As the pressure to develop and deliver increases, many enterprises rely on third parties to help operate and develop their businesses. Those third-party software and service providers and partners are also part of the attack surface of the cloud environment. Enterprises cannot completely sever their connections with third parties, but they can enforce the principle of least privilege when granting them access to single-cloud and multi-cloud environments. This article explains how third parties affect cloud risk and the techniques that mitigate that risk.
The impact of third parties on the cloud environment
Third parties, including suppliers, contractors, partners, and even cloud providers, are essential components of the enterprise business ecosystem. They help businesses grow in many areas, from software engineering and IT to marketing and business development, law and strategy. Many of these third parties in turn collaborate with other third parties to achieve their own business goals, forming a supply chain of interconnected relationships between companies and networks.
However, these third parties and supply chains also create substantial risk in the cloud environment. According to IBM's 2022 Cost of a Data Breach Report, 19% of breaches were caused by a compromised supply chain, the average total cost of a third-party breach was as high as 4.46 million US dollars, and such breaches took 26 days longer than the global average to identify and contain.
Third-party vulnerabilities are not only a matter of software; discrepancies, mismatches, and practices below the organization's own standards also create weaknesses. Some third parties pay little attention to password security; others reuse credentials or inadvertently misconfigure their environments. Once an attacker compromises such a third party, the access it holds becomes a path straight into the enterprise environment. Enterprises tend to view third-party collaborators as trusted entities, so third parties are usually granted access to, and control over, sensitive resources. Through human error, negligence, or lack of understanding, those permissions are often over-privileged, intentionally or not, and attackers exploit exactly that trust to move through the enterprise environment.
Third-party risks are different from local risks
In the cloud, over-trust in third parties and supply chain participants is riskier than in on-premises environments. On-premises servers and components sit inside a definable network boundary that can be protected with perimeter controls such as firewalls. In the cloud, infrastructure is distributed and runs on public infrastructure shared with other tenants, so there is no single perimeter to draw around it. Security policies and tools built around that perimeter (such as on-premises PAM) are therefore no longer sufficient on their own.
In addition, the distributed nature of the cloud, together with employees' dependence on cloud-based resources (such as SaaS applications), has changed connection requirements. Enterprises that have adopted the cloud now rely on identities and credentials as the primary means of granting access to company resources, which makes identity the new security boundary. At the same time, the cloud has pushed many architectures from monoliths to microservices to support greater development agility, and those services likewise depend on digital identities as their primary means of accessing resources.
Identity management is becoming increasingly complex
In the cloud, IT, DevOps, security, and DevSecOps teams now manage a vast number of new digital identities. Each identity carries a complex set of permissions that determines which resources it can reach and what operations it can perform on them. In the Identity Defined Security Alliance (IDSA) 2022 Trends in Securing Digital Identities survey, 52% of security professionals named cloud adoption as a driving force behind the growth of enterprise identities.
Managing and monitoring these identities and their permissions is extremely complex. When a large number of identities meets a large number of complex permissions, human error becomes unavoidable. According to Verizon's 2022 Data Breach Investigations Report, leaked credentials are the leading security issue for enterprises, and the report links successful attacks, ransomware included, to misconfigured identities, risky third-party identities, and risky access keys. In other words, third-party credentials are a major cause of attacks on companies and of the leakage of their data, so protecting third-party credentials has to become a core part of the security strategy.
Implement the principle of least privilege for third parties in the cloud
The level of detail, the breadth of data, and the speed of decision-making required to manage and monitor least privilege are beyond what manual review can sustain, so the work has to be automated. Enterprises can reduce third-party risk by combining automation with the principle of least privilege. The following six points describe what an automated mechanism must do to protect the enterprise from third-party risk while keeping permissions to a minimum:
1. Check for unnecessary third-party permissions
Cloud-based access management is extremely complex. An automated multi-cloud monitoring mechanism checks third-party credentials for excessive permissions or dangerous combinations of permissions, and determines whether they violate least privilege by giving the third party the ability to read sensitive data or modify infrastructure. For a cross-account role this means examining both sides: who is allowed to assume the role (the trust policy) and what the role may do once assumed (the permission policy).
2. Monitor Based on Context
Modern security policy applies controls in context. For permissions, that context is the scope in which a permission is used: permissions that go beyond least privilege, that is, beyond what the identity actually uses, are the ones to monitor and reduce. Automated controls also let you mark accounts and services as trusted, which keeps false alerts down.
3. Automatically Fix Third-Party Vulnerabilities
A flood of alerts leads to fatigue in development, IT, and security teams, so automated remediation is essential. An automated solution can recommend a policy and apply the fix inside the enterprise's own workflows, including shifting the fix left into infrastructure-as-code, leaving only the genuinely critical issues for the relevant teams to judge and resolve and cutting the time spent working through alert queues.
4. Set Permission Thresholds
Setting permission thresholds that limit what each identity can do minimizes risk by bounding what a user could do if the identity were misused. Automated thresholds matter most for third parties, because IT teams often give them far more access than they need, or simply accept the cloud provider's default configuration without studying how to restrict the permissions to the resources the third party actually requires.
5. Ensure Usability
The automated solution must be easy to use. Integrate it into the workflows of the development and security teams, and pair it with understandable dashboards, clear instructions, and CI/CD pipeline hooks so that managing third-party identities becomes simpler, not another burden.
6. Deliver JIT Access
JIT (Just-In-Time) access is a security principle under which a user is granted a permission for a limited period and the permission is then revoked. JIT is especially useful when access is needed to complete a specific task, such as a developer fixing an error in production. A secure automated solution also supports JIT access for third parties: when a supplier needs to reach a sensitive environment to resolve an important issue, the enterprise can grant that access for the duration of the task without leaving a standing privilege for an attacker to abuse.
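Points 1, 4, and 6 above come together in a concrete check of a vendor's cross-account role. The script below is an added example and is not code from the original article or from any vendor's product. It assumes AWS IAM policy documents, a constructed enterprise account ID and vendor account ID, and a constructed action threshold for one vendor task; it audits the vendor's trust policy (who may assume the role, and whether the trust is pinned with an `sts:ExternalId`), audits the permission policy against the threshold, and then builds a just-in-time grant whose `aws:CurrentTime` condition makes IAM itself stop honouring it when the window closes.

```python
"""Audit a vendor's cross-account IAM role against a least-privilege
threshold and mint a time-boxed (JIT) replacement grant.

Added example: the account IDs, policy documents and action threshold
are constructed for illustration, not taken from the article."""
import json
from datetime import datetime, timedelta, timezone

OUR_ACCOUNT = "111111111111"   # constructed: the enterprise's own account
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the UTC form IAM uses for aws:CurrentTime
EXAMPLE_START = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed

# Constructed threshold (point 4): the only actions this vendor's task needs.
THRESHOLD = {"s3:GetObject", "s3:ListBucket", "logs:FilterLogEvents"}
# Actions that let the holder administer identities or escalate outright.
ADMIN_ACTIONS = {"*", "iam:*", "iam:PassRole", "sts:AssumeRole"}

# Constructed sample: an over-privileged vendor role as commonly found.
VENDOR_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}],
}
VENDOR_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:FilterLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111111111111:log-group:/app/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, our_account=OUR_ACCOUNT):
    """Point 1: who may assume the role, and is that trust bounded?"""
    findings = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                findings.append("trust: any AWS principal may assume the role")
                continue
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account == our_account:
                continue
            # Third-party principal: pin it to one role and require an ExternalId,
            # otherwise the vendor can be used as a confused deputy.
            if arn.endswith(":root"):
                findings.append(f"trust: {arn} lets every identity in the vendor account assume the role")
            ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if not ext_id:
                findings.append(f"trust: no sts:ExternalId condition for external account {account}")
    return findings


def audit_permissions(policy, threshold=THRESHOLD):
    """Points 1 and 4: flag every grant that exceeds the agreed threshold."""
    findings = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st["Action"])
        for action in actions:
            if action in ADMIN_ACTIONS:
                findings.append(f"perm: {action} allows identity administration or escalation")
            elif "*" in action:
                findings.append(f"perm: wildcard {action} exceeds the threshold")
            elif action not in threshold:
                findings.append(f"perm: {action} is outside the threshold")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"perm: {actions} granted on Resource '*'")
    return findings


def hardened_trust_policy(vendor_role_arn, external_id):
    """Trust exactly one vendor role, and only when it presents the shared ExternalId."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"AWS": vendor_role_arn},
                           "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def jit_policy(actions, resources, minutes, start):
    """Point 6: a grant IAM stops honouring once the window closes. aws:CurrentTime
    is checked against the Date bounds on every request, so expiry does not
    depend on someone remembering to revoke the grant."""
    end = start + timedelta(minutes=minutes)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": resources,
                           "Condition": {"DateGreaterThan": {"aws:CurrentTime": start.strftime(TIME_FMT)},
                                         "DateLessThan": {"aws:CurrentTime": end.strftime(TIME_FMT)}}}]}


def jit_is_active(policy, at_time):
    """Local re-check of the window; at_time is a CloudTrail-style UTC timestamp."""
    cond = policy["Statement"][0]["Condition"]
    start = datetime.strptime(cond["DateGreaterThan"]["aws:CurrentTime"], TIME_FMT)
    end = datetime.strptime(cond["DateLessThan"]["aws:CurrentTime"], TIME_FMT)
    return start < datetime.strptime(at_time, TIME_FMT) < end


if __name__ == "__main__":
    for f in audit_trust_policy(VENDOR_TRUST_POLICY) + audit_permissions(VENDOR_PERMISSION_POLICY):
        print("FINDING", f)
    grant = jit_policy(THRESHOLD, ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"], 60, EXAMPLE_START)
    print(json.dumps(grant, indent=2))
```

Run against the constructed vendor role, the audit reports a `:root` principal with no `sts:ExternalId`, a wildcard `s3:*`, an `iam:PassRole` escalation path, and two grants on `Resource: "*"`. The hardened trust policy produces no findings, and the JIT grant built from the threshold passes `audit_permissions` unchanged, so the same checker can gate both the vendor's standing access and each temporary grant before it is attached.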
Conclusion
From a business perspective, third parties are as much a part of the company as any internal department. From a security perspective, however, they must be treated consciously and strategically as distinct entities: the enterprise cannot control a third party's security practices, and that gap is a significant risk. One way to manage it is an automated security solution that enforces least privilege and JIT (Just-In-Time) access. Automated permission management and monitoring reduce access risk by granting third parties (developers included) only the permissions they actually need, which is an effective way to balance the continuity and the security of cloud business.