Least Privilege Policy in the Cloud


Maintaining cloud security is paramount for every organization, regardless of size, and one of the biggest problems companies face is excessive privilege. Amazon Web Services alone defines over 10,000 distinct IAM actions, permissions that allow identities to read, write and manage data and infrastructure. All it takes for a breach is an attacker compromising a single user’s credentials or a single IAM role. If that identity holds privileges it never needed for its job, the attacker inherits them too and can reach data far more sensitive than anything the compromised account’s owner actually worked with. With that worst case in mind, let’s discuss how a least privilege policy helps your organization manage its permissions.

Achieving the principle of least privilege means granting employees, and every other identity with access to data, only the permissions strictly necessary to do their job. The privilege to take an action, or even to read data, applies not only to humans but also to non-human identities such as applications, service accounts, automation, IoT devices and AI agents.

Weak identity management is potentially a modern company’s greatest security concern. Forbes reported that in recent years approximately 74 percent of data breaches traced back to ineffective management of access privileges. When people throughout an organization hold more privileges than they need, both the likelihood of those privileges being misused and the damage a compromised account can do increase. Once you’ve decided to pursue least privilege, the next step is implementing some type of identity management tooling.

Building a Least Privilege Policy

Granting human and non-human identities just enough permission to do their jobs requires an organization to create, update and manage a specific policy proactively. The policy needs not only an initial cleanup that limits identity privileges, but ongoing management and updating. As an organization evolves, more identities accumulate privileges and permissions over time, yet there is often no process in place to remove the ones that are no longer needed. On both Azure and AWS, the provider also ships its own roles and policies (AWS managed policies and Azure built-in roles) that you cannot edit; you can choose not to attach them, but developers are often unaware of how broad some of them are and of the risk that comes with using them.

Moving from one provider to another often creates privilege problems as well, so when you change cloud providers, reevaluate the privilege status of every account. Your policies must keep a continuous, comprehensive inventory of identities so that you retain control over their privileges. Permissions in the cloud operate at several levels, including read, write and management actions, and you need not only to create and update identities and their privileges, but to continually reevaluate which level and type of privilege each identity actually needs. Continuous monitoring lets you deactivate unnecessary privileges promptly.

Where do you start? Inventory every identity’s permissions and privileges, then eliminate the ones that are unnecessary. End-to-end management and transparency are also critical. For the best protection, every team and department should implement the least privilege policy; it is not just a practice for the security team. Many teams use a Cloud Infrastructure Entitlement Management (CIEM) solution to help them.

The flexibility that comes with operating in the cloud also poses substantial risks, so your entire cloud infrastructure should be governed by one streamlined policy. That policy needs four major elements:

1. Continuous visibility from end to end.

2. Automated prevention and remediation.

3. Getting to least privilege, and then maintaining it.

4. Continuous monitoring to sustain the highest level of security.

Managing Your Data for Least Privilege

A cybercriminal needs only a few permissions to wreak havoc with your data, and there are often thousands available: AWS alone has over 10,000 IAM actions spread across its services. All an attacker needs to cause a data breach is an IAM role or other credential that holds s3:GetObject. S3 buckets are not public by default, but if that permission is granted with a wildcard resource rather than scoped to specific buckets and prefixes, every object in the account’s buckets is readable with that one credential.

Several data breaches in the news trace back to excessive privileges on resources and permissions, and we can learn from them. One of the largest was the Capital One breach, announced on July 29, 2019, in which an attacker accessed the credit card applications of roughly 100 million people. The permissions that made the data reachable were the ability to list S3 buckets and get objects from them, and the breach later cost Capital One an $80 million regulatory penalty. The attack path ran through just two permissions; that is all it takes. Privilege escalation in the cloud works the same way. Lateral movement in the cloud means compromising one identity and using it to gain access to others, for example by assuming roles that trust it, until an identity with the needed sensitive permission is reached. Many people assume that least privilege on each identity alone protects against lateral movement, but in the cloud a handful of permissions chained across identities is enough to produce this movement, and the next stop is your most critical systems.
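
To make the two-permission attack path concrete, here is an added Python example; it is not code from the original article or from Sonrai Security. It models a handful of hypothetical identities and policies and searches for a chain from a compromised identity, through sts:AssumeRole trust relationships, to an identity that can read a target S3 object. The account id, ARNs and policies are constructed, and the evaluator is a deliberate simplification of IAM: Allow/Deny statements with * and ? wildcards only, no Condition keys, permission boundaries or service control policies, and a role is treated as assumable only when the caller’s own policy allows sts:AssumeRole on it and the role’s trust policy names the caller.

```python
"""Attack-path search over IAM identities chained by sts:AssumeRole.

Added example with constructed data. The evaluator is a deliberate simplification
of IAM: Allow/Deny statements with * and ? wildcards, no Condition keys, no
permission boundaries or SCPs, and a role is assumable only when the caller's
policy allows sts:AssumeRole on it AND the role's trust policy names the caller.
"""
from collections import deque
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(statements, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins; otherwise any matching Allow."""
    allowed = False
    for st in statements:
        # IAM action names match case-insensitively; ARNs are case-sensitive.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


ACCOUNT = "111122223333"  # constructed account id
ALICE = f"arn:aws:iam::{ACCOUNT}:user/dev-alice"
AUDITOR = f"arn:aws:iam::{ACCOUNT}:user/auditor"
CI_DEPLOY = f"arn:aws:iam::{ACCOUNT}:role/ci-deploy"
DATA_READER = f"arn:aws:iam::{ACCOUNT}:role/data-reader"
SCOPED_READER = f"arn:aws:iam::{ACCOUNT}:role/scoped-reader"

# Constructed identities: "policy" is the identity-based policy, "trust" lists the
# principal ARNs the role's trust policy allows to assume it (empty for users).
IDENTITIES = {
    ALICE: {
        "policy": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                    "Resource": [CI_DEPLOY, SCOPED_READER]}],
        "trust": [],
    },
    AUDITOR: {
        "policy": [{"Effect": "Allow", "Action": "cloudtrail:LookupEvents", "Resource": "*"}],
        "trust": [],
    },
    CI_DEPLOY: {
        # "sts:AssumeRole on *" is the kind of convenience grant that builds attack paths.
        "policy": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
                   {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
        "trust": [ALICE],
    },
    DATA_READER: {
        # The two permissions from the text, unscoped: list every bucket, read every object.
        "policy": [{"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetObject"],
                    "Resource": "*"}],
        "trust": [CI_DEPLOY],
    },
    SCOPED_READER: {
        # Least-privilege counterpart: read access confined to one bucket.
        "policy": [{"Effect": "Allow", "Action": "s3:GetObject",
                    "Resource": "arn:aws:s3:::public-assets/*"}],
        "trust": [ALICE],
    },
}


def assume_edges(identities):
    """Directed edges src -> dst where src can assume role dst under the simplified rule."""
    edges = {arn: [] for arn in identities}
    for src, src_def in identities.items():
        for dst, dst_def in identities.items():
            if src == dst:
                continue
            trusted = src in dst_def["trust"] or "*" in dst_def["trust"]
            if trusted and is_allowed(src_def["policy"], "sts:AssumeRole", dst):
                edges[src].append(dst)
    return edges


def find_attack_path(identities, start, action, resource):
    """Breadth-first search from a compromised identity to one whose policy grants
    `action` on `resource`; returns the shortest chain of ARNs, or None."""
    edges = assume_edges(identities)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if is_allowed(identities[path[-1]]["policy"], action, resource):
            return path
        for nxt in edges[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    target = "arn:aws:s3:::customer-records/exports/credit-apps.csv"
    for who in (ALICE, AUDITOR):
        path = find_attack_path(IDENTITIES, who, "s3:GetObject", target)
        print(who.split("/")[-1], "->",
              " -> ".join(p.split("/")[-1] for p in path) if path else "no path")
```

Run stand-alone, the developer user reaches the sensitive object in two hops (dev-alice assumes ci-deploy, which may assume anything, and ci-deploy assumes data-reader, which can read every bucket), while the auditor has no path. Neither dev-alice nor ci-deploy holds any S3 permission of its own, which is exactly why evaluating each identity in isolation misses the exposure: the two dangerous grants are the unscoped sts:AssumeRole on ci-deploy and the wildcard s3:GetObject on data-reader, and scoping either one breaks the chain.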

Data access management, however, is not as simple as removing privileges. It’s essential to evaluate each identity and its effective permissions, because removing too many hinders your operations and your employees’ ability to do their jobs. Evaluate each individual privilege on an ongoing basis and decide whether it is still necessary.

Implementing Least Privilege

The principle of least privilege (PoLP) helps mitigate these identity and data risks by limiting the access identities have to data. Reducing the number of identities with elevated privileges makes it far harder for a bad actor to reach sensitive information. Implementing PoLP in the cloud can be done in a few steps:

1. Define your least privilege policies.

2. Assign roles and permissions to identities based on their job function.

3. Monitor identity activity and audit logs regularly.

4. Restrict access to sensitive data as much as possible.

5. Educate your employees on the importance of least privilege best practices.
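
Steps 2 and 3 above (assigning permissions by job function, then auditing activity), together with the inventory-and-remove loop described under Building a Least Privilege Policy, are the core of what a CIEM tool automates. The following added Python example shows that loop on constructed data; it is not code from the original article or from Sonrai Security. It expands a role’s granted actions against a small hypothetical action catalog, derives the actions the role actually called from a few constructed CloudTrail-style records (unwrapping assumed-role sessions to the underlying role), and emits a tightened statement that keeps only the used actions. The account id, ARNs, catalog and events are all assumptions, and mapping eventSource plus eventName to an IAM action is a simplification: for some services the CloudTrail event name and the IAM action name differ.

```python
"""Right-size an IAM statement against observed activity.

Added example with constructed data. Granted wildcards are expanded against a
tiny hypothetical action catalog (the real one has well over 10,000 entries) and
usage is derived from abbreviated CloudTrail-style records. Mapping
eventSource + eventName to an IAM action is a simplification: for some services
the CloudTrail event name and the IAM action name differ.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed account id
CI_DEPLOY = f"arn:aws:iam::{ACCOUNT}:role/ci-deploy"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/dev-alice"

# Hypothetical catalog the expander resolves wildcards against.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:ListAllMyBuckets", "ec2:DescribeInstances", "ec2:StartInstances",
    "ec2:TerminateInstances", "iam:PassRole", "iam:CreateAccessKey",
]

# The statement attached to the role today: convenient, and far too broad.
GRANTED_STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:*", "ec2:Describe*", "iam:PassRole"],
    "Resource": "*",
}


def _role_event(name, source):
    """Constructed record for a call made with an assumed-role session: userIdentity.arn
    is the session ARN, and the role itself is in sessionContext.sessionIssuer."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/build-42",
                             "sessionContext": {"sessionIssuer": {"arn": CI_DEPLOY}}}}


CLOUDTRAIL_EVENTS = [  # constructed, abbreviated CloudTrail-style records
    _role_event("GetObject", "s3.amazonaws.com"),
    _role_event("PutObject", "s3.amazonaws.com"),
    _role_event("GetObject", "s3.amazonaws.com"),
    _role_event("DescribeInstances", "ec2.amazonaws.com"),
    # Activity by a different identity must not count toward the role.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": ALICE}},
]


def expand_actions(patterns, catalog=ACTION_CATALOG):
    """Resolve IAM action wildcards (matched case-insensitively) to catalog entries."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return {a for a in catalog for p in patterns if fnmatchcase(a.lower(), p.lower())}


def principal_of(event):
    """IAM user or role ARN behind an event, unwrapping assumed-role sessions."""
    ident = event["userIdentity"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn", ident.get("arn"))


def observed_actions(events, identity_arn):
    """Actions the identity actually called, as service-prefix:EventName."""
    used = set()
    for ev in events:
        if principal_of(ev) == identity_arn:
            used.add(f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}")
    return used


def right_size(statement, events, identity_arn, catalog=ACTION_CATALOG):
    """Compare granted vs used actions and build a statement limited to what was used."""
    granted = expand_actions(statement["Action"], catalog)
    used = observed_actions(events, identity_arn) & granted
    tightened = dict(statement, Action=sorted(used))  # keeps the original Resource scope
    return {"granted": granted, "used": used, "unused": granted - used,
            "tightened_statement": tightened}


if __name__ == "__main__":
    result = right_size(GRANTED_STATEMENT, CLOUDTRAIL_EVENTS, CI_DEPLOY)
    print("unused, candidates for removal:", sorted(result["unused"]))
    print("tightened statement:", result["tightened_statement"])
```

Against the constructed records the role used three of its seven effective actions; s3:DeleteObject, the two list actions and iam:PassRole are flagged as removal candidates. Two caveats follow from the text above: the observation window must be long enough to cover rare but legitimate tasks, or the tightened statement will break them, and narrowing Action alone still leaves Resource at "*", so the next pass should use the resource names in each event’s request parameters to scope that too. On AWS itself, IAM’s last-accessed information and IAM Access Analyzer’s policy generation from CloudTrail perform the same comparison at scale.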

Least privilege is one of the most important concepts in cloud security, and by following these simple steps you can help protect your organization from bad actors. If you want to learn more about the use cases for identity security, contact Sonrai Security.