Over the next few weeks, we’ll explore best practices for securing privileged accounts and identities in common cloud scenarios. This series can help guide effective risk reduction strategies for today and for the future as cloud workloads evolve.
First up, we’re looking at cloud management consoles, which are used by admins to set up the entire cloud environment, oversee all types of cloud activities (e.g. usage tracking, data integration, resource deployment and more) and configure operational and security settings. Before we dive in, here’s a look at the current state of the cloud.
How Are Enterprises Adopting Cloud?
While achieving a fully cloud-based IT infrastructure may be an ultimate digital transformation goal for some organizations, the vast majority are taking a hybrid approach today. According to a recent industry study, 93% of enterprises have a multi-cloud strategy in place. Meanwhile, as the world adapts to new realities, software-as-a-service (SaaS) use continues to skyrocket, enabling companies to conduct critical business and empower remote workforces.
There’s no denying the business benefits of deploying cloud infrastructure and running enterprise applications in the cloud – enhanced flexibility, simplified operations, cost savings and scalability are just a few. Yet every cloud deployment scenario creates new risk. This is particularly true in the wake of COVID-19. As leaders accelerate their cloud journeys to digitize quickly, attackers are targeting critical data and assets in the cloud in earnest. Within the first few months of 2020 alone, cyber attacks targeting the cloud grew by a staggering 630%.
Now more than ever, it’s important for organizations to fully understand their role in securing cloud workloads as part of the shared responsibility model. While cloud providers are responsible for the cloud infrastructure itself, cloud customers must secure their data, applications, operating systems, supporting infrastructure and other assets running in the cloud environment.
Privileged accounts associated with human users and application and machine identities are exceptionally powerful and highly susceptible to compromise in the cloud. Protecting privileged access in these environments is paramount, and the onus lies on the cloud customer. In fact, more than half of the top cloud computing threats today can be mitigated with strong privileged access management (PAM) and identity and access management (IAM) controls.
5 Best Practices for Securing the Cloud Management Console
Since cloud management consoles and portals enable full control of an organization’s cloud resources, they are prime targets for cyber attackers and all access to them must be secured and monitored. This is particularly true for powerful root-level accounts – the accounts with irrevocable administrative privileges such as the AWS root user account, Azure global admin role and the Google Cloud Platform (GCP) super user account.
1. Treat all cloud management console access (for both human and machine users) as privileged. First, identify what permissions a user or application/machine needs to do their specified job. Build roles for each user persona, giving them access to only what they need by following the principle of least privilege. Enforce privileged access management controls including session isolation, monitoring and credential rotation to reduce risk.
2. Implement just-in-time access to reduce the attack surface. By providing just-in-time access to the cloud management console, versus standing access, permissions are provided when the session is launched – helping to ensure that only the right users have access to the right assets at the right time, and only for a certain amount of time.
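To make the first two practices concrete, here is an added example (not code from the original post or from any cloud provider) that checks IAM-style policy documents for statements that violate least privilege and models console access as a time-boxed, just-in-time grant instead of standing access. The policy documents, principal names and role names are constructed for illustration.

```python
"""Least-privilege policy check and just-in-time access model (added example)."""
import time

# Constructed sample policies in the AWS IAM document style (not from the page).
STANDING_ADMIN_POLICY = {
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}
LEAST_PRIVILEGE_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "arn:aws:s3:::example-reports-bucket/*",
    }]
}


def find_overbroad_statements(policy):
    """Return Allow statements granting a wildcard action, a whole-service
    wildcard (e.g. 'iam:*') or a wildcard resource; each is a least-privilege gap."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            findings.append(stmt)
    return findings


class JitGrant:
    """A just-in-time grant: the role is usable only inside a fixed time window."""

    def __init__(self, principal, role, ttl_seconds, now=None):
        self.principal, self.role = principal, role
        self.expires_at = (time.time() if now is None else now) + ttl_seconds

    def is_active(self, now=None):
        return (time.time() if now is None else now) < self.expires_at


def can_assume(grants, principal, role, now=None):
    """True only while an unexpired grant exists for this principal and role;
    with no grants at all there is no standing access to fall back on."""
    return any(g.principal == principal and g.role == role and g.is_active(now)
               for g in grants)
```

In practice the grant would be created by an approval workflow and revoked by the provider's API when the window closes; the model above shows the decision logic a reviewer should expect to find.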