The Cybersecurity Minefield of Cloud Entitlements - InformationWeek


In the rush to the cloud, some organizations may have left themselves open to cybersecurity incidents. Here's how machine learning and analytics helped one company close the gaps.

Credit: kras99 - Adobe Stock

Almost as quickly as we pivoted to work-from-home and move-to-the-cloud to minimize the economic impact of the pandemic, we also saw what felt like a pickup in significant cyberattacks, from the SolarWinds supply chain attack to a raft of ransomware incidents.

How can your organization avoid such attacks? Did moving workers home and more workloads to the cloud actually increase the cyber risk for businesses? David Christensen, who has spent a decade working on cloud security at several startups and is now director of Global InfoSec Engineering and Operations for cloud and digital transformation at fintech B2B company WEX, believes that a little-known vulnerability is the cause of many of today's cloud security issues.

He says the biggest security gap today in the cloud has to do with cloud entitlements. Anything running in the cloud must have some sort of entitlement associated with it for it to interact with other resources -- for instance, giving a server permission to access particular storage or giving a server the ability to launch another service.

Humans are often in the position of setting up these entitlements in the cloud.

Christensen said that entitlement misconfigurations can happen when someone reuses a policy from one server for a new server because it includes all the things they need for that new server, and then they just ignore the things they don't need. But ignoring those other things is a mistake.

"You say 'I'm just going to use this policy because it looks like it's going to work for me,'" he said. But then that server inherits access to other resources, too, including access it doesn't need.
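The inherited-access problem described above can be made concrete with a short check. This is an added example, not code from the article, WEX, or Ermetic: it compares a reused AWS-style policy against the calls the new server actually made. The policy, the observed calls, and the function name `review_reused_policy` are constructed for illustration; `Deny`, `NotAction`, and `Condition` handling are left out.

```python
import fnmatch

# Constructed sample: policy copied from an existing server onto a new one.
REUSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-data/*"},
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    ],
}

# Constructed sample: (action, resource) pairs the new server really used,
# as they might be summarized from audit logs.
OBSERVED = [
    ("s3:GetObject", "arn:aws:s3:::app-data/reports/q1.csv"),
    ("dynamodb:GetItem", "arn:aws:dynamodb:us-east-1:111122223333:table/orders"),
]

def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # Wildcard match; fnmatch's '*' and '?' approximate policy wildcards.
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def review_reused_policy(policy, observed):
    """Return (unused, broad): grants never exercised, and wildcard grants
    that are exercised but wider than the observed usage requires."""
    unused, broad = [], []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                used = any(_matches(action, a, ignore_case=True)
                           and _matches(resource, r) for a, r in observed)
                if not used:
                    unused.append((action, resource))  # inherited, not needed
                elif "*" in action or resource == "*":
                    broad.append((action, resource))   # needed, but too wide
    return unused, broad

if __name__ == "__main__":
    unused, broad = review_reused_policy(REUSED_POLICY, OBSERVED)
    print("unused grants:", unused)
    print("overly broad grants:", broad)
```

The unused list is what the new server inherited without needing; the broad list marks grants to narrow to the specific actions and resources seen in use.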

An accelerated move to the cloud can make matters worse.

"As a human being we can't process all those actions in such a short period of time to determine whether or not approval of a policy is going to lead to a future security incident," Christensen said. "It's what I keep describing as the Achilles heel of cloud security. It's like a matrix of if this then that, and most people who have to define that can't do it fast enough... When the business is trying to move fast, sometimes you just have to say, 'well, I don't think that this is bad, but I can't guarantee it.'"

The need to control cloud entitlements has led to a new category of software called cloud infrastructure entitlements management, or CIEM. Gartner defines entitlement management as "technology that grants, resolves, enforces, revokes, and administers fine-grained access entitlements (also referred to as 'authorizations,' 'privileges,' 'access rights,' 'permissions' and/or 'rules')."

Gartner predicts that by 2023, 75% of cloud security failures will result from inadequate management of identities, access, and privileges. That's an increase from 2020 when the number was 50%.

The accelerated move that many organizations have made to the cloud has made security failures more likely, according to Christensen. Some organizations may have tried to apply the same security measures that they used on-premises to the cloud.

"It creates a lot of gaps," Christensen said. "The surface area is different in the cloud."

Christensen found some security gaps when he joined WEX 2 years ago as an expert in cloud security. The company, which provides fleet card and B2B card services, had embarked on a cloud-first journey about a year before he joined.

To get a better idea of the extent of these issues at WEX, in January 2021 Christensen deployed an analytics-based discovery, monitoring, and remediation tool from Ermetic. Within the first 30 days of putting the platform into production, WEX found almost 1,000 issues, and it was able to close those gaps in its cloud security. By early July the platform had found a total of nearly 3,000 issues to fix.

"Again, the cause of these wasn't a lack of effort to try to build those least-privilege policies," Christensen said. "People thought they were following the right procedures as advised by Amazon, and as advised by peers in the industry."

But the scale of cloud entitlements had made them close to impossible for humans to manage on their own. It's that type of use case where analytics and machine learning can help close the gap.

For WEX, the application has led to a better security posture for its cloud-first strategy. At a time when attackers are everywhere, that's so important.

"Ultimately, there are two or three things an attacker is trying to do -- get at your data, disrupt your business, or give you a bad reputation," Christensen said.

Jessica Davis is a Senior Editor at InformationWeek. She covers enterprise IT leadership, careers, artificial intelligence, data and analytics, and enterprise software. She has spent a career covering the intersection of business and technology.