Bolstering Multi-Cloud Security With Identity Management
As organizations adapt to hybrid work and more and more cloud services are deployed, new service entities that collaborate and exchange data without human interaction, such as virtual machines and containers, are proliferating. The growth of these service accounts and identities and their increasing volumes of permissions, privileges, and entitlements expose organizations to new attack vectors.
Left in blind spots or uncontrolled, these permissions leave business-critical systems open to infiltration and disruption. High-profile breaches demonstrate how quickly bad actors can move laterally by exploiting misappropriated privileged credentials.
While organizations are reaping the benefits of cloud adoption, they still struggle to assess, prevent, enforce, and govern privileged access across hybrid and multi-cloud environments. Even if they piece multiple siloed systems together, they still get an incomplete view of privileged access.
Traditional Privileged Access Management and Identity Governance and Administration solutions are well suited for on-premises environments; however, they fall short of providing the necessary end-to-end visibility for multi-cloud entitlements and permissions. Neither do they provide consistent identity lifecycle management or governance in multi-cloud and cloud-native environments.
Last year, Joy Chik, Corporate Vice President for Microsoft Identity, outlined five identity priorities seeking to address the challenges of multi-cloud identity management:
- Trust in Zero Trust
- Secure Access to All Apps
- Go Passwordless
- Choose and Build Secure-by-Design Apps
- Break Collaboration Boundaries
Each presents federal agencies and other organizations with simple ways to handle the evolution of their IT infrastructure, but as always, the devil is in the details.
Trust in Zero Trust
As an approach, GovCyberHub has frequently stressed the utility and security that a zero trust framework can provide, Chik agreed, noting that "it's crucial to establish a strong cloud identity foundation, so you can enforce least privileged access to protect business-critical systems while improving business agility."
Chik added that the acquisition of CloudKnox by Microsoft last year illustrated a growing trend among IT companies to prioritize zero trust and identity management. "Our industry is adapting," Chik said. "We at Microsoft are committed to making it easier to enforce least privilege access for all users and workload identities." Chik continued, noting that federal agencies and other organizations should look for IT companies that are taking similar approaches.
"We offer granular visibility, continuous monitoring, and automated remediation for hybrid and multi-cloud permissions," Chik said. "And while I think that Microsoft is, of course, the best positioned to help government agencies, these trends are not unique to just us. Across the industry you see organizations working to empower and defend the future of hybrid work and multi-cloud environments, to provide essential visibility, and to control and monitor zero trust demands."
Secure Access to All Apps
Chik noted that there was tremendous growth in the usage of applications and that while some organizations were utilizing single sign-on solutions, many were not. "Simply put, it is one of the best ways to simplify the identity lifecycle, tighten controls, and minimize the use of weak passwords," Chik said. "The end result is stronger security at a lower cost."
While solutions like Azure AD have expansive app galleries, all of which can utilize a single sign-on, many organizations still utilize legacy apps that may not play well. Chik, however, said that Microsoft has worked to integrate older apps into the system. “You can extend multi-factor authentication (MFA) and Conditional Access to legacy on-premise apps. Those tools exist and bring more security to older, less secure applications, but I believe that everyone in the industry will tell you to eventually embrace modernity and explore what new applications can perform the work of the old ones far more efficiently and securely.”
So long as passwords remain difficult for people to remember and easy for hackers to steal, Chik will continue repeating her mantra "Go Passwordless." Passwordless authentication can minimize or eliminate many identity attack vectors, including those exploited in the most sophisticated cyberattacks.
At a minimum, going passwordless should be non-negotiable for admin-level accounts. Moreover, providing employees with a fast, easy sign-in experience saves time and reduces frustration. Forrester estimates that consolidating to a single identity solution and providing one set of credentials saves each employee 10 minutes a week on average, or more than 40 hours a year. Imagine additional savings from not having to reset passwords or mitigate phishing attacks.
Choose and Build Secure-By-Design Apps
Because attacks on applications are growing, it’s important to go a step beyond integrating apps and to work to deploy apps that are secure by design. Ideally, apps should go passwordless too, so ensure they’re using strong credentials like certificates. Chik adds that "whenever possible, choose third-party apps from verified publishers. Since publisher verification badges make it easier to determine whether an app comes from an authentic source." She also encouraged ISV partners to become verified publishers if they haven’t already.
Since most apps ask to access company data, administrators may choose to review consent requests before granting permissions. While neglecting to review requests is a security risk, doing it for every single app used by every single employee takes too much time and costs too much. Fortunately, Chik highlighted new features like app consent policies and admin consent workflow which can help avoid the extreme choices of reviewing all requests or delegating full responsibility to employees. Regularly review your app portfolio and take action on overprivileged, suspicious, or inactive apps.
Break Collaboration Boundaries
Partners, customers, and frontline workers are essential for a business to flow. And to work properly, they need simple and secure access to apps and resources. Chik pointed to collaboration as a necessary component of productivity for frontline workers, while administrators need visibility and controls to protect sensitive data. Simplify collaboration for external users with intuitive self-service sign-up flows and the convenience of using their existing email or social account.
Visibility and control are easier to achieve when managing all identities using a common toolset. Chik encouraged federal agencies and other organizations to apply the same Conditional Access policies for fine-grained access control to services, resources, and apps. “By setting up access review campaigns, you can ensure that external guests don’t overstay their welcome and only access resources they need,” Chik said.
What's in Store for the Future
Looking beyond the day-to-day work of the modern office, there is a need for identity management in an increasing number of applications. One that Chik noted was the use of applicant verification. “During the pandemic, they had to support not only remote work but also remote recruiting. People usually show up to an interview with documentation in hand that confirms their identity and qualifications. It’s more complicated to vet candidates remotely, especially when hiring needs to happen quickly.”
Microsoft and industry-leading ID verification partners are pushing the frontier of identity by transforming existing ID verification practices with open standards for verifiable credentials and decentralized identifiers. Verifiable credentials are the digital equivalent of documents like driver’s licenses, passports, and diplomas. In this paradigm, individuals can verify a credential with an ID verification partner once, then add it to Microsoft Authenticator (and other compatible wallets) and use it everywhere in a trustworthy manner.
Such an approach can improve verification while protecting privacy across the identity lifecycle: onboarding, activating credentials, securing access to apps and services, and recovering lost or forgotten credentials. Chik added that Microsoft is piloting this technology with customers like the National Health Service in the UK and MilGears, a program of the United States Department of Defense that helps service members and veterans enroll in higher education and jumpstart their civilian careers.
Ultimately identity management will continue to become part and parcel of the new paradigm of cybersecurity. Together with zero trust, identity management is a powerful addition to the cybersecurity arsenal, and Chik sees them being the gold standard far into the future. "Whether your top priority is modernizing your infrastructure and apps or implementing a zero trust security strategy, Microsoft is committed to helping you every step of the way," she said. "We are working to make sure that our identity management innovations continue to fill the roles that agencies and other organizations need, so reach out and let’s see what we can do to help."