Skip to main content
banner image
venafi logo

The “Egregious 11” Have Spoken: Machine Identities in the Cloud Need to Evolve

The “Egregious 11” Have Spoken: Machine Identities in the Cloud Need to Evolve

machine identities in the cloud
August 22, 2019 | Michael Thelander

As we all know, cloud is blowing up.

Every customer we talk to is in the cloud, going to the cloud or leveraging the cloud for some aspect of their business. Setting aside for now any notion of what kind of cloud we’re talking about—whether private, multi-cloud or hybrid cloud—it’s clear that Forrester’s projection for public cloud revenue to reach $411 billion in three years is conservative, if anything.


This blow-up of the cloud—and all the complexity it entails with a mashup of IaaS, PaaS, microservices and orchestration technologies—is a good thing. According to Dr. Sunnie Giles’ recent book, The New Science of Radical Innovation,


“Leaders should not be afraid of complexity, but rather increase complexity to use it to their advantage.”

She recommends operating at ‘”the edge of chaos.”

But this very same notion can terrify information security teams.


"Where are the threats? What risks are we accelerating? How can I see through this complexity?"


The Cloud Security Alliance (CSA) has been following this conflict for years. The CSA is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”

As part of this effort, they’ve developed the Cloud Controls Matrix (CCM), a framework of cloud-specific security controls mapped to leading standards. The goal of the CCM is to help InfoSec professionals establish and monitor controls in this often chaotic, cloud-happy world. 

Recent Survey Highlights 11 Egregious Errors

The CSA recently interviewed 241 industry experts and issued a report specifically focused on the need to understand cloud threats and—more importantly—not leave the remediation of these threats to cloud providers. The result was a new August 6 report that “rated 11 salient threats, risks and vulnerabilities in their cloud environments.”

11 salient threats, risks and vulnerabilities in the cloud

As this blog post is focused on machine identities and their effective management, I won’t go into all 11 threats, though I do encourage the full read. As far as machine identity management is concerned, however, three of these risks are worth calling out. 

#2. Misconfiguration and inadequate change control:

”Companies should embrace automation and employ technologies that scan continuously for misconfigured resources and remediate problems in real time."

In the cloud world as well as in our traditional on-prem world, configuration mishaps are a leading cause of errors and outages. As the report states, “Misconfiguration of cloud resources is a leading cause of data breaches and could allow deletion or modification of resources and service interruption.” (Italics added.)

Misconfiguration of cloud resources is a leading cause of data breaches

As a case in point, a misconfigured AWS S3 cloud storage service exposed private information of 123 million American households in 2017.

But rather than just calling out the error, the “Egregious Eleven” report lists CCM controls that can shore up these instances: specific controls requirements for change control, configuration management, and encryption and key management are listed, with references.

#4. Insufficient identity, credential, access and key management:

“Limit the use of root accounts. Practice the strictest identity and access controls for cloud users and identities." 

Limit the use of root accounts

It seems obvious that this would be an area of concern, but the CSA report makes a clear point of calling out the management of machine identities as part of the solution here: “a lack of regular automated rotation of cryptographic keys, passwords and certificates is cited, as well as important tips:

Again, this seems obvious, but the report does the legwork of listing a number of applicable CCM controls to help build a policy:

  • EKM-01: Entitlement
  • EKM-02: Key Generation
  • EKM-03: Sensitive Data Protection
  • EKM-04: Storage and Access

#10. Limited cloud usage visibility:

“Mandate companywide training on accepted cloud usage policies … All non-approved cloud services must be reviewed and approved by the cloud security architect or third-party risk management."

"the CCA report does a great job of detailing what should be made visible"

Obviously, you can’t protect what you can’t see. But the CCA report does a great job of detailing what should be made visible, including both “Un-sanctioned app use,” where non-approved apps, services and even CAs are used to support cloud environments, and “Sanctioned app misuse.” In the latter case, the report details responses to both internal actors and external threat actors, who target services using methods like credential theft, SQL injection and DNS attacks.    

A Policy for Hope

I hope that the three callouts I have featured will pique your interest enough to read the entire report. Obviously, I feel that it is worth the time to download and read. But it might cause InfoSec leaders to wonder if they can really operate in that “edge of complexity” that Dr. Giles describes in her book.

How secure are the machine identities protecting your data in the cloud?

But all hope is not lost. Fortunately, the book also points out a way to do this: develop a loose but well-monitored set of rules. In Venafi vernacular, we would advise you to develop a policy that will help you ensure best practices. You may want to start with NIST 1800-16 (see our latest blog post here) or even CSA’s well-thought-out Cloud Control Matrix, and use these as blueprints for a world where there’s just enough control to keep us safe, but where we haven’t stifled innovation. 

How secure are the machine identities that your organization uses to secure machine-to-machine connections and communications in the cloud?


Related posts


Like this blog? We think you will love this.
Featured Blog

Increase Security for Private Workloads Using Isolated Issuers in Hardened Environments

The challenges for security pol

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Michael Thelander
Michael Thelander

Michael Thelander writes for Venafi's blog and is an expert in machine identity protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more