Imagine your HR department stopped keeping a record of current employees. The result would be chaos, as administrators would suffer from limited visibility into the people working and accessing the company resources daily.
As ridiculous as that may sound, it happens all the time in the cloud with digital identities because most companies still lack robust identity access management (IAM) governance and tooling – which, in turn, creates massive security blind spots.
Not only do you have people accessing resources, but you also have non-people identities that may have way too much privilege and access to the cloud and its resources. Some examples of non-people identities are:
- AWS Roles, Azure Service Principles
- Serverless functions – AWS Lamba, Azure Functions
- Compute – VMs, serverless functions, EC2s
- IT admin accounts – service accounts, technical accounts
- Automations deployment – IaC, bots
- Cloud services – AWS, Azure Advisor
Anything that does not have a human association is a non-person identity. An enterprise can have tens upon tens of thousands of non-people identities, which far outweigh the number of people identities. Get your trust relationships wrong, and an identity can have excessive permissions.
When you have numerous developers running around in an environment, doing different roles and functions, chances are they will accumulate permissions across multiple groups, roles, services, and accounts.
The only way to close blindspot gaps and proactively manage identity and data security risks is to prioritize IAM and conduct identity access reviews. By doing so, you can protect your data using the Least Access principle, and enforce the Principle of Least Privilege, ensuring only authorized identities access your private, sensitive data. Traditionally this was done periodically, quarterly, or worse, yearly. In the cloud, it needs to be done continuously.
Does Your Organization Actually Keep Track of Access?
Nowadays, organizations are more distributed across the workforce and applications. It’s crucial to acknowledge that identities – people and non-people – are accessing sensitive content at any given time.
Are you doing enough to secure your data? At all times, do you know which identities can access your data? Do you know how they are accessing it? What can you do to enforce least privilege and least access?
For example, an HR group does not need access to customer data. Therefore, you need to set security controls that limit the effective permissions tied to that specific group.
But it doesn’t stop there. Organizations need to consider non-people identities. Each non-people identity permissions to them. Do you know what their effective or end-to-end permissions are? We’ve established that non-people identities now vastly outnumber people identities. What’s more, non-people identities can be grossly misconfigured. And we all know that misconfigurations frequently go unnoticed.
Organizations need to dig deep and bring to light the effective permissions for non-people identities, then work towards getting to least privilege, locking down access to only what’s needed. Teams then monitor non-people identities for anomalous behavior and work proactively to remediate it.
What is an Identity Access Review?
As the name suggests, an identity review involves taking inventory of all the people and non-people identities in your cloud as well as the data to which they have access. This process helps an organization to maintain an active, evolving approach to risk assessment and management. The process reduces overall risk exposure while aligning with organizational changes. The common misconception is that this only needs to be done periodically, which is asking for trouble.
You need to be continuously performing Identity and Access reviews. By conducting continuous audit and monitoring, you will better understand the level of risk to your cloud environment. Enterprises gain a complete overview of who, what, when, where, and how an identity – people and non-people – is tapping into their network. A tool that provides insights about identity risk with a specific context, e.g., date and time, location, IP address, and pinpoints governance and platform issues, will enable teams to manage risk effectively.
Workflow management and automation enable you to ensure that the issues found through continuous audit and monitoring get addressed promptly. Receive alerts when a toxic combination, escalation of privilege, or other identity abuse cases occur. You can then go in with the proper remediation and prevention steps. Automation bots that can remediate issues and protect sensitivity based on guiding policy principles will also help. Teams benefit from consistent risk protection in real-time, and CISOs benefit from the assurance of passing audit.
Benefits of Identity Access Reviews
Catch Small Problems Before They Escalate
Vigilance is essential, and teams should identify the effective permissions that pose a risk and prevent them from becoming a breach event. For example, an identity can have effective permission to access sensitive data (social security number) but has not yet assessed it. Let’s say the identity becomes dormant. It’s just sitting there waiting for something to use it. Hackers can then go in, find that identity and compromise it to steal the data. It’s a security disaster just waiting to happen.
With the naked eye, finding minor problems in the cloud becomes impossible. Critical resource monitoring (CRM) enables teams to set a security baseline of the data store that you’re monitoring – who or what is accessing it; what combination of permissions is accessing it – will catch minor problems and threats before they become big ones.
Setting up change detection will alert teams of any deviation from the baselines.
Maintain Employee and Vendor Relations
Security issues almost always lead to finger-pointing and blame, both towards internal employees and vendors. Ultimately, these issues can result in termination, lawsuits, and damaged reputations — costly outcomes that are all bad for business.
Continuous identity access monitoring can help businesses inventory the resources to which employees and vendors have access. Teams can utilize tools that inform them of effective permissions of chained identities, including permissions and trust relationships. Least privilege will enable you to maintain relationships with employees and vendors, avoiding privilege escalation or toxic combinations while protecting stakeholders from risk.
Keep Projects on Track
Security issues can turn a project sideways, delay production, and even result in cancellations, creating unhappy customers and losing profits. Therefore, administrators need to keep a close watch on identity management to keep accounts secure and position business for success.
The Top People and Non-People Identity Risks
As organizations scale, they may find identity risk management increasingly complex, with countless resources – from thousands to millions. An IAM review now involves a lot more than just taking a personnel headcount, as teams must factor in non-people identities. Here are some critical threats to consider during the process.
Identities with Unchecked Access
Consider who and what has the most open access to your systems. Known as Shadow IT, developers looking to experiment or operate more freely to meet demanding production deadlines pose a threat. The reason being they know how your network is constructed and may grant themselves excess permission (such as “*”), giving them access to your most sensitive information.
But it doesn’t stop there. Now, with more non-people identities than people identities, enterprises must continually monitor them for overly permissioned instances that can lead to security failures.
The second high-risk group to assess is third-party vendors. Vendors can sometimes have access to systems and information, with use ranging from a few weeks to a few months or even years.
There are a few risks to consider here. In some cases, a vendor will sign a contract, receive network access, and then lie dormant for some time before a project starts. Or a contract will end, and – due to a lack of visibility, for instance – the missed account will not be deprovisioned.
Risks multiply when vendors work with other third-party agencies – mainly temporary or freelance hires with little-to-no security clearance and weak ties to the organization – who may want to exploit information for their gain.
In both cases, it opens the door for overly permissioned, non-people identities with their effective permissions to fall into the wrong hands. When working with third-party vendors, it’s imperative to adopt a zero-trust model that automatically recognizes, analyzes, and monitors all identities, people and the non-people ones at their disposal, in every interaction.
New employees also pose an initial risk upon entry, as managers will often tell their IT department to add the person at the same level of access as a current employee. Although people may work in the same department, they may not need the same system access permissions as their colleagues. A new person may be onboarded and put into two different groups – each with their own access permissions. A toxic combination occurs.
Similarly, employees who transfer from one area to another without adequate review of their access may inadvertently accumulate data business intelligence or system access beyond the units for which they’re required, for example, during mergers and acquisitions.
Inappropriate access assignments can lead to the gathering of excessive permissions, segregation of duties violations, jeopardize sensitive material, and needlessly expand risk exposure. Organizations need to set restrictions by securing the data (lockdown) based on behavioral controls, policy restrictions, then monitor for anomalous activity.
What Next After an Access Review?
Once the organization knows its identity and access risks, the next step is remediating them.
Remember that the goal here is to achieve a state of least privilege and least access, which requires a level of real-time monitoring, alerting, and remediation that is only achievable through advanced automation.
Sonrai Security’s CIEM solution offers just that — continuous anomaly detection for suspicious identity behavior and suggested cloud changes to help you meet Least Privilege. Built-in to our CIEM solution is our remediation capabilities including an organized ticketing workflow to ensure the right team is notified of concerns with prioritization, or automated bot remediation.