Moving workloads to the cloud has led organizations (and IT administrators) to lose control over those workloads and relinquish many critical aspects of cybersecurity. As a result, what is considered “inside” in an on-premises world is suddenly “outside” in a publicly hosted cloud infrastructure. Hackers can have the same access to publicly hosted workloads as IT administrators, using standard connection methods, protocols and public APIs. In effect, the whole world becomes an insider threat. Workload security, therefore, is defined by the people who can access those workloads and the permissions they have.
The problem lies with the practicality and flexibility associated with cloud environments. Cloud administrators frequently grant extensive permissions to groups of users to enable them to accomplish tasks seamlessly. In practice, most users use only a small portion of the permissions granted to them and have no business need for all of them. This represents a serious security gap since if these user credentials were ever to fall into malicious hands, attackers would have extensive access to sensitive data and resources. According to Gartner’s Managing Privileged Access in Cloud Infrastructure report, by 2023, 75% of cloud security failures will be attributable to inadequate management of identities, access, and privileges.
#1 Not Understanding The Difference Between USED and GRANTED Permissions
Eighty percent of excessive permissions are based on roles. In a cloud environment where the resources are hosted “outside” of the organization, the access permissions to the network define the organization’s threat surface.
Unnecessary permissions stem from the gap between what users need to get their job done and what they have in terms of permissions. Put differently, it is the gap between defined and used permissions. The difference between these two is your organization’s attack surface.
Understanding the difference between USED and GRANTED permissions is one of the biggest blind spots that lead to a data breach. This is why it is important to constantly monitor and analyze this gap to make sure that it is as small as possible, and consequently, that your attack surface is equally small.
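The gap between granted and used permissions can be measured directly from activity logs. The following script is an added example, not code from the original article or any vendor product: it takes IAM-style grants per principal and a handful of constructed CloudTrail-like records (the ARNs, grants and events are all made up), derives the actions each principal actually exercised, and reports which grants were never used and which wildcard grants could be narrowed to the concrete actions seen. It assumes the simplification that the IAM action equals the CloudTrail `eventSource` prefix plus `eventName`, which holds for most but not all API calls.

```python
import fnmatch
from collections import defaultdict

# Constructed sample data: three principals with IAM-style grants (action patterns).
# These ARNs and grants are made up for the example.
ROLE_PIPELINE = "arn:aws:iam::123456789012:role/DataPipeline"
ROLE_OPS = "arn:aws:iam::123456789012:role/OpsReadOnly"
ROLE_LEGACY = "arn:aws:iam::123456789012:role/LegacyBackup"

GRANTED = {
    ROLE_PIPELINE: ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "dynamodb:*", "iam:PassRole"],
    ROLE_OPS: ["ec2:*"],
    ROLE_LEGACY: ["s3:*"],   # never exercised in the log below
}

# Constructed CloudTrail-like records, reduced to the three fields this analysis needs.
EVENTS = [
    {"userIdentity": {"arn": ROLE_PIPELINE}, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": {"arn": ROLE_PIPELINE}, "eventSource": "dynamodb.amazonaws.com", "eventName": "Query"},
    {"userIdentity": {"arn": ROLE_PIPELINE}, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": {"arn": ROLE_OPS}, "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]


def used_actions(events):
    """Map each principal to the set of "service:Action" strings it actually exercised.

    Simplification (assumed): the IAM action is taken to be the CloudTrail eventSource
    prefix plus eventName. Real mappings have exceptions, so treat this as a first pass.
    """
    used = defaultdict(set)
    for ev in events:
        service = ev["eventSource"].split(".")[0]
        used[ev["userIdentity"]["arn"]].add(f"{service}:{ev['eventName']}")
    return used


def permission_gap(granted, used):
    """For each principal, split grants into those never exercised ("unused") and
    wildcard grants that were exercised but could be narrowed to the concrete actions seen."""
    report = {}
    for principal, grants in granted.items():
        exercised = used.get(principal, set())
        unused, narrowable = [], {}
        for grant in grants:
            matched = sorted(a for a in exercised if fnmatch.fnmatchcase(a, grant))
            if not matched:
                unused.append(grant)
            elif "*" in grant:
                narrowable[grant] = matched
        report[principal] = {"unused": sorted(unused), "narrowable": narrowable}
    return report


def gap_ratio(granted, used):
    """Share of all grants that were never exercised: a crude size of the attack surface
    the text describes (0.0 = every grant is used, 1.0 = nothing granted is used)."""
    total = sum(len(g) for g in granted.values())
    unused = sum(len(r["unused"]) for r in permission_gap(granted, used).values())
    return unused / total if total else 0.0


if __name__ == "__main__":
    used = used_actions(EVENTS)
    for principal, r in permission_gap(GRANTED, used).items():
        print(principal.rsplit("/", 1)[-1], "unused:", r["unused"], "narrowable:", r["narrowable"])
    print(f"unused share of grants: {gap_ratio(GRANTED, used):.0%}")
```

Two caveats a practitioner would want before acting on the output: object-level S3 calls such as `GetObject` are CloudTrail data events and are not logged unless data-event logging is enabled, so a role can look unused simply because its activity was never recorded; and a grant that is unused over one observation window (for example a quarterly batch job) is not necessarily unnecessary, so the window should cover the full business cycle before permissions are removed.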
#2 Your Problem Isn’t Detection. It’s Correlation
Cybersecurity alerts have become the proverbial “boy who cried wolf.” According to a multitude of third-party reports, the average security operations center handles approximately 10,000 alerts per day.
Alert overload is one of the leading causes of alerts being overlooked, and as a result, indicative alerts of potentially malicious activity are lost in the sea of warnings, thereby leading to a data breach.
The inability to focus on the alerts that matter most is one of the biggest cloud security blind spots organizations currently have. It is critical that security teams have a unified view across multiple cloud environments and accounts, with built-in alert scoring for efficient prioritization.
#3 An Inability to Connect The Dots
Data breaches don’t happen instantly; they unfold over time. They’re a long process of trial and error by the attacker, comprising numerous small steps and activities as the attacker attempts to gain access to sensitive data.
These small steps and activities, many of which are low- or medium-priority events, are frequently overlooked. Making matters worse, a data breach unfolds over six months on average. Therefore, even if individual events are detected, they are frequently forgotten about by the time the next related event is detected; the “dots” never get connected.
The ability to correlate individual events/alerts over time into an attack “storyline” is one of the biggest cloud security blind spots organizations have and is critical to stopping a data breach before it happens.
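The correlation and scoring described under #2 and #3 can be sketched in a few dozen lines. The script below is an added example and is not code from the original article or any product: it groups constructed alerts (the principals, timestamps, stages and messages are made up) per principal, splits them into storylines whenever the gap between consecutive alerts exceeds the six-month window the text mentions, and scores each storyline so that a chain of low- and medium-severity events progressing through several stages outranks a single isolated high-severity alert. The stage order, severity weights and progression bonus are assumptions chosen for illustration, not values from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified attack progression used to order stages; not from the article.
STAGE_ORDER = ["recon", "initial_access", "privilege_escalation", "collection", "exfiltration"]
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7}
PROGRESSION_BONUS = 5          # added per additional distinct stage in one storyline
WINDOW = timedelta(days=180)   # the six-month horizon the text mentions

# Constructed alerts (timestamps, principals and messages are made up).
ALERTS = [
    {"ts": "2024-01-03T10:12:00", "principal": "svc-reporting", "severity": "low",
     "stage": "recon", "msg": "ListBuckets from previously unseen IP"},
    {"ts": "2024-01-20T02:40:00", "principal": "admin-bob", "severity": "high",
     "stage": "initial_access", "msg": "console login without MFA"},
    {"ts": "2024-02-10T14:05:00", "principal": "svc-reporting", "severity": "medium",
     "stage": "privilege_escalation", "msg": "AttachRolePolicy on own role"},
    {"ts": "2024-03-15T09:30:00", "principal": "svc-reporting", "severity": "low",
     "stage": "collection", "msg": "GetObject volume 20x baseline"},
    {"ts": "2024-04-02T23:55:00", "principal": "svc-reporting", "severity": "medium",
     "stage": "exfiltration", "msg": "PutObject to bucket in another account"},
    {"ts": "2023-02-01T08:00:00", "principal": "ci-runner", "severity": "low",
     "stage": "recon", "msg": "DescribeInstances burst"},
    {"ts": "2024-01-05T08:00:00", "principal": "ci-runner", "severity": "low",
     "stage": "recon", "msg": "DescribeInstances burst"},
]


def build_storylines(alerts, window=WINDOW):
    """Group alerts per principal in time order; start a new storyline whenever the
    gap to the previous alert for that principal exceeds the window."""
    by_principal = defaultdict(list)
    for a in alerts:
        by_principal[a["principal"]].append({**a, "when": datetime.fromisoformat(a["ts"])})
    stories = []
    for principal, items in by_principal.items():
        items.sort(key=lambda a: a["when"])
        current = None
        for a in items:
            if current is None or a["when"] - current["alerts"][-1]["when"] > window:
                current = {"principal": principal, "alerts": []}
                stories.append(current)
            current["alerts"].append(a)
    return stories


def score_storyline(story):
    """Severity weights summed, plus a bonus for every additional distinct stage:
    a chain of low/medium events spanning several stages outranks one isolated high alert."""
    base = sum(SEVERITY_WEIGHT[a["severity"]] for a in story["alerts"])
    stages = {a["stage"] for a in story["alerts"]}
    return base + PROGRESSION_BONUS * (len(stages) - 1)


def prioritize(stories):
    """Return storylines ranked by score, each with its stages listed in attack order."""
    ranked = []
    for s in stories:
        stages = sorted({a["stage"] for a in s["alerts"]}, key=STAGE_ORDER.index)
        ranked.append({"principal": s["principal"], "score": score_storyline(s),
                       "stages": stages, "count": len(s["alerts"])})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize(build_storylines(ALERTS)):
        print(f'{r["score"]:3d}  {r["principal"]:<14} {r["count"]} alerts  {" -> ".join(r["stages"])}')
```

With the constructed input, the four individually unremarkable `svc-reporting` alerts form one storyline that scores 23 and lands at the top of the queue, while the single high-severity `admin-bob` alert scores 7, and the two `ci-runner` alerts, more than six months apart, are kept as separate single-event storylines. In practice the grouping key would also need to account for principals that change identity mid-attack (assumed roles, session tokens), which is exactly where cross-account, cross-environment correlation earns its keep.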