But there are ways to mitigate those risks. When it comes to insider threats, organizations should follow the advice experts have been issuing for decades: limit employees’ access and permissions to what they need to do their jobs, the principle of “least privilege.” Enforcing that principle is the job of identity and access management (IAM), and it’s a security fundamental.
“Organizations should prevent users from having permissions to open up new attack surfaces and time-box access to sandbox environments,” McQuade said. “For instance, opening up a NAT [network address translation] gateway from a hybrid networking environment in AWS isn’t necessarily bad—in fact, it’s necessary in some cases—but it introduces the possibility of a server using that NAT gateway to pull packages or content from any remote resource. Users shouldn’t be the sole bearers of responsibility—the organization should build in preventive measures.”
Among those preventive measures:
Make sure the cloud platform is correctly configured
“Enhancing automation of configuration management and infrastructure provisioning activities significantly reduces vulnerabilities linked to misconfiguration, mismanagement, missing patches and mistakes,” he said.
Put “guardrails” in place
Secure-by-default landing zones can help prevent new attack surfaces from opening in new environments like development, staging and production, McQuade said, “by preventing potentially dangerous calls to the cloud provider’s APIs.”
“Landing zones provide enough guardrails at creation time to support innovation but ensure enforcement of organization security requirements such as network architecture and log aggregation.”
Supplement the guardrails with monitoring
“Have an internal team provide a top-level view of all cloud-related risks, determine visibility and prevention requirements, and turn those requirements into programmatic policies to manage IAM,” McQuade said.
Visibility requires proper monitoring and alerting, while prevention requirements include “programmatic definition of policies per environment, such as service control policies in AWS, and other controls that prohibit potentially dangerous actions,” he said.
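The guardrails McQuade describes, a per-environment service control policy that forbids dangerous API calls and monitoring that surfaces the calls that do get through, can be expressed as code. The Terraform below is an added example, not from the article or from McQuade; it assumes a sandbox organizational unit (OU) whose ID is passed in, a platform-team role named `LandingZoneAdmin` that is allowed to provision egress paths, an assumed expiry date for the time-boxed sandbox, and an SNS topic for alerts. It ties together the NAT gateway scenario from earlier in the piece (new egress paths need an owner) with the SCP and visibility requirements here.

```hcl
# Added example (not from the article or its sources). Assumed names:
#   var.sandbox_ou_id        - the OU holding sandbox accounts (ou-xxxx-xxxxxxxx)
#   role/LandingZoneAdmin    - the platform team's provisioning role
#   var.sandbox_expires_at   - end of the sandbox's time-boxed lifetime
#   var.alert_topic_arn      - SNS topic that receives the alerts

variable "sandbox_ou_id" {
  description = "ID of the sandbox OU (assumed, supplied by the caller)"
  type        = string
}

variable "sandbox_expires_at" {
  description = "UTC time after which sandbox principals lose access (assumed)"
  type        = string
  default     = "2025-12-31T23:59:59Z"
}

variable "alert_topic_arn" {
  description = "SNS topic ARN for guardrail alerts (assumed)"
  type        = string
}

# Preventive control: an SCP attached to the sandbox OU. SCPs never grant
# permissions; they cap what IAM policies inside the accounts may grant.
resource "aws_organizations_policy" "sandbox_guardrails" {
  name        = "sandbox-guardrails"
  description = "Deny new egress paths, protect audit logging, time-box the sandbox"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Only the landing-zone role may open a new egress path. Denying
        # CreateNatGateway alone is not enough: an internet gateway or a
        # peering/transit attachment gives a server the same reach.
        Sid    = "DenyNewEgressPaths"
        Effect = "Deny"
        Action = [
          "ec2:CreateNatGateway",
          "ec2:CreateInternetGateway",
          "ec2:AttachInternetGateway",
          "ec2:CreateVpcPeeringConnection",
          "ec2:CreateTransitGatewayVpcAttachment"
        ]
        Resource = "*"
        Condition = {
          ArnNotLike = { "aws:PrincipalArn" = "arn:aws:iam::*:role/LandingZoneAdmin" }
        }
      },
      {
        # Nobody in the OU may stop, delete or reconfigure CloudTrail, so the
        # log aggregation the landing zone set up keeps working.
        Sid      = "ProtectAuditLogging"
        Effect   = "Deny"
        Action   = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]
        Resource = "*"
      },
      {
        # Time-box: after the expiry date every call from the sandbox is denied,
        # except for the admin role, which still needs to tear the account down.
        Sid      = "TimeBoxSandbox"
        Effect   = "Deny"
        Action   = "*"
        Resource = "*"
        Condition = {
          DateGreaterThan = { "aws:CurrentTime" = var.sandbox_expires_at }
          ArnNotLike      = { "aws:PrincipalArn" = "arn:aws:iam::*:role/LandingZoneAdmin" }
        }
      }
    ]
  })
}

resource "aws_organizations_policy_attachment" "sandbox" {
  policy_id = aws_organizations_policy.sandbox_guardrails.id
  target_id = var.sandbox_ou_id
}

# Detective control: alert whenever an egress path is created, including by the
# admin role the SCP allows, so the central team sees every new attack surface.
resource "aws_cloudwatch_event_rule" "egress_path_created" {
  name        = "sandbox-egress-path-created"
  description = "CloudTrail API calls that open a new egress path"
  event_pattern = jsonencode({
    source        = ["aws.ec2"]
    "detail-type" = ["AWS API Call via CloudTrail"]
    detail = {
      eventSource = ["ec2.amazonaws.com"]
      eventName   = ["CreateNatGateway", "CreateInternetGateway", "AttachInternetGateway"]
    }
  })
}

resource "aws_cloudwatch_event_target" "egress_path_alert" {
  rule = aws_cloudwatch_event_rule.egress_path_created.name
  arn  = var.alert_topic_arn
}
```

Two caveats a practitioner would apply before using this. First, the SCP resources must be applied from the organization's management account, while the EventBridge rule is per account and has to be deployed into each sandbox account (for example through a stack set), so in practice the two halves live in different Terraform roots. Second, SCPs do not apply to the management account itself or to service-linked roles, and a blanket `Action = "*"` deny with a date condition locks out everyone in the OU at once, so test the policy against a throwaway OU before attaching it anywhere that matters.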