Privilege creep in the Cloud

Written by Ian Tinney

November 15, 2021

Managing high volumes of human and non-human identities is key to securing the multi-cloud. We look at the risks of privilege creep and how you can use CIEM to manage it.


Identity has been described as the new security boundary. As cloud deployments grow, so do the volumes of human and non-human identities and access requests that security teams must manage.

Get it wrong and you fail to implement ‘least privilege’, which leads to ‘privilege creep’: identities accumulating permissions they no longer need, leaving an overly permissive environment that is more susceptible to attack. Privilege creep is a major issue, with the Cloud Security Alliance (CSA) citing “insufficient identity and access management” as one of the biggest security challenges now facing the cloud, and it can result in major compromise.

Cryptojacking in the cloud

An example of how privilege creep can be exploited is cryptojacking: leaked or stolen access credentials are used to take over cloud compute, which is then put to work mining cryptocurrency while the victim pays the bill. It’s a lucrative business and, according to Kaspersky, is on the rise this year due to renewed investment and interest in cryptocurrency. The vendor reports that modifications to miner code, adding support for new devices and new currencies, have quadrupled over the past year.

A business that recently succumbed to this threat was running a service account in Google Cloud whose permissions had not been locked down, leaving it able to create virtual machines. One of its employees accidentally leaked the account’s credentials by committing them to a personal Git repository, which is how the attackers gained access.

Thankfully the cloud service provider quickly flagged the issue, enabling the business to quarantine the GitHub repository and investigate further. High-capacity mining servers were then found in the GCP projects that the service account had access to, and that access was revoked. Had the miners run unnoticed, the business would have been saddled with cloud computing costs that could have run into the tens of thousands.

Why IAM is difficult

Cryptojacking illustrates both the exploitability and the seriousness of lax identity and access management (IAM), and the problem is set to grow as businesses build out their cloud deployments and privilege creep spreads with them. But addressing IAM is difficult in itself, because it requires you to…

  1. Build a unified inventory of all identities, users and roles, and keep it current (no easy task, given that non-human identities will number in the hundreds or thousands and that the population fluctuates)
  2. Scale so that governance is applied consistently to every identity across multi-cloud platforms
  3. Assign, monitor and manage entitlements by mapping end to end, from each identity to the permissions it holds
  4. Use that visibility to quantify and manage IAM risk: which access is attached to which identity, and what that identity can actually do with it
  5. Audit, monitor and manage any instance of over-privilege
  6. Ensure real-time visibility into IAM events

… and to do all of this without impeding access or the functioning of the environment.
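The cryptojacking incident above (a service account holding permissions it never needed, including the ability to create VMs) and the steps just listed are the same problem seen from two sides: you cannot see creep without an inventory and an identity-to-permission map, and you cannot fix it without comparing what was granted against what was actually used. The following Python is an added example, not code from the original post or from any CIEM product. It runs a reduced version of steps 1, 3, 4 and 5 over a constructed GCP-style IAM policy and a constructed audit summary; the role-to-permission table and the high-risk permission list are assumptions (small hand-picked subsets of the real predefined roles), and the project, service account, user and group names are made up.

```python
"""Least-privilege gap check over a GCP-style IAM policy (added example, not
the page's code). Inputs are constructed: a policy shaped like the JSON from
`gcloud projects get-iam-policy`, and audit activity as (principal, permission)."""
from collections import defaultdict

# Assumption: hand-picked subset of GCP predefined roles -> permissions. The
# real roles (roles/editor especially) grant far more than is listed here.
ROLE_PERMISSIONS = {
    "roles/editor": {"compute.instances.create", "compute.instances.delete",
                     "storage.objects.get", "storage.objects.create",
                     "iam.serviceAccountKeys.create"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.create",
                                       "compute.instances.delete",
                                       "compute.instances.get"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
}
# Permissions that let an identity spin up compute or mint credentials: the
# cryptojacking path. Constructed list; extend it for your own environment.
HIGH_RISK = {"compute.instances.create", "iam.serviceAccountKeys.create"}

ETL_SA = "serviceAccount:etl-job@demo-proj.iam.gserviceaccount.com"
# Constructed policy: the ETL service account was handed roles/editor.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": [ETL_SA]},
    {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com", ETL_SA]},
    {"role": "roles/compute.instanceAdmin.v1", "members": ["group:sre@example.com"]},
]}
# Constructed audit summary: what each principal actually exercised in the window.
SAMPLE_ACTIVITY = [
    (ETL_SA, "storage.objects.get"), (ETL_SA, "storage.objects.create"),
    ("user:alice@example.com", "storage.objects.get"),
    ("user:alice@example.com", "storage.objects.list"),
    ("group:sre@example.com", "compute.instances.get"),
]


def inventory(policy):
    """Step 1: identity -> roles, covering every member of every binding."""
    roles_by_member = defaultdict(set)
    for binding in policy["bindings"]:
        for member in binding["members"]:
            roles_by_member[member].add(binding["role"])
    return roles_by_member


def effective_permissions(roles):
    """Expand roles into the flat set of permissions they grant."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def entitlement_map(policy):
    """Step 3: identity -> granted permissions, mapped end to end."""
    return {m: effective_permissions(r) for m, r in inventory(policy).items()}


def used_permissions(activity):
    """Collapse the audit summary to identity -> permissions exercised."""
    used = defaultdict(set)
    for principal, perm in activity:
        used[principal].add(perm)
    return used


def over_privilege_report(policy, activity):
    """Steps 4-5: granted minus exercised, per identity. Identities whose
    every permission was used are omitted; the rest carry the unused set and
    the subset of it that is high risk."""
    used = used_permissions(activity)
    roles = inventory(policy)
    report = {}
    for member, granted in entitlement_map(policy).items():
        unused = granted - used[member]
        if unused:
            report[member] = {"roles": roles[member], "unused": unused,
                              "unused_high_risk": unused & HIGH_RISK}
    return report


def least_privilege_roles(used):
    """Greedy right-sizing: for each exercised permission not yet covered, pick
    the role granting it with the fewest permissions overall. When only a broad
    role fits, that is the cue to define a custom role instead."""
    chosen = set()
    for perm in sorted(used):
        if perm in effective_permissions(chosen):
            continue
        candidates = [r for r, p in ROLE_PERMISSIONS.items() if perm in p]
        if candidates:
            chosen.add(min(candidates, key=lambda r: len(ROLE_PERMISSIONS[r])))
    return chosen


if __name__ == "__main__":
    used = used_permissions(SAMPLE_ACTIVITY)
    for member, f in sorted(over_privilege_report(SAMPLE_POLICY, SAMPLE_ACTIVITY).items()):
        print(f"{member}{'  <-- HIGH RISK' if f['unused_high_risk'] else ''}")
        print(f"  holds:     {sorted(f['roles'])}")
        print(f"  unused:    {sorted(f['unused'])}")
        print(f"  suggested: {sorted(least_privilege_roles(used[member]))}")
```

On the constructed data the ETL service account is flagged with two unused high-risk permissions (it can create instances and mint new service account keys but only ever reads and writes storage objects), and the greedy pass suggests `roles/storage.objectViewer` plus `roles/storage.objectCreator` in place of `roles/editor`; Alice, whose granted and used permissions match, does not appear at all. Against a real project you would feed in the output of `gcloud projects get-iam-policy PROJECT --format=json` and derive the activity pairs from Cloud Audit Logs, and you would need the full role definitions rather than the subset assumed here.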

CARTA and CIEM

To help make IAM more achievable, Gartner proposes the CARTA (Continuous Adaptive Risk and Trust Assessment) approach, part of its Adaptive Security Architecture. Rather than dealing with incidents in isolation using rigid yes/no responses, CARTA uses continuous monitoring and analytics to make context-based decisions. Because those decisions are contextual rather than binary, it gets in the way of legitimate access less; and because it rests on zero trust, with no device or identity deemed inherently trustworthy, it remains comprehensive.

A Cloud Infrastructure Entitlement Management (CIEM) platform takes the CARTA concept and applies it to IAM: it assigns or revokes access, enforces the principle of least privilege, and remediates excessive permissions across multi-cloud environments.

As CIEM continuously analyses identities and their behaviours, it can be used to carry out investigations and root cause analysis. It generates risk reports, audit activity reports for identities and executive summary reports that give oversight of the state of security cloud-wide and, when combined with playbooks, can be used to automate incident response and remediation. In this way, it provides deep visibility and effective management of all identities, guarding what has become the new security frontier.

If you’d like to find out more about identity and entitlement, how a CIEM solution works, and to see examples of applicable use cases, download our Access Control datasheet here.
