6 mins to read
Sonrai Security hosted the inaugural ACCESS: The Cloud Identity, Access, and Permissions Summit this October. The ACCESS Summit is a free, virtual, and learning-based summit gathering cloud experts and leaders together to share their best practices and experience with achieving better enterprise cloud security.
The agenda consisted of nine speakers, two entertainment breaks and a networking session to close it all out. Who was presenting?
- Chad Lorenc from Amazon Web Services
- Chris Kirschke from Albertsons
- Simon Gooch & Johan Lund from Accenture
- Ashish Rajan from Kaizenteq Ltd & The Cloud Security Podcast
- Eric Kedrosky from Sonrai Security
- Amanda Fennell & Darian Lewis from Prove Inc.
- Sandy Bird from Sonrai Security
- All hosted by Karen Levy and Jeff Moncrief from Sonrai Security.
Every presentation offered unique learnings spanning across machine identity management, justification of security solutions to stakeholders, cloud identity risks, and lessons from a live hack where attendees got to walk in the shoes of an attacker. Every session is worth a watch, but for now, we’ll call out some of our favorite takeaways.
Let’s get into it – here are the best ‘moments’ from our amazing presenters:
1. Nobody wants to buy your least privilege
Chad Lorenc from AWS kicked off the event with his keynote, titled, ‘Accelerate Identity Security Maturity in the Cloud.’ Chad confidently stated if listeners walked away with one learning it was this moment – ‘nobody wants to buy your least privilege.’ What does that mean?
Chad continued to explain that least privilege is a wonderful security principle, but it is a horrible boardroom technique. Least privilege is not a strategy to adopt just for the sake of it, but instead, Chad suggests least privilege is a means to an end. Teams want to lead with business objectives – reducing risk, eliminating human error, meeting compliance, and streamlining operations – least privilege is just a way to accomplish those objectives.
For example, start with driving down risk, decide what business objective it is you’re focusing on, determine the metrics to measure it, find your highest risk data, and work backwards to build your security program around meeting your objective.
Chad then insists that business objectives should have measurable metrics tied to them. You should be able to quantifiably show how much a least privilege program is monetarily saving your organization versus manual, insecure or inefficient processes.
2. Wall of shame? More like hall of fame
Picture this: your team has identified a major business objective they want to meet and they’ve built the case for buying a third-party solution to make that happen. You deploy that solution and boom – it’s a scary sight!
In his session, ‘From Strategy to Execution: How to Close Identity Security Gaps in the Cloud,’
security leader, Chris Kirschke, says: ‘don’t worry about the law of large numbers.’ When your team is responsible for major security initiatives and you’re dealing with stakeholders and reporting on progress, Chris empowers practitioners to draw the line in the sand and manage expectations in those communications. Communicate that you’ll hit the risky stuff first. Focus on looking left and making changes in the development process to actually avoid some of those security issues in the first place.
Why’s he think that? Well, Chris recommends against the ‘wall of shame’ approach – focusing on how many vulnerabilities you’re missing or how slow remediation is – it doesn’t work. Instead, enable your team to ‘walk to the hall of fame.’
Apparently, Karen loves that!
3. Achieving the same goals (as PAM & IGA) with different tools
Simon Gooch & Johan Lund from Accenture joined Sandy Bird in their session, ‘Closing the Security Void Left by PAM and IGA in the Cloud.’ Privileged Access Management and Identity Governance and Administration are long-time trusted solutions and security principles to properly govern digital identities. However, cloud security vendors (like Sonrai) are calling attention to their antiquated nature when it comes to securing cloud identities.
Johan asserts “Cloud is unique in this space in the sense that a machine identity doesn’t really fit in the same sense of the traditional IGA or traditional PAM view. You can’t vault a machine identity and you definitely can’t put some session monitoring in place when it’s being deployed to do automation. And so, I think it’s definitely unique, it’s different.”
There’s numerous reasons traditional PAM and IGA tools don’t cut it in the cloud (you can read our CIEM vs PAM and CIEM vs IGA blogs to learn more,) but Simon Gooch calls out an enlightening point in the session.
Simon asserts that cloud identity management needs an evolution and extension of PAM and IGA – these first generation solutions can’t be ignored. We still want to apply the principles behind PAM and IGA, but the mechanism behind achieving them is different in the cloud – it requires different solutions. Simon calls out the need for learning a new ecosystem (the cloud), extrapolating the principles from IGA and PAM, and finding a new way to achieve them.
Sandy summarizes the point in one go: “The tools might be different, but the same goals get achieved.”
4. “You are now this identity”
There aren’t many things cooler than watching a live hack – and that’s what Jeff Moncrief is best at – stepping into the shoes of our adversary. Jeff presents a cloud attack path and discusses the implications in his session, ‘Live Hack: The Anatomy of a Cloud Attack.’ There’s one pivotal moment we found to be especially worth noting.
So to set the stage: Jeff searches for compromised credentials in a repository – this is a common way attackers compromise your cloud – credentials unintentionally left hardcoded in public spaces. He finds an access key via a PIM file. He then finds the matching endpoint through another file in the repo that lets him know this has got something to do with an AWS workload, the S3 service, and a lambda function in prod. With all of this, he begins the attack in his command line. He logs into AWS with the compromised identity. He issues the command IAM:listroles to see every role he can assume.
But! Here’s the key moment. Jeff knows from his earlier recon on the github repo, that the access key he found has something to do with a Lambda function in prod – so if he can find that identity he can do serious damage. He lists all contents from the home directory. He finds LambdaBucketPolicy.JSON…Bingo.
Listing the contents of the file. There’s a role for another account called MedicalResultsReader. Sounds enticing. Jeff assumes the role.
“You have to understand how to generate the credential, set the environment variables for the secret access key, the session token and the AWS access key, all right here. When you do that, you are now this identity right here, okay?”
It is this moment we want to highlight. At this point in the attack, an adversary has become an entirely new persona, they have privilege escalated and they have moved laterally. This entire attack relies on the abuse of cloud identities and their permissions. In this case, a cross-account trust relationship that actually moves backwards allows a Sandbox identity to privilege escalate into a Prod environment. This cannot be seen by ANY traditional IAM tool or cloud-native identity governance solution.
From here, now that Jeff is this new persona, he is able to list the contents of prod S3 buckets and acquire billing information including credit card information. Voila!
5. Without proper governance, your security best practices have a shelf life
Joe South asserts that proper IAM governance precedes any sort of security best practices or ‘secure by default’ principles in his session, ‘Mapping the Battlefield by Untangling Cloud IAM.’ Joe explains sufficient governance and the right policies in place are what enforce continuous security – and without them, ‘your good security practice has a timer on it.’
To illustrate his claim, he shares an anecdote from his own work experience. At a previous job, Joe’s organization confidently turned down deploying a Data Loss Prevention solution in a certain environment because ‘there’s no way this data is gonna leave [the] environment’ and it was ‘totally safe.’ Joe took this as a challenge!
Sure enough, he was able to exfiltrate the data.
He summarizes his takeaway message: ‘you need to have good strong policies in place that enable the security team to have the teeth they need to actually execute on good security practices.’
Watching the ACCESS Summit
If you enjoyed these brief moments from just a few of our ACCESS summit presenters, you can enjoy the entire experience on-demand.
Every session is available on our site, with accompanying resources and content to continue learning more.
