Last updated: 15 July 2018
The growing popularity of cloud services (IaaS, PaaS, and SaaS) in global organizations probably comes as no surprise: enterprises can purchase the features and services their developers need, scale up or down as the organization evolves, and deliver numerous applications quite easily from the cloud. Although some cloud services offer enterprises predictable expenses, the security of these cloud services is less predictable. Such a diverse cloud estate has become a challenge for risk officers, CISOs and IT teams managing different groups of users. These range from remote workers and contractors, through administrators of privileged accounts, to standard in-house employees. Fortunately, you can adopt cloud access management measures for an effective digital transformation strategy, as Part 2 of this 3-part blog series addresses.
Missed Part 1? Catch up now: ‘Things to Consider in Your IAM Strategy: Secure Multi-Cloud Services’
Part 2: Why do cybercriminals prefer privileged cloud users?
Web-based applications are the most vulnerable in terms of cybersecurity. The fact that access to PaaS and IaaS consoles is web-based makes privileged accounts a prime target for cybercriminals. Cybercriminals know that hacking privileged administrator consoles is an express lane to identity theft. Gemalto’s Breach Level Index reported that 74% of data incidents by type were identity theft breaches. That’s why it’s so important for enterprises to ensure higher levels of access security for these administrators.
According to another Gemalto survey, web portals and unprotected infrastructure are the biggest targets for cyber-attacks. In one of the most famous data breach attacks, on Deloitte, sources say that the hacker reached the company’s global email server through an ‘administrator’s account’, which gave access to privileged and unrestricted areas. “The account required only a single password and did not have ‘two-step’ verification.”
Remote cloud access
When organizations move their servers and applications to the cloud, inherent security becomes more of an issue. This is because the IT administrators are no longer going down the hall to log onto a specific machine – they are accessing a range of applications through a web-based admin console, which is also accessed by several other administrators.
New security measures needed
Given the frequency and sheer number of cloud-based cyber-attacks, organizations need to implement new security measures to protect these web-based admin consoles. With this in mind, security officers need to adopt a dedicated access security approach for users and admins who routinely have access to privileged cloud-based accounts.
In Part 1 of this blog series, I discussed the security concerns involving IaaS. However, companies can have admin consoles at various points in the enterprise’s network, opening up vulnerabilities in multiple clouds, on-premises or remotely.
Here are some of the ways an effective solution will help prevent criminals from getting hold of the web consoles of privileged users, who may hold the keys to massive and valuable digital assets, often for multiple departments and organizations:
- Eliminate the use of passwords
Keeping track of the many passwords administrators need can be cumbersome, and risky if they are lost. Using a smart single sign-on for privileged accounts will discourage administrators from writing their passwords down on paper or storing them in an unencrypted digital file. Smart single sign-on maintains single sign-on to apps governed by a specific policy and will trigger a request for elevated access security for specific business cases or groups of users. This is in contrast to regular single sign-on, which is less secure and is based on a ‘keys to the kingdom’ approach that provides a single credential for all applications. If the single credential is compromised, all the apps to which the user has access will be vulnerable.
- Use strong authentication
Due to the high risk involved with privileged accounts, administrators should be subject to strong, multi-factor authentication to add more layers of protection to the login process. These multiple factors could be one-time passwords generated by hardware tokens, PKI-based certificate authentication, biometric authentication or a combination.
- Establish conditional access
Set up policies that limit access to administrators, use role-based access policies and augment strong authentication with contextual factors such as time of session, location of access, IP address, geographical location, etc.
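The three measures above combine into a single access decision per login. The Python below is an added example, not code from the original post or from any product: it evaluates role entitlement, strong factors and context, and returns allow, step-up or deny. Every name, network range, country list and threshold in it is an assumption made for illustration, including the choice to ask for a second strong factor when the context is unusual.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical policy data, constructed for this example.
APP_ROLES = {"iaas_console": {"admin"}, "mail": {"admin", "employee"}}
ADMIN_NETWORKS = [ip_network("203.0.113.0/24")]  # documentation range as corporate egress
ALLOWED_COUNTRIES = {"NL", "FR"}
ADMIN_HOURS = range(7, 20)                       # 07:00-19:59, policy-local time
STRONG_FACTORS = {"otp_hardware_token", "pki_certificate", "biometric"}

@dataclass
class Login:
    role: str            # "admin" or "employee"
    app: str
    source_ip: str
    country: str
    when: datetime       # assumed already converted to policy-local time
    factors: set = field(default_factory=set)  # factors presented in this SSO session

def evaluate(login):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    # Role-based access: the role must be entitled to the application at all.
    if login.role not in APP_ROLES.get(login.app, set()):
        return "deny", ["role not entitled to app"]
    # Non-privileged users ride the ordinary single sign-on session.
    if login.role != "admin":
        return "allow", []
    # Contextual hard stop: admin access only from permitted countries.
    if login.country not in ALLOWED_COUNTRIES:
        return "deny", ["country not permitted for admin access"]
    strong = login.factors & STRONG_FACTORS
    reasons = []
    # Privileged accounts never get in on the SSO session alone.
    if not strong:
        reasons.append("privileged role requires a strong factor")
    # Unusual network or time of session raises the bar to two strong factors.
    off_net = not any(ip_address(login.source_ip) in n for n in ADMIN_NETWORKS)
    off_hours = login.when.hour not in ADMIN_HOURS
    if (off_net or off_hours) and len(strong) < 2:
        reasons.append("unusual context requires a second strong factor")
    return ("step_up", reasons) if reasons else ("allow", [])

if __name__ == "__main__":
    night = datetime(2018, 7, 16, 23, 30)
    admin = Login("admin", "iaas_console", "198.51.100.7", "NL", night,
                  {"otp_hardware_token"})
    print(evaluate(admin))  # step-up: off-network and off-hours with one factor
```

A `step_up` result is the point at which the sign-on flow would prompt for the additional factor before issuing a session for the console.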
Privileged accounts are the most dangerous and important to protect in an enterprise. To prevent reputational, financial and privacy damages caused by identity theft, it’s best to consider a solution that will support all your cloud computing services and integrate with other solutions such as Privileged Access Management (PAM) solutions. In other words, don’t let your superuser accounts turn into super loser accounts.
However, not all enterprise users need access to all areas of cloud enterprises. Read Part 3 of this blog series: Things to Consider in Your IAM Strategy: Cloud Security or Easy Access? to learn about why enterprises often struggle with convenience vs. security for their employee access to cloud services.