How identity and access management is causing headaches in cloud security
Identity and access management (IAM) is seen as an important tool for determining who’s who in a nefarious cloud landscape – but organisations are struggling to get to grips with it, according to new research.
The latest Cloud Report from cloud access security broker (CASB) Netskope has revealed the majority of Center for Internet Security (CIS) benchmark violations occurring in Amazon Web Services (AWS) environments fall under the IAM remit.
The data, which comes from anonymised Netskope Security Cloud customer accounts, found that 71.5% of violations were related to identity and access management, compared with 19% for monitoring. EC2 was the most likely resource where organisations fell foul, accounting for two thirds (66.2%) of violations, with IAM itself only comprising 4.5%. 86% of breaches were classified as critical.
Netskope argues that this represents a gap in organisations’ plans for cloud security compared with their actual implementations. “While many organisations have controls around cloud services and implemented things like multi-factor authentication and single sign-on solutions, IaaS/PaaS identity and access policies still need to be set,” the report notes. “Many of the IAM violations involve instance rules and access to resources or password policy requirements – simple fixes that may not have been a focus when first setting up roles and instances.
“There has been a lot of focus on micro-segmentation security technologies for I/PaaS workloads, but of note are simple IAM policies that can be addressed directly in AWS without an external security solution,” the report adds.
Enterprises use an average of 1,246 cloud services – an increase of 5.5% compared with February’s previous analysis. HR and marketing, with averages of 175 and 170 per enterprise, are the most popular by a distance – yet 96% and 98% of these apps respectively are not enterprise-ready.
It is a similar story across the board. 94% of finance and accounting services are not deemed enterprise-ready, while the figure drops to only 93% for CRM and IT service and application management. Only cloud storage – with an average of 28 services being used per organisation – comes out of the figures with any respect, although more than two thirds (67%) are still not ready for the enterprise.
One interesting note is around the research methodology; while AWS was analysed because of its market share, the report noted the importance organisations were attaching to multi-cloud. This naturally gives security teams an even bigger headache than before.
“As organisations increasingly adopt a multi-cloud approach, IT teams must continuously assess the security of their public cloud infrastructure and be aware of the data moving in and out of those services,” said Sanjay Beri, Netskope founder and CEO. “Enterprises should consider using the same security profiles, policies and controls across all services – SaaS, IaaS and web – in order to reduce overhead and complexity as the use of cloud services scales.”
You can read the full report here.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.