Where a user previously had standing access privileges potentially extending around the clock for months at a time, converting to JIT granting would compress that attack surface to several hours per month. Once the task is complete, those elevated privileges are automatically revoked–all without sys-admin involvement. With JIT permissioning, elevated privileges can extend either for the duration of a session or task, for a set amount of time, or when the user no longer needs access. ![]() These JIT/ZSP solutions work on the concept of Zero Trust, which means no one and nothing is trusted with standing access to your cloud accounts and data. Recommendation: Again, as with core security concerns, the automated granting and expiring of permissions-JIT privilege grants-is highly effective at minimizing attack surfaces. The result is that each human and machine user ends up having multiple identities and standing privilege sets sitting vulnerable to exploitation. Data Point 2: Attack surface sprawlĬompanies today use hundreds or thousands of cloud services, and a typical DevSecOps operation can easily generate thousands of data access events every day. When events occur, administrators can quickly act to protect critical information and cloud services from breaches. These capabilities are critical in enabling DevSecOps to get a complete picture of user activity, making it possible to identify threatening user behavior to which security teams must respond. When dynamic privileging platforms are integrated with existing security tools, such as user and entity behavioral analytics (UEBA) and advanced security information and event management (SIEM) engines, DevSecOps teams can gain deep visibility into cloud application events and access changes. Recommendation: Today’s dynamic privileging platforms designed to support just-in-time (JIT) privilege grants enable DevSecOps teams to maintain a Zero Standing Privilege (ZSP) security posture in a way that accelerates, not slows, the CI/CD development process. In addition, the privileged access and identity management practices optimized for on-premises situations are ineffective in today’s cloud-oriented continuous integration and continuous delivery (CI/CD) DevSecOps environments. The problem is the new identity-defined perimeter has made managing access privileges magnitudes more critical than ever before. Digital identity defines the new perimeter. Conversely, in cloud environments, it’s not possible to ringfence every application, resource, device, or user. The longstanding approach to cybersecurity in on-premises environments included ringfencing of users and assets-such as firewalls to keep out unwanted network traffic. Data Point 1: Insufficient privilege management In this eWEEK Data Points article, we discuss the four reasons it’s critical to manage privileges and access across your multi-cloud environments. Let’s consider the individual issues that are preventing DevSecOps teams from easily securing access to cloud resources, and explore potential remedies to these challenges. With DevSecOps teams now commonly working across many clouds, each with their own permission sets and usage models, we need to rethink how we manage privileged access. Especially now, when teams are dispersed and working remotely, credentials are proliferating in the cloud (outside of on-premises security protocols) and are more exposed to theft or abuse. ![]() It is not enough, however, to simply grant permanent standing privileges to a human or non-human user, even if they are limited to only those permissions needed to do their jobs. ![]() The concept of least privilege access still remains foundational – and traditional privileged access solutions can deliver effective security in situations where development and operations are segregated, and on-premises architecture predominates. Conventional approaches to privileged access and identity management are ineffective in today’s cloud-oriented DevSecOps environments.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |