Triage Your Cloud Security: Risk Prioritization Methods

It’s a familiar post-disaster scene in seemingly every television medical drama. A ferry has crashed, or a train has derailed. Patients flood into the ER, each requiring urgent medical attention. The impossibly attractive medical staff must quickly assess and prioritize patients based on the severity of their injuries and the likelihood of survival. Someone with great hair likely says an inspiring quote and jumps immediately into action.

To carry the plot, the medical staff often struggles to make decisions under pressure, leading to confusion and delays in treatment. As the chaos intensifies, the absurdly well-lit ER becomes overwhelmed, with patients and their families increasingly anxious and frustrated. The risk of medical errors and adverse outcomes rises, further compounding the crisis. And then your favorite character probably gets killed off. All thanks to one element the writers left out of the scene: triage. Great TV – terrible medicine.

While the chaos of a TV trauma center may seem far removed from the world of cybersecurity, the concept of triage is just as relevant when it comes to prioritizing and addressing cyberthreats. Just as medical staff must quickly assess and prioritize patients based on the severity of their injuries, organizations must also assess and prioritize cyberthreats to maintain order, efficiency and safety in any environment. With a multitude of identities possessing varying levels of privilege and access, the challenge lies in effectively prioritizing security measures.

Defining Risk: A Common Lens

Before delving into the prioritization strategies, a quick note about establishing a common understanding of risk. Organizations may define risk differently, but in our experience mitigating identity-related threats, we define risk as a combination of three fundamental factors:

1. Level of privilege refers to the type of privilege granted to an identity, ranging from read-only access to full administrative control, including the ability to modify other identities’ permissions.
2. Scope of influence, also known as the blast radius, describes the extent to which an identity can access systems and resources. This can range from access to a single cloud-native service to multiple services with access to elastic workloads to full access to every resource and service.
3. Ease of compromise refers to the level of difficulty for a malicious actor to compromise access. This includes the existence of technical vulnerabilities and the level of controls applied to protect the identity.

Building on this definition of risk, let’s examine two effective risk-based prioritization methods that can provide a framework for triaging your cloud security priorities.

Method No. 1: Security Control-Based Risk Prioritization

Our first method for triaging cloud security priorities is based on the understanding that not all organizations can deploy all security controls simultaneously. Therefore, priorities are determined by assessing the risk impact and the effort required for mitigation. In this approach, organizations implement security controls iteratively, focusing on specific control families. If we look back at the triage scene, this would be like simultaneously treating patients with similar injuries.

The recommended prioritization for this control-based method follows these steps:

1. Progress toward zero standing privileges (ZSP). You can work toward achieving this by implementing role-based access, multi-factor authentication (MFA), session protection and audit functionalities. ZSP helps to ensure that users only have access to resources when needed and for the duration necessary to perform their tasks. Controls facilitating ZSP are prioritized to mitigate the sprawl of excessive access. This step will have the most significant impact on minimizing risk.
2. Implement standing privileged access controls. This can be done through credential vaulting, password management, MFA and session monitoring. Prioritize root and registration account security, minimize freestanding access and use robust credential management for necessary cases. Continuously refine non-emergency account privileges to enforce least privilege.
3. Deploy secrets management controls. This includes secrets vaulting, rotation, complex policies, removal of hard-coded secrets and just-in-time (JIT) delivery to applications. Focus on refining privileges for machine workloads and apply these controls to machine passwords and keys to mitigate credential theft and privilege abuse.
4. Establish identity governance controls. Focus on lifecycle management and compliance mechanisms. Start by rolling out lifecycle management to IT admin roles, followed by developers and other privileged roles. Ensure roles are explicitly defined and implement identity compliance across all human users to certify and adjust access as needed periodically.

Method No. 2: Identity/Persona-Based Risk Prioritization

In contrast to security control-based prioritization, the second method for triaging cloud security priorities focuses on securing identities based on their roles or personas, assuming simultaneous application of all security control families. The ideal prioritization hierarchy, which would be akin to treating women and children first in our triage scenario, typically follows this sequence:

1. Secure root and registration accounts. Start by securing high-privileged accounts, such as those with Global Administrator access, with measures like MFA.
2. Prioritize IT administrators. Focus on roles with extensive administrative access across cloud service provider (CSP) accounts, as they have the potential for the most significant impact.
3. Tailor security controls for developers and service administrators. Apply tailored security controls to individuals with privileged access to specific services or resources within CSPs.
4. Address other application and audit teams. Secure users with lesser privileges, including read-only access.
5. Safeguard machine workloads and cloud-native services. Protect automation and orchestration workloads, often with sensitive permissions, using secrets management and least privilege controls.

A Note on Regulatory Compliance

Regulatory compliance is a critical factor to consider when prioritizing security measures. Adhering to frameworks such as GDPR, HIPAA or SOC 2 is essential for ensuring data protection and privacy. To align your risk prioritization efforts with regulatory mandates, consider the following steps:

1. Implement Data Protection Requirements. Take steps to safeguard sensitive data and comply with data protection regulations by implementing new or additional security controls.
2. Establish Auditing and Reporting Mechanisms. Set up mechanisms for auditing and reporting to demonstrate compliance with regulatory requirements.
3. Develop Incident Response Preparedness. Create incident response plans and procedures to address data breaches and security incidents in compliance with regulatory guidelines.

Streamlining Your Cloud Security Risk Prioritization

Just like in a TV medical drama, effective prioritization is essential when dealing with many threats, including cyberthreats. The coiffed chief of surgery has aligned the triage strategy with standard Hollywood hospital protocol. Each staff member has a clearly defined role; every patient is cared for when needed. Someone with great hair still probably says an inspiring quote.

By addressing the common challenges and considerations outlined in this blog, organizations can more effectively navigate the complexities of risk prioritization, enhance their cloud security posture and ensure compliance with regulatory mandates.

Effective risk prioritization requires a nuanced understanding of risk dynamics and a strategic, adaptive approach. Organizations can use a combination of security control-based and identity/persona-based approaches to enhance their resilience against evolving cyberthreats while optimizing resource allocation and effort.

The bottom line is that cutting the drama in your cloud security requires risk prioritization. A clear strategy and well-defined priorities can help maintain order, efficiency and safety in your cloud environment.

To dive deeper into cloud security fundamentals and learn how it plays into compliance, check out our whitepaper 2024 Playbook: Identity Security and Cloud Compliance.

Alyssa Miles is a product marketing manager at CyberArk.