In a nod to shifting attack vectors and organizational moves to multiple cloud services, Microsoft today launched a public preview of its service for managing permissions across not only Azure, but Amazon Web Services and Google's Cloud Platform.
The service, CloudKnox Permissions Management, will allow companies to manage the privileges and roles of individual users and groups, as well as workloads. The service builds on technology from CloudKnox Security, which focused on allowing administrators and security teams to gain visibility into the actions of humans and machines in the cloud. Microsoft acquired CloudKnox last July.
Permissions management is hard enough with a single cloud, but as more companies adopt a multicloud strategy, it has become even more difficult, says Joy Chik, corporate vice president for identity at Microsoft.
"If we let these islands in the cloud be managed separately, that is when the attackers will find the gaps between environments," she says. "So having a unified way to manage the permissions of both human and non-human identities across multicloud is really important to help our customers reduce their complexity and ease their administration of tasks."
Microsoft is only the latest company to revamp services to support organizations that are dealing with the complexities of managing and securing multiple clouds.
The portability and cost-competitiveness of using multiple cloud services has convinced most companies to adopt a multicloud strategy. In 2021, 92% of business executives had committed to using multiple cloud services, averaging 2.6 public cloud and 2.7 private cloud services, according to those surveyed for the annual "Flexera 2021 State of the Cloud Report." During the coronavirus pandemic, companies accelerated their move to the cloud to support an increasingly distributed workforce, with 90% of those surveyed believing that cloud usage would accelerate.
"Cloud plans and adoption have clearly shifted as a result of the pandemic," the report stated. "Some of the increase is a result of the extra capacity needed for current cloud-based applications to meet increased demand as online usage grows. Other organizations may accelerate migration from data centers to cloud in response to reduced headcount, difficulties in accessing data center facilities and delays in hardware supply chains."
Zero Trust for the Cloud
Microsoft's CloudKnox service will integrate natively with Amazon, Azure, and Google and will implement three zero-trust principles, enforcing explicit verification, least privilege, and assuming the user has been breached. The service presents a dashboard that highlights the riskiest identities and resources in corporate cloud infrastructure and distills the data into a Permissions Creep Index — a single number between 0 and 100 that measures the gap between the volume of permissions granted and those that are actually used.
"In a zero-trust world, we need to just take it as a matter of fact that all of our environments will be breached," says Microsoft's Chik. "So the question becomes, can we quickly reduce the blast radius? Being able to identify all the users, reduce the permissions, and monitor if there are any anomalies is a great way to help detect and remediate issues."
Assuming a breach is not too much of a stretch. Attackers have increasingly used credentials to attack cloud services and remote appliances, such as virtual private networks. Microsoft, for example, blocked nearly 26 billion identity attack attempts in 2021, while Akamai detected more than 193 billion credential-based attacks in 2020.
Yet, despite the shift, defenders have not done well at hardening their cloud infrastructure. More than 90% of identities across Microsoft customers — especially workload identities, which are increasing twice as fast as human identities — use less than 5% of configured permissions, Chik says.
"They are hugely, largely overpermissioned, and frankly really exposing customers' critical infrastructure as they move to the cloud," she says. "As many of our customers are building applications or workload identities that traverse different environments, having a unified permissions management for the cloud both eases the administrative experiences and also helps traverse these workload identities and permission management issues."
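As an added illustration of the granted-versus-used gap described above (not CloudKnox's own computation; the article does not give the Permissions Creep Index formula), the following Python scores constructed sample identities on a 0 to 100 scale and flags those exercising under 5% of their grants. The identities, action names and scoring rule are assumptions made for the example.

```python
# Added example (not CloudKnox/Microsoft code): least-privilege gap scoring over
# constructed data; the 0-100 rule (share of granted actions never used) is assumed.
from dataclasses import dataclass

# Constructed grants: a workload identity holding 50 actions across 10 services
# (action names are invented for the sample) and a human with a narrow grant.
GRANTED = {
    "svc-build-pipeline": {
        f"{svc}:{verb}"
        for svc in ("s3", "ec2", "iam", "kms", "lambda", "sqs", "sns", "rds", "ecr", "logs")
        for verb in ("Create", "Read", "Update", "Delete", "List")
    },
    "alice@example.com": {"s3:Read", "s3:List", "logs:Read"},
}

# Constructed activity-log sample: (identity, action) pairs seen in the review window.
OBSERVED = [
    ("svc-build-pipeline", "s3:Read"),
    ("svc-build-pipeline", "s3:Update"),
    ("alice@example.com", "s3:Read"),
    ("alice@example.com", "s3:List"),
    ("alice@example.com", "logs:Read"),
    ("alice@example.com", "s3:Delete"),  # attempted but not granted; must not count as used
]

@dataclass
class GapReport:
    identity: str
    granted: int
    used: int
    creep: int        # 0..100: percentage of granted actions never exercised
    low_usage: bool   # True when under 5% of granted actions were used

def creep_score(granted: set[str], used: set[str]) -> int:
    # 0 means every granted action was used; 100 means none were.
    return round(100 * len(granted - used) / len(granted)) if granted else 0

def gap_reports(granted_by_identity, observed, usage_threshold=0.05) -> list[GapReport]:
    used_by_identity: dict[str, set[str]] = {}
    for identity, action in observed:
        used_by_identity.setdefault(identity, set()).add(action)
    reports = []
    for identity, granted in granted_by_identity.items():
        # Count only actions the identity was actually allowed to perform.
        used = used_by_identity.get(identity, set()) & granted
        reports.append(GapReport(identity, len(granted), len(used), creep_score(granted, used),
                                 len(used) < usage_threshold * len(granted)))
    # Riskiest identities first, as a dashboard would order them.
    return sorted(reports, key=lambda r: r.creep, reverse=True)
```

Running `gap_reports(GRANTED, OBSERVED)` ranks the workload identity first with a score of 96 and the low-usage flag set, while the human identity scores 0.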
Permissions management is not the only business function to tackle multiple clouds. Cost management tools have also become increasingly popular, with 42% of companies using multicloud cost management tools to tackle the rising cost of cloud services — an annual increase of 9 percentage points, according to Flexera's report.
"Multi-cloud architectures are more complex and, therefore, more challenging to manage," the report stated. "Multi-cloud tooling is essential for managing cloud resources cost-effectively and ensuring strong governance and security."