Least Privilege in The Cloud (and Everywhere Else)

June 9, 2021 Sam Flaster

Least Privilege Endpoint Cloud

Mark Twain once wrote that “History never repeats itself, but it often rhymes.” This is especially true in the world of cybersecurity. By examining some of the major breaches over the past decade, a repetitive attack chain is clear: external adversaries or internal threat actors target and compromise an identity to launch their attack, then escalate privileges, move laterally, and manipulate privileged access to reach sensitive data. And today, as cloud adoption surges, this pattern is seen acutely in cloud environments.

A Recent History of Identity-Centric Attacks

2013: A privileged insider used legitimate access to leak highly classified government information. The need to minimize standing and unnecessary privileged access to critical systems became a top-of-mind issue for both public and private sectors.

2014: An attack chain involving privileged credential abuse and escalation nearly crippled a leading entertainment company — prompting some organizations to take a closer look at Zero Trust frameworks.

2015: A country’s power grid was attacked when threat actors compromised valid credentials from an employee workstation, escalated privileges and moved laterally to gain control of SCADA systems. More than 225,000 people were left in the dark. 

2016: By abusing privileged credentials, attackers were able to reach SWIFT systems and illegally transfer $81 million in this international bank heist.  

2016-2017: Millions of sensitive customer and personnel records were exposed inadvertently in a string of separate breaches after third parties misconfigured cloud storage databases to allow public access. This highlighted the critical need to protect cloud credentials with strong privileged access controls and improve overall visibility of misconfigurations.

2017: A massive ransomware attack encrypted hundreds of thousands of computers across more than 150 countries. Subsequent research demonstrated that a combination of least privilege enforcement —via removal of local admin rights —and restricting applications were 100 percent effective in preventing ransomware from encrypting files.

2019: By way of a misconfigured firewall, an attacker entered a financial services organization’s cloud provider network and accessed a cloud virtual machine (VM). By assuming an over-permissioned role, the attacker obtained temporary privileged credentials to the company’s cloud database, exposing troves of personal data and costing the organization millions of dollars in regulatory fines.

 2020: This digital supply chain attack was unprecedented in sophistication and scale, but one aspect was all-too-familiar: the compromise of identities and privileged access on-premises and in the cloud. In a post-breach U.S. Senate hearing and numerous briefings, the message was clear: In our mobile, cloud world, identity is the new security battleground and the only practical control plane.

2021: Advanced persistent threat actors found vulnerabilities in a leading employee productivity suite, allowing the unauthenticated attackers to elevate privileges and control infrastructure, whether hosted on-premises or in the cloud. At least 30,000 U.S. organizations were impacted.

Now More than Ever: The Imperative for Least Privilege

Identity-related attacks are clearly nothing new, but they’re happening with alarming frequency in cloud environments, and often targeting cloud-hosted workloads. This makes sense, since 90% of organizations have accelerated their consumption of cloud services since COVID-19, according to a recent Flexera report.

In this era of security uncertainty, organizations are revisiting foundational practices like least privilege — when identities have their privileges and permissions restricted to bare minimum access — to mitigate risk and defend their growing cloud estates.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an analysis report to provide guidance on this front with specific recommendations such as eliminating access from employee personal devices, securing privileged access to cloud services, strengthening access controls with multi-factor authentication (MFA), and adopting a  “Zero Trust mindset.”

Zero Trust = Zero Excessive Privileges

In a Zero Trust cybersecurity model, organizations recognize that as they store their data, applications and infrastructure in the cloud and embrace remote work models, their IT environments are no longer defined by a physical perimeter. Zero Trust architectures reflect this shift away from a static perimeter toward individual users, assets and resources — or, simply, identities. By “assuming breach,” organizations grant no implicit trust to human or machine identities; all must all be continuously authenticated and authorized.

Least privilege access is a core authorization tenant of Zero Trust, recommended by both the U.S. National Security Agency and U.S. National Institute of Standards and Technology (NIST).

By granting identities the minimum necessary privileges and permissions, a compromised identity can be stopped from gaining the privileges needed to progress an attack. In other words, if — or rather, when — a breach occurs, least privilege prevents access to mission-critical infrastructure, minimizing the “blast radius” of an attack. Establishing least privilege also limits the number of entities that can grant or configure new permissions, making it more difficult for attackers to reach their goals.

Least Privilege: Easier Said than Done?

Of course, organizations face notable challenges when implementing least privilege in the cloud. Visibility across distinct environments is one hurdle: Just as organizations must remove excessive privileges for myriad types of endpoints and servers, they must also manage entitlements to access unique varieties of cloud-hosted infrastructure, containers and Kubernetes clusters. This can be even more difficult in cloud environments, where any human or machine identity can be configured (or misconfigured) with permissions to access privileged information. In fact, 19% of all data breaches can be attributed to misconfigured cloud infrastructure, according to IBM research.

And when organizations embrace a multi-cloud strategy — as 92% of them do — the potential for identity and access management (IAM) misconfigurations grows. Based on CyberArk data, we estimate there are more than 23,000 potential permissions that must be properly configured and securely managed across leading IaaS providers.

New CyberArk AWS Marketplace Offerings Accelerate Least Privilege Control and Risk Reduction

Today, we’re proud to announce the availability of CyberArk Cloud Entitlements Manager, CyberArk Endpoint Privilege Manager, and CyberArk Workforce Identity on Amazon Web Services Marketplace. These new offerings underscore our commitment to helping enterprises adapt a risk-based strategy for defending against identity-based attacks as they embrace the cloud, remote work, and other digital transformation initiatives.

Together, Cloud Entitlements Manager, Endpoint Privilege Manager, and Workforce Identity allow organizations to remove excessive privileges and permissions on endpoint devices, macOS platforms, servers, and VMs and throughout their cloud environments, deliver a frictionless user experience and enforce least privilege everywhere. Removing unnecessary privileges helps organizations limit lateral movement and stop privilege escalation to defend against attacks compromising identities.

Learn from History. Lead with Least Privilege

Attackers are zeroing in on identities to compromise cloud environments. For this reason, modern identities deserve Zero Trust. Don’t become part of history’s rhyme. Learn from it and change the verse by embracing a holistic strategy that starts with least privilege. Get started with a CyberArk Cloud Entitlements Manager free trial, a CyberArk Endpoint Privilege Manager free trial, a CyberArk Workforce Identity free trial or visit CyberArk on AWS Marketplace.

Previous Video
Ransomware Exposed: Key Learnings from Examining 3 Million Samples: A CyberArk Labs Webinar
Ransomware Exposed: Key Learnings from Examining 3 Million Samples: A CyberArk Labs Webinar

Ransomware has managed to become the fastest growing type of cybercrime. In this webinar, Cyberark labs exp...

Next Article
Better Together: CyberArk Endpoint Privilege Manager + EDR/NGAV Solutions
Better Together: CyberArk Endpoint Privilege Manager + EDR/NGAV Solutions

Learn why to deploy CyberArk Endpoint Privilege Manager in combination with Endpoint Detection & Response a...