to control access to cloud administrators via the role-based access control method. People in this ADAG can typically share access to the group emails, which were used to create the cloud accounts. They may use those emails to reset your cloud root accounts. Effectively, any of your cloud administrators can then reset a cloud account password via email. It now becomes harder to track who has access to the shared account, and you may begin to question the gaps in your cloud security model.
Protecting the Cloud King
Inevitably, you still need cloud administrators. The question now is how to protect those
administrators from doing things unaccountably. It may come as a surprise to you and
your administrators that their passwords are accessible to certain groups of people in
your company. The following areas show how an access breach can happen via other
system administrators.
[Figure 1 diagram: Various Administrators with paths to four systems: Password Vault (CyberArk, BeyondTrust, HashiCorp Vault), Directory (Azure AD, Windows Active Directory), Email Systems (Outlook, Outlook 365) and Cloud Accounts.]
Figure 1: Various system administrators can access your cloud accounts
Email System
The administrator of your email system can access other employee email accounts by
resetting their email passwords. Remember that your cloud account must be created
with a valid company email, which can be used to reset your cloud account password
when needed. Therefore, your email administrator can access your cloud account.
Password Vault System
It is a best practice to store your high privileged account credentials in a password vault
system using a commercial product such as BeyondTrust, CyberArk, HashiCorp Vault,
etc. These password vaults provide access auditing and access control for passwords
via a web interface or an API. However, the administrator of the password vault system
can still access any other employee’s password, including ones for email and cloud
accounts.
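The two administrator paths described in the Email System and Password Vault System sections can be watched for from the audit logs those systems already produce. The following is an added example, not code from the article or from any of the products named: it correlates constructed sample events (the field names, account names and the 24-hour window are assumptions) to flag a mailbox reset by an email administrator that is followed by a cloud root reset via that mailbox, and a vault credential retrieval for a cloud root account by someone who is not one of its owners.

```python
from datetime import datetime, timedelta

# Constructed inventory: cloud root accounts keyed by the group mailbox used to
# create them, with the administrators who legitimately own each (names assumed).
CLOUD_ROOTS = {
    "aws-prod-root@example.com": {"account": "aws-prod", "owners": {"alice"}},
    "azure-sub-root@example.com": {"account": "azure-sub", "owners": {"bob"}},
}

# Constructed sample audit events, in logged order. The field layout is assumed;
# real email, cloud and vault logs would need a small normalisation step first.
EVENTS = [
    {"ts": "2019-10-01T08:00:00", "src": "email", "action": "mailbox_password_reset",
     "actor": "mail-admin", "target": "aws-prod-root@example.com"},
    {"ts": "2019-10-01T08:20:00", "src": "cloud", "action": "root_password_reset_via_email",
     "actor": "aws-prod-root@example.com", "target": "aws-prod"},
    {"ts": "2019-10-01T09:00:00", "src": "vault", "action": "credential_retrieved",
     "actor": "vault-admin", "target": "azure-sub"},
    {"ts": "2019-10-01T10:00:00", "src": "vault", "action": "credential_retrieved",
     "actor": "bob", "target": "azure-sub"},
]

def correlate(events, window_hours=24):
    """Return (rule, actor, cloud_account) alerts for the two admin-to-cloud paths."""
    alerts = []
    window = timedelta(hours=window_hours)
    by_account = {v["account"]: (k, v["owners"]) for k, v in CLOUD_ROOTS.items()}
    mailbox_resets = {}  # registration email -> (time, actor) of its latest reset
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["src"] == "email" and e["action"] == "mailbox_password_reset":
            if e["target"] in CLOUD_ROOTS:       # only mailboxes that can reset a root
                mailbox_resets[e["target"]] = (ts, e["actor"])
        elif e["src"] == "cloud" and e["action"] == "root_password_reset_via_email":
            email, owners = by_account.get(e["target"], (None, set()))
            if email in mailbox_resets:
                t0, admin = mailbox_resets[email]
                # Mailbox reset by a non-owner shortly before the root reset.
                if ts - t0 <= window and admin not in owners:
                    alerts.append(("email_admin_to_cloud_root", admin, e["target"]))
        elif e["src"] == "vault" and e["action"] == "credential_retrieved":
            email, owners = by_account.get(e["target"], (None, set()))
            # Vault retrieval of a cloud root credential by someone who does not own it.
            if email and e["actor"] not in owners:
                alerts.append(("vault_admin_to_cloud_root", e["actor"], e["target"]))
    return alerts

if __name__ == "__main__":
    for rule, actor, account in correlate(EVENTS):
        print(f"{rule}: {actor} -> {account}")
```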
46 | THE DOPPLER | FALL 2019