Wiz Experts Team
What is cloud identity security?
Cloud identity security is the practice of safeguarding digital identities, and the sensitive cloud infrastructure and data they gatekeep, from unauthorized access and misuse. It encompasses the identity and access control mechanisms that grant or deny access to human users (e.g., developers), service accounts, application identities, and every other entity that interacts with cloud services.
The shift from traditional to cloud identity management
Traditionally, identity security was managed on-premises: all identities came from a single, limited but easy-to-control source, administered through in-house servers and software. However, the cost, flexibility, and scalability limits of self-hosted servers became a problem. This drove cloud adoption and, in turn, federated identities, allowing anywhere from tens to many thousands of human and machine identities to access an organization’s multi-cloud environment.
Companies shifted from traditional directory services, like Microsoft Active Directory (AD), to identity management services better suited to the cloud’s distributed, dynamic nature, like Microsoft Entra ID. These services not only support highly scalable, cross-domain identity management but also integrate easily with IaaS, SaaS, and PaaS platforms, and they let organizations implement concepts like single sign-on (SSO) across multiple environments.
Still, the dynamic nature of the cloud, which lets developers spin resources up and down at the drop of a hat, also exposes identities to misconfigured access controls and leaked credentials. An example is the 2024 breach of cybersecurity vendor Fortinet, in which an attacker stole roughly 440 GB of files from a cloud storage bucket and then published the bucket’s credentials on a hacker forum, giving other attackers direct access to the data.
Common identity security risks in the cloud
The real-life example presented above makes it crystal clear that despite the benefits of the shift from traditional to cloud-native solutions, cloud identity protection is not without its risks. And these risks can render organizations vulnerable to cyber threats and business disruption, should their cloud environment get breached.
Common identity security risks include the following.
Over-permissioning
This involves granting users or services more permissions than their tasks require. Over-permissioning enlarges the attack surface and widens the blast radius of any compromise. A local privilege-escalation bug such as GameOver(lay) (CVE-2023-2640 and CVE-2023-32629, which affected roughly 40% of Ubuntu cloud workloads when the Wiz Research Team discovered it) lets an attacker take over one host; it is the over-broad cloud role attached to that host that turns a single compromised machine into access to the whole environment.
Identity sprawl
This refers to identities accumulating faster than they are governed, for example a single user holding multiple unsynchronized accounts across several cloud services, or machine identities created per deployment and never retired. Because such accounts often go untracked, identity sprawl makes it difficult to know who (or what) is doing what in your cloud.
Shadow assets and access
This entails the proliferation of unknown, unauthorized, and sometimes over-permissioned cloud identities and assets. A study of one organization’s cloud ecosystem found that nearly half of all admin accounts were over-permissioned and inherited, some with the ability to delete entire cloud environments. As these accounts were unmonitored, the potential damage if they were breached would be catastrophic.
Weak authentication
This is often caused by relying on a single authentication factor, e.g., PINs or passwords, which are frequently weak or reused. Organizations are then left vulnerable to credential theft, credential stuffing, and brute force attacks, such as via the CVE-2023-7103 vulnerability.
Identity Security vs. IAM
Identity security is a broad practice that focuses on protecting all aspects of digital identities, including access control, identity lifecycle management, threat detection, and compliance. It aims to ensure that users and entities have secure access to cloud resources while detecting and mitigating potential identity-based threats.
Identity and access management (IAM) is a narrower subset of identity security, specifically focused on managing who has access to what resources. IAM provides the tools for authentication, authorization, and access control, using methods like role-based access control (RBAC) and multi-factor authentication (MFA). While IAM plays a vital role in identity security, it doesn’t cover the full spectrum of identity-related protections.
Identity security vs. Zero Trust
Identity security involves ensuring the security of user identities and overseeing their access to cloud resources. It includes practices like access management, identity lifecycle, and threat detection, specifically targeting the protection of identities.
Zero Trust is a broader security model wherein no party, either inside or outside the network, is trusted by default. It continuously verifies every user, device, and access attempt, regardless of location, and goes beyond identity security to also secure devices, workloads, and networks.
While identity security is an essential part of Zero Trust, Zero Trust extends security measures to every element of the cloud and network, ensuring constant validation and protection against potential breaches.
How identity security in the cloud works
Stage 1: Discovery and mapping
Action: Scan the cloud environment to identify all human and non-human identities (e.g., service accounts, applications).
Steps:
Map the relationships between identities and the cloud resources they access.
Create a comprehensive inventory of access permissions, roles, and entitlements.
Identify any orphaned accounts or unmanaged identities.
Stage 2: Analysis and risk assessment
Action: Analyze the risk associated with each identity, focusing on access scope and permissions.
Steps:
Evaluate the access scope and permissions held by each identity.
Assess the overall risk level based on the sensitivity of the resources it can reach.
Stage 3: Policy creation and enforcement
Action: Create and implement access control policies that ensure identities are secure.
Steps:
Develop least privilege access policies based on the risk assessment.
Set up role-based access control (RBAC) to align roles with job functions.
Implement conditional access policies that take context into account (e.g., location, device health).
Enforce MFA for all accounts, especially those with administrative or privileged access.
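As an added example (not code from this page or from Wiz), the Python below evaluates two constructed AWS-style IAM policies against the same requests: a wildcard policy of the kind that produces the over-permissioning described earlier, and a least-privilege policy that scopes day-to-day access to one bucket prefix, gates IAM changes behind the aws:MultiFactorAuthPresent condition, and explicitly denies deletion of audit logs. The evaluator is a deliberate simplification of IAM (explicit Deny wins, otherwise any matching Allow; '*' wildcards; only the Bool condition operator is modelled, anything else fails closed). The account ID, bucket names, probe requests, and the is_allowed/blast_radius helpers are assumptions for illustration.

```python
"""Simplified IAM-style policy evaluation: contrasts an over-permissioned
policy with a least-privilege, MFA-gated one. Added example; it models only
the IAM subset needed here and is not a substitute for the real simulator."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, ctx):
    """Only the Bool operator is modelled; any other operator fails closed."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            return False
        for key, expected in pairs.items():
            if str(ctx.get(key, "")).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy, action, resource, ctx=None):
    """Explicit Deny beats any Allow; no matching statement means deny.
    Actions match case-insensitively, resources case-sensitively, both
    with '*' wildcards, as in IAM."""
    ctx = ctx or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if "Condition" in stmt and not _condition_ok(stmt["Condition"], ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


ACCOUNT = "123456789012"  # constructed account ID

# The weak setting: everything on everything (what over-permissioning looks like).
OVER_PERMISSIVE = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The corrected setting: scoped data access, MFA-gated IAM, protected audit trail.
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:*Object"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/prod/*"]},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::app-logs/*"},
]}

# Probe requests: one the job needs, three it should not be able to make.
PROBES = [
    ("s3:GetObject", "arn:aws:s3:::app-logs/prod/2024-06-01.log"),
    ("s3:GetObject", "arn:aws:s3:::customer-pii/export.csv"),
    ("iam:DeleteRole", f"arn:aws:iam::{ACCOUNT}:role/prod-admin"),
    ("ec2:TerminateInstances", f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0abc123"),
]
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}


def blast_radius(policy, probes=PROBES, ctx=None):
    """Which of the probe requests this policy would let through."""
    return [f"{a} on {r}" for a, r in probes if is_allowed(policy, a, r, ctx)]


if __name__ == "__main__":
    for name, pol in (("over-permissive", OVER_PERMISSIVE),
                      ("least-privilege", LEAST_PRIVILEGE)):
        print(name, "no MFA:", blast_radius(pol))
        print(name, "MFA   :", blast_radius(pol, ctx=MFA_SESSION))
```

The blast_radius list is the practical reading of "wider blast radius": the wildcard policy lets all four probes through, the scoped policy lets through only the one the job needs, and the MFA condition opens IAM only for a session that actually carries MFA. Note the Deny statement still blocks s3:DeleteObject on the log prefix even though s3:*Object would otherwise allow it.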
Stage 4: Continuous monitoring and detection
Action: Continuously monitor identity-related activity for suspicious or risky behavior.
Steps:
Implement real-time monitoring to track login attempts, access patterns, and privilege changes.
Set up alerts for abnormal behavior or policy violations, such as login attempts from unknown locations.
Scan for exposed secrets or credentials and detect compromised identities.
Monitor non-human identities (e.g., service accounts, serverless functions) for unusual activity or misconfigurations.
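The monitoring steps above become concrete once you run rules over the audit log. As an added example (not from this page or from Wiz), the Python below applies five detections to constructed CloudTrail-style events: console sign-in without MFA, sign-in from a country outside the user's historical baseline, attachment of an administrative managed policy, an access key created for a different user, and repeated failed sign-ins. The events, user names, IP addresses, the BASELINE table, and the GEO lookup (a stub standing in for a GeoIP database) are all constructed; the detect function and rule names are assumptions for illustration.

```python
"""Detection rules over CloudTrail-style events. Added example with
constructed events, users, IPs and a stub GeoIP table."""
import json

GEO = {"198.51.100.7": "US", "203.0.113.9": "US", "192.0.2.55": "RO"}  # stub GeoIP (constructed)
ADMIN_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess",
                  "arn:aws:iam::aws:policy/IAMFullAccess"}
ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
FAILED_LOGIN_THRESHOLD = 3

# Countries each user has signed in from over a longer history (constructed).
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

# One JSON object per line, trimmed to the fields the rules read (constructed).
SAMPLE_EVENTS = [
    '{"eventID":"e1","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"userName":"alice"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}',
    '{"eventID":"e2","eventName":"ConsoleLogin","sourceIPAddress":"192.0.2.55","userIdentity":{"userName":"bob"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}',
    '{"eventID":"e3","eventName":"AttachUserPolicy","sourceIPAddress":"203.0.113.9","userIdentity":{"userName":"alice"},"requestParameters":{"userName":"svc-deploy","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}',
    '{"eventID":"e4","eventName":"CreateAccessKey","sourceIPAddress":"192.0.2.55","userIdentity":{"userName":"bob"},"requestParameters":{"userName":"alice"}}',
    '{"eventID":"e5","eventName":"CreateAccessKey","sourceIPAddress":"203.0.113.9","userIdentity":{"userName":"ci-runner"},"requestParameters":{"userName":"ci-runner"}}',
    '{"eventID":"e6","eventName":"ConsoleLogin","sourceIPAddress":"192.0.2.55","userIdentity":{"userName":"carol"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}',
    '{"eventID":"e7","eventName":"ConsoleLogin","sourceIPAddress":"192.0.2.55","userIdentity":{"userName":"carol"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}',
    '{"eventID":"e8","eventName":"ConsoleLogin","sourceIPAddress":"192.0.2.55","userIdentity":{"userName":"carol"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}',
]


def _finding(event, actor, rule, detail):
    return {"rule": rule, "actor": actor, "eventID": event["eventID"], "detail": detail}


def detect(lines, baseline):
    """Run the rules over JSON-lines events; returns findings in event order."""
    findings, failures = [], {}
    for line in lines:
        e = json.loads(line)
        actor = e["userIdentity"].get("userName", "unknown")
        name = e["eventName"]
        country = GEO.get(e.get("sourceIPAddress"), "unknown")
        req = e.get("requestParameters", {})

        if name == "ConsoleLogin":
            if e.get("responseElements", {}).get("ConsoleLogin") == "Success":
                if e.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                    findings.append(_finding(e, actor, "console_login_without_mfa", f"from {country}"))
                if country not in baseline.get(actor, set()):
                    known = sorted(baseline.get(actor, set()))
                    findings.append(_finding(e, actor, "login_from_new_country", f"{country} not in {known}"))
            else:
                failures[actor] = failures.get(actor, 0) + 1
                if failures[actor] == FAILED_LOGIN_THRESHOLD:  # fire once, at the threshold
                    findings.append(_finding(e, actor, "repeated_failed_logins",
                                             f"{FAILED_LOGIN_THRESHOLD} failures from {country}"))
        elif name in ATTACH_EVENTS and req.get("policyArn") in ADMIN_POLICIES:
            target = req.get("userName") or req.get("roleName") or req.get("groupName")
            findings.append(_finding(e, actor, "admin_policy_attached", f"{req['policyArn']} -> {target}"))
        elif name == "CreateAccessKey" and req.get("userName", actor) != actor:
            # A key minted for someone else is a classic persistence move.
            findings.append(_finding(e, actor, "access_key_created_for_other_user", f"key for {req['userName']}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, BASELINE):
        print(f"{f['eventID']}: {f['rule']} by {f['actor']} ({f['detail']})")
```

Event e5 (a service identity rotating its own key) and e1 (an MFA sign-in from a known country) produce nothing, which is the point: the rules key on the combination of who, from where, with what factor, and against whom, not on the event name alone. In production the baseline would be built from weeks of history and the GeoIP table replaced by a real lookup.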
Stage 5: Threat analysis and response
Action: Identify and respond to identity-based threats using advanced analytics.
Steps:
Correlate identity risks with other security data (e.g., vulnerabilities, misconfigurations) to get a holistic view.
Conduct attack path analysis to identify potential routes to sensitive data or administrative privileges.
Detect potential lateral movement paths that attackers could use to escalate access.
Respond to threats by adjusting access controls, isolating compromised identities, or rotating credentials.
Stage 6: Remediation and optimization
Action: Remediate identity risks and optimize access controls to prevent future incidents.
Steps:
Provide step-by-step remediation to reduce over-permissioned identities.
Revoke unused or unnecessary access rights.
Rotate exposed credentials and secrets to prevent unauthorized access.
Implement just-in-time (JIT) access for privileged accounts to limit how long elevated privileges are granted for.
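The discovery, risk assessment, and remediation stages (Stages 1, 2, and 6) share one data set: which services each identity is granted, and when it last used each of them. As an added example (not from this page or from Wiz), the Python below takes a constructed inventory in that shape, the kind of per-identity last-accessed data a CIEM tool or AWS IAM Access Advisor reports, and produces a remediation plan: disable identities with no activity in 90 days (orphaned), remove services an active identity has not used in 90 days, move retained privileged services to JIT elevation, and emit a right-sized policy for what remains. Identity names, dates, the PRIVILEGED set, and the right_size/least_privilege_policy helpers are assumptions for illustration.

```python
"""Right-sizing entitlements from usage data. Added example with a
constructed inventory; thresholds and service names are illustrative."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # pinned so results are reproducible
UNUSED_AFTER = timedelta(days=90)
PRIVILEGED = {"iam", "organizations", "kms"}  # services that should be JIT, not standing

# identity -> services its policies grant, with last-used date (None = never used)
INVENTORY = [
    {"identity": "user/alice", "kind": "human",
     "last_used": {"s3": "2024-05-30", "iam": "2024-05-20", "ec2": None, "kms": "2023-12-01"}},
    {"identity": "role/ci-deploy", "kind": "machine",
     "last_used": {"ecr": "2024-05-31", "lambda": "2024-05-31", "s3": "2024-05-31", "iam": None}},
    {"identity": "user/bob", "kind": "human",
     "last_used": {"s3": "2024-01-15", "iam": "2024-01-15"}},
    {"identity": "user/contractor-old", "kind": "human",
     "last_used": {"s3": None, "ec2": None}},
]


def _parse(day):
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc) if day else None


def right_size(inventory, now=NOW, unused_after=UNUSED_AFTER):
    """Plan per identity: disable, right_size (with keep/remove/jit lists), or keep."""
    cutoff = now - unused_after
    plan = {}
    for ident in inventory:
        used = {svc: _parse(day) for svc, day in ident["last_used"].items()}
        last_activity = max((d for d in used.values() if d), default=None)
        if last_activity is None or last_activity < cutoff:
            # Orphaned: nothing in the window. Disable first, delete after review.
            since = last_activity.date().isoformat() if last_activity else "creation"
            plan[ident["identity"]] = {"action": "disable", "reason": f"no activity since {since}",
                                       "keep": [], "remove": sorted(used), "jit": []}
            continue
        keep = sorted(svc for svc, d in used.items() if d and d >= cutoff)
        remove = sorted(svc for svc in used if svc not in keep)
        jit = sorted(svc for svc in keep if svc in PRIVILEGED)  # standing -> on-demand
        plan[ident["identity"]] = {"action": "right_size" if (remove or jit) else "keep",
                                   "reason": f"last active {last_activity.date().isoformat()}",
                                   "keep": keep, "remove": remove, "jit": jit}
    return plan


def least_privilege_policy(keep, jit):
    """Standing policy for retained, non-privileged services. Service-level
    pruning is the first cut; action-level tightening needs action-level
    last-accessed data, which this example does not model."""
    standing = [f"{svc}:*" for svc in keep if svc not in jit]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": standing, "Resource": "*"}]}


if __name__ == "__main__":
    for name, p in right_size(INVENTORY).items():
        print(f"{name}: {p['action']} ({p['reason']}) keep={p['keep']} "
              f"remove={p['remove']} jit={p['jit']}")
        if p["action"] != "disable":
            print("  standing policy:", least_privilege_policy(p["keep"], p["jit"]))
```

Two caveats a practitioner should carry into a real run: last-accessed data is coarse (service level, and with a reporting lag), so the remove list is a review queue, not an automatic deletion; and a 90-day window will catch quarterly jobs, so machine identities with legitimate infrequent use need an allow-list or a longer window.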
Stage 7: Reporting and compliance
Action: Ensure identity security practices align with regulatory standards and can be audited.
Steps:
Generate detailed reports on the organization’s identity security posture.
Track changes in permissions, access patterns, and improvements over time.
Ensure compliance with relevant standards and regulations (e.g., GDPR, HIPAA, PCI DSS).
Provide auditable logs of all identity-related activities and policy changes for auditing and reporting purposes.
Stage 8: Continuous improvement
Action: Regularly review and improve identity security measures to adapt to new threats.
Steps:
Periodically review and update identity policies to reflect changes in the cloud environment.
Conduct regular security assessments and penetration tests to identify gaps in identity security.
Stay informed on new identity-based attack vectors and adjust security strategies accordingly.
Continuously educate users on best practices for securing cloud identities and reducing risk.
Cloud identity security and compliance
Cloud identity security is critical for ensuring compliance with various regulatory standards and industry frameworks, particularly those focused on protecting sensitive data, managing access controls, and maintaining secure environments.
Below is a breakdown of the many ways that cloud identity security is entwined with cloud compliance.
1. Regulatory standards
Many regulations explicitly require stringent identity security measures to protect sensitive data in cloud environments. Key examples include:
GDPR (General Data Protection Regulation) requires organizations to safeguard personal data, including controlling access to this data via secure identity management practices. Ensuring that only authorized users have access to sensitive personal data is essential for GDPR compliance.
HIPAA (Health Insurance Portability and Accountability Act) mandates that healthcare organizations and their partners secure electronic protected health information (ePHI) through mechanisms like role-based access controls and strong authentication methods to ensure only authorized personnel can access sensitive patient information.
PCI DSS (Payment Card Industry Data Security Standard) specifies strict access control measures to secure cardholder data. This includes enforcing least privilege access, using unique IDs for individuals, and ensuring secure management of authentication mechanisms.
SOX (Sarbanes-Oxley Act) requires publicly traded companies to protect the integrity of financial reporting, which in practice means robust identity security controls against unauthorized access and fraud in the systems that produce financial data, including monitoring and auditing of privileged accounts.
2. IAM compliance controls
Effective identity management systems play a vital role in meeting compliance mandates. Some specific identity security measures commonly required for compliance include:
Access control: Compliance standards often mandate enforcing least privilege and ensuring users only have access to systems and data required for their specific role/function. This limits exposure to sensitive information, thereby reducing the attack surface.
Multi-factor authentication (MFA): MFA is frequently a requirement in compliance standards to verify the identity of users accessing sensitive resources, reducing the risk of unauthorized access and data breaches.
Audit trails: Regulations typically require organizations to maintain detailed audit logs of identity-related activities, including logins, failed attempts, privilege escalations, and modifications to user access. These audit trails enable monitoring and reporting, which is necessary for both security operations and demonstrating compliance during audits.
3. Compliance frameworks
Several compliance frameworks guide organizations in securing their cloud identity systems:
NIST Cybersecurity Framework provides guidelines on securing identities, including access control (PR.AC), authentication (PR.AC-7), and identity management (PR.AC-1) in CSF 1.1 numbering (CSF 2.0 regroups these under PR.AA), to support compliance with various regulatory requirements.
ISO/IEC 27001 requires identity security controls as part of an information security management system (ISMS), particularly in the areas of access control (A.9) and cryptographic controls (A.10) in the 2013 edition; the 2022 edition regroups these under controls such as 5.15 to 5.18 (access control, identity management, authentication information, access rights) and 8.24 (use of cryptography).
CIS Controls emphasize identity and access management as a key security control mechanism. Specifically, CIS Control 5, account management, ensures that user access and entitlements are carefully controlled and audited for compliance.
4. Shared responsibility model
In cloud environments, compliance with identity security practices falls under the shared responsibility model, where both the cloud service provider (CSP) and the customer have roles:
Cloud provider’s responsibility: The CSP is responsible for securing the underlying infrastructure and platform, including ensuring that the identity services it provides (e.g., AWS IAM or Microsoft Entra ID, formerly Azure Active Directory) meet security standards.
Customer’s responsibility: The customer is responsible for configuring and managing identities securely within the cloud environment. This includes setting up IAM roles, defining policies, ensuring MFA is enforced, and auditing identity-related activities.
5. Third-party assessments and certifications
Many organizations rely on third-party assessments and certifications to demonstrate their compliance with identity security practices in the cloud, such as:
SOC 2 reports attest that an organization’s controls, identity security controls included, meet the trust services criteria for security, confidentiality, and privacy in cloud environments.
ISO 27001 certification demonstrates that an organization has implemented an ISMS, with identity and access controls, aligned with the international standard.
Cloud identity security plays an integral role in achieving and maintaining compliance with a wide range of regulations and standards. Implementing strong identity security practices helps organizations avoid the consequences of non-compliance and ensure that their cloud environments meet the required security standards.
Cloud identity security is not just about protecting sensitive data but also about demonstrating accountability and due diligence in safeguarding access to cloud resources, as required by law.
Having to enforce IAM, detect identity threats in real time, and implement other best practices discussed above can seem overwhelming. This is especially so in the context of multi-cloud environments, where achieving full visibility and seamless multi-platform integration is necessary.
Enter Wiz CIEM, a solution designed to offer you complete multi-cloud identity governance in a single dashboard.
Wiz CIEM integrates with Wiz CNAPP to provide out-of-the-box code-to-cloud visibility into misconfigured permissions, identity sprawl, and other identity security risks.
Wiz not only detects and automatically remediates these risks but also goes deeper to uncover toxic configuration combinations that can leave you susceptible to cyber threats. It seamlessly discovers exposed secrets and unencrypted data, alerting you before they can be exploited, and even helps you regularly review access policies to expunge unnecessary permissions.