Addressing Identity and Privilege Management Issues in the Cloud

Oct 25, 2017
Author:
Morey Haber Headshot 2024
Morey J. Haber
Chief Security Advisor

Cloud Security

Ponder this question for a moment. How many distinct passwords do you remember?

The average user relies on dozens of passwords for home and business. Hopefully none of those credentials share a password, and hopefully none of the passwords is so simple that it would fall to a dictionary attack.

Now consider the findings of Skyhigh Networks in their Cloud Adoption and Risk Report: the average user within an organization uses no fewer than 36 cloud applications, equating to perhaps another 36 passwords to remember (fewer where single sign-on or a password manager is in use).

These cloud resources suffer the same password complexity, reuse, and basic management problems as an on-premises directory and authentication system such as Active Directory, except that policy must be configured for each service individually or propagated through federation (for example, Active Directory Federation Services). Unfortunately, both on-premises and cloud solutions carry their own security risks, from being unable to enforce a current password policy to relying on one master password for every user resource, which represents the same risk as password reuse.

Reducing Identity Risk in Cloud Environments

To mitigate these threats, organizations typically apply a layered security approach (with yet another solution) to enforce multi-factor authentication. This hardens access by requiring two or more pieces of evidence to validate that you are who you say you are. Multi-factor solutions come in a variety of forms, from trusted devices to PIN codes and biometrics, but the outcome is the same: higher confidence in your identity. Ultimately, you still need a password per site unless you are leveraging a centralized directory store (or something worse, such as a consumer social login from Facebook or Google) to authenticate you. Then we are back to one password for everything, and, hopefully, multi-factor authentication (if supported by the cloud resource) keeps you safe. This brings us to our next problem…

Stale or Default Passwords in Cloud Environments

How often do you change your passwords on cloud resources that are not centrally connected via an authentication service? Probably nearly never, right? Yes, we are forced to change them for work assets, but we normally do not change them for home resources or for non-corporate-managed cloud resources like Twitter, Facebook, LinkedIn, etc.

Yes, solutions like ADP and Salesforce can require periodic password changes, but that policy must be configured by your IT security or operations teams for each service. There is no centralized enforcement, and definitely no way to verify password history or reuse between resources. It just does not exist, yet. (Current guidance, notably NIST SP 800-63B, favours forcing a change when there is evidence of compromise rather than on a fixed schedule, but even that requires someone with the ability to enforce the change on every resource.)

Addressing Legacy Attack Vectors in Cloud Environments via Improved Password Management Hygiene

So why are these findings from Skyhigh so important? They identify legacy attack vectors that we have been struggling to close for years but still cannot seem to mitigate:

  • Password Re-use – There is no way to determine, across cloud resources, whether the same account password is reused between applications. One compromised password then becomes an attack vector for every resource that shares it. Remembering 36 additional passwords on top of traditional on-premises credentials is impossible for most humans, which is the opportunity for password management solutions.
  • Password Policy – Many cloud resources lack the maturity to enforce password policies for complexity and maximum age, or to require multi-factor authentication. To reduce risk, avoid vendors who lack these capabilities and who offer no form of integrated (federated) authentication.
  • Rogue Accounts – Provisioning and Identity and Access Management (IAM) solutions provide the front line for managing entitlements, but they can only manage what they can see, and cloud resources are typically beyond their control. Yes, an IAM solution can provision an Office 365 user from Workday, but it cannot control a rogue user, resource, or account. Just look at how many fake Twitter accounts claim to represent the President of the United States. Nothing stops a rogue account from impersonating your business; the only limit is the data it can reach. The more cloud resources your company adopts, the higher the risk of some form of impersonation, especially if accounts are not deprovisioned when employees leave.
  • Vulnerability Management – This problem is a little more obscure than most people assume. When you trust a cloud resource with your data and business operations, you implicitly trust that the provider is conscientiously doing everything possible to ensure that no exploitable vulnerabilities are present in their solution. You, as an end user, typically lack the rights to perform a web application scan, vulnerability assessment, or penetration test against the service and to demand remediation. This is a risk: the more vendors you have, the higher the likelihood that one of them is not doing something right. As a vendor, I have recently seen more clients requesting hardening guidelines, results of security testing, and vulnerability reports attesting that we are doing the right things. You should make these requests of your vendors too. Your partners’ vulnerability management programs need to be an extension of yours, with a way to trust and verify their results as well as to secure your users and your information.
  • Management and Session Tools – Cloud resources simply lack the tool sets we take for granted in on-premises environments; it is a maturity factor. There are few network management (availability or service level agreement) solutions or session recording and auditing products that can monitor third-party cloud resources, so again we are at the mercy of the provider. An entire market has developed around Cloud Access Security Brokers (CASB) to solve some of these problems, but nothing really stops a user with permissions from dumping data out to a file or to another cloud service. On premises, mature products like data loss prevention (DLP) and personally identifiable information (PII) discovery can assist with information classification. In the cloud, both authorized and unauthorized users present an elevated risk because it is more difficult, or impossible, to monitor the things we used to control.
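The reuse, complexity, dictionary and staleness problems listed above are exactly what a password-manager audit can check once every cloud credential sits in one vault. The following Python script is an added example, not code from the original post or from BeyondTrust: it audits a constructed vault export (the list-of-dicts format, the sample entries, the wordlist and the thresholds are all assumptions made for illustration) and detects reuse across resources by grouping keyed HMAC fingerprints rather than plaintext, so the report itself does not leak crackable hashes.

```python
"""Audit a credential vault export for the hygiene problems discussed above:
password reuse across resources, weak or dictionary-derived passwords, and
passwords that have not been changed in too long.

Added example, not part of the original post. The vault format (a list of
dicts with resource/username/password/last_changed), the sample entries, the
wordlist and the thresholds are all assumptions made for illustration.
"""
import hashlib
import hmac
import os
import re
from datetime import date
from typing import Dict, List, Optional

# Constructed sample export (fictitious credentials, not real ones).
SAMPLE_VAULT = [
    {"resource": "salesforce.com", "username": "jdoe",
     "password": "Summer2017!", "last_changed": date(2016, 1, 4)},
    {"resource": "workday.com", "username": "jdoe",
     "password": "Summer2017!", "last_changed": date(2017, 9, 1)},
    {"resource": "twitter.com", "username": "jdoe",
     "password": "password1", "last_changed": date(2014, 3, 2)},
    {"resource": "github.com", "username": "jdoe",
     "password": "c7&Lq9!vR2mZ#xW4", "last_changed": date(2017, 8, 15)},
]

# Tiny constructed wordlist standing in for a real dictionary-attack list.
COMMON_WORDS = {"password", "summer", "welcome", "letmein", "qwerty"}

MIN_LENGTH = 12          # assumed policy: at least 12 characters ...
MIN_CLASSES = 3          # ... drawn from at least 3 of 4 character classes
MAX_AGE_DAYS = 365       # assumed policy: flag anything older than a year
AUDIT_DATE = date(2017, 10, 25)  # the post's publication date, used as "today"


def password_fingerprint(password: str, key: bytes) -> str:
    """Keyed fingerprint (HMAC-SHA256) so identical passwords can be grouped
    without writing plaintext, or an unkeyed hash that could be cracked
    offline, into the audit report."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def is_complex(password: str) -> bool:
    """Length plus character-class rule (lower, upper, digit, symbol)."""
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return len(password) >= MIN_LENGTH and classes >= MIN_CLASSES


def dictionary_base(password: str) -> Optional[str]:
    """Return the wordlist entry a password is built from, if any.

    Undoes the manglings a dictionary attack tries first: case changes,
    a trailing run of digits/symbols ('Summer2017!' -> 'summer') and
    common leet substitutions ('p@ssw0rd' -> 'password')."""
    stripped = re.sub(r"[0-9!@#$%^&*]+$", "", password).lower()
    unleet = stripped.translate(str.maketrans("013457@$", "oleastas"))
    for candidate in (stripped, unleet):
        if candidate in COMMON_WORDS:
            return candidate
    return None


def audit_vault(vault: List[dict], today: date,
                key: Optional[bytes] = None) -> List[dict]:
    """Return one finding per problem found: {'kind', 'resource', 'detail'}."""
    # Fresh random key per run: fingerprints are only comparable within one report.
    key = key or os.urandom(32)
    findings: List[dict] = []
    by_fingerprint: Dict[str, List[str]] = {}

    for entry in vault:
        resource, password = entry["resource"], entry["password"]
        by_fingerprint.setdefault(
            password_fingerprint(password, key), []).append(resource)

        if not is_complex(password):
            findings.append({"kind": "weak", "resource": resource,
                             "detail": f"fails length>={MIN_LENGTH}/{MIN_CLASSES}-class rule"})
        word = dictionary_base(password)
        if word:
            findings.append({"kind": "dictionary", "resource": resource,
                             "detail": f"derived from wordlist entry '{word}'"})
        age_days = (today - entry["last_changed"]).days
        if age_days > MAX_AGE_DAYS:
            findings.append({"kind": "stale", "resource": resource,
                             "detail": f"{age_days} days since last change"})

    # Reuse is only visible once every resource's credential is in one place.
    for resources in by_fingerprint.values():
        if len(resources) > 1:
            findings.append({"kind": "reuse", "resource": ", ".join(sorted(resources)),
                             "detail": "same password on multiple resources"})
    return findings


if __name__ == "__main__":
    for finding in audit_vault(SAMPLE_VAULT, AUDIT_DATE):
        print(f"{finding['kind']:<11}{finding['resource']:<32}{finding['detail']}")
```

Run stand-alone, the script prints one line per finding for the sample vault: the shared "Summer2017!" is reported once as reuse across salesforce.com and workday.com, and separately as weak and dictionary-derived on each, while the strong github.com credential produces no findings. The HMAC key is generated per run, so two reports cannot be correlated to learn which passwords are shared; pass a fixed key only if you deliberately want reproducible fingerprints.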

The cloud provides a more flexible, cost-effective, and distributed way to promote the business and extend functionality out to the marketplace. With this model come risks. Everything from the accounts and passwords we use to secure these resources to the tools and management functions we perform every day on premises needs an appropriate translation. As cloud adoption continues to expand, organizations need to get on top of privileged and non-privileged account access to better manage risk, before cloud security issues erode confidence in the cloud.

