Many enterprises are trying to secure the user accounts for various cloud applications and services their employees use, and with good reason: Attackers have increasingly targeted cloud accounts and credentials through methods like phishing attacks and drive-by downloads in hopes of gaining entry into an enterprise IT environment. While much attention has been paid to protecting user accounts, root and administrative accounts can be much more devastating to an organization if they are compromised.
As an example, consider the case of Code Spaces, whose Amazon Web Services (AWS) management portal was compromised in 2014. Once the attacker had access, the company's entire infrastructure was exposed, and this ultimately led to the demise of the company. What should organizations do to protect the most privileged accounts associated with their environments and implement strong privileged user management?
In most infrastructure-as-a-service (IaaS) clouds, there are several forms of administrative or root access available. By default, IaaS environments require a user account to be created as an initial admin, which is often authenticated solely by a username or email address with a password. This initial administrator can then configure the environment and create new users and groups. User directories like Microsoft's Active Directory can also be linked to cloud access, granting cloud access to numerous administrators based on internal roles. Many IaaS system images or templates also include a default user account that has privileges associated with it. In Amazon Machine Images, this user is "ec2-user."
Basic privileged user management concepts
First, organizations should revisit the core concepts of privileged user management, which include separation of duties and least-privilege access models. Many cloud providers include built-in identity and access management tools that allow distinct policies to be created for each user and group the organization needs. This lets security teams help design reduced-privilege policies that allow admins to perform only the operations their roles actually require.
For cloud providers that do not support granular role and privilege models within their applications, this may be achieved by using an identity-as-a-service provider that proxies identity information between in-house credential stores and cloud provider environments, also acting as a single sign-on portal at the same time.
The use of multifactor authentication for all privileged user access to cloud environments should be mandatory, and this likely could have prevented the initial compromise of Code Spaces' console. Many providers offer a variety of different forms of multifactor access, including certificates on the endpoint, hard and soft tokens from leading multifactor providers, and SMS codes -- which are not as secure, but still better than nothing at all.
Ideally, any user with admin privileges will use an approved multifactor method to access management consoles and any other sensitive assets or services within all types of cloud environments. For most organizations, soft tokens and certificates will prove to be the most viable and secure options in privileged user management.
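The two controls above, a least-privilege policy per role and mandatory multifactor authentication for privileged access, can both be expressed in an AWS IAM policy document, and a policy can be linted for them before it is attached. The following is an added example, not code from the original article or from AWS: it builds a constructed policy for an "EC2 operator" role (the account id, region and tag value are placeholders) that scopes the allowed actions narrowly and denies everything except MFA self-service when the request did not use MFA, using the real `aws:MultiFactorAuthPresent` condition key. The `audit_policy` linter and its rules are the example's own assumptions; it checks only the one document it is handed, whereas effective permissions in AWS depend on every policy attached to the principal.

```python
import json

# Constructed least-privilege policy for an EC2 operator role.
# Placeholders: account 111122223333, region us-east-1, tag team=web.
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyInventory",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
            # Describe* calls do not support resource-level scoping, so "*" is unavoidable here
            "Resource": "*",
        },
        {
            "Sid": "StartStopOwnTeamInstances",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/team": "web"}},
        },
        {
            # Deny every action except MFA enrolment when the request carried no MFA.
            # BoolIfExists also matches requests where the key is absent entirely.
            "Sid": "DenyAllWithoutMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

# Constructed counter-example: the kind of "full admin" grant the article warns about.
FULL_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of findings (empty means the document passed the lint rules).

    Rules (this example's own, hypothetical):
      1. An Allow statement must not combine a wildcard action with a wildcard resource.
      2. An Allow statement should not grant every action in a service ("svc:*").
      3. There must be a Deny statement conditioned on aws:MultiFactorAuthPresent == false.
    """
    findings = []
    mfa_enforced = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") == "Allow":
            wild_action = any(a == "*" or a.endswith(":*") for a in actions)
            wild_resource = "*" in resources
            if wild_action and wild_resource:
                findings.append(f"{sid}: Allow on wildcard action AND wildcard resource")
            elif wild_action:
                findings.append(f"{sid}: Allow grants every action in a service")
        elif stmt.get("Effect") == "Deny":
            for operator, keys in stmt.get("Condition", {}).items():
                if operator in ("Bool", "BoolIfExists"):
                    if str(keys.get("aws:MultiFactorAuthPresent", "")).lower() == "false":
                        mfa_enforced = True
    if not mfa_enforced:
        findings.append("no Deny statement conditioned on aws:MultiFactorAuthPresent=false")
    return findings


if __name__ == "__main__":
    for name, policy in (("operator", OPERATOR_POLICY), ("full-admin", FULL_ADMIN_POLICY)):
        print(f"{name}: {audit_policy(policy) or 'OK'}")
    print(json.dumps(OPERATOR_POLICY, indent=2))
```

Run it as a pre-commit check over the policy files in an infrastructure repository; the operator policy passes, while the full-admin policy is flagged both for the unrestricted grant and for the missing MFA requirement.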
Finally, a critical part of controlling administrative and root access is the management and monitoring of cryptographic keys. Most admin accounts -- especially those built into default system images, such as the ec2-user in Amazon instances -- require the use of private keys for access. These keys are usually generated when a user is created, or they can be generated independently, and they must be carefully controlled to prevent illicit access to any account, especially admin or root users.
As part of privileged user management, security and operations teams should ensure keys are secured internally, as well as in the cloud, ideally in a hardware security module or other highly secure platform built specifically to control cryptographic keys. Developers who need to integrate keys into their deployment pipelines should leverage tools engineered to protect this sensitive information, such as Ansible Vault or Chef encrypted data bags.
To make sure privileged accounts aren't being abused, security teams should collect and monitor logs available in cloud environments, as well, using built-in tools like AWS CloudTrail or commercial logging and event monitoring tools and services.
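What "collect and monitor logs" looks like in practice for the root-account and key-management concerns above is a small set of detections run over CloudTrail records. The following is an added example, not code from the original article or from AWS. The records are constructed and trimmed to the fields the checks use (the user names, IP address and timestamps are placeholders), but the field names (`eventName`, `userIdentity.type`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) are the ones CloudTrail emits. The rule names, the threshold and the `analyze_cloudtrail` function are the example's own assumptions.

```python
from collections import Counter

# Constructed CloudTrail-style records (placeholders, not real activity).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2024-05-01T09:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "203.0.113.7"},
    *[{"eventTime": f"2024-05-01T09:1{i}:00Z", "eventName": "ConsoleLogin",
       "userIdentity": {"type": "IAMUser", "userName": "bob"},
       "responseElements": {"ConsoleLogin": "Failure"},
       "errorMessage": "Failed authentication", "sourceIPAddress": "203.0.113.9"}
      for i in range(3)],
    {"eventTime": "2024-05-01T09:20:00Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-deploy"}, "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2024-05-01T09:25:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.10"},
]

# Events that mint new long-lived credentials or SSH key material; each one
# should map to an approved change, so every occurrence is surfaced for review.
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateKeyPair", "ImportKeyPair", "CreateLoginProfile"}


def analyze_cloudtrail(events, failed_login_threshold=3):
    """Return a list of {"rule", "detail"} findings for the given CloudTrail records.

    Rules (this example's own):
      root_activity                   - any API call or login by the root identity
      console_login_without_mfa       - a successful console login where MFAUsed != "Yes"
      credential_created              - an event in CREDENTIAL_EVENTS
      repeated_failed_console_logins  - >= threshold failed logins for one principal
    """
    findings = []
    failed_logins = Counter()
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        name = ev.get("eventName")
        src = ev.get("sourceIPAddress", "?")

        if ident.get("type") == "Root":
            findings.append({"rule": "root_activity", "detail": f"{name} by root from {src}"})

        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Success":
                if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                    findings.append({"rule": "console_login_without_mfa",
                                     "detail": f"{who} logged in without MFA from {src}"})
            elif outcome == "Failure":
                failed_logins[who] += 1

        if name in CREDENTIAL_EVENTS:
            target = ev.get("requestParameters", {}).get("userName", "?")
            findings.append({"rule": "credential_created",
                             "detail": f"{who} ran {name} for {target} from {src}"})

    for who, count in failed_logins.items():
        if count >= failed_login_threshold:
            findings.append({"rule": "repeated_failed_console_logins",
                             "detail": f"{who}: {count} failed console logins"})
    return findings


def rule_counts(findings):
    """Summarise findings as {rule: count}, handy for a dashboard or alert routing."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for finding in analyze_cloudtrail(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['detail']}")
```

On the sample data the root console login produces two findings (root usage and a login without MFA), bob's three failures trip the threshold, and the access-key creation is surfaced for review. In production the same function would be fed from the CloudTrail JSON delivered to S3 or from a CloudWatch Logs subscription, and the threshold tuned to the environment.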