Welcome!

@CloudExpo Authors: Pat Romanski, Zakia Bouachraoui, Liz McMillan, Elizabeth White, Stackify Blog

Related Topics: @CloudExpo, Microservices Expo

@CloudExpo: Article

Got Privilege? Ten Steps to Securing a Cloud-Based Enterprise

Steps every service provider needs to know to differentiate their business

Do Amazon and Google get privilege? If you rely on a public cloud provider to manage highly sensitive applications, it's a question worth asking.

Within the context of the identity and access management space, privilege is generally understood in terms of controlling users who have high levels of authorization to, and control over, corporate IT systems, information assets and applications. In that important, but somewhat narrow context, poor control over privileged user accounts is an all-too-common source of risk both from a security and compliance perspective.

Whether you know it or not, privilege permeates your business: people, policies, processes, applications and data. Nevertheless, they are not always your people, or your infrastructure, your development platform, or your applications. As corporations outsource to managed service, hosting and cloud providers, they increasingly cede direct control to someone else's privileged users, who apply privileged processes and procedures to other people's data - your data. Truly, privilege is everywhere.

This understanding is at the core of privilege-centric risk management as enterprises balance the business benefits of increased outsourcing, especially in cloud environments, and the challenges of entrusting high-value business data and operations into the hands of third-party entities. As outsourcing and the various instantiations of cloud-based services become increasingly essential to business operations, enterprises need to find ways to exercise governance over their critical assets and operations by extending control over privilege, both internally and externally.

Service providers, for their part, must be prepared to address their clients' privilege/risk management requirements to maintain a strong competitive position in the market. By not effectively demonstrating strong privilege control policies and processes that are consistent with those of mature organizations - their potential customers - service providers could potentially leave a lot of business on the table.

That said, the onus remains on the enterprise to take a holistic view of privilege, risk and control across their IT environment - wherever it is - from the corporate data center to software as a service. Before committing critical or sensitive assets to a cloud service provider, organizations must assess the risk to the business if something goes wrong. Let's examine the key steps enterprises should be taking to ensure that risks of outsourcing are properly addressed.

Ten Steps for Securing the Extended Enterprise

  1. Put privilege first: Implement a privilege-centric risk management program for internal IT operations so that the enterprise can insist that the service provider follow policies, processes and practices that are consistent with its requirements.
  2. Policy follows the user: Make sure that the enterprise has privileged management policies, and processes and tools are applied to internal users leveraging outside services. For example, if you are licensing 100 Unix machines from a cloud vendor, you still need to use privileged identity management to make sure privileged accounts are recycled, that user access is audited, and that access adheres to policy.
  3. Provider is in sync: Make sure the service provider has privileged identity policies and processes are consistent with those of the organization.
  4. Reality check: Review and evaluate the service provider's security structure and processes as part of the vetting process. Make sure they are not "paper policies." In particular, look for privileged identity management tools that support and automate their policies and processes.
  5. Put it in writing: Privileged identity management policies and processes, audit and report requirements, and use of appropriate technologies should be written into contracts and service-level agreements.
  6. Define roles: Insist on policies that limit privileged user access and authorization. The service provider must be able to demonstrate clear separation of duties, especially for privileged users.
  7. No hidden passwords: There should be no use of hard-coded embedded application passwords that grant database access.
  8. Measure success: The service provider's program must demonstrate continuous control and monitoring. There should be clear metrics, mutually agreed upon, to show that security policies are being applied and that privilege control is continuously improving.
  9. Log and report: All privileged user accounts, privileged asset access, and privileged process activity should be logged and audited. Service providers should issue weekly or monthly reports that give the enterprise visibility into its operations. This visibility is critical, particularly as contracted services move up the stack to SaaS.
  10. It is in the details: Depending on the service model - more so for managed and hosted services, less so for higher-level cloud services - reports should include detailed reporting on each time a service provider used privileged accounts on the enterprise's systems.

As more and more of their IT environment moves to the cloud, enterprises must appreciate that the need for a privilege-centric approach to risk takes on even greater importance and understand that it is their responsibility to implement a program at the core of its IT operations. It is no less important to extend that program to its service providers, rewarding those that can meet its requirements with their business.

Fortunately, as service providers develop mature practices around privileged identity management, enterprises will be able to demand and expect, if not the same level of control, a level of assurance that is commensurate with the sensitivity and significance of the business assets they are willing to entrust.

At the end of the day, whether their solution is based on-premise or in the cloud, a vendor's goal should always be to gain the trust of their potential customers through whatever means possible. Across the extended enterprise, "Getting privilege" is a significant part of that equation.

That means you too, Google and Amazon.

More Stories By Shlomi Dinoor

Shlomi Dinoor serves as VP Emerging Technologies at Cyber-Ark, tasked to research, identify and propose future growth engines based on innovative technologies all with the goal of expanding the company's long-term offering. He spearheads Cyber-Ark Labs, Cyber-Ark's innovation center, with a mission to design ways to introduce novel solutions to new high-value markets and enhance Cyber-Ark's market leadership.

Shlomi brings over 12 years of experience delivering enterprise software solutions to market. Before joining Cyber-Ark, he was Director of Engineering at Verdasys, the leading provider of Enterprise Information Protection solutions, where he worked on strategic initiatives.

Shlomi holds an MBA from the University Of Massachusetts and a B.Sc. in Engineering (cum laude) from Technion, Israel Institute of Technology.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


CloudEXPO Stories
Docker and Kubernetes are key elements of modern cloud native deployment automations. After building your microservices, common practice is to create docker images and create YAML files to automate the deployment with Docker and Kubernetes. Writing these YAMLs, Dockerfile descriptors are really painful and error prone.Ballerina is a new cloud-native programing language which understands the architecture around it - the compiler is environment aware of microservices directly deployable into infrastructures like Docker and Kubernetes.
DevOps is under attack because developers don’t want to mess with infrastructure. They will happily own their code into production, but want to use platforms instead of raw automation. That’s changing the landscape that we understand as DevOps with both architecture concepts (CloudNative) and process redefinition (SRE). Rob Hirschfeld’s recent work in Kubernetes operations has led to the conclusion that containers and related platforms have changed the way we should be thinking about DevOps and controlling infrastructure. The rise of Site Reliability Engineering (SRE) is part of that redefinition of operations vs development roles in organizations.
Signs of a shift in the usage of public clouds are everywhere Previously, as organizations outgrew old IT methods, the natural answer was to try the public cloud approach; however, the public platform alone is not a complete solutionThe move to hybrid, custom, and multi-cloud will become more and more prevalent At the heart of this technology trend exists a custom solution to meet the needs and concerns of these organizations, including compliance, security, and cost issues Blending Service and Deployment Models
When a company wants to develop an application, it must worry about many aspects: selecting the infrastructure, building the technical stack, defining the storage strategy, configuring networks, setting up monitoring and logging, and on top of that, the company needs to worry about high availability, flexibility, scalability, data processing, machine learning, etc. Going to the cloud infrastructure can help you solving these problems to a level, but what if we have a better way to do things. As a pioneer in serverless notion, Google Cloud offers a complete platform for each of those necessities letting users to just write code, send messages, assign jobs, build models, and gain insights without deploying a single machine. So cloud compute on its own is not enough, we need to think about all of the pieces we need to move architecture from the bottom, up towards the top of the stack. Wi...
Cloud-Native thinking and Serverless Computing are now the norm in financial services, manufacturing, telco, healthcare, transportation, energy, media, entertainment, retail and other consumer industries, as well as the public sector. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential. DevOpsSUMMIT at CloudEXPO expands the DevOps community, enable a wide sharing of knowledge, and educate delegates and technology providers alike.