Almost everything in the cloud is one excess privilege or misconfiguration away from exposure. Proper cloud posture and entitlement management can help mitigate risk and eliminate toxic combinations.
When implementing and configuring a cloud security solution, it’s easy to get overwhelmed by the sheer volume of “things” to monitor. These include web applications running on Kubernetes, the underlying IaaS and container resources, and the identities, both human and machine, that use them, and more. Cloud security teams must manage each resource's service identity, as well as scan the resources for vulnerabilities and misconfigurations. Because there are so many things to monitor, organizations often look to tools and point solutions to help combat these threat vectors. Many have ended up with an alphabet soup of security acronyms in their environments and, as a result, rack up huge costs trying to configure and implement all these disparate products.
Often, each tool produces its own plethora of security findings and works from different criticality metrics. So, even with technically advanced tooling, security teams are sent back to spreadsheet hell to try to reconcile and prioritize all of the findings.
To implement a more effective security strategy, you must start by isolating what threat actors are trying to achieve when breaching cloud infrastructure. Recently, it’s become clear that almost all cloud breaches leverage misconfigured identities and entitlements. The Identity Defined Security Alliance (IDSA) survey “2022 Trends in Securing Digital Identities” found that 84% of companies suffered an identity-related breach in the 12 months covered by the study. Why? Not just because identities are so deeply intertwined with everything we run and build in the cloud, but because it’s an incredibly complex problem to solve. There are many variables at play when trying to truly understand the risks associated with identity management.
Regardless of whether you have a public Amazon EC2 instance with known exploitable vulnerabilities or infrastructure misconfigured by hand or through code, when cloud exposures are exploited, attackers immediately go after an identity. They test its entitlements in order to move laterally or escalate privileges in an attempt to access sensitive data and other resources. Identity is the perimeter in the cloud, and because of its far-reaching impact, identity and entitlement security should be the foundation of a holistic cloud security program.
When securing identities, it’s important to understand the difference between service and human identities, as well as the different approaches to securing them, in order to achieve the principle of least privilege. Service identities are meant to serve workloads and operate on a consistent and predictable basis. Comparing the permissions assigned to a service identity with the permissions it actually uses is what reveals its “effective permissions.” Because service identities are programmed for a specific purpose and their requirements seldom change, it’s possible to right-size their permissions to the bare minimum based on observed activity, which is the principle of least privilege.
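The assigned-versus-used comparison described above, as an added example that is not part of the original post: a constructed IAM-style policy for a service role is expanded against a constructed action catalog, diffed against a constructed activity log, and reduced to a policy that grants only what the role actually did.

```python
import fnmatch
import json
from collections import Counter

# Constructed sample: the policy attached to a service role (assumed names).
ATTACHED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                                       "dynamodb:DeleteTable"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}
# Constructed activity log: one "service:Action" per line, as exported from an
# audit trail over the observation window.
ACTIVITY_LOG = """\
s3:GetObject
s3:PutObject
s3:GetObject
dynamodb:GetItem
dynamodb:PutItem
s3:GetObject
"""
# Constructed action catalog used to expand wildcards such as "s3:*".
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:DeleteBucket",
    "s3:PutBucketPolicy", "dynamodb:GetItem", "dynamodb:PutItem",
    "dynamodb:DeleteTable", "iam:PassRole",
]

def granted_actions(policy):
    """Expand every Allow statement, wildcards included, into concrete actions."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pat in patterns:
            granted.update(a for a in KNOWN_ACTIONS if fnmatch.fnmatchcase(a, pat))
    return granted

def used_actions(log):
    """Count how often each action appears in the activity log."""
    return Counter(line.strip() for line in log.splitlines() if line.strip())

def right_size(policy, log):
    """Return (unused granted actions, least-privilege policy from observed use)."""
    granted = granted_actions(policy)
    used = used_actions(log)
    unused = sorted(granted - set(used))
    # Resource stays "*" only because the constructed log carries no resource
    # identifiers; a real pass narrows the resource scope as well.
    minimal = {"Version": policy["Version"], "Statement": [
        {"Effect": "Allow", "Action": sorted(a for a in used if a in granted),
         "Resource": "*"}]}
    return unused, minimal

if __name__ == "__main__":
    unused, minimal = right_size(ATTACHED_POLICY, ACTIVITY_LOG)
    print("unused:", unused)
    print(json.dumps(minimal, indent=2))
```

The unused list is the review queue: here it surfaces destructive and privilege-related actions (`dynamodb:DeleteTable`, `s3:DeleteBucket`, `iam:PassRole`) that the role was granted but never exercised.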
In contrast, human identities are made to be used by real people. This makes them unpredictable, and it becomes challenging to right-size permissions for specific resources and actions, especially when ad-hoc tasks arise. To execute on zero trust, implementing an integrated just-in-time (JIT) access program is the key. No organization can completely eliminate all access into the cloud by human users. That’s not realistic. Here’s a way to massively reduce the risks associated with human identities: give DevOps teams the ability to programmatically request short-term access to the cloud for specific tasks in critical environments, and make sure that this short-term access tool integrates into existing ChatOps tools.
Security programs that don’t account for these differences can cause toil and friction between DevOps and IT teams. Delivering on the promise of DevSecOps means making sure security is embedded into workflows in a way that is scalable. This is where integrated Cloud Infrastructure Entitlement Management (CIEM) and Cloud Native Application Protection Platforms (CNAPP) tools can come into play. Integration between these tools can give you visibility and control over cloud infrastructure, Kubernetes, containers, infrastructure as code (IaC), identities, workloads and more.
Look for the following in integrated CNAPP and CIEM security solutions:
While many security teams spend time tuning controls and policies in order to combat alert overload, a better way is to integrate security tools like CNAPP and CIEM into a single platform that delivers rich context across the attack surface. With integrated security tooling, you’re able to standardize on what “critical” truly means and better understand the attack pathways that attackers can leverage to cause damage in your cloud environment. Plus, it’s much easier to update when new threats and zero-days are discovered.
For example, you might have 100 publicly accessible workloads running in a cloud environment, but only 10 of them have critical vulnerabilities, and only five of those have critical vulnerabilities and high privileges. This context gives security teams insight into where they should put their efforts, based on what is most likely to be exploited. Too often, security teams end up trying to address all 100 public workloads because point solutions lack the integration and identity-focused context needed to efficiently address threats.
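The funnel described above, as an added example that is not part of the original post: constructed findings from three separate sources (vulnerability scores, internet exposure, and CIEM privilege levels) are joined per workload so that the combination, not any single finding, drives priority.

```python
# Constructed findings from separate tools, keyed by workload id (assumed names).
VULN_SCORES = {"web-1": 9.8, "web-2": 9.8, "web-3": 5.3, "api-1": 9.1, "batch-1": 7.5}
PUBLIC_WORKLOADS = {"web-1", "web-2", "web-3", "api-1"}
IDENTITY_PRIVILEGE = {"web-1": "admin", "web-2": "read-only", "web-3": "admin",
                      "api-1": "data-write", "batch-1": "admin"}

HIGH_PRIVILEGE = {"admin", "data-write"}
CRITICAL_CVSS = 9.0

def tier(score, public, privilege):
    """Rank by toxic combination: public + critical vuln + high privilege first."""
    critical = score >= CRITICAL_CVSS
    if public and critical and privilege in HIGH_PRIVILEGE:
        return 1  # reachable, exploitable, and the identity behind it is worth taking
    if public and critical:
        return 2  # exploitable from the internet, limited blast radius
    if public or critical:
        return 3  # one signal only
    return 4

def prioritize(scores, public, privs):
    """Return (tier, workload) pairs, most urgent first."""
    ranked = [(tier(s, wid in public, privs.get(wid, "none")), wid)
              for wid, s in scores.items()]
    return sorted(ranked)

def funnel(scores, public, privs):
    """Counts of public, public+critical, public+critical+high-privilege workloads."""
    pub = [w for w in scores if w in public]
    crit = [w for w in pub if scores[w] >= CRITICAL_CVSS]
    toxic = [w for w in crit if privs.get(w, "none") in HIGH_PRIVILEGE]
    return len(pub), len(crit), len(toxic)

if __name__ == "__main__":
    for t, wid in prioritize(VULN_SCORES, PUBLIC_WORKLOADS, IDENTITY_PRIVILEGE):
        print(f"tier {t}: {wid}")
    print("funnel:", funnel(VULN_SCORES, PUBLIC_WORKLOADS, IDENTITY_PRIVILEGE))
```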
Integrated capabilities to understand risk and exposure are important. They make sense not just from an infrastructure or vulnerability perspective, but as a way to look at it all together and dynamically adjust risk scoring based on what’s actually happening in your environment.
For more information on securing identities in the cloud, watch the on-demand webinar "Managing Security Posture and Entitlements in the Cloud."
Chris Edson is a tenured senior solution architect specializing in helping Tenable's largest and most strategic customers design and secure their modern cloud infrastructures. Chris has been with Tenable for over nine years and brings a unique perspective of expertise across the entire Tenable product portfolio. As a power user of Nessus prior to joining Tenable, Chris started his career as a Tenable fan and is passionate about helping the community and customers transform and upgrade their cloud security programs. Chris holds a Bachelor of Science in Information Security from University of Maryland, Baltimore County and is certified in Amazon Web Services (AWS) solution architecture, design and security.