Eyal Arazi , Radware

Workload security , therefore , is defined by the people who can access those workloads , and the permissions they have .

One of the primary reasons for migrating to the cloud is speeding up time-to-market and business processes . As a result , cloud environments make it very easy to spin up new resources and grant wide-ranging permissions , and very difficult to keep track of who has them , and what permissions they actually use .

All too frequently there is a gap between granted permissions and used permissions . In other words , many users have too many permissions , which they never use . Such permissions are frequently exploited by hackers , who take advantage of unnecessary permissions for malicious purposes .

As a result , cloud workloads are vulnerable to data breaches ( i . e theft of data from cloud accounts ), service violation ( i . e completely taking over cloud resources ) and resource exploitation ( such as cryptomining ).

• The built-in mechanisms of public clouds usually provide fairly basic protection , and mostly focused security on the overall computing environment , they are blind to activity within individual workloads . Moreover , since many companies run multi-cloud and hybrid cloud environments , the built-in protections offered by cloud vendors will not protect assets outside of their network .

• Compliance and governance tools usually use static lists of best practices to analyze permissions usage . However , they will not detect ( and alert to ) excessive permissions and are usually blind to activity within workloads themselves .

• Agent-based solutions require deploying ( and managing ) agents on cloud-based servers and will protect only servers on which they are installed . However , they are blind to overall cloud user activity and account context , and usually cannot protect non-server resources such as services , containers , serverless functions , etc .

• Cloud access security brokers ( CASB ) tools focus on protecting Software-as-a-Service ( SaaS ) applications , but do not protect Infrastructure-as-a-Service ( IaaS ) or Platform- as-a-Service ( PaaS ) environments .

New approach

Modern protection of publicly-hosted cloud environments requires a new approach .

• Assume that an organization ’ s credentials are compromised : Hackers acquire stolen credentials in a plethora of ways , and even the largest companies are

Such promiscuous permissions are frequently mis-characterised as ‘ misconfigurations ’ but are actually the result of permission misuse or abuse by people who shouldn ’ t have them .

Therefore , protecting against those promiscuous permissions becomes the number one priority for protecting publiclyhosted cloud workloads .

Piecemeal solutions

The problem , however , is that existing solutions provide incomplete protection against the threat of excessive permissions .

76 INTELLIGENTCIO www . intelligentcio . com