Ponder this question for a moment. How many distinct passwords do you remember? The average user relies on dozens of passwords for home and business. Hopefully there is no password re-use between any of the credentials... And, hopefully, the passwords are not so simple that they would fall victim to a dictionary attack. Now consider the findings by Skyhigh Networks in their Cloud Adoption and Risk Report. The average user within an organization uses no less than 36 cloud applications, equating to, perhaps, another 36 passwords to remember as well (varying based on factors such as single sign-on or password management solutions). These cloud resources are subject to the same problems of password complexity, re-use, and basic management as an on-premises directory service and authentication system, like Active Directory, except that policy needs to be set up individually for each resource or distributed using solutions like Active Directory Federation Services (AD FS). Unfortunately, both on-premises and cloud solutions carry their own security risks, from not being able to enforce the current password policy to having one master password for all user resources, which represents the same risk as password re-use.
Reducing Identity Risk in Cloud Environments
To mitigate these threats, organizations typically apply a layered security approach (with yet another solution) to enforce multi-factor authentication. This hardens access by requiring two or more pieces of evidence to validate that you are who you say you are. While multi-factor solutions can come in a variety of forms—from trusted devices to PIN codes and biometrics—the outcome is a higher confidence in your identity. Ultimately, you still need a password per site unless you are leveraging a centralized directory store (or something worse, like Facebook or Google) to authenticate you. Then we are back to one password for everything and, hopefully, multi-factor authentication (if supported by the cloud resource) can keep you safe. This brings us to our next problem…
Stale or Default Passwords in Cloud Environments
How often do you change your passwords on cloud resources if they are not centrally connected via an authentication service? Probably nearly never – right? Yes, we are forced to change them for work assets, but we normally do not change them for home resources or for non-corporate-managed cloud resources like Twitter, Facebook, LinkedIn, etc. Yes, solutions like ADP and Salesforce support periodic password changes, but that policy must be set up by your IT security or operations teams. There is no centralized enforcement, and definitely no way to verify password history or re-use between resources. It just does not exist – yet.
Addressing Legacy Attack Vectors in Cloud Environments via Improved Password Management Hygiene
So why are these findings from Skyhigh so important? They identify legacy attack vectors that we have been struggling to close for years, but still cannot seem to mitigate:
- Password Re-use – There is no way to determine, between cloud resources, whether the same account password is reused across applications. One compromised password represents an attack vector for every resource that shares that password. Trying to remember 36 additional passwords, plus your traditional on-premises credentials, proves impossible for most humans. This is an opportunity for password management solutions.
- Password Policy – Many cloud resources lack the maturity to enforce password policies for complexity, duration, and even multi-factor authentication. To reduce risk, avoid working with vendors who lack these capabilities and who do not have some form of integrated authentication services.
- Rogue Accounts – Provisioning and Identity and Access Management (IAM) solutions provide a front line for managing entitlements. Unfortunately, they can only manage what they can see, and cloud resources are typically beyond their control. Yes, IAM solutions can provision an Office 365 user with Workday, but they cannot control a rogue user, resource, or account. Just look at how many fake Twitter accounts exist representing the President of the United States. Nothing stops a rogue account from impersonating your business; the only limit is the data it may have access to. The more cloud resources your company empowers, the higher the risk of some form of impersonation, especially if accounts are not managed when employee turnover occurs.
- Vulnerability Management – This problem is a little more obscure than most people may assume. When you trust a cloud resource to access your data and business operations, you implicitly trust that the provider is conscientiously doing everything possible to ensure that no exploitable vulnerabilities are present in their solution. You, as an end user, typically lack the rights to perform a web application scan, vulnerability assessment, or penetration test and demand remediation. This is a risk. The more vendors you have, the higher the likelihood that one of them is not doing something right. As a vendor, I have recently seen more clients requesting hardening guidelines, results of security testing, and vulnerability reports attesting that we are doing the right things. You should make these requests of your vendors too. Your partners’ vulnerability management programs need to be an extension of yours and incorporate a way to trust and verify their results as well as to secure your users and your information.
- Management and Session Tools – Cloud resources simply lack the tool sets we take for granted in on-premises environments. It is a maturity factor. There are few network management (availability or service level agreement) solutions or session recording and auditing products that monitor third-party cloud resources. Again, we are at the mercy of the provider. We have seen whole new markets develop around Cloud Access Security Brokers (CASB) to solve some of these problems, but nothing really stops a user with permissions from dumping data out to a file or to another cloud service. If these technologies are on-premises, mature products like data loss prevention (DLP) and personally identifiable information (PII) discovery can assist with information classification. In the cloud, authorized and unauthorized users present an elevated risk because it is more difficult, or impossible, to monitor things we had control over before.
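The stale-password, re-use and policy points above all come down to the same gap: no individual cloud service can see the passwords used at any other service, so only a tool that holds the whole inventory (a password manager or vault export) can check them. The following is an added example, not code from the article or from BeyondTrust, showing how such an audit can be done: it fingerprints each password with a keyed hash so the re-use check never builds a plaintext lookup table, applies a length/character-class/dictionary policy, and flags passwords older than a maximum age. The credential inventory, the resource names, the dictionary and the policy thresholds are all constructed assumptions for the demonstration.

```python
"""Audit a credential inventory for re-use, weak passwords and stale passwords.

Added example, not from the original article. Assumes the inventory comes from
a password manager or vault export that supplies plaintext (as a vault must in
order to fill in logins); all sample data below is constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Credential:
    resource: str        # hypothetical cloud resource name
    username: str
    password: str
    last_changed: date   # when the password was last rotated


# Policy thresholds (assumed values for this example).
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer"}


def fingerprint(password: str, key: bytes) -> str:
    """Keyed hash of the password. Equal passwords collide under the same key,
    so re-use can be detected without keeping a plaintext comparison table;
    the key is discarded after the audit run."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def find_reuse(creds: list[Credential], key: bytes) -> list[list[str]]:
    """Return groups of resource names that share the same password."""
    groups: dict[str, list[str]] = defaultdict(list)
    for c in creds:
        groups[fingerprint(c.password, key)].append(c.resource)
    return sorted(sorted(res) for res in groups.values() if len(res) > 1)


def policy_violations(password: str) -> list[str]:
    """List the policy rules the password fails (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("needs 3 of 4 character classes")
    # Strip the common "word + digits/symbols" padding before the dictionary check.
    if password.lower().strip("0123456789!@#$") in DICTIONARY:
        problems.append("dictionary word")
    return problems


def is_stale(c: Credential, today: date) -> bool:
    return (today - c.last_changed) > timedelta(days=MAX_AGE_DAYS)


def audit(creds: list[Credential], today: date, key: bytes | None = None) -> dict:
    """Run all three checks and return a report keyed by finding type."""
    key = key or os.urandom(32)   # fresh key per run; never stored
    report: dict = {"reused": find_reuse(creds, key), "weak": {}, "stale": []}
    for c in creds:
        problems = policy_violations(c.password)
        if problems:
            report["weak"][c.resource] = problems
        if is_stale(c, today):
            report["stale"].append(c.resource)
    return report


# Constructed sample inventory: one user, four cloud resources.
TODAY = date(2024, 6, 1)
SAMPLE_CREDENTIALS = [
    Credential("mail", "alice", "Summer2024!", date(2024, 1, 5)),       # reused, stale, weak
    Credential("crm", "alice", "Summer2024!", date(2024, 5, 20)),       # reused, weak
    Credential("hr", "alice", "m7#Tq9!vLp2wXz", date(2024, 4, 1)),      # clean
    Credential("wiki", "alice", "password1", date(2023, 11, 1)),        # stale, weak
]


def run_demo() -> dict:
    return audit(SAMPLE_CREDENTIALS, TODAY)


if __name__ == "__main__":
    for kind, findings in run_demo().items():
        print(f"{kind}: {findings}")
```

Running the block reports that `mail` and `crm` share a password, that `mail` and `wiki` have not been rotated within 90 days, and which rules each weak password fails. The same three checks are the ones the article says no single cloud service can enforce across resources; a vault-level audit like this is where that visibility has to live.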
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.