The Super-Sized Risk of Super-User Accounts for Cloud Applications

By Matthew Vulpis, Content Contributor  |  April 07, 2021

As large organizations continue to move more and more data and compute to the cloud – in fact, to multiple clouds – risk analysis has changed and has become more mission-critical than ever.

Given the increasing number of threats against applications running on cloud infrastructures, including the protection of data at rest and data in transit, IT and OT teams must consider the complexities associated with multi-cloud environments to manage risks.

Super-users who used to be granted privileges for on-prem infrastructure and applications and for private data networks are increasingly being granted super-user privileges enabling them to configure multi-cloud services, so they can respond to user preferences while also managing threats on individual and collective services.

Technology leaders are increasingly in search of new "trust fabrics" that can allow them to take advantage of all the benefits of cloud without risking attacks, both external and internal.

We caught up with Orhan Yildirim, CTO of Ironsphere, a New Jersey-based cybersecurity company, focused on Privileged Access Management (PAM), to learn how their clients (in banking, telecom, healthcare, retail, and other highly regulated industries) are managing the cloud-access challenge, enabling super-users, while at the same time putting software in place to help automate and secure assets.

"It is urgent for organizations to challenge the risks and rewards of super-user accounts," Yildirim said. "Too many enterprises are learning the hard way about the grave consequences of not monitoring, managing, and controlling super-user privileged accounts closely enough. With at least as much risk coming from insiders, according to experts, this topic has become top of mind, all the way to the Board of Directors level, given the risks associated with just one super-user causing intentional or unintentional damage."

As defined by Wikipedia, "in computing, the super-user is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin, or supervisor. In some cases, the actual name of the account is not the determining factor; on Unix-like systems, for example, the user with a user identifier (UID) of zero is the super-user, regardless of the name of that account."

The definition goes on to say, "in systems which implement a role-based security model, any user with the role of super-user (or its synonyms) can carry out all actions of the super-user account. The principle of least privilege recommends that most users and applications run under an ordinary account to perform their work, as a super-user account is capable of making unrestricted, potentially adverse, system-wide changes."

"The emphasis on, and investment in, securing systems from external adversaries has proven effective in keeping out intruders," Yildirim said, "but over the past several years, internal threats are causing tremendous damage, as we've seen reported in the media, but often not reported by the companies harmed. Anyone inside an organization with super-user privileges has the potential to take entire businesses and their customers down, either through carelessness, incompetence, or maliciousness."

Yildirim explained that corporate IT systems cannot be efficiently run without granting the appropriate people the privileges to make changes in networks, clouds, databases, and applications.

"There is an important place for super-users – the key is to minimize risk through software security solutions, Yildirim continued. "Without ensuring policies are applied to those who have access to confidential information, secrets, sensitive personal data and more, organizations are breaching their regulatory requirements, which can cause a failing grade from auditors, and actions at the board level, depending on the organization and the industries they serve."

Modern governance techniques can enable IT and OT leaders to set up super-users by privilege, by scope, by time, by location, and other levers, Yildirim said. "If there is no way to automatically secure passwords, serious security risks will plague the enterprise, especially if there is no way of monitoring who is using a shared account at a particular time, so there is no audit trail, no discrete user records as part of event logging, and therefore zero accountability."

Yildirim says the challenge is how to manage user access if they attempt to access target hosts directly, bypassing whatever has been put in place.

"Dynamic password controllers eliminate personal privileges on target hosts, securely store shared/non-personal super-user accounts in an encrypted digital vault, and automatically change them at regular intervals," Yildirim said. "Once a super-user account is vaulted and updated, users no longer have direct access to the new credentials, effectively making the organization's PAM solution the single owner of that super-user account. "

By blocking direct access at the network level and configuring rules in network devices to only allow access to target hosts, this type of solution blocks all other sessions to prevent any unsupervised privileged access. Rules can be configured as ACLs (Access Control Lists) on network elements or as Access Rules on firewalls.

According to the Ponemon Institute (News - Alert)'s Cost of a Data Breach Report, an annual compendium of data breach trends that over the years has become a barometer of sorts for the information security industry, in 2020, data breaches on average cost $3.86 million.

While the average cost is down a tick (1.5%) from Ponemon's 2019 figure, $3.92 million, the report's highest cost - the average cost of a data breach in the United States in 2020 - $8.64 million, is higher than 2019's figure, $8.19 million.

Given new and more sophisticated attacks in 2020 and 2021, in some part due to the pandemic forcing work-from-home models, creating new vulnerabilities, and attracting cybercriminal activity, we can expect even greater costs in the months and years to come.




Edited by Maurice Nagle