InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
InfoGuard AG
Stauffacherstrasse 141
3014 Bern
Switzerland
InfoGuard Deutschland GmbH
Landsberger Straße 302
80687 Munich
Germany
The pandemic has meant that the pace of change in businesses has sped up dramatically, and you've probably seen a fundamental shift in the way you are doing business, too. This is evidenced by the widespread migration of workloads from self-hosted datacentres to third-party hosted public clouds, and the rapid growth of born-in-the-cloud companies. In these hybrid, multi-cloud IaaS environments, there has also been a change in the nature of privileged access risk to administrator accounts. There are many organisations looking for new ways to safeguard human and machine identities when accessing critical cloud resources, permissions and entitlements. Learn how this is done in this blog post.
Attackers are always trying to extend their privileges to become full cloud administrators. What's more, they can easily use these privileges to conceal clandestine shadow entities that stay hidden and can be used as backdoors into the cloud environment. This is why you should regularly scan your environment to discover privileged users, groups and roles and expose clandestine cloud shadow administrators.
The shift to DevOps and the recent growth in attacks on the digital supply chain have also led to a new need for advanced privileged access management solutions. It is essential to secure the development pipeline and build-time and run environments without creating a burden for software developers.
One option is to use DevOps pipelines to extend your cloud initiatives in order to increase business agility, or maybe you are looking for on-demand computing and storage solutions to save on costs. Wherever you are on your cloud journey privileged access and identity policies need to be enforced consistently across your organisation to reduce your exposure and protect your critical assets.
Cloud management consoles and portals facilitate complete control over a company's cloud resources, so every time they are accessed, they need to be secured and monitored because they are a prime target for cyber-attackers. This is particularly true of high-performance root accounts – meaning accounts with irrevocable administrative rights such as the AWS root user account, the Azure global administrator role and the Google Cloud Platform (GCP) super-user account. Therefore, you need to be aware of the following recommendations:
1. Treat all access to the Cloud Management Console as privileged:
Identify the permissions a user or application/machine needs to perform the task at hand. Create roles for each user persona and only give them access to what they need. Implement controls for managing privileged access.
2. Implement Just-in-Time access:
Providing just-in-time access to the Cloud Management Console grants permissions at session start-up, ensuring that only the correct users have access to the correct resources at the correct time and only for a specified time period. This way you significantly reduce the attack surface.
3. Go for SSO and MFA:
Irrespective of whether access to the cloud console is permanent or temporary, human access should be protected by single sign-on (SSO) and multifactor authentication (MFA). SSO makes it easier for users to access their work applications in a single place without having to remember multiple passwords.
4. Secure API and automated access to the cloud management console:
Cloud management consoles and portals can be accessed by automated scripts via API access keys. These API keys are highly privileged and very powerful – for example, they can allow a script or user to stop or start a virtual server, copy a database or even delete entire workloads. API keys are crucial to securing your cloud workloads.
5. Control and monitor administrator access:
A single compromised administrator is enough to wipe out your entire cloud environment configuration. Strict monitoring of privileged access is vital for security and auditing purposes. Record admin activities, monitor active sessions and assign them appropriate risk scores based on predefined high-risk behaviours and activities, such as access to the console outside of working hours.
Our partner CyberArk offers a comprehensive portfolio of SaaS and advanced on-premises solutions for privileged account and identity management. Incidentally, CyberArk has been ranked as a leader in the “2021 Gartner® Magic Quadrant™ for Privileged Access Management”.
In the course of the past year, CyberArk has been driving key product innovations and making it even easier for any size of global business to make security a top priority in order to protect the growing number of identities and identity types wherever they are used, be it in the cloud, DevOps workflows or increasingly fragile supply chains.
CyberArk was awarded the highest mark for the Secrets Management use case in the “2021 Gartner® Critical Capabilities for Privileged Access Management” report. The DevOps solutions for Secrets Management enable applications and automation tools to securely access sensitive resources on a large scale.
We would be pleased to hear from you if you would like to find out more about CyberArk's solutions. Our CyberArk experts will be glad to advise you!