Looking back over the past 6 years, and being focused primarily on cloud security with organizations of all sizes and complexity, it is not a stretch to say that most are doing it wrong. One of the biggest problems companies face regarding security is excessive privileges, yet most do not focus enough on this; which is to their own detriment. For example, in AWS, there are over 10,000 different IAM actions. These permissions include read, write, and management actions. With all this complexity and lack of focus on cloud identities as a fundamental part of a modern security program, I see time and time again huge risks in people’s clouds due to over-permissioned cloud Identities. All a bad actor would need is to leverage one of these overly permissive identities and it is game over. That being said, don’t worry there is hope.With the right focus and approach, you can discover and manage the Identity risk in your cloud.
The Principle of Least Privilege has always been a central tenet of any security program and in the cloud, it takes on an increased level of importance. Simply put, it means granting an Identity only the bare minimum privileges needed to perform its intended function. On the flip side, it also includes providing the bare minimum of access privileges to your data. In the cloud, this applies not only to people, but also to non-people entities such as Roles, Service Principles, virtual machines, data stores, and serverless functions.
Lack of least privilege and identity management is potentially a cloud company's biggest security problem leading to data breaches. According to Forbes, in recent years approximately 74 percent of all data breaches were due to ineffective control over access privileges. When Identities throughout a cloud environment are over privileged the likelihood of exploitation increases. Managing least privilege will require implementing some type of cloud identity and entitlement management tool to not only get you to least privilege but more importantly, to enable you to stay there.
Allowing identities just enough permissions to perform their jobs adequately requires an organization to create, update and manage their Least Privilege policy proactively. However, this is not nearly enough to keep you protected. What is needed is a Least Privilege Standard, and one that defines the types of Identities required and what their permissions need to be. This document, if created as a cross-organizational effort, establishes a baseline for your cloud and helps to remove ambiguity for your teams using the cloud. With this document, your teams can then simply select the Identities they need to achieve their goal. This process is a win-win for everyone -- Identity risk is managed and the Ops teams do not have to design yet another role, ultimately saving them time.
It is important to note that this needs to be a living document where, as business needs change, there is a process in place to update the standard and ensure that it continues to be effective and not a roadblock. If it becomes a roadblock, you will have rogue Identities in your cloud and surely not least privileged ones.
The key to Least Privilege in the cloud is not just getting there, but maintaining that position. You need to not only create identities at least privilege, but continually reevaluate each level and type of privilege that is required for your Identities. Continuous monitoring requires setting a baseline and then looking for deviations from that baseline. When a deviation is found, you need to react as quickly as possible to minimize the risk by getting back to the least privilege to ensure the offending Identity cannot be exploited.
A Step-by-Step Process
This starts by inventorying all of your identities as they truly exist in your cloud, and not what you see in Active Directory or another traditional Identity management solution. You then need to determine the effective, or end-to-end, permission for each identity. These two areas are where I see most organizations fail to effectively understand the risks. They often have an incomplete inventory and are blind to the full permission set of the Identities they are aware of. The next step is to drive all your Identities to least privilege. Once you do this, you have now set your baseline. With a solid baseline in place, you need to continuously monitor each and every Identity looking for deviations to their effective permissions and when those occur, remediate them as quickly as possible. In parallel, you need to continuously monitor for new Identities being created in your cloud, determine their effective permissions and evaluate if it meets your least privilege standard or if it is a new risk that has been introduced. This all needs to be done at the scale and speed of the cloud, which begs for automation so that you always have a clear picture of risk in your cloud and the appropriate mechanisms in place to manage within your risk threshold.
When it comes to data breach management, all a bad actor needs is an overly permissive Identity to wreak havoc in your cloud. Unfortunately, from what I’ve seen over the years there are often many that are available to a criminal user. To make things worse, these vulnerabilities are often unknown to the teams responsible for operating and securing their cloud.
There are several high-profile cases of data breaches linked to excessive privileges in the cloud. One of the largest to occur was a cyberattack at a major US financial institution where the attacker had access to approximately 100 million credit applications. It all came down to an over-permissioned Identity on a virtual machine. You might ask, what access did the attackers gain that led to an $80 million dollar data breach; just two permissions: S3:ListBucket to find the sensitive data and S3:GetObject to move it out of the environment. That's all that it took.
Data breach management is not as easy as just removing an identity’s privileges. It's essential to continuously evaluate each identity’s effective permissions to ensure that the risks are balanced. Removing too much can hinder your operation and your employee's ability to do their jobs effectively. Yet having too much can lead you into trouble. You need to evaluate each individual privilege on an ongoing basis and decide if it's necessary. Once established, you need to continuously monitor for deviations and when they are found, respond at the speed and scale of the cloud to manage the risk.
Sonrai Security provides your organization with a cloud security platform that can de-risk your cloud by finding vulnerabilities, helping you repair them, and preventing future problems from occurring. Sonrai Security provides the data breach management tools and products necessary to not only achieve Least Privilege across your clouds, but also help you manage and maintain the least privilege going forward.
Sonrai’s CIEM functionality does this by inventorying all identities and data relationships enabling you to establish a baseline, continuously monitoring it for deviations, and taking the actions required to fix the issue. Using our patented graphing technology, we visualize all access paths to enable you to find the issue and take action. Sonrai Security can help organize your cloud structure into "lanes" that reflect your organization's need for control and monitoring of access.
Learn more about least privilege and how your organization can manage permissions and reduce data breaches. Contact Sonrai Security for more information on secure solutions and services.