
Oh, really? Microsoft worries multicloud complicates security and identity

Coincidentally lays off techies in its identity team


Microsoft kicked off its day-long Microsoft Secure virtual event on Tuesday by stressing the need for IT departments to manage user and application identities across multiple cloud environments.

The Windows giant backed this up by laying off some of its staff who handled identity security.

As well as putting out a report [PDF] on the "State of Cloud Permissions Risks," Redmond emitted an accompanying blog post from Alex Simons, corporate vice president of program management for Microsoft's Identity Division, and focused on identity in several sessions running during the event.

At the same time, there are reports that Microsoft's expansive layoffs are hitting the company's identity team. Merill Fernando, identified on LinkedIn as a principal product manager for Azure Active Directory, posted on Twitter that members of the identity team are losing their jobs.

"People say don't fall in love with your work," Fernando wrote. "I fell in love with the people and culture that was Microsoft Identity. Now with half my immediate team gone and more across Identity, it is the end of an era. It's not going to be the same again."

The Register has asked Microsoft for a response, and will update the story if one comes in. We've also heard that Microsoft axed its GitHub India team, as part of previously confirmed cutbacks.

In the meantime, Redmond is pushing the message that with more enterprises embracing multicloud strategies, the related rapid increase in the number of identities and permissions is increasing management complexity and fueling a growing cyber security risk.

Enterprises typically have more than 40,000 permissions they must manage and more than half of them are high-risk, according to the report. Increasingly, the identities these permissions are tied to are not human – they are applications, virtual machines, scripts, containers, and services. Workload identities outnumber human identities ten to one, we're informed.

Not only that, 80 percent of workload identities are typically inactive – double that found in 2021 – and less than five percent of the permissions granted are used by workload identities. When you throw in the issue of super admins – human or workload identities with far-reaching capabilities – the problem multiplies, or so Microsoft claims.

Super admins are a threat

Admins with full control have all resources at their fingertips, can create or modify service configuration settings, can add or remove identities, and can access or delete data.

"Our research found that less than two percent of permissions granted to super identities are used, and 40 percent of super admins are workload identities," Simons said. "Left unmonitored, these identities present a significant risk of permission misuse if breached."


In the report, Microsoft researchers noted a growing "permission gap" – the difference between permissions granted and those actually used in the real world.

"The permissions gap is a contributing factor to the rise of both accidental and malicious insider threats, which can allow attackers to exploit an identity with misconfigured permissions and access critical cloud infrastructure," they wrote.

CIEM is a key tool

Microsoft believes it has taken steps to help enterprises address the issue of inactive workloads and permissions in the cloud. Earlier this month Redmond launched the preview of App Health in Azure Active Directory, which alerts enterprises to inactive applications or expiring credentials.

The company also offers a cloud infrastructure entitlement management (CIEM) tool – Microsoft Entra Permissions Management – that continuously discovers, remediates, and monitors every unique user and workload identity across multiple clouds. CIEM offerings use machine learning and analytics, helping enterprises to scale their efforts across multiple clouds.

In Microsoft's case, its CIEM tool delivers a single interface for not only Azure but also AWS and Google Cloud. Other CIEM vendors include Zscaler, SailPoint, Sysdig Secure, and CyberArk.

Steps enterprises should take

What's key for organizations is to adopt a policy of implementing least privilege controls – the concept that users, apps, and other workloads should be given the minimum level of access or permissions to do their jobs. The goal is to work towards a zero-trust model, where no person or device that is trying to access the network is implicitly trusted. Instead, they are automatically authenticated and validated at each step they take as they traverse a network.

"Without properly implementing the principle of least privilege across all identities and all clouds, organizations are leaving their critical cloud infrastructure open to permission misuse and potentially a breach," Redmond's researchers wrote.

This includes implementing least privilege for all identities and granting additional permissions only on demand, understanding who is accessing services in the multicloud environment, regularly rotating access and service account keys, tracking the permissions actually used by all identities, and removing inactive identities.
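As an added example (not code from the article or from Microsoft), here is how those steps can be checked against an identity inventory: it computes each identity's permission gap, flags identities that have been inactive past a threshold, and singles out super admins whose admin rights are never exercised. The permission names, the three "super admin" marker permissions, the 90-day inactivity threshold and the sample inventory are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
NOW = datetime(2023, 3, 30, tzinfo=timezone.utc)  # fixed "today" for the constructed sample
INACTIVE_AFTER = timedelta(days=90)                  # assumed inactivity threshold
# Assumed markers: holding all three matches the article's description of a super admin
SUPER_ADMIN_MARKERS = {"config.write", "iam.write", "data.delete"}

@dataclass
class Identity:
    name: str
    kind: str                       # "human" or "workload"
    granted: set[str]               # permissions granted by policy or role
    used: set[str]                  # permissions actually seen in audit logs
    last_activity: datetime | None  # None means never observed acting

def permission_gap(ident: Identity) -> set[str]:
    return ident.granted - ident.used   # the "permission gap": granted but never used

def is_inactive(ident: Identity, now: datetime = NOW) -> bool:
    return ident.last_activity is None or now - ident.last_activity > INACTIVE_AFTER

def is_super_admin(ident: Identity) -> bool:
    return SUPER_ADMIN_MARKERS <= ident.granted

def estate_gap_ratio(identities: list[Identity]) -> float:
    granted = sum(len(i.granted) for i in identities)   # share of granted permissions unused
    return sum(len(permission_gap(i)) for i in identities) / granted if granted else 0.0

def audit(identities: list[Identity], now: datetime = NOW) -> dict[str, list[str]]:
    findings: dict[str, list[str]] = {}   # identity name -> least-privilege findings
    for ident in identities:
        notes, gap = [], permission_gap(ident)
        if is_inactive(ident, now):
            notes.append("inactive: disable or remove the identity")
        if gap:
            notes.append(f"revoke unused permissions: {sorted(gap)}")
        if is_super_admin(ident):
            notes.append(f"super admin ({ident.kind}); unused admin rights: {sorted(SUPER_ADMIN_MARKERS & gap)}")
        if notes:
            findings[ident.name] = notes
    return findings

# Constructed sample inventory (not real data): one human and three workload identities.
SAMPLE = [
    Identity("alice", "human", {"storage.read", "storage.write", "vm.start"}, {"storage.read"}, NOW - timedelta(days=2)),
    Identity("ci-runner", "workload", {"config.write", "iam.write", "data.delete", "storage.write"}, {"storage.write"}, NOW - timedelta(days=1)),
    Identity("legacy-etl", "workload", {"db.read", "db.write"}, set(), NOW - timedelta(days=200)),
    Identity("report-bot", "workload", {"db.read"}, {"db.read"}, NOW - timedelta(days=3)),
]
```

Running `audit(SAMPLE)` reports the dormant ETL identity, the unused rights on the human account, and the CI runner as a workload super admin whose admin permissions are never used; `estate_gap_ratio(SAMPLE)` gives the estate-wide gap the report describes.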

These steps are important because the problem isn't going away. Organizations are continuing to use multiple cloud infrastructures and, unchecked, identity problems are only going to get worse.

According to Flexera's State of the Cloud 2023 report, 87 percent of enterprises surveyed now use multiple cloud environments. About 47 percent are running "significant" numbers of workloads in Amazon Web Services, with 41 percent doing the same in Microsoft Azure. ®
