Protecting privileged accounts in the cloud

by Matthew Brazier, ANZ Regional Director, CyberArk

Cloud platforms offer new and exciting options for Australian businesses, but they also create some significant security challenges. No longer able to simply ring-fence their core IT systems and data stores, businesses must find ways to secure infrastructures that combine both on-premise and cloud-based resources.

The security challenge this creates is very real. Criminals are increasingly turning their attention from trying to gain access to core systems to attacking cloud platforms. They see these as being softer targets that potentially lack the levels of security surrounding on-premise infrastructures.

Recent history shows that business losses from attacks against cloud platforms can be very significant. They range from reputation damage if services are disrupted to large financial losses if sensitive data or systems are compromised. In some cases, the damage can be so significant an organisation is put out of business altogether.

For Australian organisations, feelings of unease can be further heightened because many of the larger cloud platform providers make use of data centres in other parts of the world. They need to be sure their data and applications can be secured regardless of their geographic location.

The issue of privileged accounts

At the heart of the security challenge is the issue of privileged accounts. These are accounts used to access sensitive parts of an organisation's infrastructure where significant damage can occur if the associated credentials are compromised. Those credentials could include SSH keys, API keys or user name and password combinations.

Privileged accounts become more important when making use of cloud-based resources as they are used to establish and manage them. Each time an organisation's IT team provisions a new cloud resource, this is done using a privileged account. If the details of that account are not held securely, a potential security risk is created.

Essentially, privileged accounts create a huge attack surface because they exist at multiple layers within the IT infrastructure. They are accessed by users as well as applications and scripts, and often provide access to the most sensitive assets an organisation has in place.

The software-defined nature of cloud resources and the networks used to access them makes privileged account security even more critical. Software-defined techniques require multiple interactions between different components, and each requires some level of privileged access. Any lapses in security create potential areas for a breach to occur.

In the past, attackers would typically try to gain a foothold in a target infrastructure by gaining access to a server and then move laterally through the network. Today, with the management layer increasingly on a cloud platform, if an attacker gains access to it they then have access to everything within the cloud. The entire attack vector has changed.

The bottom line is that privileged accounts are critical to link on-premise systems with cloud platforms. However, it must be remembered that the dynamic nature of cloud can lead to large numbers of unmanaged privileged accounts that could be compromised.

Securing credentials in the cloud

When approaching the challenges caused by increasing use of cloud resources, it's important to start from a point of zero trust. Assume there is no effective security in place at all and then work diligently to improve this situation.

A first step is to create a comprehensive list of all the privileged accounts that exist across both internal and cloud-based resources. These should include all cloud-based resources and software-as-a-service (SaaS) providers such as NetSuite and others. You should also consider social media services such as Facebook and Twitter if they are used as part of the organisation's marketing efforts.

The next step is to lock down all the credentials that are in use. They must all be stored in a secure, central location where they can be tightly managed and rotated on a regular basis through changes to passwords.

Once that is completed, the IT team should work to isolate and control the sessions in which the credentials are used. Known as 'separation of duties', this ensures that users can only access the areas they require for their particular role.

Constant monitoring

Finally, use of the secured credentials needs to be continuously monitored, creating an audit of what is being done with them to ensure it is authorised.

It is also worthwhile including an ability to record each usage session so that, should a breach later occur, all the activity that took place can be checked.

Having usage time limits set, or one-time access credentials provided, can also assist and is particularly important with cloud-based systems. It ensures users can't walk away with privileged credentials and use them again later or have them compromised by a criminal.
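
The steps above (inventory, central storage with rotation, monitored and time-limited use) can be checked mechanically. The following is an added example, not code from the article or from CyberArk; the record fields, the 90-day rotation limit and all sample data are constructed assumptions.

```python
from datetime import datetime, timedelta
MAX_AGE = timedelta(days=90)  # assumed rotation policy, not from the article

# Constructed inventory spanning on-premise, cloud and SaaS credentials.
INVENTORY = [
    {"id": "root-db01", "kind": "password", "where": "on-premise",
     "vaulted": True, "rotated": datetime(2024, 5, 20)},
    {"id": "ci-deploy", "kind": "api_key", "where": "cloud",
     "vaulted": False, "rotated": datetime(2024, 5, 1)},
    {"id": "bastion-key", "kind": "ssh_key", "where": "cloud",
     "vaulted": True, "rotated": datetime(2023, 11, 2)},
]

# Constructed time-limited checkouts: (credential, user) -> (start, end).
CHECKOUTS = {
    ("root-db01", "alice"): (datetime(2024, 6, 1, 9, 0), datetime(2024, 6, 1, 10, 0)),
}

# Constructed usage log: (credential, user, time of use).
USAGE = [
    ("root-db01", "alice", datetime(2024, 6, 1, 9, 30)),   # inside window
    ("root-db01", "alice", datetime(2024, 6, 1, 14, 5)),   # reused after expiry
    ("bastion-key", "bob", datetime(2024, 6, 1, 11, 0)),   # never checked out
]

def audit_inventory(inventory, now, max_age=MAX_AGE):
    """Flag credentials that are outside the vault or overdue for rotation."""
    findings = []
    for cred in inventory:
        if not cred["vaulted"]:
            findings.append((cred["id"], "unmanaged"))
        if now - cred["rotated"] > max_age:
            findings.append((cred["id"], "rotation-overdue"))
    return findings

def audit_usage(usage, checkouts):
    """Flag any use that lacks a checkout or falls outside its time window."""
    findings = []
    for cred, user, when in usage:
        window = checkouts.get((cred, user))
        if window is None:
            findings.append((cred, user, "no-checkout"))
        elif not window[0] <= when <= window[1]:
            findings.append((cred, user, "outside-window"))
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, 18, 0)
    print(*(audit_inventory(INVENTORY, now) + audit_usage(USAGE, CHECKOUTS)), sep="\n")
```
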

Clear business benefits

Taking a structured and comprehensive approach to security of privileged accounts and associated credentials is increasingly important as organisations make more use of cloud-based resources. It also streamlines the management task by allowing the same approach to be taken whether resources are on-premise or in the cloud.

The cloud offers significant benefits to Australian organisations who want to improve efficiencies, boost agility and reduce operational costs. By ensuring a robust approach is taken to the security of critical privileged accounts, these benefits can be realised without reducing overall infrastructure security.