When It Comes to Cloud Security, Least Privilege Takes Precedence
Even with a vaccine slowly rolling out, many countries around the world are encouraging home working well into Spring 2021. The adoption of the cloud to help people work remotely will be paying dividends for the companies that had the foresight to move essential business applications and systems, and it is clear from speaking to clients that they aren’t looking back.
In fact, our research with C-suite execs earlier in the year confirmed this further, with 83% saying the digital transformation they embarked on to create contactless processes, facilitate homeworking and stabilize revenue is now permanent. Digital processes helped them move their company strategy on by light years and, in some cases, simply survive.
But huge change like this isn’t plain sailing, especially when it comes to securing the enterprise. Of the execs surveyed, 40% witnessed more cyber-attacks during the start of the pandemic, and everything indicates this trend remains prevalent. Sadly, increasing your use of the cloud increases the attack surface and execs have had to acknowledge that digitalization, though a boon, also goes hand-in-hand with being a target.
The Need for Speed
Much of this has to do with the speed of rolling out applications. It was done quickly and prompted a dilemma – get security right but delay launch and see your competitors win, or hope the security is ‘good enough’.
Unfortunately, many learnt that ‘good enough’ isn’t very good, with a number admitting that their cloud provider was also their security safety net.
I suspect it’s why we are now seeing a change of heart.
Take remote working as an example. Early on, and even before the pandemic, we saw many organizations adapting and applying different standards to their public cloud environment, including password policy enforcement, API key rotation, and things like multi-factor authentication enforcement. It created a scale of security among companies – some were at the exceptionally good end of the scale, but many were far from it.
But given the number of attacks companies have either experienced, heard of or that have hit the headlines in the last six months, we’ve seen some positive movement on trying to get a handle on the weaknesses these mixed policies create in security.
For example, some companies are standardizing user permissions. So, it’s becoming common practice to have a permissions framework that relates to the function a team in the company performs. This includes setting an appropriate level of permissions for each group or user. For example, you might have a set of permissions that are appropriate for a DevOps engineer where there is more risk, versus those in place for a customer support representative.
Least Privilege Takes Precedence
There is therefore a growing acceptance that applying a ‘least privilege’ approach is worthwhile. In the common practice now emerging, the ultimate goal is to grant users the minimum set of permissions needed to complete their day-to-day work.
While standardization of the permissions is the first step, it is certainly not enough. Companies must be able to closely monitor permissions and how they are used by users, policies, and roles.
Only when you have this view of permissions can you expose the gap between the configured permissions versus the ones being used. And only then can you achieve a true least privilege practice and reduce the attack surface.
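The gap between configured and used permissions can be computed mechanically once grants and audit events sit side by side. The following is an added example, not from the original article; the role names, action strings and log events are constructed, and the `service:Action` format with `*` wildcards is an assumption rather than any specific provider's syntax.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample data: configured grants per role (hypothetical names).
GRANTED = {
    "devops-engineer": ["compute:*", "storage:GetObject",
                        "storage:PutObject", "iam:CreateUser"],
    "support-rep": ["tickets:Read", "tickets:Update",
                    "storage:GetObject", "billing:*"],
}

# Constructed audit events: (role, action) pairs seen in the review window.
USAGE_LOG = [
    ("devops-engineer", "compute:StartInstance"),
    ("devops-engineer", "compute:StopInstance"),
    ("devops-engineer", "storage:GetObject"),
    ("support-rep", "tickets:Read"),
    ("support-rep", "tickets:Update"),
    ("support-rep", "tickets:Read"),
]

def permission_gap(granted, usage_log):
    """Compare configured grants with the actions each role actually used."""
    used = defaultdict(set)
    for role, action in usage_log:
        used[role].add(action)

    report = {}
    for role, patterns in granted.items():
        actions = used.get(role, set())
        # Grants that no observed action matched: candidates for removal.
        unused = [p for p in patterns
                  if not any(fnmatchcase(a, p) for a in actions)]
        # Wildcard grants that were used: replace with the concrete actions seen.
        narrowable = {p: sorted(a for a in actions if fnmatchcase(a, p))
                      for p in patterns if "*" in p and p not in unused}
        # Proposed least-privilege set: only observed actions covered by a grant.
        right_sized = sorted(a for a in actions
                             if any(fnmatchcase(a, p) for p in patterns))
        report[role] = {"unused": unused, "narrowable": narrowable,
                        "right_sized": right_sized}
    return report

if __name__ == "__main__":
    for role, gap in permission_gap(GRANTED, USAGE_LOG).items():
        print(role, gap)
```

The result is only as good as the observation window: permissions used rarely, such as those reserved for emergency access, will show up as unused and need a human review before removal.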
Who Has the Most to Gain?
Traditional sectors like banking and retail are ripe for this approach and the ones that tend to be named when this strategy is discussed. However, industries like airlines — where there is now intense pressure to reduce capex expenses, such as those related to local datacenters, and move to more opex friendly models, such as public clouds where you pay as you go — are likely to be front of the queue.
But what I’m hopeful of is that as more companies commit to the cloud to reduce overheads, and improve productivity and efficiency, they will learn from the mistakes of others and review how the cloud security posture is being managed. Failure to do so will only see the strategy to truly transform fail too, and no board needs that on their score sheet.