Privileged Identity Management in the Cloud

Editorial Type: Opinion     Date: 09-2014
Jess A. Richter of Lieberman Software explains the security issues that arise when managing privileged identities in the cloud.

Every cloud infrastructure can be home to potentially hundreds of thousands of vulnerable privileged accounts. Given the availability of automated hacking tools, improperly secured privileged logins are almost certain to give hackers free rein on the network and, in turn, access to customers' private data, often within minutes of an incursion.

Until now, privileged accounts and other file-based secrets have proven difficult to secure within large-scale, dynamic Cloud Service Provider (CSP) networks, and many providers still rely on manual effort and first-generation software tools to manage the task. As a result, improperly secured privileged accounts provide an easily exploited attack surface for hackers and malicious insiders.

SECURITY CONCERNS FOR CLOUD SERVICE PROVIDERS
The problem of improperly secured privileged accounts is a particular concern for cloud providers. They face significant consequences from any data loss incident, including direct remediation and legal costs, along with the loss of business that follows the public disclosure of a data breach. These service providers also face a daunting challenge: securing constantly changing physical and virtual IT assets using security methodologies that, in some cases, were never intended to address the scale, dynamism and complexity of today's cloud services networks.

In general, privileged identities aren't managed by conventional Identity and Access Management (IAM) systems because, unlike conventional user logins, privileged accounts aren't typically provisioned. Instead, privileged accounts appear on the network whenever physical and virtual IT assets are deployed or changed.

As a result, privileged credentials must be discovered and continuously tracked by software that's separate from IAM. Because every shared, static, or cryptographically weak privileged identity represents a potential attack surface, IT regulatory mandates, including PCI-DSS, SOX and HIPAA, require that these credentials be frequently changed and cryptographically complex. Access to these privileged accounts must also be attributed to named individuals and then audited.

However, this can prove to be an overwhelming challenge when access lists, and even the assets themselves, change more rapidly than human intervention can realistically keep track of.

MANAGING THE PRIVILEGED ACCOUNT PROBLEM
CSPs are faced with significant security challenges when managing privileged identities, certificates and other file-based secrets on a massive scale in large elastic environments. In the world's largest multi-tenant organisations, the number of systems that need to be managed can extend into the hundreds of thousands. A truly secure environment requires all identities, on all systems, to be discovered and managed.

In order to accomplish this, cloud providers and other large enterprise deployments require a solution that can discover, audit and control access to privileged accounts entirely by machine, using an automated and programmatic approach that removes the current default dependence on direct human intervention. Only by deploying automated security solutions can these organisations locate and remediate weaknesses faster than nation-state attackers and other professional criminal hackers can find and exploit them.

With automated and programmatic controls over privileged identities, cloud service providers can achieve the following advantages:

• Privileged account discovery and tracking that is both broad in platform scope and deep in account coverage. This includes mapping process and service interdependencies, so that interdependent accounts can be changed automatically and safely without disruption
• Password changes, as often as needed to comply with regulatory mandates
• Rules governing human and machine access to privileged accounts
• Ongoing detection and decommissioning of inactive privileged accounts as the assets that hosted them are removed.
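The following is an added example, not code from the article or from Lieberman Software, showing the core of such a programmatic approach over a constructed inventory: each discovery sweep enrols newly appeared accounts, flags credentials past an assumed 90-day rotation age, flags the same credential fingerprint reused across systems, and decommissions accounts that have vanished. The host names, fingerprints and dates are all constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation policy (not from the article)


@dataclass
class PrivAccount:
    host: str
    name: str
    secret_fingerprint: str   # hash of the credential; the secret itself is never stored here
    last_rotated: date


@dataclass
class Tracker:
    known: dict = field(default_factory=dict)   # (host, name) -> PrivAccount

    def reconcile(self, scan, today):
        """Merge one full discovery sweep into the tracked inventory; return findings."""
        findings = {"new": [], "rotate": [], "shared": [], "decommission": []}
        seen = set()
        for acct in scan:
            key = (acct.host, acct.name)
            seen.add(key)
            if key not in self.known:
                findings["new"].append(key)          # appeared without being provisioned
            self.known[key] = acct
            if today - acct.last_rotated > MAX_PASSWORD_AGE:
                findings["rotate"].append(key)       # out of policy, needs a password change
        for key in list(self.known):                 # tracked earlier, absent from this sweep
            if key not in seen:
                findings["decommission"].append(key)
                del self.known[key]
        by_fp = {}                                   # same fingerprint on >1 host = shared/static
        for key, acct in self.known.items():
            by_fp.setdefault(acct.secret_fingerprint, []).append(key)
        findings["shared"] = [keys for keys in by_fp.values() if len(keys) > 1]
        return findings


def run_demo():
    """Two constructed sweeps: a stale, shared root credential, then a rotated fleet."""
    today = date(2014, 9, 1)
    tracker = Tracker()
    first = [PrivAccount("vm-01", "root", "fp-a1", today - timedelta(days=120)),
             PrivAccount("vm-02", "root", "fp-a1", today - timedelta(days=120)),
             PrivAccount("vm-02", "svc_backup", "fp-b2", today - timedelta(days=10))]
    second = [PrivAccount("vm-01", "root", "fp-z9", today),   # rotated, unique credential
              PrivAccount("vm-03", "root", "fp-c3", today)]   # newly deployed host; vm-02 gone
    return tracker.reconcile(first, today), tracker.reconcile(second, today)
```

In a real deployment the sweep would be fed by platform-specific discovery (local accounts, service logons, keys in files) rather than a hand-built list, and the findings would drive the change and audit workflow.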

CONCLUSION
Now that next-generation security solutions exist that meet cloud service provider requirements for managing privileged identities, certificates and other file-based secrets in large elastic environments, a significant operational roadblock is removed. That roadblock once prevented the largest CSPs from complying with industry and regulatory requirements, but now there is no excuse.
