
Identity Security [Cloud Edition]

Wiz Experts Team
8 minutes read

What is cloud identity security?

Cloud identity security is the practice of safeguarding digital identities, and the sensitive cloud infrastructure and data they gatekeep, from unauthorized access and misuse. The practice encompasses the identity and access control mechanisms that grant or deny access to human users (e.g., developers), service accounts, application identities, and other entities interacting with cloud services.

The shift from traditional to cloud identity management

Traditionally, identity security was managed on-premises; all identities came from a single, limited but easy-to-control source, managed via in-house servers and software. However, the cost, flexibility, and scalability challenges of self-hosted on-premises servers became a problem. This led to cloud adoption and, in turn, federated identities, allowing tens to thousands of human and machine identities to easily access an organization’s multi-cloud environment.

Companies were forced to shift from traditional directory services, like Microsoft Active Directory (AD), to identity management services more suited to the cloud’s distributed, dynamic nature like Microsoft Entra ID. These services not only facilitated highly scalable, cross-domain identity management but also enabled easy integration with IaaS, SaaS, and PaaS platforms. They additionally allowed organizations to implement concepts like single sign-on (SSO) across multiple environments.

Still, the dynamic nature of the cloud—which empowers developers to spin resources up and down at the drop of a hat—also puts identities at risk of misconfigured access controls. An example is the ransomware attack on cybersecurity giant Fortinet. This incident resulted in the theft of 440 GB worth of files from Fortinet’s S3 bucket and the release of the instance’s credentials on a hacker forum, giving other hackers access to the data. 

Common identity security risks in the cloud

The Fortinet incident above makes it clear that, despite the benefits of the shift from traditional to cloud-native solutions, cloud identity protection is not without its risks. These risks can leave organizations exposed to cyber threats and business disruption should their cloud environment be breached.

Common identity security risks include the following.

Over-permissioning

This involves granting users or services more permissions than they need for their given tasks. Over-permissioning often leads to privilege escalation vulnerabilities like CVE-2023-2640 and CVE-2023-32629, which impacted about 40% of Ubuntu users before they were discovered by the Wiz Research Team. Over-permissioning also enlarges the attack surface and widens the blast radius in the event of an attack.

Identity sprawl

This refers to a single user creating multiple unsynchronized accounts across several cloud services. As such accounts often go undetected, identity sprawl makes it difficult to keep track of who is doing what in your cloud.

Shadow assets and access 

This entails the proliferation of unknown, unauthorized, and sometimes over-permissioned cloud identities and assets. A study of one organization’s cloud ecosystem found that nearly half of all admin accounts were over-permissioned and inherited, some with the ability to delete entire cloud environments. As these accounts were unmonitored, the potential damage if they were breached would be catastrophic.

Weak authentication

This is often caused by relying solely on a single means of authentication, e.g., PINs or passwords that are often weak or reused. Organizations are then left vulnerable to credential theft and brute force attacks, such as via the CVE-2023-7103 vulnerability.

Identity security vs. IAM

Identity security is a broad practice that focuses on protecting all aspects of digital identities, including access control, identity lifecycle management, threat detection, and compliance. It aims to ensure that users and entities have secure access to cloud resources while detecting and mitigating potential identity-based threats. 

Identity and access management (IAM) is a narrower subset of identity security, specifically focused on managing who has access to what resources. IAM provides the tools for authentication, authorization, and access control, using methods like role-based access control (RBAC) and multi-factor authentication (MFA). While IAM plays a vital role in identity security, it doesn’t cover the full spectrum of identity-related protections.

Identity security vs. Zero Trust

Identity security involves ensuring the security of user identities and overseeing their access to cloud resources. It includes practices like access management, identity lifecycle management, and threat detection, specifically targeting the protection of identities.

Zero Trust is a broader security model wherein no party, either inside or outside the network, is trusted by default. It continuously verifies every user, device, and access attempt, regardless of location, and goes beyond identity security to also secure devices, workloads, and networks. 

While identity security is an essential part of Zero Trust, Zero Trust extends security measures to every element of the cloud and network, ensuring constant validation and protection against potential breaches.

How identity security in the cloud works

Stage 1: Discovery and mapping

Action: Scan the cloud environment to identify all human and non-human identities (e.g., service accounts, applications).

Steps:

  • Map the relationships between identities and the cloud resources they access.

  • Create a comprehensive inventory of access permissions, roles, and entitlements.

  • Identify any orphaned accounts or unmanaged identities.

Stage 2: Analysis and risk assessment

Action: Analyze the risk associated with each identity, focusing on access scope and permissions.

Steps:

  • Evaluate effective permissions, considering complex inherited access rights.

  • Identify unused or excessive permissions that may increase the attack surface.

  • Detect identities lacking basic security measures (e.g., missing multi-factor authentication (MFA)).

  • Assess the overall risk level based on the sensitivity of accessed resources.

Stage 3: Policy creation and enforcement

Action: Create and implement access control policies that ensure identities are secure.

Steps:

  • Develop least privilege access policies based on the risk assessment.

  • Set up role-based access control (RBAC) to align roles with job functions.

  • Implement conditional access policies that take context into account (e.g., location, device health).

  • Enforce MFA for all accounts, especially those with administrative or privileged access.

Stage 4: Continuous monitoring and detection

Action: Continuously monitor identity-related activity for suspicious or risky behavior.

Steps:

  • Implement real-time monitoring to track login attempts, access patterns, and privilege changes.

  • Set up alerts for abnormal behavior or policy violations, such as login attempts from unknown locations.

  • Scan for exposed secrets or credentials and detect compromised identities.

  • Monitor non-human identities (e.g., service accounts, serverless functions) for unusual activity or misconfigurations.

Stage 5: Threat analysis and response

Action: Identify and respond to identity-based threats using advanced analytics.

Steps:

  • Correlate identity risks with other security data (e.g., vulnerabilities, misconfigurations) to get a holistic view.

  • Conduct attack path analysis to identify potential routes to sensitive data or administrative privileges.

  • Detect potential lateral movement paths that attackers could use to escalate access.

  • Respond to threats by adjusting access controls, isolating compromised identities, or rotating credentials.

Stage 6: Remediation and optimization

Action: Remediate identity risks and optimize access controls to prevent future incidents.

Steps:

  • Provide step-by-step remediation to reduce over-permissioned identities.

  • Revoke unused or unnecessary access rights.

  • Rotate exposed credentials and secrets to prevent unauthorized access.

  • Implement just-in-time (JIT) access for privileged accounts to limit how long elevated privileges are granted for.

Stage 7: Reporting and compliance

Action: Ensure identity security practices align with regulatory standards and can be audited.

Steps:

  • Generate detailed reports on the organization’s identity security posture.

  • Track changes in permissions, access patterns, and improvements over time.

  • Ensure compliance with relevant standards and regulations (e.g., GDPR, HIPAA, PCI DSS).

  • Retain auditable logs of all identity-related activities and policy changes for audit and reporting purposes.

Stage 8: Continuous improvement

Action: Regularly review and improve identity security measures to adapt to new threats.

Steps:

  • Periodically review and update identity policies to reflect changes in the cloud environment.

  • Conduct regular security assessments and penetration tests to identify gaps in identity security.

  • Stay informed on new identity-based attack vectors and adjust security strategies accordingly.

  • Continuously educate users on best practices for securing cloud identities and reducing risk.
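As an added example (not code from the original article or from Wiz), the following Python sketch runs the Stage 1, 2 and 6 checks over a constructed identity inventory: effective permissions are resolved through group inheritance, grants that no logged action ever exercised are flagged for revocation, and humans without MFA, dormant identities and orphaned accounts are reported. The group names, identities and action strings are constructed sample data, not taken from any real environment.

```python
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase
from typing import Optional

# Constructed sample data: group membership grants its permissions to every member.
GROUPS = {
    "cloud-admins": {"iam:*", "s3:*"},
    "developers": {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"},
}

@dataclass
class Identity:
    name: str
    kind: str                      # "human" or "service"
    groups: list
    direct_perms: set
    used_actions: set              # distinct actions observed in activity logs
    mfa_enabled: bool
    last_activity: Optional[date]  # None = never used
    owner_active: bool = True      # False = owner has left (orphaned account)

def effective_permissions(identity):
    """Stage 1/2: direct grants plus everything inherited through groups."""
    perms = set(identity.direct_perms)
    for group in identity.groups:
        perms |= GROUPS.get(group, set())
    return perms

def unused_permissions(identity):
    """Grants no logged action exercised; a wildcard like s3:* counts as used if any action matches."""
    return {p for p in effective_permissions(identity)
            if not any(fnmatchcase(action, p) for action in identity.used_actions)}

def assess(identity, today, dormant_days=90):
    """Stage 2 risk checks; returns {finding_name: detail}. Unused grants are what Stage 6 revokes."""
    findings = {}
    if wildcards := sorted(p for p in effective_permissions(identity) if "*" in p):
        findings["over_permissioned"] = wildcards
    if unused := sorted(unused_permissions(identity)):
        findings["unused_permissions"] = unused
    if identity.kind == "human" and not identity.mfa_enabled:
        findings["missing_mfa"] = True
    if identity.last_activity is None or (today - identity.last_activity).days > dormant_days:
        findings["dormant"] = True
    if not identity.owner_active:
        findings["orphaned"] = True
    return findings
# Constructed inventory: an over-permissioned human and an orphaned service account.
INVENTORY = [
    Identity("alice", "human", ["cloud-admins", "developers"], set(),
             {"s3:GetObject", "iam:ListUsers"}, False, date(2024, 5, 1)),
    Identity("ci-deployer", "service", ["developers"], {"ec2:RunInstances"},
             {"s3:PutObject"}, True, None, owner_active=False),
]
```

Running `assess(identity, date.today())` over each entry in `INVENTORY` yields the per-identity findings; the `unused_permissions` set is the concrete list to revoke in Stage 6.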

Cloud identity security and compliance

Cloud identity security is critical for ensuring compliance with various regulatory standards and industry frameworks, particularly those focused on protecting sensitive data, managing access controls, and maintaining secure environments. 

Below is a breakdown of the many ways that cloud identity security is entwined with cloud compliance.

1. Regulatory standards

Many regulations explicitly require stringent identity security measures to protect sensitive data in cloud environments. Key examples include:

  • GDPR (General Data Protection Regulation) requires organizations to safeguard personal data, including controlling access to this data via secure identity management practices. Ensuring that only authorized users have access to sensitive personal data is essential for GDPR compliance.

  • HIPAA (Health Insurance Portability and Accountability Act) mandates that healthcare organizations and their partners secure electronic protected health information (ePHI) through mechanisms like role-based access controls and strong authentication methods to ensure only authorized personnel can access sensitive patient information.

  • PCI DSS (Payment Card Industry Data Security Standard) specifies strict access control measures to secure cardholder data. This includes enforcing least privilege access, using unique IDs for individuals, and ensuring secure management of authentication mechanisms.

  • SOX (Sarbanes-Oxley Act) imposes requirements on financial institutions to protect against unauthorized access and fraud by enforcing robust identity security controls, including monitoring and auditing of privileged accounts.

2. IAM compliance controls

Effective identity management systems play a vital role in meeting compliance mandates. Some specific identity security measures commonly required for compliance include:

  • Access control: Compliance standards often mandate enforcing least privilege and ensuring users only have access to systems and data required for their specific role/function. This limits exposure to sensitive information, thereby reducing the attack surface.

  • Multi-factor authentication (MFA): MFA is frequently a requirement in compliance standards to verify the identity of users accessing sensitive resources, reducing the risk of unauthorized access and data breaches.

  • Audit trails: Regulations typically require organizations to maintain detailed audit logs of identity-related activities, including logins, failed attempts, privilege escalations, and modifications to user access. These audit trails enable monitoring and reporting, which is necessary for both security operations and demonstrating compliance during audits.

3. Compliance frameworks 

Several compliance frameworks guide organizations in securing their cloud identity systems:

  • NIST Cybersecurity Framework provides guidelines on securing identities, including access control (PR.AC), authentication (PR.AC-7), and identity management (PR.AC-1), to support compliance with various regulatory requirements.

  • ISO/IEC 27001 enforces identity security as part of its information security management systems (ISMS), particularly in areas such as access control (A.9) and cryptographic controls (A.10).

  • CIS Controls emphasize identity and access management as a key security control mechanism. Specifically, CIS Control 5, account management, ensures that user access and entitlements are carefully controlled and audited for compliance.

4. Cloud provider shared responsibility model

In cloud environments, compliance with identity security practices falls under the shared responsibility model, where both the cloud service provider (CSP) and the customer have roles:

  • Cloud provider’s responsibility: The CSP is typically responsible for securing the underlying infrastructure and platform, such as ensuring that the identity services provided (e.g., AWS IAM or Azure Active Directory) meet security standards.

  • Customer’s responsibility: The customer is responsible for configuring and managing identities securely within the cloud environment. This includes setting up IAM roles, defining policies, ensuring MFA is enforced, and auditing identity-related activities.

5. Third-party assessments and certifications

Many organizations rely on third-party assessments and certifications to demonstrate their compliance with identity security practices in the cloud, such as:

  • SOC 2 ensures that identity security controls meet standards for security, confidentiality, and privacy in cloud environments.

  • ISO 27001 certification demonstrates that an organization has implemented robust identity security controls aligned with international standards.

Cloud identity security plays an integral role in achieving and maintaining compliance with a wide range of regulations and standards. Implementing strong identity security practices helps organizations avoid the consequences of non-compliance and ensure that their cloud environments meet the required security standards. 

Cloud identity security is not just about protecting sensitive data but also about demonstrating accountability and due diligence in safeguarding access to cloud resources, as required by law.

Wiz’s approach to CIEM

Caption: Wiz dashboard showing identity risks

Having to enforce IAM, detect identity threats in real time, and implement other best practices discussed above can seem overwhelming. This is especially so in the context of multi-cloud environments, where achieving full visibility and seamless multi-platform integration is necessary. 

Enter Wiz CIEM, a solution designed to offer you complete multi-cloud identity governance in a single dashboard. 

Wiz CIEM integrates with Wiz CNAPP to provide out-of-the-box code-to-cloud visibility into misconfigured permissions, identity sprawl, and other identity security risks.

Wiz not only detects and automatically remediates these risks but also goes deeper to uncover toxic configuration combinations that can leave you susceptible to cyber threats. It seamlessly discovers exposed secrets and unencrypted data, alerting you before they can be exploited, and even helps you regularly review access policies to expunge unnecessary permissions. 

When Wiz CIEM says it’s an identity risk, you can be sure it is. See Wiz in action. Try out our 30-minute personal demo today. 
