[06-27-24]--Securing Identities in the Cloud
Defense in Depth
Securing Identities in the Cloud
How are we securing identity in the cloud? Unlike on-prem, the cloud requires you to cede control to a vendor. So what can we do to keep identities safe?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is our sponsored guest Adam Bateman, CEO, Push Security.
Editorial note: Geoff Belknap is an advisor to Push Security.
Where are we going wrong
Before we can start addressing the correct ways to secure identities in the cloud, it’s important to recognize our current state. Christina Morillo of the New York Football Giants shared a list of failed practices. There’s a litany of cloud identity sins in it, including MFA not being enforced, unrestricted external access to file sharing, and giving regular user accounts highly privileged roles. All of these center around organizations giving attackers easy opportunities to move laterally in a cloud tenant.
Finding the missing pieces
A lack of SSO standards resonates with a lot of security professionals. "Choosing SaaS products that support industry standard SSO such that we can provision, permission, authenticate, and of course, de-provision from our cloud-based IdP across the board," is sorely needed according to Sean R. Turner, CISO of Twinstake. We have SSO solutions, but because of industry fragmentation, they're not getting the job done. "What we are missing is a single SSO standard. The issue we have isn't the lack of SSO or its implementation. It's that there are too many standards. For example, SAML, OAuth, OIDC, or OAuth with OIDC; many times a service won't support a particular provider," said Brandon Maytham of Kroo Bank.
Protecting an expanding border
We know identity is the new perimeter because it’s where threat actors keep targeting. But the explosive growth of identities makes securing them challenging. "Identities keep expanding, both in amount and scope, and the ways to identify entities are ever evolving. It seems we have a gap in being able to track all of these different types of identities against a predictable lifecycle and expected uses," said Jay Dance of StubHub. Just keeping an inventory of our provisioned identities is not a solved challenge. Jeff Moncrief of Sonrai Security laid out the issue, saying, "We need awareness and mitigation of the entire unused permission attack surface. From identities to services and everything in between, a holistic shift in how we view everything unused but turned on across our cloud estates. The ‘unused’ problem is much bigger than just unused identities."
It starts with understanding risk
Because of the explosive growth of identities in the cloud, we need tools to continuously review what they can access. From there, a risk-based approach to permissions will allow organizations to get a handle on the issue. "We need to ensure continuous access reviews and risk and SoD violations as defensive mechanisms. One of the architectures being very effective these days is risk-based provisioning for both cloud-based identity provisioning as well as SSO-based provisioning," said Nihar Dhruva of SunPower Corporation.
Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to Colt Blackmore of Reach Security for being an unwitting participant in this week’s episode.
Thanks to our podcast sponsor, Push Security
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Super Cyber Fridays!
Join us, Friday [07-12-24], for "Hacking the Materiality of a Data Breach"
Join us Friday, July 12, 2024, for “Hacking the Materiality of a Data Breach: An hour of critical thinking about when a breach is material or not.”
It all begins at 1 PM ET/10 AM PT on Friday, July 12, 2024, with guests Jason Clark, Chief Strategy Officer, Cyera, and a special guest (that means we’re still in booking mode). We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Cyera
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jim Bowie, CISO, Tampa General Hospital.
Thanks to our Cyber Security Headlines sponsor, Prelude
Sponsored content
The Crucial Role of Network Segmentation in OT Environments with DirectDefense
Network segmentation plays a critical role in Operational Technology (OT) environments. Contrary to popular belief that segmentation is primarily for resilience and uptime, Christopher Walcutt, CSO, DirectDefense emphasizes that it's more about achieving visibility. Even the best monitoring tools are ineffective without proper segmentation, as OT networks are often set up with open communication between devices, hindering threat detection.
Huge thanks to our sponsor, DirectDefense
Cyber chatter from around the web...
Jump in on these conversations
"Do you allow employees to use your company email on iPhone/Android native email apps?" (More here)
"Enterprise Password Manager" (More here)
"Stunted career growth" (More here)
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[07-12-24] Hacking the Materiality of a Data Breach
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.