REDUCING RISK IN CLOUD MIGRATIONS Controlling Privileged Access to Hybrid and Multi-Cloud Environments

Post on 18-Aug-2020


Page 1: Reducing Risk in Cloud Migrations Centrify · PAM best practices in the cloud, such as using root accounts only for “break glass” purposes, or eliminating local privileged accounts


Contents

About This Report (p. 3)
Key Findings (p. 4)
Benefits Driving Cloud Migration (p. 5)
Impediments to Cloud Migration (p. 6)
Objectives of Privileged Access to the Cloud (p. 7)
Responsibility for Securing Privileged Access to the Cloud (p. 8)
Privileged Access Challenges and Concerns (p. 9)
Sprawling Identity Repositories (p. 10)
PAM Practices in Cloud Environments (p. 11)
Key Action Items (p. 12)
Our Survey Respondents (p. 14)
About The Contributors (p. 15)

Centrify is redefining the legacy approach to Privileged Access Management by delivering cloud-ready Zero Trust Privilege to secure modern enterprise use cases. Centrify Zero Trust Privilege helps customers grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, Centrify minimizes the attack surface, improves audit and compliance visibility, and reduces risk, complexity and costs for the modern, hybrid enterprise. Over half of the Fortune 100, the world’s largest financial institutions, intelligence agencies, and critical infrastructure companies, all trust Centrify to stop the leading cause of breaches – privileged credential abuse.

US +1 (669) 444 5200
EMEA +44 (0) 1344 317950
Asia Pacific +61 1300 795 789
Brazil +55 11 3958 4876
Latin America +1 305 900 [email protected]

Centrify is a registered trademark of Centrify Corporation in the United States and other countries. All other trademarks are the property of their respective owners.


The prospect of using the public cloud has organizations excited about the cloud’s availability, accessibility, scalability, and speed of delivery. But shifting applications and workloads to the cloud presents organizations with the challenge of properly securing an environment they don’t fully control. To both manage and use cloud workloads, organizations must grant privileged access to internal users and to external partners and contractors. Too much access and privilege puts the workloads and the data they host at risk.

©2019 Centrify Corporation All Rights Reserved. Centrify.com 3

80% of data breaches involve privileged access abuse.*

*Forrester, “The Forrester Wave™: Privileged Identity Management, Q4 2018,” November 14, 2018.

How are organizations, as part of their cloud migrations, proactively addressing the known privileged access risks of shifting to the cloud?

About This Report

To better understand how the issue of privileged access is both perceived and being addressed as part of a cloud migration, we surveyed over 700 information security professionals. In this report, we’ll discuss what’s driving these migrations, and challenges organizations are facing as they move their operations to the cloud. We’ll then examine the number one concern cited around cloud — security.

This report looks at how organizations view securing privileged access to cloud infrastructure and workloads. Cyberattacks, by both internal and external actors, leverage privileged credentials. Therefore, cloud creates an expanded attack surface that can be exploited if organizations do not accept their responsibility to secure it.

Key Findings

The leading challenge facing cloud migration projects is security, selected as a top consideration by 60% of survey respondents.

71% understand that controlling privileged access to cloud service administrative accounts is a critical concern, yet only 53% cite secure access to cloud workloads as a key objective of their cloud Privileged Access Management (PAM) strategies.

There is still widespread misunderstanding of who is responsible for securing privileged access to cloud workloads. 60% of organizations incorrectly believe the cloud provider is responsible for securing privileged access, whereas the shared responsibility model is clear that this falls to the customer.

51% are taking different approaches to controlling access to cloud workloads than they do with their traditional on-premises environments. While some of the PAM “basics” like Multi-Factor Authentication (MFA) are being widely used, 68% are not implementing PAM best practices in the cloud, such as using root accounts only for “break glass” purposes, or eliminating local privileged accounts and federating access controls.

Many respondents appear to be out of touch with emerging concerns for controlling privileged access in multi-cloud environments. Only a third of respondents are using modern PAM solutions to avoid creating new identity silos in the cloud. This can increase their risk of identity sprawl and expand the attack surface, which is alarming considering that 76% are using more than one identity directory in their cloud strategy.

Benefits Driving Cloud Migration

The desire to operate in the cloud should be based on the ability to attain the benefits the cloud has long promised. The top two factors driving organizations’ move to the cloud are the ability to deliver IT services more quickly (65%), followed by a lower total cost of ownership (54%), as shown below.

WHAT IS THE TOP FACTOR DRIVING YOUR ORGANIZATION’S CLOUD MIGRATION?
Improved speed of IT service delivery: 65%
Lower total cost of ownership: 54%
Greater flexibility to react to market changes: 40%
Outsource IT functions that don’t create competitive differentiation: 22%
Increase competitiveness: 17%

Impediments to Cloud Migration

Migrating to the cloud isn’t without its problems. For many organizations, the move to the cloud is only one of many competing priorities, and it represents a significant new attack surface to secure. As shown below, the dominant concern impeding cloud migrations is security, named by 60% of organizations as their top challenge.

While other issues such as the cost of migration are also top-of-mind, organizations need to be laser-focused on how controls are implemented to secure access to cloud workloads.

WHAT IS THE TOP CHALLENGE OF YOUR ORGANIZATION’S CLOUD MIGRATION PROJECT(S)?
Security: 60%
Cost of migration: 35%
Lack of expertise: 30%
Too many essential resources incorporated into our own data centers: 29%
Executive support: 29%
Lack of time: 15%

Objectives for Privileged Access to the Cloud

Privileged access controls do more than limit access; they can be implemented to meet specific objectives. Most organizations (71%) are primarily focused on controlling privileged administrative access used to manage their cloud services, as shown below.

As the privilege becomes more task-, role-, or access-specific, interest in securing it as a goal diminishes: only 53% cite securing access to the workloads and containers they have actually moved to the cloud.

WHAT ARE YOUR PRIMARY OBJECTIVES IN APPLYING PRIVILEGED ACCESS CONTROLS?
Secure access to cloud service management: 71%
Secure access to cloud workloads and containers: 53%
Apply least privilege authorization to workloads: 48%
Delegate control for cloud services: 42%
Implement privileged session monitoring for cloud workloads: 40%

Responsibility for Securing Privileged Access to the Cloud

Cloud security follows a shared responsibility model: the cloud provider secures the underlying infrastructure, while the customer is responsible for the operating systems, applications, data, and the access security of each.

As shown below, 60% of organizations incorrectly view the cloud provider as being responsible for securing privileged access to cloud workloads.

DO YOU FEEL THAT PRIVILEGED ACCESS CONTROLS TO CLOUD WORKLOADS IS THE CLOUD SERVICE PROVIDER’S RESPONSIBILITY?
Yes: 60%
No: 40%

The AWS shared responsibility model (Source: Amazon Web Services Shared Security Model, July 2018):

Customer responsibility for security ‘in’ the cloud:
  Customer data
  Platform, applications, identity & access management
  Operating system, network & firewall configuration
  Client-side data encryption & data integrity authentication
  Server-side encryption (file system and/or data)
  Networking traffic protection (encryption, integrity, identity)

AWS responsibility for security ‘of’ the cloud:
  Software: compute, storage, database, networking
  Hardware/AWS global infrastructure: regions, availability zones, edge locations

Privileged Access Challenges and Concerns

From initially providing too much access, to not revoking access when it is no longer needed, privileged access requires a multi-faceted approach.

Our respondents indicate they are not yet addressing many of the key challenges they will likely face securing privileged access to cloud workloads. Only 54% are addressing third-party access to cloud workloads, and two-thirds (66%) are not addressing the creation of more identity silos.

Any of these can create gaps in cloud security strategies, elevating the risk posed by overprivileged users, contractors, partners, and threat actors. These gaps leave organizations exposed to risk and possible breach.

WHICH ASPECTS OF PRIVILEGED ACCESS ARE YOU CURRENTLY ADDRESSING AS YOU WORK THROUGH YOUR CLOUD MIGRATION? (addressing / not addressing)
3rd-party access to cloud workloads: 54% / 46%
Deprovisioning (e.g., to avoid former employees from having access): 43% / 57%
Overprivileged entitlements - too much on a given machine: 41% / 59%
Overprivileged entitlements - too many machines: 41% / 59%
Overprivileged entitlements - for too long a timeframe: 40% / 60%
Direct access to workloads via SSH keys or APIs, rather than using accounts and passwords: 33% / 67%
Creating identity silos: 34% / 66%

Sprawling Identity Repositories

Organizations frequently use more than one identity repository. This complicates creating, managing, and securing each instance in cloud environments.

As shown below, 76% of organizations use more than one identity repository. Additional repositories lead to identity sprawl, which can make the cloud a huge potential attack surface as organizations move to multi-cloud environments.

Managing multiple directories can also create a cost burden that many organizations are unprepared to take on.

Standardizing on a single identity repository and brokering access across the hybrid ecosystem can save money and reduce the risk of outdated or unnecessary privilege.

HOW MANY SEPARATE IDENTITY REPOSITORIES DOES YOUR CLOUD STRATEGY LEVERAGE?
More than one repository: 76%
One repository: 24%

PAM Practices in Cloud Environments

Organizations should apply a common security model in the cloud, on-premises, and in hybrid environments.

The majority of organizations aren’t applying many commonly accepted privileged access controls and are failing to follow least privilege principles. For example, 68% are not eliminating local privileged accounts in favor of federated access controls, and 68% are still using root accounts outside of “break glass” scenarios.

Even more concerning, 57% are not implementing least privilege access to limit lateral movement and enforce just-enough, just-in-time access.

WHAT SECURITY PRACTICES DO YOU HAVE OR PLAN TO APPLY TO YOUR CLOUD ENVIRONMENT? (applying / not applying)
Eliminate local privileged accounts and federate access controls: 32% / 68%
Use root accounts ONLY for break glass purposes: 32% / 68%
Privileged session monitoring: 38% / 62%
Least privileged access: 43% / 57%
Audit privileged sessions; Utilize enterprise directory accounts for privileged access: 43% and 49% / 57% and 51%
Common privileged access security model equivalent to on-premises: 48% / 52%
Multi-Factor Authentication for ALL privileged access: 60% / 40%
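Under the shared responsibility model on page 8, identity and access management is the customer's job, and the practices surveyed above (root used only for break glass, no local privileged accounts, MFA for all privileged access, timely deprovisioning) can all be checked from an AWS IAM credential report. The following Python script is an added example and is not code from the Centrify report: it audits a constructed sample report (the column layout is AWS's; the account, users and dates are invented) against those practices. The rule names, the 90-day staleness and 30-day root-use thresholds, and the `run_sample` helper are this example's own choices. In a real account you would fetch the report with boto3 `iam.get_credential_report()`, base64-decode its `Content`, and pass the CSV text to `parse_report`.

```python
"""Audit an AWS IAM credential report against the PAM practices in the report.

Added example, not Centrify code. Sample data below is constructed; the
column layout follows AWS's credential report, the rows are invented.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample credential report (AWS column layout, invented values).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2018-01-10T09:00:00+00:00,not_supported,2019-03-02T11:20:00+00:00,not_supported,not_supported,false,true,2018-01-10T09:05:00+00:00,2019-03-01T08:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2018-05-01T10:00:00+00:00,true,2019-03-03T07:00:00+00:00,2019-01-15T10:00:00+00:00,2019-04-15T10:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2018-06-01T10:00:00+00:00,true,2019-03-01T07:00:00+00:00,2018-06-01T10:00:00+00:00,2018-09-01T10:00:00+00:00,false,true,2018-06-01T10:05:00+00:00,2019-02-28T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
contractor-svc,arn:aws:iam::111122223333:user/contractor-svc,2017-11-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2017-11-01T10:05:00+00:00,2018-04-20T09:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Assumed "now" for the sample, so results are reproducible offline.
AUDIT_NOW = datetime(2019, 3, 4, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str


def _ts(value: str) -> Optional[datetime]:
    """Parse a report timestamp; N/A, no_information, not_supported -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def parse_report(csv_text: str) -> List[dict]:
    """Turn the credential report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit(rows: List[dict], now: datetime, stale_days: int = 90,
          root_window_days: int = 30) -> List[Finding]:
    """Flag deviations from the PAM practices named in the report."""
    findings: List[Finding] = []
    stale_before = now - timedelta(days=stale_days)
    root_after = now - timedelta(days=root_window_days)
    for row in rows:
        user = row["user"]
        is_root = user == "<root_account>"
        has_active_key = False
        # Deprovisioning: active keys that nobody has used for stale_days.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            has_active_key = True
            last_used = (_ts(row[f"access_key_{n}_last_used_date"])
                         or _ts(row[f"access_key_{n}_last_rotated"]))
            if last_used is not None and last_used < stale_before:
                findings.append(Finding(user, "stale-access-key",
                    f"access key {n} last used {last_used.date()}; rotate or deprovision"))
        if is_root:
            # Root should be break-glass only: MFA on, no API keys, no routine sign-ins.
            if row["mfa_active"] != "true":
                findings.append(Finding(user, "root-no-mfa", "root account has no MFA device"))
            if has_active_key:
                findings.append(Finding(user, "root-access-key",
                    "root has active access keys; root should be break-glass only"))
            last_login = _ts(row["password_last_used"])
            if last_login is not None and last_login >= root_after:
                findings.append(Finding(user, "root-used",
                    f"root signed in on {last_login.date()}; confirm it was a recorded break-glass event"))
            continue
        # Local IAM console users are the accounts federation should replace;
        # any of them without MFA violates "MFA for ALL privileged access".
        if row["password_enabled"] == "true":
            findings.append(Finding(user, "local-console-user",
                "local IAM console user; federate through the enterprise directory instead"))
            if row["mfa_active"] != "true":
                findings.append(Finding(user, "user-no-mfa", "console password enabled without MFA"))
    return findings


def run_sample() -> List[Finding]:
    """Audit the constructed sample at the assumed time."""
    return audit(parse_report(SAMPLE_REPORT), AUDIT_NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:20} {f.user:16} {f.detail}")
```

The credential report only shows credentials, not entitlements, so "local-console-user" flags every password-enabled IAM user as a federation candidate rather than deciding which ones are privileged; cross-reference with attached policies before acting on it.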

Key Action Items

1. Understand That Privileged Access to Cloud Environments is Your Responsibility
Build in privileged access controls as part of your cloud migration project. The tools included by cloud providers are not sufficient, and the responsibility of managing privileged access to cloud environments and workloads falls on your organization.

2. Reduce Risk Associated with Identity Sprawl
More than three-quarters of organizations are using more than one identity directory in their cloud strategy. You don’t want the headache and resulting security exposure of creating and managing all of those identity silos, including third parties. Leverage your existing directory to broker authentication to access cloud environments based on a privileged user’s identity and assigned rights.

3. Enforce Least Privilege
Allowing blanket privileged access is practically asking to be breached, either by an external actor looking for unrestricted access or an internal threat trying to exploit assigned privilege. Adopt a Zero Trust approach to PAM that prioritizes “just enough, just-in-time” access.

4. Employ a Common Security Model
Security is a challenge facing cloud migration, but many of the best practices used on-premises should carry over to cloud deployments as well. Move to an identity-centric PAM approach everywhere, no matter where you are in your cloud migration.

5. Modernize Your Security Approach
What you’ve always done may not be the best way going forward, especially for transformative technologies like the cloud. Turn to cloud-native PAM solutions to secure on-premises, hybrid, and multi-cloud environments.

You’re cloud-ready and your Privileged Access Management should be too. Don’t put your organization at risk of becoming the next data breach victim. Best-of-breed solutions are available to secure privileged access to cloud environments with a modern approach that can leverage your existing investments and security models.
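Action item 3 calls for “just enough, just-in-time” access but the report does not show what that looks like as an actual control. The following Python is an added example, not code from the report or from Centrify: it builds an IAM policy document whose single Allow is gated on MFA and on a short time window, using the real `aws:MultiFactorAuthPresent` and `aws:CurrentTime` condition keys, and includes a deliberately simplified evaluator for just those conditions so the window can be seen opening and closing. The evaluator is not the IAM policy evaluation algorithm (no Deny, NotAction, policy variables or cross-policy logic), and the function names, the one-hour cap, and the sample instance ARN are this example's assumptions.

```python
"""Just-in-time, MFA-gated IAM session policy (added example, not Centrify code).

build_jit_policy emits a policy document for use as an STS session policy;
would_allow is a simplified evaluator for the three conditions it emits.
"""
import json
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

IAM_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # the form IAM accepts for aws:CurrentTime


def build_jit_policy(actions, resources, start, minutes):
    """Allow `actions` on `resources` only within [start, start+minutes) and only with MFA."""
    if minutes <= 0 or minutes > 60:          # assumption: JIT grants are short-lived
        raise ValueError("JIT window must be between 1 and 60 minutes")
    start = start.astimezone(timezone.utc)
    end = start + timedelta(minutes=minutes)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "JustInTimePrivilege",
            "Effect": "Allow",
            "Action": sorted(actions),          # just enough: only the approved actions
            "Resource": sorted(resources),      # on the approved resources
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "DateGreaterThanEquals": {"aws:CurrentTime": start.strftime(IAM_TIME_FMT)},
                "DateLessThan": {"aws:CurrentTime": end.strftime(IAM_TIME_FMT)},
            },
        }],
    }


def _parse_iam_time(value):
    return datetime.strptime(value, IAM_TIME_FMT).replace(tzinfo=timezone.utc)


def would_allow(policy, action, resource, now, mfa_present):
    """Simplified check: an Allow statement matches action and resource and its
    Bool/Date conditions hold at `now`. Ignores Deny, NotAction, variables."""
    now = now.astimezone(timezone.utc)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, pat) for pat in stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {})
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue
        not_before = cond.get("DateGreaterThanEquals", {}).get("aws:CurrentTime")
        not_after = cond.get("DateLessThan", {}).get("aws:CurrentTime")
        if not_before and now < _parse_iam_time(not_before):
            continue
        if not_after and now >= _parse_iam_time(not_after):
            continue
        return True
    return False


# Constructed scenario: a 30-minute approval to reboot or stop one instance.
SAMPLE_INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123"
GRANT_START = datetime(2019, 3, 4, 14, 0, tzinfo=timezone.utc)
SAMPLE_POLICY = build_jit_policy(
    actions={"ec2:RebootInstances", "ec2:StopInstances"},
    resources={SAMPLE_INSTANCE},
    start=GRANT_START,
    minutes=30,
)


def check_window(offset_minutes, mfa_present, action="ec2:RebootInstances",
                 resource=SAMPLE_INSTANCE):
    """Evaluate the sample grant `offset_minutes` after it was issued."""
    return would_allow(SAMPLE_POLICY, action, resource,
                       GRANT_START + timedelta(minutes=offset_minutes), mfa_present)


if __name__ == "__main__":
    print(json.dumps(SAMPLE_POLICY, indent=2))
    for offset, mfa in ((10, True), (10, False), (31, True)):
        print(f"t+{offset:>2}min mfa={mfa!s:5} -> {'allow' if check_window(offset, mfa) else 'deny'}")
```

Pass the document as the `Policy` parameter of `sts:AssumeRole` (with a matching short `DurationSeconds`) so the session is scoped down to the approved actions and expires with the window even if the role itself is broader; a session policy can only narrow what the role's permission policy already allows, so the role remains the ceiling and the grant is the floor.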

Our Survey Respondents

Over 700 respondents from the United States, Canada, and the United Kingdom participated in this year’s report.

BREAKDOWN OF RESPONDENTS BY ORGANIZATION SIZE
Response by organization size reveals solid representation of organizations of every size. Enterprise and SMB organizations were best represented.
1,501+ employees: 46%
1-500 employees: 37%
501-1,500 employees: 17%

THE INDUSTRY VERTICALS REPRESENTED IN THIS REPORT
Organizations in every industry vertical are making shifts to the cloud. In our report, over 50 industry verticals are represented, with the top 10 shown below.
Technology: 21%
Finance: 14%
Education: 10%
Government: 10%
Healthcare: 9%
Manufacturing: 8%
Telecoms: 5%
Retail: 4%
Energy & Utilities: 3%
Biotech & Pharma: 2%

About the Contributors

Nick Cavalancia

Nick Cavalancia is a cybersecurity expert with over 25 years of enterprise IT and security experience. He regularly blogs, writes, and speaks on a wide range of cybersecurity and cloud adoption issues, helping organizations, IT professionals, Managed Service Providers, and technology vendors understand the current threat landscape, and how to build and execute strategies that minimize risk.

Centrify

Centrify is redefining the legacy approach to Privileged Access Management by delivering cloud-ready Zero Trust Privilege to secure modern enterprise attack surfaces. Zero Trust Privilege mandates a “never trust, always verify, enforce least privilege” approach. Centrify Zero Trust Privilege helps customers grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.