How to think about the Principle of Least Privilege in a cloud native world
June 6, 2020
Verizon’s seminal annual analysis of cybersecurity breaches revealed that misconfigurations saw the highest growth year-over-year (4.9%) among all threat actions it analyzed. But as we’ve seen from some of the most high-profile cloud data breaches in the past year, misconfigurations are just the tip of the iceberg.
The real damage from most misconfigurations can be avoided through the Principle of Least Privilege. Sounds simple, right…?
The Principle of Least Privilege is one of the most fundamental and important concepts in cloud infrastructure security, but is quite often seen as the holy grail. Even the most mature security programs try to achieve it, but for most, it’s elusive.
I recently wrote about why determining least privileges for cloud infrastructure identities is complex and hard in IT Pro Portal, which covers the following:
- Determining what privileges or permissions are needed for a set of identities — at scale — across an organization’s multi-cloud or hybrid cloud environment with years of privilege creep is nearly impossible. The article explores how to know when an identity needs the privileges or permissions to perform a certain job.
- It requires visibility into how permissions are being used, determining additional permissions needed to perform an operation on a specific resource, granting them on request to perform that operation, and then revoking them. In the article, I discuss the steps required for this dynamic approach.
The key is focusing on the gap between the permissions an identity requires to do its job and all the permissions it has been granted and might possibly need at any point in time. In other words, the goal is to deliver a comprehensive authorization model based on permissions used as opposed to permissions granted, which puts the holy grail within reach.
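To make the "permissions used versus permissions granted" gap concrete, here is an added example (my own illustration, not code from the article or from any vendor tooling). It expands a constructed, over-broad IAM-style policy into concrete actions, derives the actions an identity actually exercised from a constructed, CloudTrail-like usage log inside a lookback window, and reports the unused grants together with a right-sized policy containing only what was used. The action catalogue, policy, identity name and log events are all constructed sample data; the log shape is deliberately simplified.

```python
from fnmatch import fnmatchcase
from datetime import datetime, timedelta

# Constructed catalogue of actions that wildcards can expand to. A real cloud
# provider publishes thousands of actions; these are illustrative only.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket", "s3:PutBucketPolicy",
    "iam:ListRoles", "iam:CreateRole", "iam:AttachRolePolicy",
    "ec2:DescribeInstances", "ec2:TerminateInstances",
]

# Constructed policy for a hypothetical CI deploy role, showing typical
# privilege creep: an "s3:*" wildcard plus IAM rights nobody remembers adding.
GRANTED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:CreateRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ]
}

# Constructed usage log (simplified CloudTrail-like records). Only successful
# calls count as "used"; denied attempts and other identities are ignored.
USAGE_LOG = [
    {"identity": "ci-deploy-role", "action": "s3:GetObject", "time": "2020-05-01T10:00:00", "outcome": "success"},
    {"identity": "ci-deploy-role", "action": "s3:PutObject", "time": "2020-05-03T11:30:00", "outcome": "success"},
    {"identity": "ci-deploy-role", "action": "s3:ListBucket", "time": "2020-05-20T09:15:00", "outcome": "success"},
    {"identity": "ci-deploy-role", "action": "ec2:DescribeInstances", "time": "2020-05-28T16:00:00", "outcome": "success"},
    {"identity": "ci-deploy-role", "action": "iam:AttachRolePolicy", "time": "2020-05-29T08:00:00", "outcome": "denied"},
    {"identity": "other-role", "action": "s3:DeleteBucket", "time": "2020-05-29T08:00:00", "outcome": "success"},
]


def granted_actions(policy, catalog=ACTION_CATALOG):
    """Expand every Allow statement (wildcards included) into concrete actions."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            granted.update(a for a in catalog if fnmatchcase(a, pattern))
    return granted


def used_actions(log, identity, window_days, now):
    """Actions the identity successfully invoked within the lookback window."""
    cutoff = now - timedelta(days=window_days)
    used = set()
    for event in log:
        if event["identity"] != identity or event["outcome"] != "success":
            continue
        if datetime.fromisoformat(event["time"]) >= cutoff:
            used.add(event["action"])
    return used


def privilege_gap(policy, log, identity, window_days=90, now=None):
    """Compare granted against used; 'unused' is the excess privilege to review."""
    now = now or datetime(2020, 6, 1)  # fixed 'now' so the sample data is reproducible
    granted = granted_actions(policy)
    used = used_actions(log, identity, window_days, now)
    return {
        "granted": granted,
        "used": used,
        "unused": granted - used,            # candidates for revocation
        "used_not_granted": used - granted,  # should be empty; non-empty means the log and policy disagree
    }


def right_sized_policy(gap):
    """Build a single Allow statement containing only the actions actually used."""
    return {"Statement": [{"Effect": "Allow", "Action": sorted(gap["used"]), "Resource": "*"}]}


if __name__ == "__main__":
    gap = privilege_gap(GRANTED_POLICY, USAGE_LOG, "ci-deploy-role")
    print("granted but unused:", sorted(gap["unused"]))
    print("proposed policy:", right_sized_policy(gap))
```

Two caveats a practitioner should keep in mind when using log-derived policies. First, the lookback window is the main tuning knob: a 90-day window keeps the four S3 and EC2 actions the role exercised, while a 10-day window would strip everything but `ec2:DescribeInstances`, so rarely exercised but legitimate actions (quarterly jobs, break-glass operations) will fall out of the generated policy. That is exactly why the dynamic grant-on-request-then-revoke step matters: the right-sized policy is a baseline, not the final answer. Second, this example only narrows actions; the `Resource` field stays as `"*"`, and real least privilege also scopes which buckets, roles or instances each action may touch.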
I invite you to read the article in full and comment here to share your perspective.
Post by Raj Mallempati