Grounded in the Cloud
cancel
Showing results for 
Search instead for 
Did you mean: 

Cloud Security Threats - The challenges around identity and access management in the cloud

SimonLeech

This is the second blog in a series of 5 looking at some specific cloud security threats identified by the Cloud Security Alliance, available to download here. The other blogs in the series can be accessed by searching the blog for the tag cloudsecthreats.

This blog will look at the challenges around insufficient identity, credential, and access management in the cloud. Identity and Access Management (IAM) is always a hot topic when discussing cloud migrations with our customers, and one of the main points of entry for hackers trying to breach an organization. For an overview of what IAM means to cloud, please refer to Chris Steffen's recent Cloud Security 101 blog.

Time and time again, passwords are becoming the weakest link that attackers use to get into an organization – whether it be a mass password disclosure as the result of a provider data breach (check https://haveibeenpwned.com/ to see if your own email address has been breached), or a targeted attack using social engineering techniques, hackers have shown that the password is the easiest way to get in through the front door.

Identity management has long been an area for concern in the traditional datacenter, especially as users are expected to manage multiple identities for multiple systems. This concern has been dealt with, with a certain amount of success, through the use of identity federation systems and single sign on (SSO) solutions.

Identity.JPGHowever in a cloud environment, there are a couple of additional concerns that should be considered. Firstly, how will you deal with identity management integration with third party solutions, such as an online CRM tool or a cloud-based email service? Whilst a CSP (Cloud Service Provider) will likely be able to propose an in house solution, this raises credential lifecycle concerns as employees gain or lose access to systems. For this reason using identity federation between the CSP and the enterprise may make a lot of sense, although often the CSP either doesn’t provide the capability to integrate with enterprise identity and access management systems, or the customer chooses not to take advantage of the integration.

In a public cloud environment, where often an entire organization is protected by a single administrative user account, the chance of severe organizational impact is high, should a criminal manage to obtain the password – take for example the demise of Code Spaces in 2014. It is well worth reading the InfoWorld article for more details, but to summarize a cybercriminal obtained the password, failed to get Code Spaces to pay a ransom demand, and deleted the entire cloud instance including all backups, forcing the company out of business.

Additionally, the topic of multi factor authentication (MFA) systems, such as one time passwords or tools like Google Authenticator can provide a lot of value in an environment where the user no longer needs to be within the physical boundaries of an organization to log into a corporate owned system or application. Using multi factor authentication means that even when the user name and password of a system is disclosed, login is not possible without access to the system (either software or hardware based) providing the additional factor of authentication. Well implemented MFA systems considerably reduce the impact of a mass password breach, as well as making many social engineering techniques ineffective.

An example of where MFA would have provided value in a breach is the recent ‘Celebgate’ incident, where the iCloud accounts of many celebrities were breached and data stolen. The user IDs and passwords were stolen via a focused phishing attack, but the damage could easily have been prevented had the individual users enabled Apple iCloud multi factor authentication on their accounts.

A well thought out identity and access management strategy is critical to the success of the journey to the cloud. At Hewlett Packard Enterprise we deliver solutions to integrate enterprise directory services with cloud applications and service directories (for example HPE Helion Keystone), as well as products such as HPE Security ArcSight User Behavior Analytics to integrate user activity in the cloud directly into the enterprise SIEM.

0 Kudos
About the Author

SimonLeech

Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in Cloud Security Knowledge (CCSK) and Chief Technologist Security within the Hewlett Packard Enterprise EMEA Hybrid IT Team. Within Hewlett Packard Enterprise, Mr Leech is responsible for influencing and evangelising the security strategy of the Hybrid IT team. Simon is active on Twitter as @DigitalHeMan

Events
28-30 November
Madrid, Spain
Discover 2017 Madrid
Join us for Hewlett Packard Enterprise Discover 2017 Madrid, taking place 28-30 November at the Feria de Madrid Convention Center
Read more
See posts for dates
Online
HPE Webinars - 2017
Find out about this year's live broadcasts and on-demand webinars.
Read more
View all