Can over-provisioned access become a major concern for your cloud security posture?
At a former company we had a breach that was public and there were a lot of learnings for me in that: you're in one state or the other. Either you know you had a breach, or you've had one and just don't know it yet. For anything in corporate IT you should assume it's open to the internet.
I've been preaching that we need to limit the access an individual has. We used to call it role-based security, but it was always a pain because your role changes and nobody notifies you until they say, "I'm doing a special project for the CFO, so I need this access." But I'm always surprised when you go into these enterprises as a new employee and they give you access to 15 applications. And you don't even know what most of them are but you’re told, "Don't worry, you'll figure it out." In a couple of years you've only used 3-4 of the 15 but still have access to all 15 and get notifications about them.
Why do we keep doing that to ourselves? We should go much smaller and say the only thing you have access to is email and maybe 1 other thing to do your job, then you request access if you need anything more. But even that access is limited in what you can do because that reduces another footprint and another vector.
Conditional access with continuous monitoring is an area I'm focusing a lot on these days. The ability to have an AI take all the types of data you have and use that to determine when and how to grant access. What other factors do I know about? I know the posture of your endpoint from your antivirus or from your mobile device management. I know from Okta where this IP logging is coming from. I know all these factors, so I can say we're not going to give you anything because this is too suspicious. Or, you have a piece of malware, so now you're cut off. The console: It's greyed out and there's nothing available to you anymore except for the IT help desk and email link.
I've been working on adding more of that over time to really create those barriers so that when someone does get compromised, there's nothing available to them, whether it's because of their network segmentation or conditional access. We have to go beyond MFA. It’s great and everyone should have it on everything at this point, but beyond that we still need to keep improving it.
Adding AI would be great. Right now I'm doing it through data aggregation, etc., but it'd be nice if it could be automated. I know there are some products out there that say they solve that, so it's an area I've been looking into a lot.
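The post above describes two controls together: a least-privilege baseline (email plus a few requested, time-limited entitlements) and a conditional-access decision that pulls endpoint posture from antivirus/MDM and sign-in context from the identity provider, then grants full access, narrows it, or cuts the user down to the help desk. The following is an added illustration, not code from the poster or from any product mentioned; the signal names, the app names, the sample user and the "quarantine shows only email and help desk" rule are all assumptions chosen to mirror the description.

```python
"""Conditional-access decision engine: combines endpoint posture, identity
signals and time-bound entitlements into a single allow / restrict / deny
decision.  Added illustration; all signal names and apps are assumptions."""
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Least-privilege baseline: a new account gets email and nothing else.
BASELINE_APPS: FrozenSet[str] = frozenset({"email"})
# When a device is known-compromised the console shows only the help-desk path.
QUARANTINE_APPS: FrozenSet[str] = frozenset({"email", "it-helpdesk"})


@dataclass(frozen=True)
class Grant:
    """A requested, time-limited entitlement ('special project for the CFO')."""
    app: str
    expires_at: int  # epoch seconds; expired grants silently stop applying


@dataclass(frozen=True)
class Signals:
    """Snapshot of what we know about a session from AV, MDM and the IdP (assumed fields)."""
    user: str
    mfa_passed: bool
    malware_detected: bool            # from endpoint protection
    mdm_compliant: bool               # from mobile device management
    ip_country: str                   # from the IdP sign-in log
    usual_countries: FrozenSet[str]   # historical sign-in countries for this user


@dataclass
class Decision:
    outcome: str                 # "allow" | "restricted" | "quarantine" | "deny"
    apps: FrozenSet[str]
    reasons: List[str] = field(default_factory=list)


def active_grants(grants: List[Grant], now: int) -> FrozenSet[str]:
    """Only unexpired grants count, so nobody has to remember to revoke them."""
    return frozenset(g.app for g in grants if g.expires_at > now)


def evaluate(sig: Signals, grants: List[Grant], now: int) -> Decision:
    # Hard stops first: a compromised endpoint gets only the help-desk path,
    # and a session without MFA gets nothing at all.
    if sig.malware_detected:
        return Decision("quarantine", QUARANTINE_APPS,
                        ["malware reported by endpoint protection"])
    if not sig.mfa_passed:
        return Decision("deny", frozenset(), ["MFA not satisfied"])

    # Soft signals: any failing one narrows the session to the baseline.
    reasons: List[str] = []
    if not sig.mdm_compliant:
        reasons.append("device not MDM-compliant")
    if sig.ip_country not in sig.usual_countries:
        reasons.append(f"sign-in from unusual country {sig.ip_country}")
    if reasons:
        return Decision("restricted", BASELINE_APPS, reasons)

    # Everything checks out: baseline plus whatever was explicitly requested.
    return Decision("allow", BASELINE_APPS | active_grants(grants, now), [])


# Constructed sample data for a stand-alone run.
NOW = 1_700_000_000
SAMPLE_GRANTS = [
    Grant("erp", expires_at=NOW + 7 * 86400),   # active project access
    Grant("hr-portal", expires_at=NOW - 1),     # expired, no longer applies
]


def run_samples() -> dict:
    """Evaluate four constructed sessions for the same user."""
    base = dict(user="alice", mfa_passed=True, malware_detected=False,
                mdm_compliant=True, ip_country="US",
                usual_countries=frozenset({"US"}))
    scenarios = {
        "healthy": Signals(**base),
        "malware": Signals(**{**base, "malware_detected": True}),
        "no_mfa": Signals(**{**base, "mfa_passed": False}),
        "travel": Signals(**{**base, "ip_country": "BR"}),
    }
    return {name: evaluate(s, SAMPLE_GRANTS, NOW) for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:8s} -> {d.outcome:10s} apps={sorted(d.apps)} {d.reasons}")
```

Two design points carry the post's argument: the expired `hr-portal` grant drops out on its own, so the "nobody notifies you when the project ends" problem is handled by expiry rather than by memory, and every narrowing decision records its reasons, which is what a continuous-monitoring pipeline would log and later feed to whatever scoring (AI-assisted or not) replaces the hand-written rules.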