GRC Viewpoint

The Importance of Identity-Based Behavior Tracking for Cloud Security

According to a recent report on cloud adoption from O’Reilly Media, 48% of survey respondents plan to migrate half or more of their applications to the cloud in 2022, and cloud usage has grown to 90%. Many companies making the move do so under a false sense of security, assuming that migrating from on-premises infrastructure to the cloud will by itself protect them from security threats.

The reality is that attackers are migrating to the cloud in droves alongside the organizations they target. Ransomware attacks, as one example, surged 105% in 2021, with attackers focusing more and more on cloud storage. The good news is that there is a way to lock down cloud applications: identity-based behavior tracking built on the principle of least privilege, in which each application is allowed only the connections its normal behavior requires, is the best way to secure cloud environments.

The Role of Identity in Security Paradigms—A Brief History   

It is unthinkable to have a security paradigm that doesn’t put identity first. Identity is the centerpiece of security and access control. The technology for verifying user identity keeps improving: first it was login and password, now there is Multi-Factor Authentication (MFA) and passwordless access. Applications, however, have been neglected for a long time: inter-application access has traditionally had little protection beyond static secrets.

Historically, there’s been a reliance on the perimeter being trusted and “safe.” Then some firewall protection was added by creating a three-tier deployment (web, application and data) with firewalls placed between the tiers, so that access controls could protect the crown-jewel data and create defense in depth. Data access was additionally protected using passwords and API secrets. Though users have been upgraded to MFA and passwordless, the apps still live in the dark world of passwords. It’s well acknowledged that passwords are a weak form of authentication: they are easily stolen, compromised and duplicated, and a secret stolen from one instance of an application works equally well from anywhere else.

Connecting to the Mothership is Easy, There’s Always a Backdoor 

Whether robbing a bank or scraping data from a cloud application database, the perpetrators share one commonality: they need a getaway. In bank robberies it’s usually the getaway car; in data breaches it is a way to connect back to the mothership. This is why attackers make sure they have a backdoor in and out of the digital environments they compromise.

Whether the target is a client desktop, virtual server, cloud application or network appliance, a backdoor lets an attacker skirt the normal security measures that decide who is authorized to access what. In some cases, these backdoors are created for legitimate use, to let vendors or developers perform management or maintenance tasks. Unfortunately, bad actors can exploit them as a dedicated channel to their command-and-control infrastructure: the same channel is used to push malicious code in and to exfiltrate data out. Vendors can’t produce patches quickly enough to keep up with ransomware, malware is becoming harder to detect, and there is always a backdoor.

Cloud providers made a move towards passwordless access for applications with Identity and Access Management (IAM): a workload is assigned a role, and it calls cloud services without any stored credential. However, when the application is compromised, the attacker inherits that same passwordless access. IAM also governs only access to the provider’s own resources and APIs; it says nothing about where the application may open outbound network connections, so an intruder gets a free pass to exfiltrate data (unrestricted egress, data leaks).

The somewhat newer firewall controls also don’t work well in the cloud, because the apps are dynamic and ephemeral and network controls cannot keep pace with their rate of change. The apps are not tied to an endpoint: their network address, which is the only identity a firewall sees, keeps changing as they are orchestrated for scale and high availability.

Leveraging Identity-Driven Protection to Close the Backdoors

Protecting against cyberattacks can make cybersecurity managers feel like a mouse on a wheel. Malware lists are constantly updated with new file types, packet layers are perpetually stripped away to find what lies within, and investments in best-of-breed security tools and WAFs are added to the perimeter defense. Despite all this, cyberattacks continue at alarming rates. In fact, you can comply with every NIST security control and still get breached. A big reason is that 95% of cybersecurity breaches are attributed to human error, and even the smallest cloud configuration mistake can open up big security risks.

Think of an army protecting land from an invading force approaching by sea. There will never be a better opportunity to repel the enemy than on the beach. Once a beachhead is obtained, troops and resources can be continually fed into it, and driving the enemy out becomes a thousand times more difficult. Similarly, the most vulnerable point for an attacker is the backdoor. Deny them a backdoor connection and the attack is over, regardless of the technical details of how they got in.

Cloud applications don’t use backdoors by default. They have a prescribed set of actions that they regularly perform in order to function: a given service talks to a known set of peers, databases and external endpoints, and little else. Discovering this deterministic behavior, recording it as a profile bound to the application’s identity, and restricting the application to that profile ensures that when a connection is attempted outside the norm, it is denied.

The way out is to embed the controls into the apps themselves. This allows access controls to be applied at the app boundary, where the identity of the caller is known, rather than somewhere far away in the infrastructure where no identity context is available. It also allows the controls to move along with the app wherever it is scheduled. Such controls apply in both directions: inbound, toward data, and outbound, toward egress and data leaks. In the cloud, the identity of the workload takes center stage, and the network address ceases to serve as the application’s identity. This also leads to true passwordless access between applications: because data access is granted to the workload identity rather than to a secret stored on the asset, there is no password for an attacker on that asset to steal and reuse.
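As an added illustration of the learn-and-enforce approach described in the two preceding paragraphs, the following Python script builds an egress profile per workload identity from known-good connection records and then denies anything outside that profile. This is example code written for this page, not Araali Networks’ product or code; the log format, the workload names and the destination hosts are all constructed for the example. The profile is keyed by a stable workload identity (for instance a deployment or service-account name) and never by pod name or IP address, so a replacement instance of the same application is judged by the same rules while a connection to an unknown host, or from a workload with no profile at all, is refused.

```python
"""
Identity-based egress baseline (added example, not vendor code).

Learn which destinations each workload identity normally connects to,
then deny any connection outside that learned profile. The profile is
keyed by the stable workload identity, never by the ephemeral instance
name or address.
"""
from collections import defaultdict
from typing import NamedTuple


class Conn(NamedTuple):
    workload: str    # stable identity of the application (assumed label)
    instance: str    # ephemeral identifier (pod name / IP); informational only
    dst_host: str
    dst_port: int
    proto: str


def parse_line(line: str) -> Conn:
    """Parse one 'key=value ...' connection record (a constructed log format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    host, port = fields["dst"].rsplit(":", 1)
    return Conn(fields["workload"], fields["instance"], host, int(port), fields["proto"])


def learn_baseline(lines):
    """Build {workload: frozenset of (dst_host, dst_port, proto)} from known-good traffic."""
    profile = defaultdict(set)
    for line in lines:
        c = parse_line(line)
        profile[c.workload].add((c.dst_host, c.dst_port, c.proto))
    return {w: frozenset(dsts) for w, dsts in profile.items()}


def evaluate(baseline, conn: Conn):
    """Return (verdict, reason). Default deny: unknown identity or unknown destination."""
    allowed = baseline.get(conn.workload)
    if allowed is None:
        return "DENY", f"no profile for workload '{conn.workload}'"
    key = (conn.dst_host, conn.dst_port, conn.proto)
    if key in allowed:
        return "ALLOW", "destination is in the learned profile"
    return "DENY", f"{conn.dst_host}:{conn.dst_port}/{conn.proto} not in profile for '{conn.workload}'"


def enforce(baseline, lines):
    """Evaluate each record against the baseline; returns (line, verdict, reason) tuples."""
    return [(line, *evaluate(baseline, parse_line(line))) for line in lines]


# Constructed learning traffic: what the applications do when behaving normally.
LEARN_LOG = [
    "workload=checkout instance=checkout-7f9d4 dst=payments.internal:443 proto=tcp",
    "workload=checkout instance=checkout-7f9d4 dst=orders-db.internal:5432 proto=tcp",
    "workload=checkout instance=checkout-c21ab dst=payments.internal:443 proto=tcp",
    "workload=web instance=web-0a1f2 dst=checkout.internal:8080 proto=tcp",
]

# Constructed enforcement traffic, including one backdoor-style connection.
ENFORCE_LOG = [
    # new pod, same identity, known destination: address churn is irrelevant
    "workload=checkout instance=checkout-9e77b dst=payments.internal:443 proto=tcp",
    # same identity reaching out to an unknown host and port (a would-be backdoor)
    "workload=checkout instance=checkout-9e77b dst=203.0.113.7:4444 proto=tcp",
    # a workload with no learned profile touching the database
    "workload=debug-shell instance=debug-shell-1 dst=orders-db.internal:5432 proto=tcp",
    # legitimate web -> checkout call from a fresh web instance
    "workload=web instance=web-55c3d dst=checkout.internal:8080 proto=tcp",
]


def run_demo():
    """Learn from LEARN_LOG and return the verdict for each ENFORCE_LOG record."""
    baseline = learn_baseline(LEARN_LOG)
    return [verdict for _, verdict, _ in enforce(baseline, ENFORCE_LOG)]


if __name__ == "__main__":
    baseline = learn_baseline(LEARN_LOG)
    for line, verdict, reason in enforce(baseline, ENFORCE_LOG):
        print(f"{verdict:5} {reason}")
```

In a real deployment the learning phase would run against observed traffic over a period long enough to see every legitimate dependency, the resulting profile would be reviewed before enforcement is switched on, and the identity would come from the orchestrator or the workload’s attested identity rather than from a field in a log line. The essential property is unchanged: the policy follows the application, not its address, and anything the application never did during learning is denied by default.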

While there are millions of malware signatures out there, a breach has one signature move: the creation of a channel for entry and escape. An identity-driven approach to application security prevents attackers from getting away with the crime. It is the next evolutionary stage needed to turn the tide of cybercriminal activity. So go shut the door on malicious backdoors.

By Abhishek Singh, CEO, Araali Networks
