Cloud computing has transformed how organizations do business, but it has also created new security challenges. The shift from on-premise to cloud-based solutions has changed the way technology companies deliver computing infrastructure and applications, and it has introduced new security vulnerabilities while amplifying existing ones.
The Cloud Security Alliance (CSA) has released a report, “The Treacherous 12”, which highlights the top threats to the cloud computing ecosystem.
In our previous mail edition we covered the first threat, “Data Breaches”. In this edition we explain the second threat, “Insufficient Identity, Credential and Access Management”, and its business impact.
Insufficient Identity, Credential and Access Management
Data breaches, and attacks more generally, are enabled by a lack of scalable identity and access management systems, failure to use multifactor authentication, weak passwords, and a lack of ongoing, automated rotation of cryptographic keys, passwords and certificates.
Credentials and cryptographic keys must not be embedded in source code or distributed in public-facing repositories such as GitHub, because there is a significant chance of discovery and misuse. Keys need to be appropriately secured, and a well-secured public key infrastructure (PKI) is needed to ensure that key-management activities are actually carried out.
Identity systems, including the cloud service providers' (CSPs') own, must scale to handle lifecycle management for millions of users. They must also support immediate de-provisioning of access to resources when personnel changes, such as job termination or a role change, occur.
Identity systems are becoming increasingly interconnected, and federating identity with a cloud provider (e.g. via SAML assertions) is becoming more prevalent to ease the burden of user maintenance. Organizations planning to federate identity with a cloud provider need to understand the security of the cloud provider’s identity solution, including its processes, infrastructure, segmentation between customers (in the case of a shared identity solution), and how these are implemented by the cloud provider.
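The usual control for the “don’t commit secrets” rule is a scanner run in CI or as a pre-commit hook. The following is an added example written for this edition, not code from the CSA report or from Instasafe: a small rule-based scanner that flags an AWS access key ID (the documented AKIA… format), a PEM private-key header, and quoted values assigned to identifiers that look like credentials, while skipping obvious placeholders and redacting what it reports so the report does not itself leak the secret. The sample source it scans is constructed for the example, and the AWS key in it is the public example ID from the AWS documentation, not a live key.

```python
import re
from typing import Dict, List

# Rules: (compiled pattern, index of the group holding the secret value).
# The AWS access key ID format (AKIA + 16 upper-case letters/digits) and the
# PEM private-key header are documented, public formats; the generic
# assignment rule is a heuristic and will need tuning for a real code base.
RULES = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    "pem_private_key": (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"), 0),
    "generic_assignment": (
        re.compile(
            r"(?i)\b\w*(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*"
            r"['\"]([^'\"]{8,})['\"]"
        ),
        1,
    ),
}

# Obvious placeholders that look like secrets but are not (common false positives).
PLACEHOLDERS = {"changeme", "password", "example", "placeholder", "xxxxxxxx", "<redacted>"}


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so the scanner's own report does not leak the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) with the matched value redacted."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, (pattern, group) in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(group)
            if value.lower() in PLACEHOLDERS:
                continue  # a placeholder, not a real credential
            findings.append({"line": lineno, "rule": rule, "value": redact(value)})
    return findings


# Constructed sample file. The AWS access key ID is the example value from
# the AWS documentation, not a live key; the secret key is likewise the docs' example.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = os.environ["DB_PASSWORD"]
-----BEGIN RSA PRIVATE KEY-----
password = "changeme"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} -> {f['value']}")
```

Note that line 4 of the sample, which reads the password from the environment, is correctly not flagged: the rule requires a quoted literal, which is exactly the pattern that leaks. A production scanner would add entropy checks and provider-specific formats, but the structure (rules, allowlist, redaction) is the same.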
Multifactor authentication systems, for example smartcards, one-time passwords (OTP) and phone-based authentication, are required for users and operators of a cloud service. This form of authentication helps address password theft, where a stolen password alone would otherwise grant access to resources without the user's knowledge. Stolen credential material is also reused in common lateral-movement attacks such as “pass the hash”, where the password hash stands in for the password itself.
In cases where legacy systems require passwords alone, the authentication system must enforce policy, such as verifying that strong passwords are used and applying organization-defined rotation periods.
Cryptographic keys, including TLS certificates, keys used to protect access to data and keys used to encrypt data at rest, must be rotated periodically. Doing so limits the damage from keys accessed without authorization: when a key is stolen and there is no rotation policy, the stolen key remains valid indefinitely, which can dramatically increase the effective duration and scope of the breach.
Any centralized store of secrets (passwords, private keys, a confidential customer contact database) is an extremely high-value target for attackers. An organization that chooses to centralize passwords and keys must weigh the convenience of centralized key management against the risk of concentrating them in one place. As with any high-value asset, monitoring and protection of identity and key management systems should be a high priority.
Malicious actors masquerading as legitimate users, operators or developers can read and exfiltrate, modify or delete data; invoke control plane and management functions; snoop on data in transit; or release malicious software that appears to originate from a legitimate source. Insufficient identity, credential or key management can therefore enable unauthorized access to data and potentially catastrophic damage to organizations and end users.
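To make concrete why an OTP factor defeats password replay, here is an added example (ours, not code from the CSA report or from Instasafe) of the time-based one-time password scheme most authenticator apps implement, RFC 6238 TOTP over RFC 4226 HOTP, using only the Python standard library. The verifier accepts one step of clock drift but refuses any counter already consumed, so a code captured from the user, unlike a captured password, is useless once it has been used or its 30-second step has passed. The key and timestamps below are the published RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble picks the 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time step."""
    return hotp(key, now // step, digits)


def verify_totp(key: bytes, code: str, now: int, last_used: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the accepted time-step counter, or None if the code is rejected.

    Codes for the neighbouring `window` steps are accepted to tolerate clock
    drift, but a counter at or before `last_used` is always refused, so a
    code that was already presented cannot be replayed within the window.
    The caller must persist the returned counter as the new `last_used`.
    """
    current = now // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_used is not None and candidate <= last_used:
            continue  # already consumed (or older than the last accepted step)
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B shared secret (ASCII "12345678901234567890").
    key = b"12345678901234567890"
    print(totp(key, 59, digits=8))  # RFC test vector for T = 59
    accepted = verify_totp(key, totp(key, 59, digits=8), 59, digits=8)
    replayed = verify_totp(key, totp(key, 59, digits=8), 59, last_used=accepted, digits=8)
    print(accepted, replayed)
```

In a real deployment the shared secret is provisioned once (typically as a base32 string in a QR code) and stored server-side with the same care as a password hash, and the `last_used` counter is stored alongside it; without that counter, the drift window becomes a replay window.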
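Rotation is only useful if old keys actually stop being honoured. The following is an added example (ours, not code from the CSA report or from Instasafe) of the versioned-key pattern that key management services and token issuers use for keys that protect access to data: every token carries a key id, only the current key signs, superseded keys verify for a bounded grace period so clients can refresh, and a retired or compromised key is refused immediately. With this design a stolen key is usable for at most max_age + grace seconds, which is the “effective elapsed breach time” the paragraph above refers to. The class name, token format and time values are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SigningKeyring:
    """Versioned HMAC-SHA256 keys with scheduled rotation and emergency retirement.

    Only the current key signs. Older keys still verify for `grace` seconds
    past their `max_age`, so clients have time to obtain fresh tokens; after
    that, or on `retire`, anything signed under the key is refused. A stolen
    key is therefore usable for at most max_age + grace seconds.
    """

    def __init__(self, max_age: int, grace: int) -> None:
        self.max_age = max_age
        self.grace = grace
        self._keys: Dict[str, Tuple[bytes, int]] = {}   # kid -> (key bytes, created_at)
        self._retired: Set[str] = set()
        self.current: Optional[str] = None

    def rotate(self, now: int) -> str:
        """Generate a fresh key and make it the signing key; older keys become verify-only."""
        kid = f"v{len(self._keys) + len(self._retired) + 1}"
        self._keys[kid] = (secrets.token_bytes(32), now)
        self.current = kid
        return kid

    def rotation_due(self, now: int) -> bool:
        return self.current is None or now - self._keys[self.current][1] >= self.max_age

    def retire(self, kid: str) -> None:
        """Drop a key immediately: scheduled end of grace, or suspected compromise."""
        self._keys.pop(kid, None)
        self._retired.add(kid)
        if self.current == kid:
            self.current = None

    def sign(self, payload: dict) -> str:
        """Token format (assumed for this example): <kid>.<base64url payload>.<base64url HMAC>."""
        if self.current is None:
            raise RuntimeError("no signing key; call rotate() first")
        key, _ = self._keys[self.current]
        body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
        sig = hmac.new(key, f"{self.current}.{body}".encode(), hashlib.sha256).digest()
        return f"{self.current}.{body}.{_b64(sig)}"

    def verify(self, token: str, now: int) -> Optional[dict]:
        """Return the payload if the token is valid under a live key, else None."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        kid, body, sig = parts
        if kid in self._retired or kid not in self._keys:
            return None
        key, created = self._keys[kid]
        if now - created >= self.max_age + self.grace:
            return None  # key outlived its rotation period plus grace: treat as retired
        expected = hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).digest()
        try:
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            return json.loads(_unb64(body))
        except (ValueError, UnicodeDecodeError):
            return None


if __name__ == "__main__":
    ring = SigningKeyring(max_age=86400, grace=3600)   # rotate daily, one hour of overlap
    ring.rotate(0)
    token = ring.sign({"sub": "alice"})
    print(ring.verify(token, 10), ring.rotation_due(86400))
    ring.rotate(86400)
    print(ring.verify(token, 87000), ring.verify(token, 90000))  # inside grace, then refused
```

The same structure applies to TLS certificates and data-at-rest keys: the key id travels with the artifact (certificate serial, KMS key version in the ciphertext header), the current version is used for new operations, and old versions are kept only as long as needed to re-sign or re-encrypt what they protect. The `rotation_due` check is what an automated job polls so that rotation does not depend on someone remembering to do it.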
Instasafe can help your organization stay safe from cyber threats.
Visit Instasafe for more information.