By Tracy Holtz, Vice President, Cloud Solutions, Americas, TD SYNNEX
Today, the world has embraced cloud networks as an efficient and cost-effective way to achieve anytime, anywhere data accessibility for organizations. Whether you have an app you’re developing with your co-workers or a report you’d like to share with your boss, facilitating those important daily interactions over a cloud network makes them more seamless and collaborative.
But there’s a major risk hidden within the convenience of cloud networks and its plethora of digital identities – it’s called over-permission.
What is “Over-Permission?”
I chatted a little about over-permission with my co-worker John Peterson in my last article, but let’s dive deeper and really define what this concept means.
Over-permission is when a digital asset, application or digital identity is given more access permissions than they truly need to properly do their job.
A real-life example can help illustrate this: imagine you want to go out for a fun night at an exclusive club. But when you get there, you are stopped by a bouncer at the front door. Before having you enter, they may have to check into their list of specific “VIPs” that are allowed in the building – and your evening of revelry at this lounge depends on you being one of those vetted names on the list.
But what if that VIP list didn’t exist? What if there wasn’t even a bouncer at the front door to begin with? Most likely, people would come and go as they please – and that “exclusive club” may not feel very exclusive anymore.
Having an over-permissioned cloud network is very much like having an exclusive club without a bouncer at the front: without anyone or anything to limit access, you’re leaving the door wide open to whoever wants to enter – regardless of if they have good intentions or bad.
And it’s not just cloud networks or apps that can be over-permissioned: User identities can be as well – and the worst of these over-permissioned flock are what we call “Super Admins.”
The Rise of The Super Admins
Microsoft defines Super Admins as “users [or] workload identities that have access to all permissions and all resources.”
Although on paper, having a “master key” to all your organization’s data sounds great, this level of over-permissioning tends to cause more problems than it’s worth:
- Too Many Master Keys, Not Enough Locks: Research showsthat over 50% of identities are Super Admins, meaning over half of all users on cloud networks (whether intentionally or otherwise) have a key for every lock in their organization.
- The Permissions Gap: Studies show user identities are only using 1% of all their permissions granted, which is leading to what experts are calling a “Permission Gap” on cloud networks.To make matters worse, there’s a large percentage of Super Admin accounts that are completely inactive, as further research in the study shows over 60% of these identities haven’t used any of their permissions for over 90 days.
- “Super Admins” Become “Super Targets” for Hackers: When you have a key that opens any lock on a cloud network, your account becomes much more desirable to hackers that want to infiltrate your network. All it takes is for them to gain access to one Super Admin account, and your entire network is compromised.
With the risks being made abundantly clear when it comes to over-permission and Super Admins, it’s natural to ask how you can solve this challenge on your own cloud network.
Luckily, the solution is easier than one might expect: we just fine-tune the permissions on your cloud network using a least privilege framework.
Least Privilege: The Key to Locking Your Cloud Network’s Door
According to NIST, least privilege is “the principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.”
When building a least privilege framework for a cloud network, be sure to take these three key steps to ensure an optimal experience:
- Perform a Cloud Audit – Check the permissions on all your user accounts, workload identities and applications. If they have any unused or inactive permissions, it’s unlikely that they need to keep them.
- Make Least Privilege the Default – When it comes to onboarding new employees or transferring current employees, you always want to follow least privilege frameworks. Only grant permissions the user will be actively using and be sure to remove all permissions that are unnecessary for their current role (even if they had a previous role that may have had access to that data).
- Regularly Monitor and Update Permissions – Even when your company follows least privilege policies, you want to ensure there is a framework for it to be continually analyzed and monitored to ensure the best results.
Least Privilege Works Even Better on AI Tools…
As a final thought, especially as we look ahead into the era of AI enablement, all the devices and tools you use will need to enforce least privilege policies on a network – especially if you plan to implement AI features and capabilities.
With a simple question and a click of a button, AI can scour all your unprotected networks and provide information to users – regardless of its relevance to their business. This is typically why I recommend to partners that wish to add AI as a component of their network to seek out ones that enforce least privilege by default – such as Copilot for Microsoft 365.
So, don’t fear the risks of too much cloud access – take control and ensure your cloud networks are a safe place for the people that use them, bettering your organization and the communities you work with!
Guest blog courtesy of TD SYNNEX.
