Defining a Cloud Permissions Firewall


Sonrai recently launched the first-ever Cloud Permissions Firewall – a new class of solution built to more efficiently protect sensitive permissions and access. 

A new solution class deserves a proper introduction and definition, so this blog will cover what a Cloud Permissions Firewall is, why enterprises need one, how it is different from other identity-focused solutions, and how it helps Development, Operations, and Security Teams drastically reduce risk in the cloud without slowing down innovation.

What is a Cloud Permissions Firewall?

A Cloud Permissions Firewall is a security solution designed to manage and control access and permissions at scale. It automates the implementation of the principle of least privilege by continuously analyzing permission usage and adjusting access rights accordingly. In the case of a Cloud Permissions Firewall, least privilege covers not only unused permissions but also unused identities, services and regions.

This approach significantly reduces the number of permissions that have to be managed by focusing on the most impactful ones. The tool is dynamic: it continuously ensures that identities have access only to the sensitive permissions they actually need, improving security without compromising operational efficiency.

The ‘Firewall’ terminology goes back to the original meaning of the word: a firebreak or barrier that stops the spread of fire and protects what lies behind it. How does a Cloud Permissions Firewall create a protective barrier within the cloud?

By safeguarding cloud permissions, unused identities, cloud services and even entire regions from being misused, whether by an attacker or by a careless insider. Abuse of cloud credentials and permissions runs through the cloud techniques of the MITRE ATT&CK framework (Valid Accounts: Cloud Accounts and Account Manipulation, for example). Protecting them helps prevent successful cloud attacks by slashing the attackable permissions surface.

How does a Cloud Permissions Firewall Work?

A Cloud Permissions Firewall works in a three-pronged approach.

  1. Permission inventory and usage monitoring. The solution inventories all access rights and monitors which permissions are used, which services and regions are accessed, and which identities are active.
  2. Least privilege implementation. The firewall automates the creation and deployment of global policies that restrict access to unused sensitive permissions, services and regions, and quarantines unused identities. Every human and machine identity keeps access to the permissions it needs through an exemptions list, which is adjusted dynamically as your cloud grows or new needs arise. Identities created later fall under a default deny, so they are protected automatically.
  3. On-demand requests. If an identity attempts to use a restricted permission, or a new identity is created with new needs, a request is automatically sent to the relevant approver. If it is granted, the identity is added to the exemptions list. Requests are integrated with ChatOps for quick approvals, so DevOps work is not slowed down; the whole process takes minutes.
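To make the three steps concrete, here is an added Python example. It is not Sonrai's code and says nothing about how their product is implemented; it assumes AWS as the cloud, expresses the global deny policy as an SCP-style JSON document, and runs over a constructed set of CloudTrail-style events. The account id, identities, regions and the list of "sensitive" actions are made up for the illustration, and the evaluator is a simplified model of explicit-deny evaluation (exact principal matching instead of full ARN globbing, and it assumes the identity's own policy would otherwise allow the call).

```python
"""Toy model of a permissions firewall: inventory usage, build a global deny
policy with an exemption list, then handle an on-demand request.
Added example, not Sonrai's code; all identities and events are constructed."""
import fnmatch
import json
from collections import defaultdict

ACCOUNT = "111122223333"  # constructed account id
# Infrastructure-changing actions we want to fence off (constructed list).
SENSITIVE_PERMISSIONS = {
    "iam:CreateUser", "iam:AttachUserPolicy", "ec2:TerminateInstances",
    "s3:DeleteBucket", "kms:ScheduleKeyDeletion",
}
# A region fence must leave global services alone or it breaks IAM/STS itself.
GLOBAL_SERVICES = ["iam:*", "sts:*", "organizations:*", "support:*"]


def arn(kind, name):
    return f"arn:aws:iam::{ACCOUNT}:{kind}/{name}"


KNOWN_IDENTITIES = {arn("role", "deploy"), arn("user", "alice"),
                    arn("role", "reporter"), arn("user", "bob")}  # bob never shows up: dormant

SAMPLE_EVENTS = [  # constructed CloudTrail-style events from the observation window
    {"principal": arn("role", "deploy"), "action": "ec2:TerminateInstances", "region": "us-east-1"},
    {"principal": arn("role", "deploy"), "action": "ec2:RunInstances", "region": "us-east-1"},
    {"principal": arn("user", "alice"), "action": "iam:CreateUser", "region": "us-east-1"},
    {"principal": arn("user", "alice"), "action": "s3:GetObject", "region": "us-east-1"},
    {"principal": arn("role", "reporter"), "action": "s3:ListBucket", "region": "eu-west-1"},
]


def inventory_usage(events):
    """Step 1: which principals used which actions, which regions were touched,
    and which identities were active at all."""
    used_by, regions, active = defaultdict(set), set(), set()
    for e in events:
        used_by[e["action"]].add(e["principal"])
        regions.add(e["region"])
        active.add(e["principal"])
    return used_by, active, regions


def initial_exemptions(used_by, sensitive):
    """Seed the exemption list from observed usage: an identity keeps a sensitive
    permission only if it was seen using it. Anything unseen (including future
    identities) is therefore denied by default."""
    return {action: set(used_by.get(action, ())) for action in sensitive}


def build_firewall_policy(exemptions, active, known, regions):
    """Step 2: one SCP-style document. Each sensitive action is denied for everyone
    except its exempted principals; dormant identities are quarantined; regions
    never seen in use are fenced off (global services excluded)."""
    statements = []
    for action in sorted(exemptions):
        stmt = {"Sid": "Fence" + action.replace(":", ""), "Effect": "Deny",
                "Action": [action], "Resource": "*"}
        if exemptions[action]:  # no condition at all means: denied for everyone
            stmt["Condition"] = {"ArnNotLike": {"aws:PrincipalArn": sorted(exemptions[action])}}
        statements.append(stmt)
    dormant = sorted(known - active)
    if dormant:
        statements.append({"Sid": "QuarantineDormantIdentities", "Effect": "Deny",
                           "Action": "*", "Resource": "*",
                           "Condition": {"ArnLike": {"aws:PrincipalArn": dormant}}})
    statements.append({"Sid": "FenceUnusedRegions", "Effect": "Deny",
                       "NotAction": GLOBAL_SERVICES, "Resource": "*",
                       "Condition": {"StringNotEquals": {"aws:RequestedRegion": sorted(regions)}}})
    return {"Version": "2012-10-17", "Statement": statements}


def _action_matches(stmt, action):
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(action, p) for p in stmt["NotAction"])
    pats = stmt["Action"]
    return any(fnmatch.fnmatchcase(action, p) for p in ([pats] if isinstance(pats, str) else pats))


def _condition_holds(cond, ctx):
    for op, kv in cond.items():
        for key, values in kv.items():
            present = ctx.get(key) in values  # simplified: exact match, no ARN globbing
            if op in ("ArnLike", "StringEquals") and not present:
                return False
            if op in ("ArnNotLike", "StringNotEquals") and present:
                return False
    return True


def is_allowed(policy, principal, action, region):
    """Simplified evaluation: the policy only carries Deny statements, so the call is
    blocked iff some statement matches. Returns (allowed, sid_that_denied)."""
    ctx = {"aws:PrincipalArn": principal, "aws:RequestedRegion": region}
    for stmt in policy["Statement"]:
        if _action_matches(stmt, action) and _condition_holds(stmt.get("Condition", {}), ctx):
            return False, stmt["Sid"]
    return True, None


def request_access(exemptions, principal, action, approved):
    """Step 3: an on-demand request. If the approver grants it, the principal joins
    the exemption list for that action and the regenerated policy lets it through."""
    if action not in exemptions:
        return False  # not a fenced permission, nothing to grant
    if approved:
        exemptions[action].add(principal)
    return approved


def demo():
    used_by, active, regions = inventory_usage(SAMPLE_EVENTS)
    exemptions = initial_exemptions(used_by, SENSITIVE_PERMISSIONS)
    policy = build_firewall_policy(exemptions, active, KNOWN_IDENTITIES, regions)
    new_ci = arn("role", "new-ci")  # an identity created after the policy was rolled out
    results = {
        "deploy_terminate": is_allowed(policy, arn("role", "deploy"), "ec2:TerminateInstances", "us-east-1"),
        "alice_terminate": is_allowed(policy, arn("user", "alice"), "ec2:TerminateInstances", "us-east-1"),
        "alice_getobject": is_allowed(policy, arn("user", "alice"), "s3:GetObject", "us-east-1"),
        "bob_getobject": is_allowed(policy, arn("user", "bob"), "s3:GetObject", "us-east-1"),
        "newci_createuser": is_allowed(policy, new_ci, "iam:CreateUser", "us-east-1"),
        "reporter_apsouth": is_allowed(policy, arn("role", "reporter"), "s3:ListBucket", "ap-south-1"),
        "reporter_iam_apsouth": is_allowed(policy, arn("role", "reporter"), "iam:GetUser", "ap-south-1"),
    }
    request_access(exemptions, new_ci, "iam:CreateUser", approved=True)  # ChatOps approval, simulated
    policy = build_firewall_policy(exemptions, active, KNOWN_IDENTITIES, regions)
    results["newci_after_approval"] = is_allowed(policy, new_ci, "iam:CreateUser", "us-east-1")
    return results, policy


if __name__ == "__main__":
    results, policy = demo()
    print(json.dumps(policy, indent=2))
    for name, (allowed, sid) in results.items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY by ' + sid}")
```

Running `demo()` shows the three behaviours the text describes: `deploy` keeps `ec2:TerminateInstances` because it was observed using it, `alice` and the brand-new `new-ci` role are denied it (default deny), `bob` is quarantined entirely, `reporter` is fenced out of `ap-south-1` except for global IAM calls, and `new-ci` gains `iam:CreateUser` only after the approved request regenerates the policy.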

Why Do Cloud Teams Need One?

Organizations of all sizes have a lot on the line: the cost of operations, expected revenue, compliance obligations, and reputation. All of this is put at risk when permissions are insufficiently managed, which leaves room for sensitive cloud access to fall into the hands of malicious actors, or to be misused by authorized employees.

  • 91% of identities are over-permissioned
  • 62% of identities are unused (dormant)
  • 87% of cloud services are unused *

The most sensitive permissions are the ones that allow cloud infrastructure to be created, built, configured or deleted. If these permissions (or unused identities and services) fall into the wrong hands, attackers can significantly disrupt business operations and even steal data, which translates into severe monetary loss.

Enterprises, especially those operating in multi-cloud environments, face nonstop identity and permission proliferation, which fuels security risk and operational inefficiency. Tens of thousands of permissions and thousands of identities cannot be tracked and managed by hand.

A Cloud Permissions Firewall addresses these challenges by automating permission management, ensuring that only those who need sensitive permissions have them, in a way that does not impede DevOps and offers seamless ad-hoc or emerging access. The result is a significantly better protected cloud, and minimized damage should an attacker breach the perimeter.

*according to Sonrai's internal calculations for an average enterprise

How is This Solution Different or New?

Firstly, a Cloud Permissions Firewall is an entirely new concept. Traditionally, firewalls monitored and controlled network traffic. That approach to managing ‘traffic’ is now applied to permissions and access.

There are many security solutions built to help secure identities or govern access: PAM (privileged access management), IGA (identity governance and administration), IdPs (identity providers), CIEM (cloud infrastructure entitlement management), and so on. This new solution breaks away from all of those products with a different approach. It is not just a governance tool, an inventory, or a risk visibility tool; it takes swift, immediate action for instant risk reduction.

Unlike traditional identity-security solutions, which often require manual intervention and do not scale to large numbers of machine identities or permissions, a Cloud Permissions Firewall automates policy management and makes least privilege achievable. It focuses on securing the most critical permissions and does so in one global, sweeping action.

Additionally, it integrates seamlessly with existing workflows and tools like ChatOps, making it more user-friendly and less disruptive to ongoing operations.

How Does It Help My Team?

Security Teams:

  • Achieve the access gold standard: least privilege
  • Instant attack surface reduction
  • Easy compliance reporting with an identity inventory
  • All access logged for audits

Operations:

  • Relieved from manual policy management
  • Time saved by not managing policies individually
  • Communications and workflows streamlined

Developers:

  • Relieved from security concerns while developing
  • Increased flexibility and creativity
  • Uninterrupted work
  • Easy and automated access approvals

Interested in Sonrai’s Cloud Permissions Firewall?

Read more about the ground-breaking solution, or skip ahead to start a free trial.
