A typical cloud infrastructure can be home to hundreds of thousands of privileged accounts, many of them poorly secured. Because automated attack tooling is widely available, a single improperly secured privileged login can give an attacker free rein on the network and access to the private data hosted in the cloud.
Privileged accounts have so far proven difficult to secure within large-scale, dynamic Cloud Service Provider (CSP) networks; many providers still rely on manual processes and first-generation software tools to manage them.
As a result, improperly secured privileged accounts present an easily exploited attack surface to both external attackers and malicious insiders.
Key Cloud Security Concerns
The problem with unsecured privileged accounts is a particular concern in the cloud.
CSPs face significant consequences from any data loss incident: direct remediation and legal costs, and the potential loss of business that follows public disclosure of a breach. They also face a daunting challenge in securing physical and virtual IT assets that change constantly, especially when they rely on security methodologies that were never intended to scale to the size of today's cloud service networks.
In general, privileged identities are not managed by standard Identity and Access Management (IAM) systems. Unlike conventional user logins, privileged accounts are not typically provisioned through a workflow. Instead, they appear on the network whenever physical and virtual IT assets are deployed or changed (a local root or Administrator account on every new image, a service account on every new database instance, and so on).
Privileged identities therefore have to be discovered and tracked by software that operates separately from IAM. And because every shared, static, or cryptographically weak privileged credential is a potential attack surface, IT regulatory mandates, including PCI DSS and HIPAA, require these credentials to be changed frequently. Access to these accounts must also be attributable to named, audited individuals.
This can seem an overwhelming challenge when access lists, and even the assets themselves, change more rapidly than human intervention can keep up with.
How to Manage the Privileged Account Problem
Cloud Service Providers face significant security challenges when managing privileged identities at massive scale in large, elastic environments. In multi-tenant organizations the number of systems under management can extend into the hundreds of thousands, and a secure environment requires discovering and managing every privileged identity on every one of them.
Securing cloud identities therefore requires a solution that discovers, audits, and controls access to privileged accounts entirely by machine, in an automated and programmatic manner rather than through direct human intervention. Only with automated controls can these organizations locate and remediate weaknesses faster than nation-state attackers and criminal hackers can exploit them.
With automated and programmatic controls over privileged identities, cloud service providers can achieve:
- Privileged account discovery and tracking that is both broad in platform scope and deep in account discovery
- Credential changes, as needed to comply with regulatory mandates
- Rules for human and machine access to privileged accounts
- Ongoing detection and decommissioning of inactive privileged accounts
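The four capabilities above (discovery, credential-age checks, access rules, and inactive-account detection) are what an automated pass over each host has to implement. The following is an added example, not code from the original page or from any vendor product: it runs one such audit over constructed sample data standing in for a single Linux host's /etc/passwd, /etc/group, /etc/sudoers and /etc/shadow plus last-login times. The file contents, the fixed "today" value, the 90-day password-age and 180-day idle thresholds, and the admin group names are all assumptions chosen for the example; a real deployment would collect these files from every managed system and feed the findings to a rotation or decommissioning workflow.

```python
"""Privileged-account discovery and audit over constructed host data (added example)."""
from dataclasses import dataclass

# --- Constructed sample input (not from a real system) -----------------------
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
deploy:x:1003:1003:ci deploy:/srv/deploy:/bin/sh
svc_backup:x:1004:1004::/var/backup:/bin/sh
"""
GROUP = "root:x:0:\nsudo:x:27:alice,bob\nwheel:x:10:\n"
SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
"""
# /etc/shadow layout: name:hash:lastchg(days since epoch):min:max:warn:inactive:expire:
# The hashes are placeholders; identical values model a cloned image with a copied root hash.
SHADOW = """\
root:$6$abc:19000:0:99999:7:::
toor:$6$abc:19000:0:99999:7:::
alice:$6$def:19700:0:99999:7:::
bob:!:19000:0:99999:7:::
deploy:$6$ghi:18500:0:99999:7:::
svc_backup:$6$jkl:18000:0:99999:7:::
"""
LASTLOG = {"root": 19720, "alice": 19720, "bob": 19400, "deploy": 19710}  # days since epoch
TODAY = 19730                 # fixed so the example is reproducible offline
MAX_PASSWORD_AGE = 90         # assumed rotation policy, in days
MAX_IDLE_DAYS = 180           # assumed inactivity threshold, in days
ADMIN_GROUPS = {"root", "sudo", "wheel", "admin"}  # assumed admin group names


@dataclass
class Finding:
    account: str
    reason: str


def parse_passwd(text):
    """name -> (uid, shell)"""
    return {f[0]: (int(f[2]), f[6]) for f in (l.split(":") for l in text.splitlines() if l)}


def parse_group(text):
    """group name -> set of member names"""
    return {f[0]: {m for m in f[3].split(",") if m}
            for f in (l.split(":") for l in text.splitlines() if l)}


def parse_sudoers(text):
    """Return (users, groups) that carry a sudo rule; Defaults and comments are skipped."""
    users, groups = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        who = line.split()[0]
        (groups if who.startswith("%") else users).add(who.lstrip("%"))
    return users, groups


def parse_shadow(text):
    """name -> (hash, last password change in days since epoch)"""
    return {f[0]: (f[1], int(f[2]) if f[2] else None)
            for f in (l.split(":") for l in text.splitlines() if l)}


def discover_privileged(users, groups, sudo_users, sudo_groups):
    """UID 0 accounts, members of admin/sudoers groups, and users named in sudoers."""
    priv = {n for n, (uid, _) in users.items() if uid == 0}
    for g in ADMIN_GROUPS | sudo_groups:
        priv |= groups.get(g, set())
    return priv | (sudo_users & set(users))


def audit(users, groups, sudo_users, sudo_groups, shadow, lastlog, today):
    priv = discover_privileged(users, groups, sudo_users, sudo_groups)
    uid0 = sorted(n for n in priv if users[n][0] == 0)
    by_hash = {}                                  # shared-credential detection
    for n in priv:
        h, _ = shadow.get(n, ("", None))
        if h and not h.startswith(("!", "*")):   # "!"/"*" mark a locked password
            by_hash.setdefault(h, []).append(n)
    findings = []
    for n in sorted(priv):
        if users[n][0] == 0 and len(uid0) > 1:
            findings.append(Finding(n, "shares UID 0 with " + ", ".join(o for o in uid0 if o != n)))
        h, lastchg = shadow.get(n, ("", None))
        if h and not h.startswith(("!", "*")):
            twins = [o for o in by_hash[h] if o != n]
            if twins:
                findings.append(Finding(n, "shares password hash with " + ", ".join(twins)))
            if lastchg is not None and today - lastchg > MAX_PASSWORD_AGE:
                findings.append(Finding(n, f"password unchanged for {today - lastchg} days"))
        last = lastlog.get(n)
        if last is None:
            findings.append(Finding(n, "never logged in; decommission candidate"))
        elif today - last > MAX_IDLE_DAYS:
            findings.append(Finding(n, f"idle for {today - last} days; decommission candidate"))
    return priv, findings


def run_audit():
    """Run the audit over the constructed sample host and return (privileged set, findings)."""
    sudo_users, sudo_groups = parse_sudoers(SUDOERS)
    return audit(parse_passwd(PASSWD), parse_group(GROUP), sudo_users, sudo_groups,
                 parse_shadow(SHADOW), LASTLOG, TODAY)


if __name__ == "__main__":
    priv, findings = run_audit()
    print("privileged:", ", ".join(sorted(priv)))
    for f in findings:
        print(f"{f.account}: {f.reason}")
```

On the sample host the pass discovers five privileged accounts (root, toor, alice, bob and deploy; svc_backup is an ordinary service account) and reports nine findings: the two UID 0 accounts share a password hash, which in practice means a copied image, three accounts have passwords older than the 90-day policy, toor has never logged in, and bob has been idle for 330 days. Each finding maps to one of the list items above: the shared and stale credentials feed the rotation step, the idle and never-used accounts feed decommissioning, and the sudoers parse is the input to the access-rule check.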
Next-generation security solutions now exist that meet these requirements for managing privileged identities in large cloud environments, removing an operational roadblock that once prevented large cloud providers from complying with regulatory requirements and IT security best practices.
Want to learn more? Download the free white paper, Securing the Cloud Inside and Out.