If there were any lingering doubts that digital identities and privilege access management have become the critical elements to security in the cloud era, two recent survey reports have conclusively put that debate to rest.

In Top Threats to Cloud Computing, published by the Cloud Security Alliance in June, more than 700 industry experts named insufficient identity, credentials, access, and key management as the top threats facing them today. Identity issues was identified as a top threat over other well-known vulnerabilities like insecure interfaces and APIs, insecure software development systems and practices — and even malicious attacks. 

Meanwhile, the second report published by Dimensional Research and sponsored by the Identity Defined Security Alliance (IDSA), 84% of responding organizations reported being impacted by an identity-related breach in the past 12 months, up from 79% from the previous year. Published in June, 2022 Trends in Securing Digital Identities surveyed more than 500 individuals responsible for IT security or identity and access management (IAM) at companies with more than 1,000 employees. Taking a broader look at digital identity, the IDSA report provides several rich data points that contextualize the security landscape that cloud IT decision makers need to confront:

• 98% said the number of identities is increasing, primarily driven by cloud adoption, third-party relationships, and machine identities.
• Of the organizations suffering breaches, 96% reported that they could have prevented or minimized the breach by implementing identity-focused security outcomes.
• 97% will be investing in identity-focused security outcomes.

Security implications of the race to the cloud

How exactly did identity management rocket to the top of security concerns in recent years? In a word: the cloud. But there is more to it than that; how IAM functions in the cloud is fundamentally different than how it works in legacy on-premises IT environments. The longstanding approach in on-premises environments included ringfencing users and assets — that is, firewalls that prevent unwanted network traffic. Conversely, in cloud environments, it is not possible to ringfence every application, resource, device, or user. 

Because of these realities, digital identity defines the new perimeter in the cloud. The problem is that the new perimeter-less environment has made managing access privileges magnitudes more critical than ever before. At the same time, with so many organizations rushing to transition their DevOps-oriented software pipelines to the cloud, the actual day-to-day management of identities and privileges now often falls to the developers. 

A decade or more ago, IAM systems were a somewhat arcane piece of the overall IT security equation. Generally, IT security administrators managed identities using solutions such as Microsoft Active Directory, or one of the more specialized commercial offerings such as Okta, Ping or ForgeRock. New hires would be granted access to internal systems — email, HR, developer resources — via a login and password when they joined the company, and privileges would be revoked when they departed. It was mostly a closed system where best practices were well understood and tightly managed. 

In a multicloud DevOps environment in 2022 — when identities and privileges are often managed at the developer level — the likelihood of over privileging or granting inappropriate standing access is very high. We see that reality reflected in the numbers from the surveys above. We also see the IT community developing a keen understanding of the vulnerabilities presented by weak IAM practices in cloud environments.

Let’s consider some of the steps security decision makers are taking to mitigate these vulnerabilities and risks. 

Active measures: Techniques for securing digital identities

Asked to name the areas where they will be investing in identity-focused security outcomes in the months and years ahead, IT security professionals surveyed by IDSA pointed to multifactor authentication (MFA) as their top choice. Roughly one-third of respondents named MFA — and deservedly so, as it is low hanging fruit that can deliver powerful security improvements in short timeframes.

The following two security measures identified: (A) continuous discovery of all user access rights, and (B) more timely review of access to sensitive data — named by 28% of respondents — are highly encouraging responses, as these issues get to the heart of what makes securing digital identities in the cloud so difficult. 

Continuous discovery is important because it enables organizations to gain visibility into all their human and machine identities and privileges — especially those that are over-privileged. Ideally, organizations that are active in the cloud should have the ability to quickly gain insights into high-risk identities, privileges, and activities from a unified cross-cloud access model. This is the most effective way to uncover shadow privileges and security blind spots — a highly valuable capability as an organization’s attack surface grows along with its use of APIs and third-party engagements. 

Ephemeral permissions

More timely review of access to sensitive data is such a key capability because privileges can drift, and many cloud accounts become over-privileged over time.

Continuous discovery plays a role here, but even more beneficial would be planned or time-based granting and revocation of access rights. The notion of “more timely review” is that security admins would monitor access rights on a regular schedule — good idea. But what if rights grants and revocations happened automatically? Better idea.

The concept of ephemeral or just-in-time permissioning is relatively new but gaining traction within the industry because it significantly reduces credential exposure. This zero-standing privileges approach would not only eliminate the risks posed by permanent hard-coded secrets, but also eliminate the major issue of “orphan” access rights that linger after employees get moved to a different team or leave the organization altogether.

The scourge of breach events resulting from poor IAM practices will not disappear overnight, but the cloud IT security community is moving in the right direction. 

Art Poghosyan is the CEO of Britive.