A Precarious Balance: Privileged Users and the Cloud

Organizations face a unique balancing act when dealing with privileged users. On the one side, they require high level access in order to successfully do their jobs. On the other, these privileges can cause serious damage if misused, accidentally or intentionally. The question becomes, “do we maintain security at the cost of productivity, or do we increase productivity at the cost of security?” This problem has been exacerbated by the increase in cloud use, as cloud security threats can cause even more damage than on-premise environments, since cloud environments are typically at a much higher capacity than on-premise environments, leaving much more data at risk.

So far, achieving this balance has been more than a bit wobbly. In EMA’s Responsible User Empowerment report, 76% of organizations surveyed reported a violation of privileged access policies had occurred the year before. According to Cybersecurity Insider’s Insider Threat Report, 37% of organizations felt that too many users with excessive access privileges were the primary risk factor for insider attacks. Given the server level, administrative access that privileged users have, these threats are often far more damaging than other insider threats.

So how do we tip the scales back towards security? Read on for three steps to take in order to find a security equilibrium.

Erring on the side of caution

As exemplified by the report mentioned above, there is simply too much privilege given out, and too many privileged users. Organizations must change tack and tighten access to ensure that it is only given to those who absolutely need it. While this may seem to go against what is intuitively expedient, limiting access will ultimately save time. There won’t be users accidentally altering configurations on servers they should not be using. The cloud is particularly vulnerable to this security oversight, since cloud infrastructures are so vast that it’s very difficult for IT teams to detect if a modification has been made until it’s too late.

Identifying need

In the name of productivity, it is easier to hand out full access to anyone who requests it, as it is the quickest way to allow both the user making the request to get to work, and the administrator granting the request to move on to other tasks. However, privileged users in the cloud have access to critical cloud resources like management functions or configuration information. Once access is given, it’s difficult to track individual users, so it may be impossible to tell who is to blame if an insider attack occurs. Therefore, it’s important to pause and ask why that user needs access. To do this on a person to person scale would be impractical, but it is an important exercise to perform for individual job roles. Job descriptions already contain what is expected of an employee, and it can be relatively simple to infer whether they will need to be a privileged user.

Finite privileges

Once this job role has been established, access can be further limited to only the necessary actions on only the parts of the environment that a privileged user needs, and only during the time that they need to complete those actions. Perhaps some users may not require access to the cloud at all, and only need privileges for on-premise servers. This type of policy is called the least privilege principle. For example, a web administrator may only need access to web servers and a select number of privileged commands, during U.S. business hours.

What about exceptions to a job role? Naturally, this is to be expected. When this is the case, it is unnecessary to grant someone additional access in perpetuity if they only require additional access for a limited amount of time. But how can one ensure that these roles are properly assigned, and that exceptional privileges expire in a timely manner without overtaxing IT teams? This is where Privileged Access Management (PAM) solutions shine.

A tool for enablement                                   

As long as cloud environments require administration, no cloud is safe from privileged user threats. With the average organization using over 1900 unique cloud services, it is impossible to maintain the least privilege principle manually. Needs change too rapidly for an IT team to preserve security while sustaining productivity. PAM solutions, like Powertech Identity & Access Manager (BoKS), allow IT teams to restrict privileges so that no one employee has full control of your system, yet still give users the credentials they need to get their work done. Just as tightrope walkers use a pole to maintain stability, organizations also need a tool to walk the careful line of security and productivity.