An analysis of 25 large enterprises with more than 10,000 cloud accounts finds that 61% of the identities associated with them are unused.
Conducted by Sonrai Security, a provider of a platform for identifying sensitive data that has been left exposed in cloud computing environments, the analysis also finds that 92% of all identities with access to sensitive permissions were not used for more than 90 days.
On average, each organization manages 11,290 identities, with 19% of them associated with humans and the other 81% being machine identities. A full 61% of those identities are unused, however, with 88% of the unused identities belonging to zombie machines and 12% attributed to humans.
Few Organizations Limit Privileges
Sonrai Security CEO Brendan Hannigan said the report makes it clear that many organizations are still not tracking how cloud resources are being accessed in an age where cybercriminals routinely steal credentials. In addition, even fewer are limiting privileges, so when credentials are stolen it’s not uncommon for cybercriminals to gain access to the entire cloud computing environment, he added.
Much of that lax security can be attributed to convenience, noted Hannigan. Application developers, for example, are routinely granted overly permissive privileges to perform specific tasks, and those privileges are never revoked. Most cloud security incidents could be contained if organizations spent a little more time auditing who and what has unnecessary access to cloud resources, said Hannigan.
Mastering the Fundamentals of the Cloud
Part of the reason this issue persists is that many organizations have yet to master the fundamentals of the cloud operating model, he added. Organizations are expected to share responsibility for securing IT environments with the cloud service provider, but far too many continue to assume those providers are securing data and applications in addition to the infrastructure services they provide, noted Hannigan.
Too often, application developers are provisioning infrastructure with little to no supervision in the name of productivity, which then makes it relatively simple for cybercriminals to exploit misconfigurations, he added.
It’s not clear why so many organizations are not implementing best cloud security practices, but in their absence, many cybercriminals routinely target cloud services that they know are poorly defended. It’s not that the cloud computing environment itself is insecure; it’s just that the processes relied on to secure it continue to be relatively immature.
The challenge cybersecurity professionals face, as usual, is inserting themselves into those workflows in the least disruptive way possible. Otherwise, application developers will simply look for ways to do end runs around processes they deem to be obstacles to be overcome rather than guardrails that protect them.
Alas, the number of developers far exceeds the number of cybersecurity professionals. It’s not economically feasible for organizations to add a cybersecurity professional to every application development team. Instead, cybersecurity professionals will need to find someone on those teams who is willing to listen and share best security practices with other developers on that team. After all, developers are much more likely to take advice from one of their own than from a cybersecurity professional who typically doesn’t have much in the way of hands-on coding expertise.