If using one cloud server is good, then wouldn’t using multiple cloud servers be even better?

That seems to be the thinking for many large organizations, which are increasingly turning to multicloud infrastructure as a best practice: in a recent Harvard Business Review survey, 85% of respondents said that “their organizations use at least two clouds—and a quarter of those respondents are using five or more.” Flexera’s 2022 State of the Cloud report notes that “multicloud is the most popular cloud infrastructure, with 89% of enterprises relying on it.”

There are real benefits from using some combination of multiple cloud infrastructures—including AWS, Azure, and Google Cloud Platform—to help organizations optimize performance, ensure resiliency, and avoid relying too heavily on any one vendor.

But while multicloud infrastructure can help businesses realize key goals, doing so also introduces new challenges for admins.

At best, those challenges could result in inefficiencies and wasted effort. At worst, managing users, rights, access, authentication, and revoking access across multiple cloud environments could expose companies to unnecessary risks and introduce major security vulnerabilities.

In too many instances, cloud providers’ security features are insufficient at resolving these issues. After studying multiple cloud governance failures and advising security-first organizations on the best ways to address them, we’ve put together the following best identity governance practices to help businesses secure the cloud and move to zero trust.

“A minefield for zero-trust implementation”

The growth of multicloud environments and the corresponding challenges in managing expanding cloud entitlements are leading to growing risks.

Admins need to realize that these challenges can arise from the very start. IT teams will likely discover that their cloud providers’ complex identity and access management (IAM) environments don’t align with their on-premises usage history and access privileges. And that’s where the problem will start: VentureBeat recently reported on Gartner’s prediction that “99% of cloud security failures” will result from control misconfigurations.

“The more complex a multicloud configuration, the more it becomes a minefield for zero-trust implementation.”

Multicloud creates three major cybersecurity vulnerabilities

This square-peg-round-hole problem is one that admins will need to address straight away by learning the cloud providers’ various pre-determined IAM capabilities first, then understanding how to configure and manage them.

Broadly, we see three major identity governance challenges expanding as organizations move to multicloud environments. These challenges can result from the organization’s original governance policies, the cloud provider’s, or some combination of both/and:

  1. Accidental data exposure: Oftentimes resulting from the misconfiguration of rights and assets, in which a resource is left as public when it should be private. Gartner also predicted that this year half of enterprises will “unknowingly and mistakenly expose some applications, network segments, storage, and APIs directly to the public, up from a quarter in 2018.
  2. Excessive rights: If a user profile is over-provisioned in one environment, and if that same profile is migrated to another environment, then you’re now dealing with an even wider blast radius. The problem grows exponentially as organizations adopt even more cloud environments. While it’s an old idea, organizations must move to least privilege necessary—every user should have the bare minimum they need to perform their role. Least privilege is more than just good cybersecurity, it’s also a key component of moving to a zero trust posture.
  3. Weak, recycled passwords: Similar to having over-provisioned users move from one environment to another, users frequently recycle the same passwords from one cloud tenant to another. One weak password is bad—using it to access multiple cloud environments is even worse. Businesses should strive to use passwordless authentication whenever possible; in the interim, they should at least mandate password rotation and add multi-factor authentication (MFA) processes.
Using Cloud Infrastructure Entitlement Management (CIEM) to secure the cloud

One of the ways that the industry is responding to these new challenges is Cloud Infrastructure Entitlement Management (CIEM), a new process for managing identity-as-a-service cloud entitlement issues. CIEM accounts for the specific ways that cloud tenants are increasing the frequency and impact of cloud entitlement issues.

CIEM joins related governance programs like Customer Identity and Access Management (CIAM), External Identity and Access Management (XIAM), and Enterprise Identity and Access Management (EIAM), which all attempt to account for the growing types of users and the distinct entitlements that each need.

But unlike CIAM, XIAM, and EIAM, CIEM attempts to do more than manage rights and ensure effective repeals. CIEM solutions also preview current rights, ensure effective access reviews, verify that all types of different users’ rights align with their intended use, and prevent any entitlements from exposing company data, information, or systems.

More cloud, more money, more risks, more problems

Security and IT teams are turning to CIEM because the risks of any public cloud environment is greater than on-premises environments, given that cloud environments are accessible twenty-four hours a day. Those risks grow exponentially as organizations integrate multiple cloud environments.

Another need CIEM addresses is controlling the costs of public cloud environments. Consider what could happen if an employee who had managed public cloud resources leaves their company. Without the right controls and redundancies in place, a resource that had only been intended to run for a fixed time could continue consuming resources without an owner to manage it.

Businesses could incur more costs if they forget about a cloud resource. They could also expose themselves to more vulnerabilities: ex-admins could create hosts under their former company’s domain, phish customers, and exfiltrate their information. It’s bad when a scammer impersonates your brand and steals a password; it’s far worse when brand abuse comes from inside a company.

Finally, threat actors could breach the cloud provider itself and use that access to attack its clients. In December 2021, Brazil’s health ministry disclosed that attackers had stolen user credentials from a cloud provider’s infrastructure environment. That access allowed the attackers to destroy assets that the ministry had hosted on the provider, crash the ConecteSUS app, and ultimately prevent Brazilians from receiving vaccinations during the pandemic.

Governance best practices to secure multicloud environments

The good news is that there are governance best practices that organizations can implement to secure multicloud environments.

The breach of the Brazil health ministry demonstrated that organizations should maintain a distinct IGA environment to manage cloud providers’ entitlements separate from their CIEM and EIAM environments.

A separate IGA environment can better manage the volume and complexity of data needed to control users’ entitlements. Moreover, given the risk of a breach, maintaining a separate governance system makes it harder for hackers to move laterally and access critical information.

Whether setting up a separate environment entirely or combining a governance environment with other data, security teams should consider any users who can access it as privileged accounts, as those users can access high-risk infrastructure tools and resource.

Likewise, security teams should ensure that the system used to manage their CIEM instance receives an appropriate degree of layered protection. At a minimum, that should include multi-factor authentication (MFA). Typically, cloud providers make it easy to include MFA, which can help to secure both a specific environment and the overall cloud provider.

Get smart: use context

And while MFA is an important first step in securing CIEM, it’s only the first step: organizations should also consider including functionality that brings them closer to zero trust, including the ability to dynamically change authentication requirements.

Organizations can achieve that capability buy using contextual authentication to dynamically assess risk: smart security systems can assess the user’s location, device, network, and other signals to examine risk in real time and restrict access if needed. Additional measures—including password rotation, temporary activation of rights, session management, and auditing—can layer in additional security for governance environments.

Security teams can use these signals to feed and train security event monitoring tools: with visibility into users’ actions, smart IAM systems can learn to understand which events are expected—and which indicate risk.

If the system detects a problem, then an organization’s incident response team must be able to use whatever tool manages access to block exploited accounts.

Make sure your governance solution can export its policies

Because the use of multicloud environments is so prevalent, organizations need to ensure that whatever security they’re developing for a given environment can extend to others as well.

Whatever solution an organization uses to manage a single cloud environment should be able to export similar access policies to different providers. The rights assigned to a database administrator in Azure should mirror the rights assigned to the same person when they are administering an AWS environment. Doing so allows organizations to scale their security settings as they integrate more cloud environments.

Many CIEM market tools provide this mapping for standard profiles—however it’s not always the case that they can extend custom profiles in multicloud environments. Those custom profiles may not track for custom profiles, admins, or other high-risk users, so organizations should make certain they understand how mapping functions work for different user grounds from cloud environment to the next.