A recent report from the Cloud Security Alliance showed that identity and access management is one of the biggest issues facing companies deploying cloud apps. In 22% of those surveyed, compromised credentials were proven to be the direct cause of a data breach. Attackers will always favor stealing legitimate credentials; to most organizations' monitoring systems, a hacker logging in with a real username and password is indistinguishable from the real user. Only the more advanced defense systems are able to detect that a user has logged in and is behaving in an abnormal manner.
Only about half of organizations in the CSA report said they were using single sign-on, meaning that in many cases, cloud apps are being accessed with a password and have an account policy that may not conform to the enterprise policy. This also means that staff need to remember even more passwords, which tends to lead to poor practices such as using the same password or writing them down. Cloud apps without SSO are also unlikely to be connected to the organization's monitoring software, so failed and successful login attempts will not be recorded. This is low-hanging fruit for hackers, as taking advantage of poor password management is one of the easiest ways to break into any organization.
How hackers get around cloud IAM weaknesses
Most organizations use out-of-date password policies -- for example, eight characters with complexity requirements -- that do little to defend against the methods that hackers use to gain access to passwords. The correct way to defend against password guessing attacks is to use passphrases. However, even those organizations that correctly implement passphrases may find it difficult to extend this policy to the cloud, since many cloud apps enforce a maximum password length.
Password guessing is not the only method that hackers will use to gain access to accounts; credential theft is usually simpler via email phishing, a tactic favored by nation-state and organized crime attackers. Cloud IAM policies need to reflect this risk, and organizations should do their best to mitigate it by, for example, enforcing multifactor authentication on all internet-facing services.
Strengthening an organization's cloud IAM policy
The first step in ensuring that cloud IAM is managed correctly is to verify that the corporate IAM policy defends against the actual methods modern hackers use to target user accounts. The existing IAM policy must be modern and robust before it can be rolled out to cloud services. Once a policy has been put in place and tested, the next step is to extend it to cover cloud apps. However, the policy should not just be for the organization itself; it also needs to cover outsourced IT, vendors and third parties. This policy then needs to be centrally controlled, which is one of the key challenges.
Cloud IAM is not all about the provisioning of passwords; it's also about ensuring that as employees change roles or leave the company, their access is altered or removed. This requires a robust joiners, movers and leavers policy that encompasses all the cloud services -- and requires shadow cloud services to be known and understood by the organization. Not understanding who has access to cloud apps and why can significantly increase the risk from external hackers, as well as from insiders.
Cloud IAM is a major challenge in safely extending the corporate network perimeter to include the cloud. The key point is to understand who has access, and to what apps. The corporate IAM policy needs to be extended to encompass the cloud apps that you have identified, and then combined with alerting mechanisms that can report on unusual logon activity on cloud services. Undertaking this process reduces the likelihood that credentials can be stolen and misused without the organization being aware.
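The kind of alerting the article calls for, and the "abnormal manner" detection mentioned at the start, can be built from the SSO login events that centralised IAM makes available. The following is an added example, not code from the article: it runs a simple baseline check over a constructed set of SSO login records (user, timestamp, country, result), flagging a successful login from a country never seen for that user and two successful logins from different countries too close together to be plausible travel. The record layout, the two-day baseline window and the six-hour travel window are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SSO login events (not real data): user, ISO timestamp, country, result.
SAMPLE_EVENTS = [
    ("alice", "2024-05-01T08:02:00", "GB", "success"),
    ("alice", "2024-05-02T08:15:00", "GB", "success"),
    ("alice", "2024-05-03T07:58:00", "GB", "success"),
    ("alice", "2024-05-04T03:10:00", "RU", "failure"),
    ("alice", "2024-05-04T03:11:00", "RU", "success"),  # valid password, unusual origin
    ("bob",   "2024-05-01T09:00:00", "US", "success"),
    ("bob",   "2024-05-04T09:05:00", "US", "success"),
    ("bob",   "2024-05-04T10:40:00", "BR", "success"),  # US -> BR in 95 minutes
]

def parse(events):
    """Convert the string timestamps into datetime objects."""
    return [(u, datetime.fromisoformat(ts), c, r) for u, ts, c, r in events]

def find_unusual_logons(events, baseline_days=2, travel_window=timedelta(hours=6)):
    """Return a list of (user, timestamp, reason) alerts.

    Baseline: the countries each user successfully logged in from during the
    first `baseline_days` of the data (a naive split; a real system would keep
    a rolling per-user profile). Afterwards, alert when a successful login comes
    from a country outside that user's baseline, or when two successful logins
    from different countries fall within `travel_window` of each other.
    """
    parsed = sorted(parse(events), key=lambda e: e[1])
    start = parsed[0][1]
    baseline = defaultdict(set)   # user -> set of countries seen in the baseline period
    last_success = {}             # user -> (timestamp, country) of most recent success
    alerts = []
    for user, ts, country, result in parsed:
        if result != "success":
            continue              # only successful logins matter for these two checks
        if ts - start < timedelta(days=baseline_days):
            baseline[user].add(country)
        elif country not in baseline[user]:
            alerts.append((user, ts.isoformat(), f"new country {country}"))
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] < travel_window:
            alerts.append((user, ts.isoformat(), f"{prev[1]}->{country} within {ts - prev[0]}"))
        last_success[user] = (ts, country)
    return alerts

if __name__ == "__main__":
    for alert in find_unusual_logons(SAMPLE_EVENTS):
        print(alert)
```

Note that alice's login from RU is a valid username and password and would pass every authentication check; it is only visible as suspicious because the login events are centrally collected and compared against her history.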