With the introduction of cloud we saw a major shift in enterprise perimeters. The traditional approach to defend a network was to set up perimeter defenses such as firewalls and intrusion prevention/detection systems.
In the modern digital world with customers, remote workers, vendors, distributed offices being fully remote, the concept of classic perimeter no longer exists. Firewalls that once protected all the resources inside the four walls of a data center today cannot protect cloud workloads.
Identity as a Disruptor
The fundamental unit of any access in all cases is an identity. With an identity token, a user or device can get access to an enterprise service. In the cloud, identity is everything, in the hands of an attacker, the same identity token grants similar access. As the number of users and connected devices accessing the cloud (Iaas, PaaS and SaaS) grow, the number of identities increase. With an exponential increase in identities, there is an increase in attack surfaces.
Perimeter-less borders require solid identity strategies and operational models to enable control over all users and devices.
Why the Attackers are Behind Identity these Datys
The attacks and attacker patterns also changed drastically. The attackers stopped attacking perimeter security devices and network security devices. They are behind identities. This is evident from recent cyber-attacks like Solorigate.
How a Zero Trust Model can Rescue Enterprises
A Zero-trust identity (also known as Trust but verify) model integrates all security domains, creating identity-aware infrastructure for control, visibility and governance of human/machine identities, applications and devices.
A zero trust model ensures that a request is valid and clear to gain access at every stage. The Zero Trust model provides controls for identity-based soft perimeter that go beyond credentials. Following a least privilege model combined with conditional access and resource segmentation further minimizes the attack surface. Even when the infrastructure or services get attacked from identity based attacks (like password spray or stolen credentials) the data and resources stay protected.
Out of the 8 major cloud/security transformations (over $50m US) that I have participated in since 2015, only one enterprise had a dedicated strategy and program to reevaluate the cloud identity strategy. Their security team firmly believed in the concept of Zero Trust. Their identity team was involved in the digital/cloud transformation game early. They mapped multiple possible cloud identity use cases, ran a bunch of POC (Proof of Concepts) with cloud identity solutions and solidified their cloud identity strategy. The result:
- The technology and business units were able to smoothly migrate their workloads to the cloud
- Security operations were able to see an environment with minimal attack surface and exposure
- Zero security incidents and privacy violations during and after cloud migration
Only identity can both enable the enterprises to secure their resources (people, process, technology and data) while giving end-users the convenience and ease-of-use they seek. It was a win-win for all the stakeholders.
It’s Not Too Late!
Even though you have missed positioning your identity strategy in the first place, consider using an infrastructure-as-code security tool to catch potential identity issues before they make their way to your environment in order to prevent a security breach. These IaC security tools scan your terraform files to identify and remediate security violations in your cloud enabling you to focus more on your business strategy.