As organizations are embracing and adopting multicloud infrastructures, identity permissions have increased across three leading cloud platforms: Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GPC). Although this shift brings new opportunities for innovation, it presents new permission challenges organizations have never faced before.
Today, we’re thrilled to announce our 2023 State of Cloud Permissions Risks report. The report covers key risk findings surrounding identities and permissions across multicloud infrastructures.
This year we’ve found some eye-opening insights about workload identities and super admins. Let’s look at these risks and explore how to remediate them:
Workload identities
In today’s multicloud world, human identities are no longer the only ones accessing multicloud infrastructure. The number of workload identities operating across clouds, including apps, VMs, scripts, containers, and services exponentially increase, now outnumbering human identities 10 to 1.
Additionally, the average percentage of inactive workload identities— at 80%— has doubled since 2021, and less than 5% of permissions granted are used by workload identities. To help reduce this risk, we recently launched the preview of App Health Recommendations within Microsoft Entra Workload Identities, allowing you to easily identify inactive apps or expiring credentials.
As workload identities accessing cloud infrastructure increase, its critical organizations monitor their access to reduce their risk of breach.
Super Admins
Super admins are human or workload identities that have access to all permissions and all resources. They can create and modify configuration settings to a service, add or remove identities, and access or even delete data. Extremely over-permissioned, our research found that less than 2% of permissions granted to super identities are used, and 40% of super admins are workload identities.
Left unmonitored, these identities present a significant risk of permission misuse if breached.
Managing and remediating permissions risks across multicloud
Closing the permissions gap and reducing the risk of permission misuse requires organizations to implement the principle of least privilege. This must occur consistently to all human and workload identities across multicloud environments. Organizations can achieve this at a cloud scale by adopting a Cloud Infrastructure Entitlement Management (CIEM) solution to continuously discover, remediate, and monitor the activity of every unique user and workload identity across multicloud.
There are three ways Microsoft Entra Permissions Management, Microsoft’s CIEM solution, can prevent your cloud permissions from expanding your multicloud attack surface:
- Discover: Assess your permissions risks and identify what identity has been doing what, where they’ve been doing it, and when they’ve been doing it.
- Remediate: Grant permissions on-demand and just-in-time to ensure the least privilege principle.
- Monitor: Continuously monitor permissions usage across clouds to prevent security threats.
Through Microsoft Entra Permissions Management, we offer a free multicloud risk assessment to help you identify the top permission risks across your multicloud environment. You can learn more about multicloud permission risks by downloading the 2023 State of Cloud Permissions Risks Report and take the first step to securing your infrastructure by starting your free risk assessment today.
- Read the 2023 State of Cloud Permissions Risk report
- Learn more about how cloud permissions risks impact your organization
- Learn more about Microsoft Entra Permissions Management
- Start your free multicloud risks assessment!
Best regards,
Alex Simons (Twitter: @Alex_A_Simons)
Corporate Vice President of Program Management
Microsoft Identity Division
Learn more about Microsoft identity:
- Get to know Microsoft Entra – a comprehensive identity and access product family
- Return to the Microsoft Entra (Azure AD) blog home
- Join the conversation on Twitter and LinkedIn
- Share product suggestions on the Entra (Azure AD) forum