You’ve got identity blindspots in your cloud. It’s inevitable. But how did we get there? And what are these blindspots?
The enterprise departure from on-prem datacenters to cloud changed things. And these fundamental changes are behind a lot of your blindspots. On-prem, most consider the network your security boundary, with a hyper-focus on network management and vulnerability patching. The cloud is a totally different landscape, and an amorphous one at that. In the cloud, identity is considered the security perimeter. With more and more infrastructure represented as code, new identities are building the backbones of cloud. Identities can gather enough privilege to create, modify, even destroy infrastructure. That was never possible in on-premises environments at the scale it is now. Identity is what defines the underpinnings of cloud, so managing it has skyrocketed to the utmost importance for organizations.
On-prem concerns like network controls and posture management (think: turning on encryption, turning on logging, etc.) were one-off concerns. Your tools alerted you to a risk, and there was a clear-cut action to remediate. Managing identity in the cloud couldn’t be more different. It is a never-ending management story, and its solutions are systemic and programmatic ones. Why? Because in the cloud, identities are proliferating. New compute is made every day. These identities can create more identities. Identities can modify their own privileges. At scale, this makes identity management a monumental and constantly evolving beast.
These differences, and the fundamental nature of how identity works in the cloud, have created a new set of emerging challenges. The power, proliferation and constant chase of securing identities have left blindspots in your cloud.
What Are Identity Blindspots?
Identity blindspots are gaps in your visibility. These are the risks you didn’t know you had. Or, if you are already concerned, you can’t get a clear picture of the problem or solution.
What are some common blindspots?
Regardless of your organization’s size, at any given scale, whether a hundred accounts, a thousand, or five thousand, combined with hundreds of developers building new infrastructure daily, you end up with a cloud estate of hundreds of thousands of identities, thousands of workloads, and networks to consider. This is your cloud footprint, and to secure it, you need to see it. This visibility is a major challenge for most.
Effective permissions are the true scope of actions any given identity can take. This sounds easy, but sometimes privilege is covert in the cloud. Privilege can be inherited through trust relationships, managed policies, groups – even from six degrees of separation away. This means sometimes an identity can execute actions not directly assigned to it. This is a dangerous reality. Just because you think you know all the permissions assigned to an identity doesn’t mean you can actually see the true extent of its abilities. Not knowing an identity’s effective permissions leaves you at risk for the next three common identity blindspots:
Toxic combinations are when permissions accumulate or compound to create a toxic end result – an unintended ability. This can come about over time from a human identity joining different roles or teams, each with its own set of permissions, which then combine, or from an attacker doing recon and purposefully seeking out a toxic combination. For example, an attacker could move through your environment looking for the chance to combine a ‘read’ and a ‘delete’ permission, allowing them to exfiltrate the contents of a database and then delete it. What’s concerning is that the permissions in a toxic combination can sit several degrees of separation apart. That is, the role with the ‘read’ permission and the role with the ‘delete’ permission are both reachable for the attacker, but only through several other jumps – this is extremely hard to see.
Lateral movement is when an attacker leverages techniques to progress through an environment. An attacker isn’t necessarily escalating privileges, but instead moving from one identity to another, assuming roles or creating new ones, all looking for the right permissions or pathways allowing them access to whatever they want, presumably your data. Sonrai estimates that around 20 new permissions are created daily in the average enterprise environment. These permissions are the stepping stones that allow an attacker to move laterally. If you cannot see all opportunities for lateral movement creating paths to your data, you’ve got a major blindspot.
Privilege escalation is when an identity can directly or indirectly inherit privilege, increasing its abilities. For example, an identity has the permission to modify roles. While this identity cannot read some sensitive data itself, it can modify another role so that this other role can read the data. The identity can then assume this role and ultimately execute its desired action (reading sensitive data). Another example is a low-level identity with minimal privilege that has access to another service or resource with greater privilege than its own, and then uses that service to perform a desired action.
Most organizations are utilizing vendors, have partners, and/or integrate with other services. All of this increases your attack surface, and the reality is, your third party’s security is now your security. Running blind to third-party environments and security practices leaves your organization at risk. It’s been reported that a majority of recent enterprise breaches actually originated from third-party access.
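As an added illustration (not part of the original article or of any vendor's product), the sketch below computes effective permissions by walking assume-role trust edges and reports a ‘read’ plus ‘delete’ toxic combination together with how many hops away it sits. The identity names, permission strings and the DIRECT / CAN_ASSUME inventory are constructed for the example.

```python
from collections import deque

# Constructed inventory (all names hypothetical): permissions attached
# directly to each identity, and which identities each one may assume.
DIRECT = {
    "dev-alice": {"logs:read"},
    "role-ci": {"artifact:write"},
    "svc-batch": set(),
    "role-reporting": {"db:read"},
    "role-cleanup": {"db:delete"},
}
CAN_ASSUME = {
    "dev-alice": ["role-ci"],
    "role-ci": ["svc-batch"],
    # The edge back to role-ci forms a cycle the traversal must tolerate.
    "svc-batch": ["role-reporting", "role-cleanup", "role-ci"],
}
# Permission sets that should never be reachable by a single identity.
TOXIC = [frozenset({"db:read", "db:delete"})]

def effective_permissions(identity):
    """Breadth-first walk of trust edges; returns {permission: shortest path granting it}."""
    paths = {identity: [identity]}
    queue = deque([identity])
    grants = {}
    while queue:
        node = queue.popleft()
        for perm in DIRECT.get(node, ()):
            grants.setdefault(perm, paths[node])  # first hit is the shortest path
        for nxt in CAN_ASSUME.get(node, ()):
            if nxt not in paths:                  # visited check stops cycles
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return grants

def toxic_findings(identity):
    """List (permissions, hops) for every toxic set fully reachable by identity."""
    grants = effective_permissions(identity)
    findings = []
    for combo in TOXIC:
        if combo <= set(grants):
            hops = max(len(grants[p]) - 1 for p in combo)
            findings.append((sorted(combo), hops))
    return findings

if __name__ == "__main__":
    for who in DIRECT:
        print(who, sorted(effective_permissions(who)), toxic_findings(who))
```

Here dev-alice holds only ‘logs:read’ directly, yet the audit shows both database permissions are reachable three hops away.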
Identity and Access History
Identity behavior and access history means understanding what your identities can do, are doing, and what and who is accessing your data. This insight is important for two reasons. First, it allows you to monitor for deviations and detect suspicious activity in real time. If you have a secure baseline of what identity and data behavior should look like, and monitoring capabilities, you can detect malicious identity behavior. Second, it helps clean up your environment. Unused roles, unused permissions and dormant identities are all sitting ducks, increasing your attack surface and waiting to be exploited. If you see certain identities or permissions unused for 30, 60, 90 days, your team can remediate and entirely remove the ability for these entities to be exploited. These efforts prevent attacks before they can even happen.
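The cleanup check described above can be sketched as follows. This is an added example, not code from the original article: it buckets each granted permission by how long it has gone unused (30, 60, 90 days, or never) and lists identities that are fully dormant. The inventory, the audit events and the fixed reference date are constructed.

```python
from datetime import datetime

NOW = datetime(2024, 6, 30)  # fixed "today" so the constructed sample is reproducible

# Constructed inventory of grants per identity (all names hypothetical).
GRANTED = {
    "role-etl": {"db:read", "db:write", "bucket:delete"},
    "svc-legacy": {"queue:send"},
    "dev-bob": {"db:read"},
}
# Constructed audit events: (timestamp, identity, permission exercised).
AUDIT_LOG = [
    ("2024-06-28T09:00:00", "role-etl", "db:read"),
    ("2024-05-15T12:30:00", "role-etl", "db:write"),
    ("2024-02-01T08:00:00", "svc-legacy", "queue:send"),
    ("2024-06-29T17:45:00", "dev-bob", "db:read"),
]

def last_used(events):
    """Most recent use of each (identity, permission) pair seen in the log."""
    latest = {}
    for ts, ident, perm in events:
        when = datetime.fromisoformat(ts)
        if when > latest.get((ident, perm), datetime.min):
            latest[(ident, perm)] = when
    return latest

def stale_grants(granted, events, now=NOW, thresholds=(30, 60, 90)):
    """Map each idle grant to the largest threshold it exceeds, or 'never' if unused."""
    latest, report = last_used(events), {}
    for ident, perms in granted.items():
        for perm in perms:
            seen = latest.get((ident, perm))
            if seen is None:
                report[(ident, perm)] = "never"
                continue
            exceeded = [t for t in thresholds if (now - seen).days >= t]
            if exceeded:
                report[(ident, perm)] = max(exceeded)
    return report

def dormant_identities(granted, events, now=NOW, days=90):
    """Identities whose every grant has been idle for `days` or was never used."""
    report = stale_grants(granted, events, now, thresholds=(days,))
    return sorted(i for i, perms in granted.items()
                  if perms and all((i, p) in report for p in perms))

if __name__ == "__main__":
    print(stale_grants(GRANTED, AUDIT_LOG))
    print(dormant_identities(GRANTED, AUDIT_LOG))
```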
You cannot protect what you cannot see. Security starts with visibility. If you don’t have visibility, you have cloud blindspots.
These common identity blindspots are exacerbated in the cloud versus on-prem because of the amorphous nature of cloud. The cloud ebbs and flows: it is dynamic, leveraging elastic workloads, constantly commissioning and decommissioning, and spinning up workloads for 30 seconds at a time. This change creates so much more opportunity for an attacker to sit, watch, and exploit. If an attacker is in your environment, all they might need is that one identity in use for 30 seconds. Securing that blip in time is extremely difficult.
Revealing Identity Blindspots
Go back to the start. Ask the simple questions. Who should be here? Who should have these controls? Get an inventory of your identities and the entities they have access to – workloads, datastores, etc.
Understand their effective permissions – the true scope of any given identity’s ability.
Monitor. Ingest audit logs and action data. Who shouldn’t be here? Who hasn’t used these privileges they’ve been given? Does this identity need to access this?
Rinse and repeat into a programmatic approach.
The first step is recognizing there may be areas of your cloud you do not understand or cannot see – we’ll help you take that second step.