iTnews

Securing your identity in the clouds

By Staff Writer
May 23 2024 9:00AM

End-to-end identity security ensures protection in today’s multi-cloud environments.

We've gone beyond a cloud-enabled world – today organisations big and small operate in a multi-cloud world, maintaining different and disparate environments across providers with accounts data here, CRM records there and product development pipelines somewhere else again.

It's no secret security is one of the most important elements to get right when you're a multi-cloud user, and you'd be forgiven for thinking everything's fine because of the protections and protocols the major cloud services offer.

Think again. Even though they do a great job within their own architectures, today we migrate between clouds, on-premises environments and everything in between, and your information might be far less protected in transit.

End-to-end security is the data protection science of tomorrow that you need today.

Prashant Tyagi, Cloud Security Executive of identity and access management provider CyberArk, says that plenty of customers tell him they're covered because they only use one cloud service.

But many – especially larger corporations – have so many far-flung divisions, departments, affiliates and acquisitions that they're shocked when he points out they're actually multi-cloud users without even realising it.

"Sometimes it's not by choice, it just happens by default because of growth," he says.

The main drivers causing organisations to become multi-cloud users (whether they know it or not) are varied and might surprise you. The most common is regulatory compliance. "A lot of companies have to do it because governments mandate that they shouldn't put all their data in one cloud provider in a given region."

In other examples, it might be too expensive and time consuming to embark on a disruptive migration program if you acquire a company that uses a competing service.

And sometimes you need to integrate closely with the environment of a supplier or partner who uses a different service, having to become (as Tyagi puts it) 'a multi cloud provider to support other services or companies.'

All of which means migrating everything you control to just one environment or provider might not even be possible, let alone worth it.

Multi cloud threats

A bad actor might hijack the credentials of a low-level employee through social engineering and get a foot in the door, but a skilled one might then move laterally, finding and hijacking credentials with elevated privileges and causing damage at the highest access level.

In fact, that's exactly what happened to a major rideshare provider in 2022. As outlined in a CyberArk whitepaper about the incident, a cybercriminal used a stolen login to penetrate the company's data repository of company-wide access credentials.

That let them easily choose another account with admin access to the company's cloud service, letting them steal and leak personal information on more than 77,000 drivers.

Tyagi says the best defence against scenarios like the one above is managing your identity lifecycle throughout your cloud ecosystem – fortified from testing and development to production and launch across whatever providers and architectures you maintain. "Azure will give you great Azure security, AWS will give you great AWS security, but you need end-to-end identity security," he says.

Identity security is the science of detecting methods that create attack paths. It secures not just users but systems and applications that maintain access credentials.

It keeps tabs on the privileged access of identities from admins, workers in the office or remotely, third parties, devices and the ever-burgeoning number of machine identities because of emerging frameworks like the Internet of Things, monitoring them all throughout the access cycle where they connect to sensitive or critical business information.

Outsourcing identity security to a trusted partner might also be crucial because while the security frameworks of the major cloud providers are similar at what Tyagi calls the 'conceptual' level, their architectures differ more the deeper you go, making it challenging to be a multi-cloud company.

Above all, identity security is about securing your access to the cloud in all its forms no matter how you use it.

Trust no one

The lynchpin of identity security is zero trust, both a philosophy and a technical framework that uses three central tenets to connect to any service outside your domain – including the cloud.

First is risk awareness. Second is least privilege access, which ensures that every connection request by a person, device or software agent can only access the information necessary for the specific purpose of the connection and no more.

Third – and one often overlooked – is the element of time. If a user is logged in but there's no activity for a predetermined period, the system engages periodic or continuous verification of access. The best credential security and two-factor authentication are useless if a process has standing access carelessly left open for anyone else to come along and exploit.

That all adds up to one thing. Enabling zero standing privileges and just-in-time access with privileges to only what's required (and no more) is the best security posture to adopt in business today. Do so, and you've achieved zero trust.
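The three tenets above can be modelled as a small access broker. This is an added illustration, not code from the article or from CyberArk; the class, method names, timeouts and the `ci-runner` identity are all hypothetical, and risk awareness is reduced to a single "freshly verified" flag.

```python
import time
from dataclasses import dataclass

@dataclass
class Grant:
    actions: frozenset   # least privilege: only what this task needs
    expires_at: float    # just-in-time: hard end of the grant
    last_seen: float     # refreshed on every authorised use

class AccessBroker:
    """Hypothetical broker: no identity holds access until a grant is issued."""
    def __init__(self, ttl=900, idle_limit=300, clock=time.monotonic):
        self.ttl, self.idle_limit, self.clock = ttl, idle_limit, clock
        self.grants = {}

    def request(self, identity, actions, verified):
        # Assumption: 'verified' stands in for a fresh risk/MFA check.
        if not verified:
            return False
        now = self.clock()
        self.grants[identity] = Grant(frozenset(actions), now + self.ttl, now)
        return True

    def authorise(self, identity, action):
        grant, now = self.grants.get(identity), self.clock()
        if grant is None:
            return "deny: no grant (zero standing privileges)"
        if now >= grant.expires_at:
            del self.grants[identity]
            return "deny: grant expired"
        if now - grant.last_seen > self.idle_limit:
            del self.grants[identity]   # idle session must be verified again
            return "deny: idle, re-verify"
        if action not in grant.actions:
            return "deny: outside granted scope"
        grant.last_seen = now
        return "allow"

def demo():
    """Constructed scenario driven by a fake clock so the result is repeatable."""
    t = [0.0]
    broker = AccessBroker(clock=lambda: t[0])
    out = [broker.authorise("ci-runner", "db:read")]      # before any grant
    broker.request("ci-runner", {"db:read"}, verified=True)
    out.append(broker.authorise("ci-runner", "db:read"))  # inside scope
    out.append(broker.authorise("ci-runner", "db:drop"))  # outside scope
    t[0] = 400.0                                          # idle for 400 s
    out.append(broker.authorise("ci-runner", "db:read"))
    return out
```

After the idle denial the grant is deleted, so the identity is back to zero standing privileges until it requests access again.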

To learn more about how end-to-end identity security can help make your multi-cloud journey smoother and safer, download the free white paper '2024 Playbook: Identity Security and Cloud Compliance'.

Copyright © iTnews.com.au . All rights reserved.