Ponder this question for a moment. How many distinct passwords do you remember?
The average user relies on dozens of passwords for home and business. Hopefully there is no password re-use between any of those credentials, and, hopefully, none of the passwords is so simple that it would fall to a dictionary attack.
Now consider findings by Skyhigh Networks in their Cloud Adoption and Risk Report. The average user within an organization uses no less than 36 cloud applications, equating to, perhaps, another 36 passwords (varying based on factors such as single sign on or password management solutions) to remember as well.
These cloud resources are subject to the same problems of password complexity, re-use, and basic management as an on-premises directory services and authentication system like Active Directory, except that policy must be set up individually for each resource or distributed using solutions like Active Directory Federation Services. Unfortunately, both on-premises and cloud solutions carry their own security risks, from being unable to enforce current password policy to relying on one master password for all user resources, which represents the same risk as password re-use.
Reducing Identity Risk in Cloud Environments
To mitigate these threats, organizations typically apply a layered security approach (with yet another solution) to enforce multi-factor authentication. This hardens access by requiring two or more pieces of evidence to validate that you are who you say you are. While multi-factor solutions come in a variety of forms—from trusted devices to PIN codes and biometrics—the outcome is higher confidence in your identity. Ultimately, you still need a password per site unless you are leveraging a centralized directory store (or something worse, like Facebook or Google) to authenticate you. Then we are back to one password for everything and, hopefully, multi-factor authentication (if supported by the cloud resource) can keep you safe. This brings us to our next problem…
Stale or Default Passwords in Cloud Environments
How often do you change your passwords on cloud resources that are not centrally connected via an authentication service? Probably nearly never – right? Yes, we are forced to change them for work assets, but we normally do not change them for home resources or for cloud resources that the company does not manage, like Twitter, Facebook, LinkedIn, etc.
Yes, solutions like ADP and Salesforce can require periodic password changes, but that policy must be set up by your IT security or operations teams. There is no centralized enforcement, and definitely no way to verify password history or re-use between resources. It just does not exist – yet.
Addressing Legacy Attack Vectors in Cloud Environments via Improved Password Management Hygiene
So why are these findings from Skyhigh so important? They identify legacy attack vectors that we have been struggling to close for years but still cannot seem to mitigate:
- Password Re-use – There is no way to determine, across cloud resources, whether the same account password is reused between applications. A single compromised password therefore represents an attack vector against every resource that shares it. Trying to remember 36 additional passwords, plus your traditional on-premises credentials, proves impossible for most humans. This is an opportunity for password management solutions.
- Password Policy – Many cloud resources lack the maturity to enforce password policies for complexity, duration, and even multi-factor authentication. To reduce risk, avoid working with vendors who lack these capabilities and who do not have some form of integrated authentication services.
- Rogue Accounts – Provisioning and Identity and Access Management (IAM) solutions provide a first line of defense for managing entitlements. Unfortunately, they can only manage what they can see, and cloud resources are typically beyond their control. Yes, IAM solutions can provision an Office 365 user into Workday, but they cannot control a rogue user, resource, or account. Just look at how many fake Twitter accounts exist claiming to represent the President of the United States. Nothing stops a rogue account from impersonating your business; the only limit is the data it may have access to. The more cloud resources your company empowers, the higher the risk of some form of impersonation, especially if accounts are not managed when employee turnover occurs.
- Vulnerability Management – This problem is a little more obscure than most people assume. When you trust a cloud resource to access your data and business operations, you implicitly trust that the provider is conscientiously doing everything possible to ensure that no exploitable vulnerabilities are present in their solution. You, as an end user, typically lack the rights to perform a web application scan, vulnerability assessment, or penetration test and to demand remediation. This is a risk: the more vendors you have, the higher the likelihood that one of them is not doing something right. As a vendor, I have recently seen more clients requesting hardening guidelines, results of security testing, and vulnerability reports attesting that we are doing the right things. You should make these requests of your vendors too. Your partners’ vulnerability management programs need to be an extension of yours and incorporate a way to trust and verify their results as well as to secure your users and your information.
- Management and Session Tools – Cloud resources simply lack the tool sets we take for granted in on-premises environments. It is a maturity factor. There are few network management (availability or service level agreement) solutions or session recording and auditing products that can monitor third-party cloud resources. Again, we are at the mercy of the provider. We have seen entirely new markets develop around Cloud Access Security Brokers (CASB) to solve some of these problems, but nothing really stops a user with permissions from dumping data out to a file or to another cloud service. If these technologies are on-premises, mature products like data loss prevention (DLP) and personally identifiable information (PII) discovery can assist with information classification. In the cloud, authorized and unauthorized users present an elevated risk because it is more difficult, or impossible, to monitor things we had control over before.
The cloud provides a more flexible, cost-effective, and distributed way to promote business and extend functionality out to the marketplace. With this model come risks. Everything from the accounts and passwords we use to secure these resources to the tools and management functions we perform every day on-premises needs an appropriate translation. As cloud adoption and usage continue to expand, organizations need to get on top of privileged and non-privileged account access to better manage risk, before cloud security issues erode confidence in the cloud.
Interested in learning more about our cloud security capabilities? Request a personalized demo today.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.