Security, privileges and the cloud
Whether it's the takeover of a corporate social media account, such as Twitter, to inflict brand damage, or access to servers using compromised privileged accounts to steal data and completely disrupt business operations, enterprises must be aware of how to mitigate the risk of cyber attacks in cloud environments.
Privileged accounts represent one of the largest security vulnerabilities an organisation faces today.
Used by administrators to log in to servers, network appliances, database servers and more, privileged accounts hold the proverbial keys to the IT kingdom. In the hands of an external attacker or malicious insider, these accounts allow users to take full control of an organisation's IT infrastructure, disable security controls, steal confidential information, commit financial fraud and disrupt operations.
Cloud services give attackers access to unlimited compute and connectivity resources, and a wider attack surface. Privileged accounts exist and create a significant attack surface in every type of cloud environment – private cloud, public cloud and hybrid cloud environments.
Such accounts typically include administrative accounts on virtual machines and management consoles, as well as cloud provider APIs, and administrative accounts for software-as-a-service applications including corporate social media accounts.
In flexible and dynamic cloud environments, privileged accounts are extremely powerful. Beginning with the management console, an administrator can control thousands of images. Machines can be provisioned or deleted with the click of a button, just as corresponding administrator accounts can be created and deleted.
APIs exacerbate the problem by provisioning and deleting machines without the need for user interaction. All of this can be done without the added budget approval and purchasing processes that deliver a 'checks and balances' review in a traditional hardware environment.
The potential for disruption – whether intentional or inadvertent – is significant.
The exponential rise in default passwords
One characteristic of privileged accounts in the cloud environment is their propensity to grow exponentially. This is because new server instances are commonly deployed by simply cloning an existing template.
When this occurs, new servers are deployed instantaneously with default administrative passwords – putting them at high risk of being compromised and exposing the organisation to the security vulnerabilities associated with unauthorised access.
Cloud environments have privileged credentials in two different layers – at the management console and at the virtual server layers. This makes it necessary to employ a layered approach to protecting privileged credentials in virtual servers as well as in the tools used to manage the environment.
Specific tools that require protection include hypervisors, APIs and web management consoles provided by cloud service providers.
In both the management console and server layers, the dynamic nature of cloud environments makes detecting changes far more challenging than in a traditional hardware environment. Privileged users are free to make changes to the environment with relative ease, so visibility is hard to maintain and changes can go undetected.
Essential security capabilities
Despite the complexities, there are steps organisations can and should take to protect their privileged accounts in cloud environments.
The first is to secure all privileged credentials. Passwords and SSH keys should be managed and protected. Access to, and use of, privileged credentials must be tightly controlled. It's a good idea to introduce workflow approvals for your most sensitive credentials.
Next, eliminate default passwords and SSH keys. Make sure as soon as any new machine is provisioned, default passwords and SSH keys are replaced or rotated. The new credentials should meet existing policies for complexity and frequency of rotation.
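One way to check that cloned machines no longer carry the template's credentials is sketched below. It is an added example, not part of the original article; the inventory format, host names, key lines and hashes are all constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

def fake_key(seed):
    # Constructed stand-in for a public key line; not a real key.
    return "ssh-ed25519 " + base64.b64encode(seed.encode()).decode() + " admin"

def ssh_fingerprint(pubkey_line):
    # OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob.
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed inventory: the template image and four machines cloned from it.
TEMPLATE = {"admin_pubkey": fake_key("template"), "admin_pw_hash": "$6$tmpl$constructed-A"}
INSTANCES = [
    {"name": "web-01", "admin_pubkey": fake_key("template"), "admin_pw_hash": "$6$tmpl$constructed-A"},
    {"name": "web-02", "admin_pubkey": fake_key("web-02"), "admin_pw_hash": "$6$w2$constructed-B"},
    {"name": "db-01", "admin_pubkey": fake_key("shared"), "admin_pw_hash": "$6$tmpl$constructed-A"},
    {"name": "db-02", "admin_pubkey": fake_key("shared"), "admin_pw_hash": "$6$d2$constructed-C"},
]

def audit(template, instances):
    """Return {instance name: [reasons]} for credentials that were never rotated."""
    template_fp = ssh_fingerprint(template["admin_pubkey"])
    hosts_by_fp = defaultdict(list)
    for inst in instances:
        hosts_by_fp[ssh_fingerprint(inst["admin_pubkey"])].append(inst["name"])
    findings = {}
    for inst in instances:
        reasons = []
        fp = ssh_fingerprint(inst["admin_pubkey"])
        if fp == template_fp:
            reasons.append("SSH key inherited from template")
        elif len(hosts_by_fp[fp]) > 1:
            reasons.append("SSH key shared across instances")
        # A clone copies the stored hash byte for byte, salt included.
        if inst["admin_pw_hash"] == template["admin_pw_hash"]:
            reasons.append("password hash inherited from template")
        if reasons:
            findings[inst["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit(TEMPLATE, INSTANCES).items():
        print(name, "->", "; ".join(reasons))
```

Only `web-02`, whose key and password were both replaced after provisioning, passes the audit.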
To prevent malware from travelling from third party (e.g. contractor) machines or network machines to the cloud environment, isolate activity using a jump server. This acts as a single access control point, segregating the internal network from the cloud. The jump server enables organisations to enforce strict firewall rules, further enhancing security.
Another good tactic is to avoid using credentials in scripts and applications, as they can make an attacker's job easier.
Passwords and SSH keys used to authenticate scripts and applications should be replaced with dynamic credentials that are stored in a secure environment. For maximum security, consider automating the rotation and retrieval of these credentials.
It also pays to think carefully about how privileges are awarded. Limiting administrative privileges based on job or role and enabling centrally managed credential escalation minimises the risk of misuse with no impact on user productivity.
Monitor and record privileged access
I've already mentioned how difficult it can be to gain visibility into privileged credential access in the cloud environment. Live monitoring and recording of privileged user access and session activity is therefore essential. This makes it easier to identify malicious or unintentional changes.
In case the information may be required for compliance or future forensics, back up all monitoring with tamper-proof audit logs and video recordings.
Look for attacks inside the cloud
For maximum security, organisations should have a strategy in place for uncovering attacks that may occur inside the cloud environment.
To mitigate the risk of malicious activity leveraging privileged accounts, all activity should be monitored and analysed based on typical usage patterns and policies.
If alerted to suspicious activity, organisations must be able to slow down or stop in-progress attacks by rotating the credential and limiting lateral movement by the attacker.
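The sketch below shows one simple form of analysing privileged activity against typical usage patterns. It is an added example, not part of the original article; the log format, account names, action names and addresses are constructed, with 10.0.5.10 standing in for the jump server.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history of normal privileged activity.
HISTORY = [
    "2024-03-04T09:12:00Z account=cloud-admin src=10.0.5.10 action=StartInstance",
    "2024-03-04T10:40:00Z account=cloud-admin src=10.0.5.10 action=CreateSnapshot",
    "2024-03-05T09:05:00Z account=cloud-admin src=10.0.5.10 action=StartInstance",
    "2024-03-05T14:30:00Z account=backup-svc src=10.0.5.20 action=CreateSnapshot",
]
# Constructed events to evaluate against that history.
NEW_EVENTS = [
    "2024-03-06T09:30:00Z account=cloud-admin src=10.0.5.10 action=StartInstance",
    "2024-03-06T03:17:00Z account=cloud-admin src=10.0.9.77 action=DeleteInstance",
    "2024-03-06T14:45:00Z account=backup-svc src=10.0.5.20 action=CreateAdminUser",
    "2024-03-06T11:00:00Z account=temp-admin src=10.0.5.10 action=StartInstance",
]
FIELDS = ("src", "hour", "action")

def parse(line):
    # Split "timestamp key=value key=value ..." into an event dict.
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = ts
    ev["hour"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    return ev

def build_baseline(lines):
    # Per account: every source, hour of day and action seen in the history.
    base = defaultdict(lambda: {f: set() for f in FIELDS})
    for ev in map(parse, lines):
        for f in FIELDS:
            base[ev["account"]][f].add(ev[f])
    return base

def detect(baseline, lines):
    # Return (timestamp, account, reasons) for events outside the baseline.
    alerts = []
    for ev in map(parse, lines):
        if ev["account"] not in baseline:
            alerts.append((ev["ts"], ev["account"], ["account has no baseline"]))
            continue
        known = baseline[ev["account"]]
        reasons = [f"unusual {f}: {ev[f]}" for f in FIELDS if ev[f] not in known[f]]
        if reasons:
            alerts.append((ev["ts"], ev["account"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), NEW_EVENTS):
        print(alert)
```

An alert on an account is the trigger for the response described above: rotate that account's credential and restrict where it can connect from.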
Extending privileged security programs to the cloud
Organisations should be able to extend the same level of security, control and monitoring deployed for on-premises accounts to privileged accounts in cloud environments.
It's equally important to maintain the same level of security policy for all privileged accounts, regardless of where they reside.
The use of a single security solution for all privileged accounts and credentials streamlines administration and management. At the same time, full visibility, monitoring and recording of privileged account activity in cloud environments provides auditors with a complete view of activity and streamlines audit procedures.
We know privileged accounts have become a preferred attack vector for advanced external and internal attacks thanks to their ability to provide a pathway directly into the heart of the enterprise. Privileged accounts in cloud-based environments must be secured with the same rigour that is currently used with on-premises accounts. And that means creating a critical security layer capable of disrupting cyber attacks before they stop business.
By Sam Ghebranious, Regional Director for Australia and New Zealand, CyberArk