Multi-cloud ‘over-permissioning’ causing cyber risk headaches for businesses
With multi-cloud environments expanding, businesses are creating too many unused identities that can be abused
Microsoft has warned that a pervasive culture of “over-permissioning” due to rising cloud workloads and infrastructure expansion is placing organisations at greater risk of breaches.
The 2023 State of Cloud Permissions Risks report, published by Microsoft this week, found that as businesses increasingly move to multi-cloud environments, many are granting permissions that are deemed “high risk”.
Permissions allow users or machines to access applications or resources within a cloud environment and perform specific operations or commands. Microsoft said that human and machine-based user identities use just 1% of permissions granted in their daily functions, meaning that the vast majority are sitting idle and unused.
“As cloud environments expand, they have inadvertently become more complex to manage,” Microsoft warned in its report. “With over 40,000 permissions that can be granted to identities, of which more than 50% are high-risk, it is becoming increasingly difficult for organisations to know who has access to what data, and across which cloud platforms.”
Why taking ownership of resiliency is critical to cloud success
Solutions Experts from HPE share their perspectives on the resiliency challenges of cloud adoption and the need to make conscious decisions about your workloads and data
Microsoft said that since the publication of its inaugural report in 2021, it has observed a “significant increase” in organisations granting permissions to access critical cloud resources.
Similarly, the report highlighted a sharp rise in the number of ‘super admins’ present in multi-cloud environments. 'Super admins' refer to user or machine-based identities that have access to all resources within an organisation’s cloud infrastructure.
Alex Simons, corporate VP of program management at Microsoft’s Identity division, warned that super admins are “extremely over-permissioned" and that 98% of these identities are unused, meaning they could be at heightened risk of misuse if a breach occurs.
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
“Super admins are human or workload identities that have access to all permissions and all resources. They can create and modify configuration settings to a service, add or remove identities, and access or even delete data,” he said.
“Extremely over-permissioned, our research found that less than 2% of permissions granted to super identities are used, and 40% of super admins are workload identities. Left unmonitored, these identities present a significant risk of permission misuse if breached.”
Machine-based identities posing added risks
The expansion of machine-based identities in cloud environments was a key concern highlighted by Simons, with human identities now outnumbered by a ratio of 10:1.
This means that visibility and monitoring of activity within multi-cloud environments can become an increasingly difficult task, with organisations unable to effectively mitigate potential misuse of permissions.
Unified consoles create a seamless multi-cloud management experience
Supporting a more flexible, scalable approach to cloud management
“In today’s multi-cloud world, human identities are no longer the only ones accessing multi-cloud infrastructure,” Simons explained. “The number of workload identities operating across clouds, including apps, VMs, scripts, containers, and services has exponentially increased, now outnumbering human identities ten to one.”
Simons said that organisations must take steps to narrow this growing permissions gap to mitigate the potential for misuse. To achieve this, firms must implement the principle of “least privilege” and reduce the number of permissions across their infrastructure.
“Closing the permissions gap and reducing the risk of permission misuse requires organisations to implement the principle of least privilege,” he said.
“This must occur consistently to all human and workload identities across multi-cloud environments. Organisations can achieve this at a cloud scale by adopting a Cloud Infrastructure Entitlement Management (CIEM) solution to continuously discover, remediate, and monitor the activity of every unique user and workload identity across multi-cloud.”
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.