Extending Zero Trust to Your Cloud Identity Lifecycle

June 2021  /  5 min. read   /  
Britive Team

Extending Zero Trust Across Your Cloud Identity Lifecycle

Cybercriminals are focusing malicious attacks on privileged access and secrets management infrastructure more than ever. Specifically, they’re targeting immature cloud identity governance systems and lax security in DevOps processes that don't follow a Zero Trust Framework.

These trends shouldn’t come as a surprise, given the new, complex and fast-evolving world of multiple cloud platforms and apps. Security strategies and technologies are catching up, but the explosion in ransomware attacks in recent months tells us that we still have a long way to go to address existing IT security vulnerabilities.

What is the Way Forward with Zero Trust?

There’s growing consensus that Zero Trust will be the future state for security infrastructure. It’s been widely adopted in the US by the DoD, the banking sector and the healthcare sector. Global expansion is well underway and accelerating in EMEA, APAC, and beyond. There are also multiple formal working groups — the NIST framework being the most prominent — that are pushing to optimize and advance the concept. We’re also likely to see Zero Trust grow to become the standard security model moving forward because it’s based on a strategy, not just more technology.

Zero Trust is not a new concept, but it’s become foundational to IT security in the cloud era, where conventional security technologies and techniques — firewalls, VPNs, etc. — are no longer effective at securing devices, data and IT resources. Zero Trust strategies enable organizations to pivot away from the conventional ring-fencing approach to a framework in which no individual, device, application or other entity is trusted by default. Essentially, security measures become organized around digital identity and access management, privileges and permissions. Looking at the current state of Zero Trust, the approach is coalescing around a handful of technology elements:

  • Software defined perimeter
  • Secured endpoints
  • Managed mobile devices
  • Multifactor authentication
  • Advanced identity and access management
  • Least privilege access / zero standing privileges
  • Dynamic / ephemeral permissions (automated processes that revert to the “zero access” baseline whenever possible).

The Current Cloud Identity Lifecycle

Because it’s not possible to ring-fence every application, resource, or device in cloud environments, digital identities and their permissions define the new perimeter. The problem is that this perimeter-less environment has made managing access privileges orders of magnitude more critical than ever before. The privileged access and identity management practices optimized for on-premises situations are ineffective in today’s cloud-oriented DevSecOps environments.

A fundamental challenge of securing the identity-defined perimeter is the ability to easily manage and secure the cloud identity lifecycle. This priority comes into sharpest focus with offboarding users, or more accurately, the failure of so many organizations to revoke standing access privileges to DevOps environments and other sensitive IT resources.

Companies today use hundreds or thousands of cloud services, and a typical DevSecOps operation can easily generate thousands of data access events every day. The result is that each human and machine user ends up having multiple identities and standing privilege sets sitting vulnerable to exploitation.

If those privileges are not revoked or expired when an employee or contractor leaves the organization, that massive threat surface remains in place indefinitely.

Enforcing Zero Trust in Cloud Identity Management

The most effective way to manage the cloud identity lifecycle is through the maintenance of least privilege access (LPA) and zero standing privileges (ZSP) for users while they are working in the cloud, together with the complete removal of accounts and access when terminated employees and contractors leave the organization. These offboarding steps are especially critical in today’s dynamic work environment, with employees and contractors frequently joining and leaving your organization.

Today’s advanced dynamic permissioning platforms that incorporate just-in-time (JIT) secrets provisioning capabilities and zero standing privilege (ZSP) enforcement mechanisms can overcome these obstacles.

The automated granting and revocation or expiry of permissions—JIT privilege grants—is highly effective at minimizing attack surfaces. These solutions work on the tenets of Zero Trust, which means no one and nothing is trusted with standing access to your cloud accounts and data. With JIT, elevated privileges can extend for the duration of a session or task, for a set amount of time, or until the user checks the profile back in manually. Once the task is complete, those elevated privileges are automatically revoked—all without involvement from systems administrators.
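The three revocation triggers described above (a time box, the end of a session, and a manual check-in), plus the offboarding step from the previous section, are easiest to see in a small model. The following is an added example written for this page, not Britive's code or the product's API; the broker class, the profile names such as "aws-prod-admin", the user names and the one-hour TTL cap are all constructed assumptions. The point it demonstrates is that the baseline is zero standing privileges, that every grant carries its own end condition, and that an authorization check evaluated against the clock confers nothing once a grant has expired, even before a background sweeper has run.

```python
"""Toy just-in-time (JIT) privilege broker enforcing zero standing privileges.
Added example for illustration; not Britive code. All names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Grant:
    user: str
    profile: str                    # e.g. "aws-prod-admin" (constructed name)
    granted_at: float
    expires_at: Optional[float]     # None: ends only with session end or check-in
    session_id: Optional[str]       # None: not bound to a session

    def active(self, now: float) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class JitBroker:
    max_ttl: float = 3600.0         # assumed policy: no time-boxed grant beyond 1 h
    audit: List[str] = field(default_factory=list)
    _grants: Dict[Tuple[str, str], Grant] = field(default_factory=dict)
    _offboarded: Set[str] = field(default_factory=set)

    def checkout(self, user: str, profile: str, now: float,
                 ttl: Optional[float] = None, session_id: Optional[str] = None) -> Grant:
        """Elevate a user into a profile. With no ttl and no session, the grant
        lasts until the user checks the profile back in."""
        if user in self._offboarded:
            raise PermissionError(f"{user} is offboarded; no new grants")
        if ttl is not None and not 0 < ttl <= self.max_ttl:
            raise ValueError("ttl must be within (0, max_ttl]")
        expires_at = now + ttl if ttl is not None else None
        grant = Grant(user, profile, now, expires_at, session_id)
        self._grants[(user, profile)] = grant
        self.audit.append(f"{now:.0f} GRANT {user} {profile} ttl={ttl} session={session_id}")
        return grant

    def _revoke(self, key: Tuple[str, str], now: float, reason: str) -> bool:
        grant = self._grants.pop(key, None)
        if grant is not None:
            self.audit.append(f"{now:.0f} REVOKE {grant.user} {grant.profile} reason={reason}")
        return grant is not None

    def checkin(self, user: str, profile: str, now: float) -> bool:
        return self._revoke((user, profile), now, "checkin")

    def end_session(self, session_id: str, now: float) -> int:
        keys = [k for k, g in self._grants.items() if g.session_id == session_id]
        return sum(self._revoke(k, now, "session-end") for k in keys)

    def sweep(self, now: float) -> int:
        """Background job: drop time-boxed grants whose TTL has elapsed."""
        keys = [k for k, g in self._grants.items() if not g.active(now)]
        return sum(self._revoke(k, now, "expired") for k in keys)

    def offboard(self, user: str, now: float) -> int:
        """Leaver process: revoke everything held and block future checkouts."""
        self._offboarded.add(user)
        keys = [k for k in self._grants if k[0] == user]
        return sum(self._revoke(k, now, "offboarded") for k in keys)

    def effective_privileges(self, user: str, now: float) -> Set[str]:
        # Evaluated against the clock, so an expired grant confers nothing
        # even if sweep() has not run yet.
        return {g.profile for (u, _), g in self._grants.items()
                if u == user and g.active(now)}


def demo() -> dict:
    """Walk through all three revocation triggers and an offboarding."""
    b = JitBroker()
    t = 1000.0
    result = {"baseline": sorted(b.effective_privileges("alice", t))}   # ZSP: nothing
    b.checkout("alice", "aws-prod-admin", t, ttl=900)                   # time box
    b.checkout("alice", "gcp-sql-reader", t, session_id="sess-42")      # session-bound
    b.checkout("bob", "azure-kv-secrets", t)                            # manual check-in
    result["during"] = sorted(b.effective_privileges("alice", t + 60))
    result["after_ttl"] = sorted(b.effective_privileges("alice", t + 901))
    result["swept"] = b.sweep(t + 901)
    result["session_end"] = b.end_session("sess-42", t + 1000)
    result["bob_before"] = sorted(b.effective_privileges("bob", t + 1000))
    result["offboarded"] = b.offboard("bob", t + 2000)
    result["bob_after"] = sorted(b.effective_privileges("bob", t + 2000))
    return result


if __name__ == "__main__":
    for line in demo().items():
        print(line)
```

Every revocation writes an audit line with its reason, which is what an incident responder would need to reconstruct who held what and why it ended; the `audit` list stands in for whatever log sink a real deployment uses.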

Interested in learning more about how Britive's multi-cloud PAM platform can help your zero trust journey? Schedule time to chat with a member of our team.

Download our blueprint for securing identity lifecycle management with Zero Trust for insight and recommendations on implementing Zero Trust principles into current identity management practices.