Delinea | Privileged Access Management Blog

Cloud Accounts: The Overlooked Privileged Identity

Written by Jeff Carpenter | Oct 29, 2024 12:00:00 PM

Cloud administrative accounts are prime targets for cyberattacks.

Cybercriminals are modifying their strategies: email is being deprioritized as a preferred attack vector (down from 52% to 37% YoY) in favor of a variety of methods that target cloud accounts (44%) and compromise applications (39%), according to our most recent Ransomware Research Report. Gaining control of a cloud admin account can reap a big payoff for an attacker in terms of ransomware, exfiltration of sensitive data, or bringing down an organization’s development and production environments.

The challenge for many organizations is that privileged and administrative cloud accounts often operate under the radar, unknown and unseen, leaving them vulnerable to an attack.

What is a cloud account?

These are administrative accounts that have elevated privileges, or rights, to control cloud infrastructure and applications. These can be accounts like your master Google, Amazon or Microsoft cloud administrative accounts. They can also be cloud infrastructure accounts that control the creation of virtual machines and containers. Cloud accounts can be individual privileged users who have received temporary or permanent escalation of rights to perform a job or task.

Often, these cloud administrator accounts are known to IT, but their access to specific cloud resources isn’t well documented or managed. Moreover, since the cloud is built for agility and speed, best practices like requiring multi-factor authentication (MFA), vaulting of administrative credentials, and rotation of keys can often be overlooked or inconsistently applied. Everything in the cloud can change in the blink of an eye, so constant discovery is needed to keep up.

Cloud administrators are a fast-moving bunch. Especially in development environments, they’re constantly spinning up virtual machines and containers for testing. They’re adding new users like third-party developers and contractors to the mix. Identities and access permissions are often decentralized among multiple identity providers and across resources, so access pathways – who got access, how, and why – are hard to determine with traditional IT approaches.

The issue is: how do you know, at any given moment, who your cloud administrators are?

Well, you could scan each one of your public cloud instances and build a list manually. But chances are you’d have incomplete information before the list is even finished. You’d never be able to stay up to date.

You could rely on each cloud platform to provide details on all privileged accounts and identities that have access, using their native tools. There are several issues with that approach, however:

  • Some cloud platforms provide information on delegated access. For others, it’s challenging. AWS, for instance, can make it difficult to see who has received privileged access from another cloud admin. So, let’s say a cloud admin goes on vacation and delegates tasks to a different member of the team. That person may retain access even after their colleague returns. You’d never know about these shadow cloud administrators.

  • Even if you had the information, lists that cloud platforms provide would be disconnected from your central access control policies, MFA enforcement, risk management, auditing, and usage analytics. You’d still need to shoulder the burden for proper identity and access management.

  • Each cloud provider only knows about the access an identity or account has in its environment. It doesn’t have the full picture of privileged access across multiple cloud environments, so you won’t be able to understand your risk exposure should that identity or account be compromised.

Best practices in cloud identity discovery

What’s the best way to discover privileged accounts operating in the cloud?

To eliminate gaps in your attack surface, the cloud discovery process needs to be seamlessly integrated with Privileged Access Management (PAM) as part of a holistic identity security strategy. It must be granular so that you can identify the owner and all the users of each administrative and privileged account with cloud access, the specific resources and data they can access, and when they can do so.

APIs that provide a direct connection to public cloud instances are more stable and secure than ad hoc scripts, which tend to break whenever cloud service providers update their platforms.

Automation is key. Since cloud environments are ever-changing, discovering new users, detecting changes in existing privileges, and identifying potential shadow admins are necessary on a continuous basis.

From cloud identity discovery to ongoing privileged management

Once you discover accounts with cloud access, you can bring them under centralized control and manage them through your PAM vault just like any other type of privileged account. This means that admin credentials, secrets, and keys can be securely stored and accessed in alignment with your IT policies. You don’t need to have one policy for local admins and another for cloud admins. Instead, you can apply consistent policies, including just-in-time (JIT) and just-enough privileges (JEP), to avoid exposing standing privileges.

In addition, by integrating solutions for Cloud Identity Entitlement Management (CIEM), you can confirm that policies are applied and working as you expect. For example, you can double-check that MFA is properly configured for cloud access. If it’s not, you can quickly remediate the issue before an attacker has a chance to take advantage.
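The three checks the post calls for (spotting privilege changes between discovery runs, flagging shadow admins who gained rights through delegation, and confirming MFA on admin access) can be illustrated with a small snapshot-diff script. The following is an added example, not Delinea's code or the Delinea Platform's API. It assumes a simple inventory format of IAM-style principals with directly attached policies, group memberships and an MFA flag, plus the policies attached to each group; the two snapshots, the approved-admin roster and the set of policies counted as administrative are all constructed for the illustration.

```python
"""Snapshot-diff discovery of cloud admins, shadow admins and MFA gaps.

Added example, not Delinea's code. The inventory format is an assumption:
each snapshot holds IAM-style principals with directly attached policies,
group memberships and an MFA flag, plus the policies attached to each group.
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Policies treated as administrative. AdministratorAccess and IAMFullAccess are
# real AWS-managed policy names; treating exactly these as "admin" is an
# assumption of this example.
ADMIN_POLICIES: Set[str] = {"AdministratorAccess", "IAMFullAccess"}


@dataclass
class Principal:
    name: str
    policies: Set[str] = field(default_factory=set)  # attached directly
    groups: Set[str] = field(default_factory=set)    # group memberships
    mfa_enabled: bool = False


@dataclass
class Snapshot:
    principals: Dict[str, Principal]
    group_policies: Dict[str, Set[str]]  # group name -> policies on the group

    def effective_policies(self, name: str) -> Set[str]:
        """Direct policies plus everything inherited through groups."""
        p = self.principals[name]
        eff = set(p.policies)
        for g in p.groups:
            eff |= self.group_policies.get(g, set())
        return eff

    def admin_paths(self, name: str) -> List[str]:
        """How this principal reaches an admin policy: directly or via a group."""
        p = self.principals[name]
        paths = [f"direct:{pol}" for pol in sorted(p.policies & ADMIN_POLICIES)]
        for g in sorted(p.groups):
            for pol in sorted(self.group_policies.get(g, set()) & ADMIN_POLICIES):
                paths.append(f"group:{g}:{pol}")
        return paths


def find_admins(snap: Snapshot) -> Dict[str, List[str]]:
    """Every principal holding an admin policy, with the path that grants it."""
    return {n: snap.admin_paths(n) for n in sorted(snap.principals) if snap.admin_paths(n)}


def shadow_admins(snap: Snapshot, approved: Set[str]) -> Dict[str, List[str]]:
    """Admins not on the approved roster, e.g. access delegated and never revoked."""
    return {n: paths for n, paths in find_admins(snap).items() if n not in approved}


def mfa_gaps(snap: Snapshot) -> List[str]:
    """Admins whose MFA flag is off: remediate before an attacker finds them."""
    return [n for n in find_admins(snap) if not snap.principals[n].mfa_enabled]


def diff_snapshots(old: Snapshot, new: Snapshot) -> Dict[str, object]:
    """Compare two discovery runs on *effective* privilege, not raw attachments,
    so a group gaining AdministratorAccess shows up on every member."""
    old_names, new_names = set(old.principals), set(new.principals)
    changes: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for n in sorted(old_names & new_names):
        before, after = old.effective_policies(n), new.effective_policies(n)
        if before != after:
            changes[n] = (after - before, before - after)  # (gained, lost)
    return {
        "new_principals": sorted(new_names - old_names),
        "removed_principals": sorted(old_names - new_names),
        "privilege_changes": changes,
        "new_admins": sorted(set(find_admins(new)) - set(find_admins(old))),
    }


# Constructed snapshots: Monday, then Tuesday after an on-call handover.
MONDAY = Snapshot(
    principals={
        "alice": Principal("alice", {"AdministratorAccess"}, set(), mfa_enabled=True),
        "bob": Principal("bob", {"ReadOnlyAccess"}, {"ops-oncall"}, mfa_enabled=False),
    },
    group_policies={"ops-oncall": {"ReadOnlyAccess"}},
)
TUESDAY = Snapshot(
    principals={
        "alice": Principal("alice", {"AdministratorAccess"}, set(), mfa_enabled=True),
        "bob": Principal("bob", {"ReadOnlyAccess"}, {"ops-oncall"}, mfa_enabled=False),
        # new contractor account created outside the normal onboarding process
        "contractor-dev": Principal("contractor-dev", {"ReadOnlyAccess"}, set()),
    },
    # alice attached AdministratorAccess to the on-call group before going on leave
    group_policies={"ops-oncall": {"ReadOnlyAccess", "AdministratorAccess"}},
)
APPROVED_ADMINS = {"alice"}  # constructed roster of sanctioned cloud admins

if __name__ == "__main__":
    print("admins:", find_admins(TUESDAY))
    print("shadow admins:", shadow_admins(TUESDAY, APPROVED_ADMINS))
    print("admins without MFA:", mfa_gaps(TUESDAY))
    print("changes since Monday:", diff_snapshots(MONDAY, TUESDAY))
```

The point of diffing on effective rather than directly attached policies is the delegation case from the post: bob's own attachments never changed, yet he became an administrator when the on-call group did, and without MFA. Run continuously against API-sourced inventory, the same comparison surfaces new principals, lost or gained privileges, and admins missing MFA on every cycle.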

Learn more about Cloud Identity Discovery

Delinea Cloud Identity Discovery is tightly integrated with the market-leading Privileged Access Management solution, Delinea Secret Server, and delivered as part of the cloud-native Delinea Platform. Get more information here.