged server network to which the company tightly controls ingress points, i.e. IP addresses that can access the privileged server network. Software Defined Networking (SDN) greatly helps with creating dynamic, but still secure, network segmentation and compartmentalization.
- Managing credentials centrally. It goes without saying that keeping sensitive passwords printed out on a piece of paper, in a static Excel spreadsheet, etc. is neither secure nor scalable. A solid privileged credential platform should enforce tight access controls to credentials and change privileged passwords on endpoints regularly or after each use.
- Monitoring and enforcing policies on privileged sessions. After the privileged user has checked out the credentials from the PIM solution, the PIM solution needs to monitor the actions of the user and be able to notify the supervisor of the admin or terminate the session if it detects suspicious activity. This greatly helps to avoid data loss.
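The last two phases (central credential management with rotation after each use, and session monitoring that terminates on suspicious activity) fit together in one small model, shown here as an added example rather than code from the interview or from any PIM product. The vault, session, anomaly rules (an off-hours session start and commands that erase the audit trail) and the account and administrator names are all constructed for illustration.

```python
import secrets
import string
from datetime import datetime

# Constructed policy: command fragments that erase the audit trail are blocked,
# and administrative sessions are expected to start between 08:00 and 17:59.
BLOCKED_COMMANDS = ("history -c", "rm -f /var/log")
ALLOWED_START_HOURS = range(8, 18)

def new_password(length=24):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

class Vault:
    """Toy PIM vault: every check-out is written to the audit trail."""
    def __init__(self, accounts):
        self.passwords = {a: new_password() for a in accounts}
        self.events = []  # audit trail: check-outs and every command run

    def checkout(self, admin, account, when):
        self.events.append(("checkout", admin, account, when.isoformat()))
        return self.passwords[account]

class Session:
    """Monitored privileged session: logs commands, flags anomalies, terminates."""
    def __init__(self, vault, admin, account, started):
        self.vault, self.admin, self.account = vault, admin, account
        self.alive, self.flags = True, []
        if started.hour not in ALLOWED_START_HOURS:
            self.flags.append(f"off-hours start at {started.isoformat()}")

    def run(self, command):
        if not self.alive:
            return False  # a terminated session accepts nothing further
        self.vault.events.append(("cmd", self.admin, self.account, command))
        if any(bad in command for bad in BLOCKED_COMMANDS):
            self.flags.append(f"blocked command: {command}")
            self.alive = False
            self.vault.passwords[self.account] = new_password()  # check-in rotates
            return False
        return True

def demo():
    vault = Vault(["root@db01"])  # constructed account
    start = datetime(2014, 3, 3, 2, 30)  # 02:30, outside the allowed window
    issued = vault.checkout("alice", "root@db01", start)
    session = Session(vault, "alice", "root@db01", start)
    results = [session.run(c) for c in ("id", "history -c", "ls")]
    return results, session.flags, vault.passwords["root@db01"] != issued
```

`demo()` returns `[True, False, False]`: the first command is allowed and logged, the second terminates the session and rotates the endpoint password, and the third is refused because the session is already gone.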
You can learn more about all of these topics in the Securing the Cloud Inside and Out webinar.