The Cybersecurity Minefield of Cloud Entitlements

Almost as quickly as we experienced the pivot to work-from-home and to move-to-the-cloud to minimize the economic impact of the pandemic, we also saw what felt like a pick up in significant cyberattacks, from the Solarwinds supply chain attack to a raft of ransomware incidents.

How can your organization avoid such attacks? Did moving workers home and more workloads to the cloud actually increase the cyber risk for businesses? David Christensen, who has spent a decade working on cloud security at several startups and is now director of Global InfoSec Engineering and Operations for cloud and digital transformation at fintech B2B company WEX, believes that a little-known vulnerability is the cause of many of today's cloud security issues.

He says the biggest security gap today in the cloud has to do with cloud entitlements. Anything running in the cloud must have some sort of entitlement associated with it for it to interact with other resources -- for instance, giving a server permission to access particular storage or giving a server the ability to launch another service.

Humans are often in the position of setting up these entitlements in the cloud.

Christensen said that entitlement misconfigurations can happen when someone reuses a policy from one server for a new server because it includes all the things they need for that new server, and then they just ignore the things they don't need. But ignoring those other things is a mistake.

"You say 'I'm just going to use this policy because it looks like it's going to work for me,'" he said. But then that server inherits access to other resources, too, including access it doesn't need.

An accelerated move to the cloud can make matters worse.

"As a human being we can't process all those actions in such a short period of time to determine whether or not approval of a policy is going to lead to a future security incident," Christensen said. "It's what I keep describing as the Achilles heel of cloud security. It's like a matrix of if this then that, and most people who have to define that can't do it fast enough...When the business is trying to move fast, sometimes you just have to say, 'well, I don't think that this is bad, but I can't guarantee it.'"

The need to control cloud entitlements has led to a new category of software called cloud infrastructure entitlement management or CIEM. Gartner defines entitlement management as "technology that grants, resolves, enforces, revokes, and administers fine-grained access entitlements (also referred to as 'authorizations,' privileges,' 'access rights,' 'permissions' and/or 'rules.'"

Gartner predicts that by 2023, 75% of cloud security failures will result from inadequate management of identities, access, and privileges. That's an increase from 2020 when the number was 50%.

The accelerated move that many organizations have made to the cloud has made security failures more likely, according to Christensen. Some organizations may have tried to apply the same security measures that they used on-premises to the cloud.

"It creates a lot of gaps," Christensen said. "The surface area is different in the cloud."

Christensen found some security gaps when he joined WEX 2 years ago as an expert in cloud security. The company, which provides fleet card and B2B card services, had embarked on a cloud-first journey about a year before he joined.

To get a better idea of the extent of these issues at WEX, in January 2021 Christensen deployed an analytics-based discovery, monitoring, and remediation tool from Ermetic. Within the first 30 days of putting the platform into production, WEX found almost 1,000 issues, and it was able to close those gaps in its cloud security. By early July the platform had found a total of nearly 3,000 issues to fix.

"Again, the cause of these wasn't a lack of effort to try to build those least-privilege policies," Christensen said. "People thought they were following the right procedures as advised by Amazon, and as advised by peers in the industry."

But the scale of cloud entitlements had made it close to impossible for humans to do on their own. It's that type of use case where analytics and machine learning can help close the gap.

For WEX, the application has led to a better security posture for its cloud-first strategy. At a time when attackers are everywhere, that's so important.

"Ultimately, there are two or three things an attacker is trying to do -- get at your data, disrupt your business, or give you a bad reputation," Christensen said.

What to Read Next:

10 Tips for Landing a Job in Cybersecurity
More Remote Work Leads to More Employee Surveillance
Becoming a Self-Taught Cybersecurity Pro