Managing Compliance in 2024: Best Practices to Secure Cloud Access and Stay Audit-Ready

Author: Art Poghosyan
Date Published: 18 April 2024
Read Time: 5 minutes

As the number of users in cloud environments increases, ensuring compliance becomes a more complex task. This complexity is magnified when vast numbers of users are granted myriad permissions, enabling them to access cloud infrastructure and apps laden with sensitive data.

Additionally, organizations grapple with internal teams that, either due to lack of training or sheer indifference, overlook the potential pitfalls and inherent risk related to data privacy and regulatory compliance. This internal disconnect not only jeopardizes the organization's data security stance but also increases the risk of noncompliance with ever-evolving regulations. In this context, educating and aligning teams with enterprisewide security and compliance goals becomes paramount.

Fortunately, cloud engineering and security leaders can implement streamlined solutions to protect their online environments without compromising productivity—while still achieving compliance. There are 3 ways they can begin that process today.

1. Train staff to identify social engineering attempts.

Nearly three-quarters of cyberattacks involve the human element, including social engineering attacks, errors or misuse.1 Some recent examples include the attacks on MGM Resorts International and Caesars Entertainment.2 These attacks are prime examples of threat actors targeting users with administrative accounts for elevated access. In the case of MGM Resorts, the threat actors used social engineering as the initial entry point and found an MGM Resorts employee on LinkedIn, impersonated them and called the organization's service desk to ask for access to the account.

It is often said that security comprises processes, people and technology (i.e., tools). People must be able to anticipate and identify social engineering incidents and phishing attacks, which are increasingly convincing and aim to trick employees and other internal stakeholders into providing front-door access to IT infrastructure. Security awareness training is therefore imperative for identifying social engineering and phishing attempts. For example, if the goal is for employees to successfully identify malicious emails, IT staff should run simulated phishing exercises to determine how many employees fall for scam emails and click on a malicious link or provide sensitive information. Such exercises provide a low-cost, highly rewarding mechanism to improve cybersecurity and regulatory compliance.

2. Maintain cross-cloud insights.

In a multi-cloud environment, ensuring proper governance, compliance and security requires knowledge of who can access which resource and from where. This is key to minimizing the risk tied to privileged access, and it emphasizes the importance of comprehensive insight across various cloud infrastructure and applications.

Cloud platforms often function as informational and operational silos, making it challenging for organizations to see what users do with their privileges or determine what standing privileges might pose a risk. Incredibly, 14% of security leaders say that they have “no idea” how many standing privileges remain in their cloud platforms, and 10% of organizations say that they have “no visibility” into privileged access in their multi-cloud environments.3

For many enterprises, single sign-on (SSO), multifactor authentication (MFA) and identity provisioning are their first response to strengthening cybersecurity and compliance efforts when visibility is lacking. However, these tools often lack the capability to show effective access levels because they do not provide insights that promote cybersecurity and regulatory compliance. Compounding such challenges is the lack of deep visibility into user, group and role privileges within the dynamic nature of cloud infrastructure. This results in very little oversight and control over users' activities within cloud infrastructure and applications.

3. Implement JIT ephemeral access to cloud resources.

Implementing just-in-time (JIT) ephemeral (non-standing) access for all users—both human and service identities—across multiple cloud platforms is a crucial initial measure. Regrettably, service identities are frequently overlooked during security audits, and having too many permissions is often only recognized as an issue when it leads to a security breach or business disruption. True multi-cloud JIT permission granting enables users to access cloud resources easily yet securely across varied environments. A unified access model offers a centralized management and control console with a robust method to oversee user permissions, assign or withdraw privileges and reduce overall risk exposure across different cloud service providers (CSPs) and Software-as-a-Service (SaaS) apps.

Today’s cloud data breaches are often the result of excessive, unused or misconfigured permissions. Malicious actors can target privileged users with social engineering—real or virtual—and, once they have commandeered those users’ accounts, find ways to exploit excessive or unused permissions provisioned for those accounts to infiltrate and wreak havoc within an enterprise’s environment.

Enterprises that have not enforced JIT access assume a much higher security risk and make compliance exceedingly complex and time consuming, raising the likelihood of incurring serious compliance violation fees. Conversely, organizations that implement JIT ephemeral access are able to massively reduce the amount of access entitlements that must be reviewed during access certification processes. This helps free up valuable time for managers and infrastructure and application support teams who no longer need to process hundreds or thousands of unnecessary static privilege revocations.
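The JIT model described in this section, as an added illustration that is not Britive's product or any cloud provider's API: a toy broker that can only issue time-bounded grants, revokes them automatically, gives a cross-cloud view of an identity's effective access, and shows that only legacy standing privileges remain in the access certification queue. Platform labels, identities and permissions are constructed for the example.

```python
"""Toy JIT ephemeral-access broker (added example; names are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class Grant:
    identity: str                    # human user or service identity
    platform: str                    # constructed labels such as "aws" or "gcp"
    permission: str
    expires_at: Optional[datetime]   # None marks a legacy standing privilege

@dataclass
class AccessBroker:
    grants: List[Grant] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def grant_jit(self, identity, platform, permission, ttl_minutes, now):
        # Every grant issued here carries an expiry; the broker cannot mint standing access.
        g = Grant(identity, platform, permission, now + timedelta(minutes=ttl_minutes))
        self.grants.append(g)
        self.audit_log.append(f"{now.isoformat()} GRANT {identity} {platform}:{permission} ttl={ttl_minutes}m")
        return g

    def expire(self, now):
        """Revoke every grant whose TTL has elapsed; returns how many were revoked."""
        live, revoked = [], 0
        for g in self.grants:
            if g.expires_at is not None and g.expires_at <= now:
                revoked += 1
                self.audit_log.append(f"{now.isoformat()} REVOKE {g.identity} {g.platform}:{g.permission}")
            else:
                live.append(g)
        self.grants = live
        return revoked

    def effective_access(self, identity, now):
        """Cross-cloud view of what one identity can do right now."""
        return sorted(f"{g.platform}:{g.permission}" for g in self.grants
                      if g.identity == identity and (g.expires_at is None or g.expires_at > now))

    def certification_queue(self):
        """Only standing privileges need a human reviewer; JIT grants revoke themselves."""
        return [g for g in self.grants if g.expires_at is None]

def run_scenario():
    """Constructed walk-through: one legacy standing grant, one JIT grant that lapses."""
    t0 = datetime(2024, 4, 18, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker([Grant("svc-etl", "gcp", "bigquery.admin", None)])
    broker.grant_jit("alice", "aws", "iam:UpdateRole", 30, t0)
    during = broker.effective_access("alice", t0 + timedelta(minutes=10))
    revoked = broker.expire(t0 + timedelta(minutes=31))
    after = broker.effective_access("alice", t0 + timedelta(minutes=31))
    return during, revoked, after, len(broker.certification_queue())
```

The audit log records every grant and revocation, which is the evidence an auditor asks for; the certification queue shrinks to the one standing privilege the broker did not issue.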

Achieving Compliance Without Compromise

It is now evident that reducing risk and meeting regulatory compliance is not a “yes” or “no” proposition. Rather, it is an ongoing priority that requires effective solutions that are as agile as the cloud workflows and environments they support.

The rise of multi-cloud adoption presents both immense opportunities and significant challenges for modern organizations. The convergence of numerous cloud platforms has empowered enterprises to be more agile and efficient yet has simultaneously cast a complex web of security and compliance concerns.

As the cloud continues to evolve, the means to secure it must also expand by equal or better measure—and that includes effective yet secure access to cloud resources. Achieving compliance is not a one-time accomplishment but a continuous pursuit that demands vigilance, innovation, consistency and agility. Meeting those demands requires striking a delicate balance between leveraging the benefits of the multi-cloud while mitigating potential risk.

With careful planning, ongoing education, the right tools and enhanced governance frameworks, organizations can navigate this complex landscape without compromising security or compliance.

Endnotes

1 Verizon, 2023 Data Breach Investigations Report, 2023
2 Culafi, A., “Okta: Caesars, MGM Hacked in Social Engineering Campaign,” TechTarget, 2023
3 Britive, Data-Driven GCP Security Strategies for Multi-Cloud Landscapes, 2022


Art Poghosyan is the chief executive officer (CEO) and co-founder of Britive.
