Secure Enterprise Cloud Adoption – A Holistic Approach
August 1st, 2018
In April 2018 BeyondTrust asked security and IT leaders around the world about their cloud adoption plans and the risks associated with those plans. (You can read the full report from the study’s June publication here.) What we learned from that study confirmed our assumptions and helped customers lay out a roadmap for delivering enterprise-level cloud security. Let’s look at what we learned and how it can help you.
How Enterprise Cloud Adoption is Changing
Respondents to our Implications of Using PAM to Enable Next-Generation Technologies survey indicated that – today – 62% of workloads are on-premises, with 15% in a public cloud, 11% in private clouds and 8% in SaaS applications.
Contrast that with three years from now: on-premises drops to 44%, public cloud jumps to 26%, private cloud increases to 15%, and SaaS moves up to 12%. With such an increase in cloud-hosted workloads in the next three years, it’s vital for organizations to address security issues in their hybrid environments. Check out the graphic from the study.
What Are the Risks?
As cloud ecosystems evolve, and IT perimeters vanish, it’s increasingly critical to ensure visibility and security across hybrid environments. Our study showed that 52% of the time, it’s trusted users doing inappropriate things for innocent reasons that cause the most problems. In 18% of the cases, it’s trusted insiders going rogue, and in 15% of the cases, it’s outsiders gaining privileged access to steal credentials.
The question becomes: How can organizations like yours securely enable the cloud to achieve business agility goals, while unifying security controls for on-premise assets you already have in place?
Cloud Security Best Practices Are On-Prem Security Best Practices
We devised five progressive steps you can take to get control of your cloud assets. (tl;dr – you can use these same steps to apply controls over your on-prem assets, too. Save time and money that way.) Take an objective look at your environment and determine how you measure up.
1) Perform a discovery and inventory of cloud assets
Performing continuous discovery and inventory of assets across physical, virtual, and cloud environments ensures that only properly configured and approved assets are available and used in your environment. Just as important to cloud asset discovery is the management of supporting containers, for example Docker images deployed throughout the environment. Having this data will improve the visibility over Docker container usage and potential risks. Common attributes to scan for in Docker images and containers include:
- Basic image data: OS identification, repository tag, image ID; and where available, image size, creation date, and image author
- Enumerations: Services, processes, ports, certificates, users and user groups, and the network stack
- Installed software packages
- Registry and system files
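To show what an inventory built from those attributes can look like, here is an added example (not BeyondTrust code) that parses a constructed sample shaped like `docker image inspect` output, records the attributes listed above, and flags images that are not on a hypothetical approved-ID allowlist, use an unpinned tag, run as root, expose SSH, or are older than a set age.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `docker image inspect` output (field names
# follow the Docker Engine API; IDs, tags and dates are made up for this example).
SAMPLE_INSPECT = json.dumps([
    {"Id": "sha256:aaaa1111", "RepoTags": ["registry.example.com/web:1.4.2"],
     "Created": "2018-07-20T10:00:00Z", "Size": 120000000, "Author": "platform-team",
     "Os": "linux", "Config": {"User": "app", "ExposedPorts": {"8080/tcp": {}}}},
    {"Id": "sha256:bbbb2222", "RepoTags": ["registry.example.com/worker:latest"],
     "Created": "2017-01-05T08:30:00Z", "Size": 650000000, "Author": "",
     "Os": "linux", "Config": {"User": "", "ExposedPorts": {"22/tcp": {}, "9000/tcp": {}}}},
])
# Hypothetical allowlist of approved image IDs, as an asset inventory would hold it.
APPROVED_IDS = {"sha256:aaaa1111"}
MAX_AGE_DAYS = 180
REFERENCE_NOW = datetime(2018, 8, 1, tzinfo=timezone.utc)  # fixed clock for repeatable results

def parse_created(ts):
    """Parse the RFC 3339 timestamp Docker emits, dropping fractional seconds."""
    return datetime.strptime(ts.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def inventory(inspect_json, approved_ids, now=None, max_age_days=MAX_AGE_DAYS):
    """Build one record per image with the attributes listed above, plus findings
    for images that are unapproved, unpinned, running as root, exposing SSH or stale."""
    now = now or datetime.now(timezone.utc)
    records = []
    for img in json.loads(inspect_json):
        cfg = img.get("Config") or {}
        tags = img.get("RepoTags") or []
        rec = {
            "id": img["Id"], "tags": tags, "os": img.get("Os"), "size": img.get("Size"),
            "created": img.get("Created"), "author": img.get("Author") or None,
            "user": cfg.get("User") or "root",  # an empty User means the image runs as root
            "ports": sorted((cfg.get("ExposedPorts") or {}).keys()),
            "findings": [],
        }
        if rec["id"] not in approved_ids:
            rec["findings"].append("not in approved inventory")
        if not tags or any(t.endswith(":latest") for t in tags):
            rec["findings"].append("unpinned or dangling tag")
        if rec["user"] == "root":
            rec["findings"].append("runs as root")
        if "22/tcp" in rec["ports"]:
            rec["findings"].append("exposes SSH")
        if now - parse_created(rec["created"]) > timedelta(days=max_age_days):
            rec["findings"].append("image older than %d days" % max_age_days)
        records.append(rec)
    return records
```

Against a live host, feed the function the output of `docker image inspect $(docker image ls -q)` and the allowlist from your asset inventory; the same record shape works for a registry export.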
2) Scan for vulnerabilities and misconfigurations
Once cloud assets are found and managed, continuous vulnerability assessment and remediation must be performed, along with continuous configuration and hardening-baseline scanning across physical, virtual, and cloud-deployed assets. Because these resources are hardened to prevent breaches, they reveal little to network-based vulnerability assessment scans; host-based security scanning, by contrast, provides deep inspection of an instance and can report back any vulnerability or configuration anomaly. A best practice is to provision the agent as part of the instance template, so the asset is secured from the moment it is created and remains untampered with throughout its lifecycle.
Having this capability reduces risk, ensures that no cloud instances are left unmanaged (even without network scanning), and ensures configurations are consistent and properly hardened across cloud and on-premise resources against best practices from NIST, STIGS, USGCB, CIS, and Microsoft.
3) Eliminate shared and embedded privileged accounts in cloud management consoles and instances
Consoles such as those for Amazon AWS and Office 365 provide administrators with tremendous control. The AWS Console, for example, is also a de facto procurement system, enabling administrators to instantly order additional systems, storage, and network resources. Controlling and auditing access to these shared accounts ensures that all privileged activity is associated with a unique identity and ensures that all passwords are properly managed and rotated across the cloud environment.
Shared accounts are only part of the problem, though. Removing hard-coded passwords in cloud tool configurations, build scripts, code files, test builds, and production builds should be prioritized, as these embedded application credentials represent open backdoors to critical systems.
Securely storing privileged account credentials, requiring a simple workflow process for check-out, and monitoring privileged sessions limits lateral movement in the case of a compromise and provides a secure audit trail for forensic purposes.
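Finding the embedded credentials this step calls for is the first task, so here is an added example (not BeyondTrust code) of a small scanner run over a constructed build script: it reports AWS access key IDs, password assignments, credentials embedded in URLs and private-key blocks, while skipping values that are resolved at run time from environment variables or templates. The patterns and placeholder rules are assumptions chosen for illustration; the AKIA value is the example key from AWS documentation.

```python
import re

# Patterns for credentials commonly embedded in build scripts and cloud tool
# configuration. Each is (kind, regex); the last capture group is the secret value.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password_assignment", re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"]?([^'\"\s]+)")),
    ("url_embedded_credential", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# Values resolved at run time (env vars, templates, obvious placeholders) are not
# hard-coded secrets and must not be reported.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|\{\{.*\}\}|<[^>]+>|\*+|x{3,}|changeme)$", re.I)

# Constructed sample build script for this example.
SAMPLE_BUILD_SCRIPT = [
    "#!/bin/sh",
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",   # AWS documentation example key
    "DB_PASSWORD=${DB_PASSWORD}",                       # injected by the pipeline, not embedded
    'db_password = "Summer2018!"',
    "git clone https://deploy:hunter2@git.example.com/app.git",
    "terraform apply -var password=$TF_VAR_password",
]

def redact(value):
    """Keep two characters so a reviewer can locate the value without logging the secret."""
    return value[:2] + "*" * (len(value) - 2)

def scan_lines(lines, source="constructed-sample"):
    """Return one finding per line that appears to carry a hard-coded credential."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if PLACEHOLDER.match(value):
                continue  # resolved at run time; keep checking the other patterns
            findings.append({"source": source, "line": lineno, "kind": kind,
                             "redacted": redact(value)})
            break  # one finding per line is enough for triage
    return findings
```

Wire the same function into a pre-commit hook or the CI pipeline over real files, and treat each finding as a credential to move into the vault and rotate, not just to delete from the file.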
4) Segment networks
Many organizations utilize cloud access service brokers (CASBs) as a proxy for all cloud traffic. Usually implemented using a reverse proxy (or a VPN connection), all internet-bound network traffic is funneled through these proxies to centralize access control and auditing. Most CASBs, however, deliver only generalized policies. By employing integrated multi-factor authentication, adaptive access authorization, and session monitoring, you can extend beyond typical CASBs with:
- Enterprise password management – Discover accounts, and randomize, rotate, and check passwords in and out.
- Session monitoring, management, and recording – Record privileged sessions in real time via a proxy session monitoring service and enable dual control.
- Advanced workflow controls – Add context to each request by considering the day, date, time, and location from which a user accesses a resource when deciding whether to grant access to that system.
- Advanced segmentation – Route all remote access sessions through the PowerBroker Password Safe proxy for management and reporting, and to enforce segmentation that separates authorized connectivity from attack paths.
5) Enable privilege management in a hybrid cloud environment
In a cloud context, the principle of least privilege is important to restrict access to development, management and production systems, while granting only required permissions to appropriately build machines and images. With unified policy, management, reporting, and analytics across both on-premise and cloud environments, organizations can meet the stringent auditing demands on cloud usage.
BeyondTrust Can Help
The BeyondTrust solution for secure cloud enablement discovers all cloud instances in the environment, groups cloud assets for consistent privilege management, and scans for security vulnerabilities and privilege-related risks. By unifying policy, management, reporting, and analytics across both on-premise and cloud environments, organizations can meet stringent security and compliance controls over cloud usage, while achieving business agility goals.
How prepared are you for the cloud? Want more detail on the five steps, including how to make them work in your enterprise? Download the white paper.
For more information on how BeyondTrust can help you accelerate your business transformation to the cloud through the power of privileged access management, contact us today.