Last updated on November 19th, 2024 at 10:09am
Today’s CloudOps leaders must continuously skill-up to understand how new technologies, like AI and Cloud AI services, will impact their users and business. This pressure to stay relevant forces CloudOps to balance speed, scale, and self-service with the need for continuous security and cost-effectiveness.
Staying relevant in today’s marketplace means taking advantage of the cloud in a strategic way. This tends to push enterprises towards a multicloud footprint, even if the strategy a few years ago was to stay “single cloud”. As companies grow through M&A transactions, need access to best-of-breed AI cloud services, or take advantage of rate incentives, they will undoubtedly encounter more multicloud complexity, not less.
Today, we will focus on the emerging privileged access problem, which is quickly becoming a top-of-mind concern for both CISOs and CloudOps leaders as they optimize and grow their use of cloud. Privileged access affects both human and non-human identities in the cloud, and each kind brings its own challenges and concerns.
The privileged access problem
Organizations that started in the cloud years ago may have prioritized speed to market over security. For example, giving a developer administrator access to build their own cloud account and stand up infrastructure may have enabled some agility early on, but at a major cost to security. Patterns like this are part of why guidance such as the Well-Architected Framework exists, and they have made cloud privileged access management (CPAM) an important priority for CloudOps teams. Solutions like Kion help ensure zero-trust, least-privileged access is applied across all clouds and accounts.
Multicloud adds complexity to the job of managing privileged access, since every additional cloud service provider (CSP) brings its own framework for access and permissions that the team must learn.
Challenges with today’s approach
CloudOps teams have focused primarily on IAM tools for managing user identities and group memberships. Many CSPs offer integrations with leading IAM tools to help facilitate secure authentication. These tools also provide the ability to map individual identities to cloud accounts and permissions, which establishes the baseline access each user is granted.
However, as organizations scale up, things become complicated for CloudOps teams. It’s not uncommon for users to need elevated permissions at times in order to complete a specific job function. As these one-off grants accumulate, the access certain users hold drifts from organizational and compliance standards, making permission schemes hard to streamline.
Similarly, ensuring a user or service account has consistent, least-privileged setup across multiple cloud providers becomes even more difficult since each CSP uses a different permissions framework.
This complexity becomes increasingly important to solve as the number of accounts and users grows. Not solving this means:
Security risk: Permissions sprawl leading to a complicated and expensive web of entitlements that are hard to understand or secure
Increased costs: Expensive access reviews that distract CloudOps teams from prioritizing efforts that can reduce costs or accelerate time to market
Kion differentiates by taking an ‘administratively driven’ approach that organizes cloud accounts and subscriptions into a hierarchical Organization Chart (Org Chart).
With this Org Chart, you push down IAM policies to projects, teams, and business units that are ‘non-negotiable’ via Kion Cloud Rules - i.e., these policies apply to every user who accesses those accounts, regardless of the role they assume.
Kion also provides a ‘user driven’ approach known as Cloud Access Roles, which are typically built around personas in the organization - e.g., security engineers, developers, auditors, etc. These are powerful, easy-to-use vehicles for granting users the right level of access to cloud service providers so they can accomplish their work. CloudOps teams define the granular IAM policies and permissions in the Cloud Access Role, which the user ultimately assumes upon federation into the cloud environment. The Cloud Access Role carries the properly configured permissions for AWS, Azure, and GCP and is inherited via the Org Chart, so users assume granular roles scoped to their specific job function.
Streamlined access and permissions
When combining both the ‘administratively driven’ and ‘user driven’ approach, you get a unique, least-privileged role that can easily be managed in Kion across multiple clouds and accounts. This is then used to federate into the CSP, making Kion the single, secure point of access for multiple clouds, unlocking important business benefits:
Cost avoidance: Setting up non-negotiable permissions and policies across multiple clouds and accounts can prevent accidental misuse of cloud resources that result in wasted spend, such as preventing instances that cost >$2 per hour, or restricting deployment in unapproved regions.
Improved security and compliance: Utilizing Cloud Access Roles, often defined around specific personas in an organization (like developers, security engineers, etc.), ensures consistent, least-privileged access that is manageable at scale. Unmanaged, over-permissioned, or unused IAM roles can lead to security breaches or compliance violations.
Consistency across multiple clouds: Kion unifies the IAM constructs found in the major cloud providers – such as AWS IAM policies, Azure role definitions, and GCP IAM roles.
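The two layers described above (inherited, non-negotiable guardrails pushed down an org chart, intersected with a persona role's allow-list) can be modelled in a few dozen lines. The following is an added example written for this page, not Kion's code: the class names (OrgUnit, CloudRule, AccessRole), the constants (ROOT, DEV_TEAM, DEVELOPER, SECURITY_ENGINEER) and the sample rules and roles are all constructed for illustration. The decision logic mirrors how AWS SCPs bound identity policies: a request is allowed only if the persona role allows it and no inherited guardrail denies it, and an explicit deny always wins. The region guardrail and the instance-type guardrail stand in for the cost-avoidance rules mentioned above.

```python
"""Toy model of inherited guardrails (admin-driven) intersected with persona
roles (user-driven). Added example for illustration; not Kion's implementation.
All names, rules and roles below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class CloudRule:
    """A non-negotiable guardrail. It denies any action matching `actions`.
    With no scope it denies unconditionally; with a scope it denies only
    requests outside `allowed_regions` or using a `denied_instance_types` entry."""
    name: str
    actions: tuple[str, ...]
    allowed_regions: Optional[frozenset[str]] = None
    denied_instance_types: Optional[frozenset[str]] = None

    def denies(self, action: str, region: str, instance_type: Optional[str]) -> bool:
        if not any(fnmatchcase(action, pat) for pat in self.actions):
            return False
        if self.allowed_regions is None and self.denied_instance_types is None:
            return True  # unconditional deny on a matching action
        if self.allowed_regions is not None and region not in self.allowed_regions:
            return True
        if self.denied_instance_types is not None and instance_type in self.denied_instance_types:
            return True
        return False


@dataclass
class OrgUnit:
    """A node in the org chart; guardrails attached to ancestors are inherited."""
    name: str
    parent: Optional[OrgUnit] = None
    rules: list[CloudRule] = field(default_factory=list)

    def effective_rules(self) -> list[CloudRule]:
        chain, node = [], self
        while node is not None:  # walk up to the root; rules only accumulate
            chain.extend(node.rules)
            node = node.parent
        return chain


@dataclass(frozen=True)
class AccessRole:
    """A persona role: the user-driven allow-list assumed on federation."""
    persona: str
    allowed_actions: tuple[str, ...]

    def allows(self, action: str) -> bool:
        return any(fnmatchcase(action, pat) for pat in self.allowed_actions)


def evaluate(role: AccessRole, unit: OrgUnit, action: str, region: str,
             instance_type: Optional[str] = None) -> tuple[str, str]:
    """Return (decision, reason). Inherited guardrails are checked first, so an
    explicit deny wins regardless of what the persona role allows."""
    for rule in unit.effective_rules():
        if rule.denies(action, region, instance_type):
            return "DENY", f"Cloud Rule '{rule.name}' inherited at {unit.name}"
    if role.allows(action):
        return "ALLOW", f"{role.persona} role allows {action}"
    return "DENY", f"{role.persona} role has no allow for {action}"


# Constructed org chart: guardrails at the root apply to every account beneath it.
ROOT = OrgUnit("root", rules=[
    CloudRule("approved-regions-only", ("*",),
              allowed_regions=frozenset({"us-east-1", "us-west-2"})),
    # Stand-in for a ">$2/hour" cost guardrail: a constructed list of instance
    # types this organisation has decided are too expensive for self-service.
    CloudRule("no-expensive-instances", ("ec2:RunInstances",),
              denied_instance_types=frozenset({"p4d.24xlarge", "x2iedn.32xlarge"})),
])
DEV_TEAM = OrgUnit("dev-team", parent=ROOT, rules=[
    CloudRule("no-iam-writes", ("iam:Create*", "iam:Put*", "iam:Attach*", "iam:Update*")),
])

# Constructed persona roles.
DEVELOPER = AccessRole("developer", ("ec2:*", "s3:*", "logs:*"))
SECURITY_ENGINEER = AccessRole("security-engineer",
                               ("iam:Get*", "iam:List*", "ec2:Describe*", "cloudtrail:*"))

if __name__ == "__main__":
    checks = [
        (DEVELOPER, DEV_TEAM, "ec2:RunInstances", "us-east-1", "t3.micro"),
        (DEVELOPER, DEV_TEAM, "ec2:RunInstances", "eu-west-1", "t3.micro"),
        (DEVELOPER, DEV_TEAM, "ec2:RunInstances", "us-east-1", "p4d.24xlarge"),
        (DEVELOPER, DEV_TEAM, "iam:CreateUser", "us-east-1", None),
        (SECURITY_ENGINEER, DEV_TEAM, "iam:ListUsers", "us-east-1", None),
        (SECURITY_ENGINEER, DEV_TEAM, "s3:PutObject", "us-east-1", None),
    ]
    for role, unit, action, region, itype in checks:
        decision, reason = evaluate(role, unit, action, region, itype)
        print(f"{decision:5} {role.persona:17} {action:18} {region:10} {reason}")
```

Running the script shows the property the text is after: the developer persona keeps its broad `ec2:*` allow, yet a launch in eu-west-1 or of a denied instance type is refused by a root-level rule the developer's team cannot override, and the same persona role evaluated under a different org unit picks up a different set of guardrails without anyone editing the role.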
Kion goes one step further and helps CloudOps teams automate access reviews. Kion’s “Admin Audit” is a new CIEM capability that identifies roles and principals that have admin access outright, or that can escalate to it through role chaining - that is, by assuming a role that is itself trusted to assume a more privileged one.
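The two questions an admin audit answers, which roles are admin-equivalent outright and which principals can reach one by chaining sts:AssumeRole through trust policies, reduce to pattern matching plus a graph search. The following is an added example written for this page and is not Kion's Admin Audit implementation. The role inventory (ROLES), the principal naming (`user/<name>`, `role/<name>`) and the ADMIN_EQUIVALENT list are constructed here; the list is a starting point of well-known admin-equivalent IAM actions, not a complete one.

```python
"""Toy admin audit over a constructed role inventory. Added example; not
Kion's code. Finds roles that are admin-equivalent and principals that can
reach such a role by chaining assume-role hops through trust policies."""
from collections import deque
from fnmatch import fnmatchcase

# Actions treated as admin in practice: a full wildcard, or IAM writes that let
# the holder grant themselves anything. Constructed starting list, not complete.
ADMIN_EQUIVALENT = (
    "*",
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy",
)

# Constructed inventory (no real accounts): role -> allowed action patterns and
# the principals its trust policy lets assume it. Note the BreakGlass/OrgAdmin
# cycle, which the search must tolerate.
ROLES = {
    "OrgAdmin":        {"actions": {"*"},
                        "trusts": {"role/BreakGlass"}},
    "BreakGlass":      {"actions": {"sts:AssumeRole"},
                        "trusts": {"role/DeployPipeline", "role/OrgAdmin"}},
    "DeployPipeline":  {"actions": {"ecs:*", "sts:AssumeRole"},
                        "trusts": {"user/ci-bot"}},
    "IamOps":          {"actions": {"iam:*"},
                        "trusts": {"user/bob"}},
    "ReadOnlyAuditor": {"actions": {"*:Describe*", "*:List*", "*:Get*"},
                        "trusts": {"user/alice"}},
}


def is_admin_equivalent(action_patterns):
    """True if any allowed pattern covers any admin-equivalent action.
    Wildcards such as 'iam:*' are expanded by matching, not by string equality."""
    return any(fnmatchcase(act, pat) for pat in action_patterns for act in ADMIN_EQUIVALENT)


def assumable_from(roles):
    """Invert trust policies into principal -> set of roles it may assume (one hop)."""
    edges = {}
    for role, spec in roles.items():
        for principal in spec["trusts"]:
            edges.setdefault(principal, set()).add(f"role/{role}")
    return edges


def path_to_admin(start, roles):
    """Breadth-first search over assume-role edges. Returns the shortest chain
    from `start` to an admin-equivalent role, or None. A visited set keeps
    trust cycles from looping."""
    admin_roles = {f"role/{n}" for n, s in roles.items() if is_admin_equivalent(s["actions"])}
    edges = assumable_from(roles)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in admin_roles:
            return path
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def admin_audit(roles):
    """Report every principal (users named in trust policies plus every role)
    with its escalation chain, or None when no chain to admin is found."""
    principals = {p for s in roles.values() for p in s["trusts"]} | {f"role/{n}" for n in roles}
    return {p: path_to_admin(p, roles) for p in sorted(principals)}


if __name__ == "__main__":
    for principal, path in admin_audit(ROLES).items():
        verdict = " -> ".join(path) if path else "no path to admin found"
        print(f"{principal:22} {verdict}")
```

Two design choices matter for reading the output. First, the graph deliberately over-approximates: a trust-policy entry is treated as a usable hop, although in a real account the assuming principal's own identity policy, permission boundaries, SCPs and trust-policy conditions (ExternalId, MFA, source constraints) can all block it. A reported chain is therefore something to verify and tighten, which is the right bias for an access review. Second, a `None` result is not proof of safety, because ADMIN_EQUIVALENT only lists the actions named here; a production audit would carry a fuller escalation catalogue and evaluate resource scopes and conditions rather than action names alone.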
User Evidence
As one of the largest telecom companies in the world, Verizon supports over 150 developers across multiple cloud platforms. Managing access and permissions for such a large and growing team while ensuring security and compliance across their multicloud infrastructure became a significant challenge. Verizon needed a solution that could not only provide developers with seamless access to cloud provider consoles, but also ensure the right permissions were applied from the start.
They turned to Kion for a comprehensive platform that could address their varying cloud governance needs, including but not limited to:
Reducing operational expenses through automation of account provisioning, compliance, and security controls
Eliminating cost overruns by implementing enforceable budgets
Delivering cloud-native console access to developers
As Verizon’s cloud infrastructure continues to evolve, Kion plays a critical role in automating permission management and providing a unified platform for managing accounts, permissions, and financial governance.
By leveraging Kion, Verizon is able to streamline cloud operations, enabling secure access for their development teams while maintaining compliance and controlling costs across multiple cloud environments.
For more on Verizon’s CloudOps journey with Kion, read the full case study.