Admin, superuser, root - different names for the same concept: an account that has total control over a system. In the Windows world, this account is called Administrator. On Linux and Unix, the account is root. In the Mac world, the account is Admin if you’re working in the UI, and root if you’re in the command line.
No matter what these highly privileged accounts are called, they hold great power over the system and, as the saying goes, “with great power comes great responsibility.” This is why most companies apply the principle of least privilege (PoLP) as part of their security program. PoLP can include enforcing separation of privileges, such as breaking up administrative responsibilities across different operational accounts: rather than having a single account that can add/delete users, change configurations, and run backups, spread these tasks across three user accounts, reducing the risk of a single compromised or misused account causing significant damage to a server. PoLP also means limiting each user’s access to only what they need to do their job. If there’s no reason for a user to install new software on their laptop, remove that privilege from their account. If an employee doesn’t need access to the database with the company’s most sensitive intellectual property, block their access to it.
PoLP is a tried-and-true approach, but some companies don’t implement it because they don’t understand how to do so or because they think it will require too much time to properly maintain. This is a shame, because a robust PoLP-based approach can provide strong protection by limiting the “blast-radius” of attacks and reducing a company’s overall attack surface.
As companies continue to embrace and benefit from the power of the cloud, the ability to manage privilege becomes even more important. Unfortunately, because organizations use many different clouds, the complexity of implementing PoLP has increased. Complex doesn’t mean impossible, though; it does entail some planning up front.
Privileged access security: 6 tips for multicloud environments
Here are 6 tips that will help your company embrace the benefits of multiple clouds—without sacrificing security and control by providing too much privilege to individual users.
1. Get Your Identity House in Order - PoLP requires a comprehensive understanding of who needs to do what in your organization. If you haven’t done a full identity audit for all on-prem and cloud users, now is the time to do it. For cloud workloads, don’t forget to include the superusers for your cloud instance, service principals, access to orchestration tools, and management of workloads (such as Kubernetes). Remember that apps are users too, which means app and API access also needs to be reviewed.
2. Focus on Admin - Attackers gain persistence by creating privileged accounts for themselves. And many inside attacks are only possible because a given insider has too much privilege. So, take special care looking for IDs and apps with broad access -- as you find them, remove rights or revoke access entirely, if it’s not needed.
3. Time is on Your Side - Time-based access is a highly effective way to limit the attack surface. Does port 22 (for SSH) need to be open at all times, or only when an admin needs to log in? Where you can, implement JIT (just-in-time) server access to limit remote access windows. Also, check which accounts have been dormant for a long time: do those users still need access, or can it be removed?
4. Modernize Password Management - It’s not uncommon to find password re-use in large cloud estates. This is a massive exposure for an organization, which can be reduced or eliminated by using modern password management approaches like a true OTP (one time password), MFA (multi-factor authentication), and limiting concurrent logins. Secrets management helps here for application passwords and keys.
5. Normalize Cross-Cloud Privilege - Major CSPs (cloud service providers) provide excellent tools to manage your instance, but your company probably isn’t in only a single cloud; it is more likely working across many clouds for IaaS and SaaS. This is why it’s important to implement an identity management solution that works across cloud providers and can scale quickly to new instances.
6. Optimize and Trace - All this up front work means you’ve reduced risk for your organization. However, when it comes time to communicate the effectiveness of your risk reduction efforts to executive leadership or an assessor, unified reporting will provide the evidence you need to show the program is working. In addition to aggregate reporting for identity management, incorporate continuous cross-cloud access management monitoring, ongoing audits, and alerting whenever a new superuser account is created.
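As an added example that is not part of the original post, the following Python script shows what tips 2 and 6 look like in practice: scanning IAM-style policy statements for identities with wildcard (superuser-level) rights, and raising an alert when an audit event hands out administrator access. All identities, policies, events, and the admin group name are constructed for illustration in a CloudTrail/IAM-like shape; they are not taken from any real account.

```python
# Added example: find identities with broad rights (tip 2) and alert on events
# that grant superuser access (tip 6). All data below is constructed sample data.

IDENTITIES = {  # identity name -> list of IAM-style policy statements (constructed)
    "backup-svc": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                    "Resource": "arn:aws:s3:::backups/*"}],
    "ops-admin": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "ci-deploy": [{"Effect": "Allow", "Action": ["iam:*", "ec2:Describe*"], "Resource": "*"}],
}

def _as_list(v):
    # IAM allows a single string or a list for Action and Resource; normalize to a list.
    return [v] if isinstance(v, str) else list(v or [])

def broad_statements(statements):
    """Allow statements with a wildcard or service-wide action on every resource."""
    hits = []
    for s in statements:
        actions, resources = _as_list(s.get("Action")), _as_list(s.get("Resource"))
        wide = any(a == "*" or a.endswith(":*") for a in actions)
        if s.get("Effect") == "Allow" and wide and "*" in resources:
            hits.append(s)
    return hits

def audit_broad_access(identities):
    """Map each identity to its over-broad statements; an empty dict means none found."""
    return {n: h for n, h in ((n, broad_statements(st)) for n, st in identities.items()) if h}

ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}
ADMIN_GROUPS = {"Admins"}  # assumption: groups that confer superuser rights in this estate
EVENTS = [  # constructed audit events, CloudTrail-like shape
    {"eventName": "AttachUserPolicy", "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "svc-new",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "AttachUserPolicy", "userIdentity": {"userName": "bob"},
     "requestParameters": {"userName": "svc-new",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventName": "AddUserToGroup", "userIdentity": {"userName": "carol"},
     "requestParameters": {"userName": "dave", "groupName": "Admins"}},
]

def superuser_alerts(events):
    """Return one alert string per event that hands out superuser-level access."""
    alerts = []
    for e in events:
        name, p = e.get("eventName"), e.get("requestParameters", {})
        actor = e.get("userIdentity", {}).get("userName", "unknown")
        if name in ("AttachUserPolicy", "AttachRolePolicy") and p.get("policyArn") in ADMIN_POLICY_ARNS:
            alerts.append(f"{actor} attached {p['policyArn']} to {p.get('userName') or p.get('roleName')}")
        elif name == "AddUserToGroup" and p.get("groupName") in ADMIN_GROUPS:
            alerts.append(f"{actor} added {p['userName']} to admin group {p['groupName']}")
    return alerts
```

Run against the sample data, `audit_broad_access` flags only ops-admin and ci-deploy, and `superuser_alerts` raises two alerts (the AdministratorAccess attachment and the Admins group addition) while ignoring the read-only grant.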
For a deeper dive on this topic, check out my on-demand webinar: PoLP in a Multicloud World.
For more on multicloud security, check out these additional resources:
Diana Kelley, CTO, Executive Mentor, Research Analyst, Security Keynote Speaker
Diana Kelley’s security career spans over 30 years. She is Co-Founder and CTO of SecurityCurve and donates much of her time to volunteer work in the cybersecurity community, including serving on the ACM Ethics & Plagiarism Committee, as CTO and Board member at Sightline Security, Board member and Inclusion Working Group champion at WiCyS, Cybersecurity Committee Advisor at CompTIA, and RSAC US Program Committee.
Diana produces the #MyCyberWhy series, hosts BrightTALK’s The Security Balancing Act, and is a Principal Consulting Analyst with TechVision Research and a member of The Analyst Syndicate.
She was the Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), and a Manager at KPMG.
She is a sought-after keynote speaker, the co-author of the book Cryptographic Libraries for Developers, has been a lecturer at Boston College's Masters program in cybersecurity, the EWF 2020 Executive of the Year, and one of Cybersecurity Ventures 100 Fascinating Females Fighting Cybercrime.