{"id":4235,"date":"2019-02-04T12:44:15","date_gmt":"2019-02-04T16:44:15","guid":{"rendered":"https:\/\/solutionsreview.com\/identity-management\/?p=4235"},"modified":"2019-02-04T12:44:15","modified_gmt":"2019-02-04T16:44:15","slug":"the-cloud-perimeter-and-non-human-identities-with-balaji-parimi-of-cloudknox","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/identity-management\/the-cloud-perimeter-and-non-human-identities-with-balaji-parimi-of-cloudknox\/","title":{"rendered":"The Cloud Perimeter and Non-Human Identities with Balaji Parimi of CloudKnox"},"content":{"rendered":"

\"The<\/p>\n

Cybersecurity experts across the globe proclaim identity as the new enterprise digital perimeter. What exactly does that mean though? How should enterprises incorporate identity into their perimeter security? How should enterprises fortify their human and non-human identities to prepare for the new age? <\/span><\/p>\n

\t\t\t

\"Download<\/a><\/p>\n<\/div>\n\t\t<\/div><\/div><\/p>\n

We spoke with Balaji Parimi, Founder and CEO of <\/span>CloudKnox Security<\/span><\/a>, to find out. CloudKnox Security provides identity privileged lifecycle management for the cloud and private environments. <\/span><\/p>\n

Here\u2019s our conversation, edited slightly for readability: <\/span><\/p>\n

Solutions Review: You mentioned in our first communications about shadow infrastructures taking center stage in the enterprise network. What is shadow infrastructure? Does it pose a security risk to enterprises evolving to the cloud?<\/b><\/h4>\n

Balaji Parimi: Shadow infrastructure is a subset of Shadow IT\u2014referring to the infrastructure that is being managed and utilized without the knowledge of the enterprise IT\u2019s knowledge. <\/span>While many security experts are familiar with the need to share security responsibilities in infrastructure-as-a-service (IaaS) environments, business teams who are experimenting with cloud services for one-off projects assume that everything is taken care of by the provider. <\/span><\/p>\n

As new projects spin up and leave basic security requirements unaddressed, these IaaS environments can unintentionally expose data or be hijacked by attackers for nefarious purposes.<\/span><\/p>\n

SR: Has identity become the new digital perimeter already? How much more does it need to evolve and adapt to become enterprise\u2019 official digital perimeter in 2019?<\/b><\/h4>\n

BP: I think it is safe to say that \u201cidentity\u201d has become the new digital perimeter and there is no turning back. <\/span><\/p>\n

As more enterprises evolve their cloud strategies, they will be faced with legacy identity tools that were never meant to exist outside the enterprise. They are realizing that secure access and authorization to hybrid cloud environments is a significant impediment to execution.<\/span><\/p>\n

For example, many companies who are trying to employ the Principle of Least Privilege (POLP) in their hybrid cloud are leveraging solutions that still use Role-based Access Controls (RBAC)\u2014a 30-year-old mechanism that was created in the pre-cloud era. The problem with this practice is that traditional RBAC only works in a static environment. <\/span><\/p>\n

This means that a typical privileged identity today has authority to perform many high-risk actions on a wide swath of critical infrastructure despite the fact that they only use and need a fraction of those privileges to perform their day-to-day jobs. This practice creates a significant, completely avoidable risk and grossly violates the best practice of POLP which clearly states the following:<\/span><\/p>\n

\u201cThe Principle of Least Privilege (POLP) is a fundamental guideline for secure computing that restricts privileged identities to only the permissions they need to perform their authorized tasks.\u201d<\/span><\/p>\n

Therefore, e<\/span>nterprises will need to evaluate tools that will enable them to implement the principle of least privilege<\/a> at a granular level across their hybrid cloud environments and prevent \u2014or at least significantly minimize\u2014the risks associated with incorrectly or overprovisioned human and non-human identities.<\/span><\/p>\n

SR: How will cloud adoption change identity as the digital perimeter?<\/b><\/h3>\n

BP: Cloud infrastructure (e.g. compute, storage, network, etc.) has seen unprecedented levels of automation. While this automation has given enterprises the ability to scale to new heights in efficiency, it has also introduced a new set of cloud-related cyber threats.<\/span><\/p>\n

Just as the infrastructure has evolved, so have the attackers. They are quickly learning to take advantage of this automation to get their hands on the \u201ckeys to the kingdom\u201d\u2014a trend indicating an attack strategy targeted at the cloud infrastructure itself as opposed to specific identities or data sets.<\/span><\/p>\n

We believe that enterprises need to be watching out for human and non-human identities with incorrectly or overprovisioned high-risk privileges; if identity is the new perimeter and the new entry point for attackers, then high-risk privileges will quickly become one of the most menacing threat vectors to cloud infrastructure for years to come.<\/span><\/p>\n

Enterprise security and infrastructure teams need to recognize how vulnerable their critical workloads are in today\u2019s modern infrastructure. They need to always remember that a one-line script or a click of a button by a human or non-human identity can result in the most catastrophic damage, whether it is through simple negligence (e.g. typo error) or malevolence (e.g. compromised credential or malicious insider). A holistic understanding of who or what can cause such damage must be front and center of any cybersecurity strategy going forward.<\/span><\/p>\n

We like to recommend that every company operate under the assumption that the #1 risk to their hybrid cloud infrastructure is a trusted identity with excessive privileges<\/a> and the only way to manage that risk is to implement the principle of least privilege.<\/span> If not, they run the risk of compromising every security system, policy, and procedure they\u2019ve worked to put in place.<\/span><\/p>\n

SR: How have non-human identities evolved for enterprise cybersecurity?<\/b><\/h4>\n

BP: A few years back, the average ratio of non-human identities to human identities was less than one to one. Today, there\u2019s an average of six non-human identities (e.g. service accounts, bots, servers, API Keys, applications etc.) for every human identity. We believe this ratio will continue to increase exponentially. <\/span><\/p>\n

We already see enterprises struggling to understand basic information like \u201cwho are the identities that can touch their infrastructure,\u201d \u201cwhat privileges do those identities have<\/a>\u201d and \u201cwhat actions have they performed over a specific time period.\u201d The continued rise in non-human identities will make these questions\u2014and most importantly, the risk these identities introduce\u2014more crucial and more exceedingly difficult to identify and manage.<\/span><\/p>\n

SR: How should enterprises prepare for non-human identities entering and interacting on their network?<\/b><\/h4>\n

BP: Non-human identities require much more regular oversight than human identities do, but unfortunately the opposite usually happens; they often tend to get ignored or forgotten. The reason they need more frequent attention is because non-human identities (e.g. service accounts, bots) do not have the capability to adapt their behavior to a changing situation, like human identities who perform actions per their own intelligence and within context. <\/span><\/p>\n

Therefore, if a non-human identity suddenly performs an action that they have never performed on a resource that they have never accessed\u2014there is a very good chance that credential misuse has occurred.<\/span><\/p>\n

What security and risk management teams should expect to see during a review are non-human identities performing repetitive tasks with a small number of fixed privileges. Any variance or anomaly signals a potential problem or danger.<\/span><\/p>\n

We believe that in the era of cloud computing, enterprises need to recognize that the complexity of managing identities and identity privileges will increase exponentially over time. They should consider that the various arrangements of identities (human and non-human)\u2014in addition to privilege types and resources\u2014across multiple cloud platforms will run into the millions and make it virtually impossible to administer manually. <\/span><\/p>\n

In order for enterprises to get ahead of this, there are a couple of recommendations we typically like to share as follows:<\/span><\/p>\n

    \n
  1. <\/b> \u00a0\u00a0<\/b>Get a true understanding of your enterprise\u2019s risk posture by gaining the right level of insight and visibility into the surrounding environment, including:<\/span><\/li>\n<\/ol>\n