Joseph Carson: Privileged Access Cloud Security: Insider Tips and Best Practices

So really pleasure to be here and I'm gonna be focusing around privileged access cloud security and it's cuz many organizations, of course, you know, we've heard a lot about the pandemic and for me, you know, for yes, a lot of employees have moved to working remotely and working from home. And it does mean a lot of kinda changes in organizations, threat landscape, significantly exposing them to more risks around, you know, credentialed staff, identity theft, third party, privilege abuse, and also even continuing providing access to employees to be able to continue doing their jobs.

For me, I think the pandemic is probably just really accelerated the path we were going on. I've worked on a lot of various, such as autonomous shipping, where we were looking at taking people at a very high risk health environments and putting 'em into where they can actually operate and work remotely. So I do see this as, you know, an opportunity.

We have seen the acceleration to cloud computing as a result of this, and even here in Estonia, you know, while people started moving and working remotely and from home, we did see even the art education system having to evolve and keep up with the ability to continue delivering education to children, where we've seen, you know, a lot of use of online educational tools. So children can stay and educated and stay being up to date and communicate with their teachers using collaboration platforms as well. We've also seen a lot to do with health.

You, it was very high risk to go to the doctor. So we've seen a lot around telemedicine and remote access and communications with doctors, but it has meant a big shift in how we actually managed and secured this devices for many organizations, the security would've been focused around the perimeter, the devices, the endpoints, and this has seen a big shift focusing around identities, cuz we've seen a lot of devices lead the office that actually contains a lot of sensitive information.

We've seen applications moving outside the organization where they would've been previously protected by firewalls and rules and DMCs and controls. And we're also seeing privileges moving outside to fireballs as well, where being local administrator rights are even full domain, administer rights now being access and operated in people's homes where the environment may not be secure as what you would actually ideally wanted to be. So this has created a lot of risks and it has enforced and accelerate a lot of organizations moving to cloud computing.

And this has also created more challenges to get visibility. Now, one of the things I always interestingly find, you know, alarming is when I talk to people about cloud computing, sometimes people's visibility is around that, you know, computers are actually up in the clouds, they have this misinterpretation and also it gets into challenges around impact assessments. It gets into this multi higher multi-cloud environment where you're using many different cloud platforms.

And if you did even an audit in organizations, you might be surprising to see how much technology they're using across multiple different providers. And this is alarming because it means that you're losing visibility. You're losing control of a lot of the access management side of those. And in reality, when we get down to what really it does mean simply cloud computing just means that you're computing resources are in somebody else's data centers, sometimes in someone else's regulatory boundaries and legal frameworks.

So it's really important to understand that, you know, lo location and regional and boundaries and legal frameworks as well when we move to cloud computing, but many organizations are moving quickly to accelerate and ensure that they can continue providing services to their end users and making sure that businesses continue to operate. Now with that, it's also important that there's a lot of regulations. That's also looking at frameworks to put the right practices in place.

We've seen things like EU GDPR, really helping ensure that the way I see a GDPR is really it's, it's interesting where it was explained to me from one of the European ministers many years ago when I worked on the early versions and, and, and reviews was that it's like putting basically you think about shipping and international shipping and data, you know, basically shipping containers are flowing through international waters and simply basically GDPR was, you know, putting a flag on data. So as data moves within cyberspace, it's like putting a flag on that data.

So that makes sure that basically the regulations and binders of that data, no matter where it goes, that actually can relates back and is actually enforced by EU law. And as if you think about shipping containers as they move from port to port, just like data does in cyberspace, that really it's the flag on the vessel where the legal boundaries basically start and stop.

And, and GDPR was really around that same type of initiative. So no matter where data was able to flow in cyberspace, whether being in cloud computing and other countries and other geographical regions, that there are some type of tie in to legal boundaries to really make it possible, to adhere, to and make sure the right protections were in place. But as organizations move the cloud computing, a massive challenge arises. And we also look at the latest horizon data breachs investigations report. And I do write, cannot yearly on this.

I do create a, a very in-depth blog that provides a good summary overview for people to get a good understanding of what really, you know, the key mentions and moments in there. And I do get a lot of good feedback, even from the authors of Verizon data breach investigations report into my blog itself. But one of the key things is that out of the, you know, the cloud breaches out there, 77% of cloud breaches are actually resulting from compromise credentials.

And that's one of the key takeaways is that we still actually inherit the same bad practices that we do in traditional environments and organizations as we do in our even home environments. And we're actually repeating those same mistakes and same bad practices in the cloud. And that's actually crucial that we need to basically reset and understand that the current security practices you do internally and in the past do not work successfully in the cloud. And that's simply methods are, you know, attackers are using facing scams targeting employees when they're working from home.

And we've even seen the increase in vision, which is basically the same purposes over telephone, ultimately to try and get access to passwords and credentials. In this particular case, simple email comes into an employee they're so used to clicking on things and, and many people that's their job. We have to ensure that people can still do their job and, and internet browsers and, you know, operating systems. And the internet itself was built to click and a simple click on this will take an employee to a normal expected as they would do a login page by entering the username and password.

They're simply unexpectedly unaware, unknowingly giving their username and password over to cyber criminal who can then take that and laterally move into the organization's environments into the cloud environments, undetected, unknowing to the organization because they're still using unauthenticated authorized account and credential while it's being abused and unbeknowing to that victim. And there's many out there that happens simply looking at things like speeding tickets.

We've seen health insurance scams trying to steal passwords even over COVID 19, a lot of misinformation and, and directions out there trying to get people to hand over their credentials in order to see medical information or contact tracing or get updates in their, you know, the area we've also seen it surveys been used and even bad fishing emails in order to simply get people to hand over the passwords. And we can kinda look at the top breaches out the top reasons why cloud breaches happen is per access management.

It's all about access controls to the devices and to the environments, whether it being Ida pass is SAS. Whatever that environment is you're using, whether it's infrastructure, environments, platforms, even software as a service, that's really important that access management is critical to becoming an important part of your security strategy.

We've also seen insecure applications, APIs, and one of the biggest ones that was actually increased over years, you know, is basically misconfigured cloud storage, open sugars by default, everyone having read access to the cloud environments and cloud storage, human error continues to be one of the increasing areas that actually enables attackers again, access the sense of data. So we had to make sure that we, you know, improve consistency and somewhat automate as much as we can by removing the human element, the human factor here that contributes a lot of these activities.

Dedos attacks, overprivileged users, people in inheriting privileges becoming, you know, changing jobs and roles within organizations. And so we just increasing their privileged footprint, shared credentials between employees, password only security as the only security control, meaning that it's the only basically protection that many organizations have. Third party access, remote employees, and even shadow. It becomes even bigger as organizations start embracing more cloud solutions and applications.

And one thing is I try to explain this from a metaphor from simplicity to really take you back a step and think about traditional security and traditional on premise approaches is very similar to what I refer to as the garage concept is that it's simpler to keeping all your cars and your vehicles and your transportation in your garage. You're used to having one access control, which might be the garage door. You might have another door entrance, you might have pin codes, passcodes.

You might have a door garage opener that allows you again, access, but once you're inside that garage, you're not authorized. You can access most things in that environment. And that's very similar to basically, you know, sitting in your office desk, working your laptop and communicating with other network resources. You basically have a no one access control and no one internet connection. And basically that's the main area that we need to look at now, as we move to cloud, it's very different. You can't take that same approach.

You can't take that basically one control and one entry point for basically your security controls in the cloud. And as we move to cloud computing, I refer to this as simple as almost ticking your cars or transportations your bike and everything out of your garage, going across the street and putting it all into a shared parking lot. Now that shared parking lot, it might have no security controls. It might have no fences. And some of them out there also have actually better security controls that you might even can not be able or access from your, you know, home garage.

And this means that really have to redefine how you look at security when you move to the cloud. And it really means that you have to understand that that yes, you may have in the past locked your garage door, but in the cloud, that same approach doesn't work. You need to really think about, well, your car, you know, I need to think about maybe you need to, you know, block the windows and you need to lock the doors. You need to make sure your, your boot is closed. May take a different approach to cloud security because the way basically it's more open it's shared resources.

And it really means that organizations need to get back to the basics. As you look at cloud computing, it is fundamentally going back to the security fundamentals, but not taking the same approach as you would've done on your on premise solutions, but actually looking up from the integrity side of things, going back into confidentiality, the availability and all of those coming together is really kinda enforcing that security approach. So it means that as you move to cloud computing, identity access management becomes so critical.

And combining that with a strong privilege access management, things like single sign on multifactor authentication, auditing encryption all becomes essential when you move to cloud computing and you have to think of it, not just basically from a network perspective, but you also have to think of it from an application or service perspective. One thing that we did many years ago in Estonia is we saw organizations moving to software defined networks and really looking up from a software perspective.

And what we looked at it was really the approach is must be organizations need to move to service defined network. What is the end to end service? And what is all the components that makes up that service and think about that as the approach, what is the end goal? What are you trying to achieve to deliver to the end user?

And this is really critical to understanding how to make it simple, how to take the simple approaches, but at the same time, along the way, make sure you're thinking about the confidentiality, the access controls, the integrity, the auditability of that data, and also the availability. So moving in is what things can we do in order to reduce the risks. And this is really getting into the fundamentals is I kinda, really kinda evolve that through my many books and talks and, and research on the topic. It really means that as we take this, it must be a risk based approach.

It must be focused at business value. It must be focused around how do we help employees be more successful? How do we help them do their jobs? How do we help the business be profitable? How do we reduce the risks from cyber tax? And this got me into looking at what I refer to as the privilege access management matrix. It's always about the important questions you need to ask yourself. It's about kinda where do you start? It's about getting into that risk based approach and understanding is what's the risks you're worried about what makes you concerned?

And I think, look at Liz, what is the first thing that you really need to think about is why you have privileged access in the first place? And we're actually getting to the point, think about step back is that almost all users are becoming privileged users kind of going past that just the demand administrator or the security Analyst is a privileged user. That's not the case is that you might have more privileges, but at the end of day, all users are becoming privileged users.

And we now need to look at it from that same approach, is that it just means that they might have, you know, a doctor might have access to a single patient right quarter or a single group of patients that are assigned to them. Or you might have a doctor that might have access to all patient records.

Now, what if that doctor's account is ever compromised? And now that same account, it may not be considered a domain admin or a root account, but it has access to privileged data. And what if that account is compromised and then a criminal simply steals all of that data and the database that they have access to. That is something that will become a major incident. So we have to look at it from a different way, is that all users becoming privileged privilege is now beyond the borders and beyond perimeter, there is no perimeters anymore.

And we have to get the fact that it actually starts in lies with entities, whether that being human or non-human. So we need to understand the fundamentals of why they're needed and why they're being using organizations, getting into the service use cases. What is the purpose is if we're actually configuring the environment and adding users, is it we're installing software backing up data? What types of accounts? Cause not all privilege accounts are equal. We can't look at them as equality.

You've got different accounts that can actually spin up software or change configuration or add users or remove security. You've got different types of accounts out there. It must be based on that risk based approach who interacts with them. Is it humans non-humans is it services? Is it applications? Is it help desk workers? Is it third party contractors? Where are they found? Is it in programs? Is it in hardware? Is it automation? Is it virtual environments? Is it in the cloud then getting into it's all about the usage.

It's not about just having accounts sitting in a vault and protecting them. It's about enabling the usage. That's the goal of privilege. Access management is enabling secure usage. And this is where we get into looking at it from a service perspective. Is that how do they get interactive? How do they make it easy for them to use? How do you make security usable? And then understanding is that what security controls need to be applied to them is a password satisfied for your Twitter account or is a password okay for your domain account?

How do you make sure you apply the right security controls to increase the effectiveness of security program, reduce the risks, but at the same time, make it usable and also looking at from risk perspective, what is your, what keeps you open? Like are you worded by insider threats? How do you prevent that?

Well, it really gets down to making sure you can actually reduce peoples from willingness to abuse them, knowing that they're being watched, knowing that they're being recorded. So this is the privilege access management matrix, and this is a tool that I've developed in order to help you ask, ask the right questions, to get the right direction. And ultimately means that the principle of least privilege needs to be enforced everywhere, whether being application control, elevating applications.

So you're making sure that it's only the context of the, the application or process and not the user that's been elevated, making sure you get into the principle of least privilege implying that everywhere, not just on applications and on devices and servers, but also in web applications, in cloud applications, in hybrid environments, in virtual environments, making sure you're only getting the right level of privilege to do your job. And we've heard a lot about just in time privileges or just in time access. And this is all about, is getting into it on demand.

I was an administrator many years ago and I've looked beyond this and it means that if I can get access to a system, I do a checkout process with a privileged access fault. Make sure monitor apply the right security controls, make another request. And then basically again, access to the target system. And really it's all about elevating on demand, whether without giving me administrator rights, but giving me the administrator rights to actually do their tasks, not the actual user level privileges. And it really gets into, this is a zero trust approach. Now I hate zero trust terminology.

I hate the name because I've learned that this is all about enabling the business. Zero trust is good for us to use internally as security is the use as security professionals to use it internally as ourselves. But at the end of the day, we need to be focusing at the business element of it. And it's all about building digital trust based on risk. And that's the term we need to be using with the business. And this means that privilege access management is almost like a continuous digital polygraph test for access. And at the end of the day, security must be usable.

So we need to focus at the people centric, focus on the people. And that means that yes, in security, we had to step back and think about it must be rejecting complexity. We had to reject, there is no room in our industry for complexity. And this means that every time we look at a solution or a strategy, we must look at eliminating complexity in focusing at how do we enable the employee to do that task, to make it easier.

And we've heard a lot about passwordless and actually passwordless is a wrong term to use because it's really about less passwords, not password, not going to no passwords, but actually how do we reduce the interaction between humans and passwords and systems credentials and authentication? It's about moving to them in the background, not letting humans create and generate passwords. And it's also heard a lot about biometrics biometrics, don't replace passwords. They increased better identifiers, such as user names.

So it's really important to look at these where they really effectively apply. And this gets into, I have authorized numerous books out there, but my most recent book, which I'd love for you to tick a, a copy and read and, and gimme feedback for your interest. But it's all about privilege access cloud security. And it takes a lot of what I've discussed during this session and enhances it and goes into more detail in order to help you get the right strategy.

And one thing that I always have as a kinda last statement is that for you to basically become better defenders and more resilient, you need to understand hacker techniques, hacker techniques will help you understand what security controls and what things you can do to best defend against cyber tax is where the hackers gonna come from. But it's focusing on the business risks that will actually help you get the security budget. You need to make those actions and make those enhancements and actually help the business.

So focusing at the return and investment that you do, and this is what really privilege access is all all about. So I'd be happy for if anyone has questions or we have a few moments for questions. I'll be happy to answer anything that the audience has.