Even if your cloud workloads are complex and data is privileged – it’s still on the customer to secure

Another day, another example of misunderstanding shared responsibility when it comes to cloud security. Or is it?

A new report from identity and access management (IAM) provider Centrify has argued that while many organisations understand the basics of shared responsibility, the increasing complexity of workloads means that confusion occurs when it comes to privileged access.

The study, titled ‘Reducing Risk in Cloud Migrations: Controlling Privileged Access to Hybrid and Multi-Cloud Environments’, polled more than 700 respondents across the UK, US, and Canada. Three in five (60%) respondents said security was the leading challenge when it came to cloud migration generally, while more than half (51%) affirmed they were taking different approaches to securing cloud workloads compared with on-premises.

Yet the responses begin to unravel after this. 60% of those polled said they believed cloud providers were responsible for securing privileged access. This goes to show that while some data may be more privileged than others, it all falls under the same bucket.

Cloud providers, as they frequently note, are responsible for the security of the cloud – infrastructure and uptimes et al – while the onus is on the user for security in the cloud; applications and data. While not being able to cut the cord completely, vendors have gradually taken more proactive steps; none more so than Amazon Web Services, who this time last year launched a new offering to help mitigate against open bucket misunderstandings – which are frequently an open goal for criminals.

For Centrify, the company’s focus on privileged access management (PAM) can be seen in other survey responses. More than two thirds (68%) of those polled said they were not implementing PAM best practices for cloud environments, while more than three quarters (76%) said they use more than one identity directory for their cloud strategy, putting them at risk of ‘identity sprawl’ attacks.

Organisations predominantly saw applying privileged access controls as a way to secure access to cloud service management – cited by 71% - while secure access to cloud workloads and containers was cited by more than half (53%). The report notes how that the more specific the privilege is, the interest diminishes in securing it.

In terms of best practices companies utilise, unsurprisingly the most popular was multi-factor authentication across all privileged access accounts – albeit only cited by 60% of those polled. The remaining factors were used by less than half of respondents, from operating a ‘least privileged access’ model (43%), to privileged session monitoring (38%). It must be noted that many of these questions come down to how many clients have an ‘all-in-one’ security offering, compared with a more bits-and-pieces strategy.

Centrify argues there are five key actions organisations should take; understanding privileged access to cloud environments was the company’s responsibility; reducing risk associated with identity sprawl; enforce a least privilege model; employ a common security model; and modernise your security approach, focusing on cloud-native PAM.

“We know that 80% of data breaches involved privileged access abuse, so it’s critical that organisations understand what they are responsible for when it comes to cloud security, and take a least privilege approach to controlling privileged access to cloud environments,” said Centrify CEO Tim Steinkopf. “Too much access and privilege puts their workloads and data at risk.”

You can read the full report here (email required).

https://www.cybersecuritycloudexpo.com/wp-content/uploads/2018/09/cyber-security-world-series-1.pngInterested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Related Stories

Leave a comment

Alternatively

This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.