Learning from SolarWinds to Secure Your Cloud Infrastructure: An Azure Risk AssessmentFebruary 27, 2021
Author: Raj Mallempati
It’s going to take months for companies to get a full grasp of the impact the SolarWinds breach has had on organizations—if ever. As breached organizations continue assessing the effects to their business, there is one thing we know for sure: Fortifying public cloud, multi-cloud and private cloud architectures is critical to all enterprises, and many organizations are not as prepared as they should be.
Our CloudKnox Threat Labs researchers did a deep dive into exploring the SolarWinds risk in the context of the Azure cloud infrastructure and provided our recommendations on how to mitigate and manage the risks. One of the key challenges we uncovered is that once an Azure environment is breached, the attacker can leverage over-privileged identities to traverse laterally, elevate permissions and cause extensive data exfiltration across critical Azure Infrastructure Platform services.
Why is this access to Azure Cloud Infrastructure concerning for the business? CloudKnox’s recent risk assessment conducted across more than 150 global enterprises found that more than 95% of identities (users and service principals) accessing the Azure infrastructure are using less than 2% of permissions granted. This means that over-provisioned identities are primed to be exploited by bad actors who can easily gain access to an organization’s infrastructure. What’s more, CloudKnox also found that most Azure subscriptions have identities with over-permissive Contributor roles. And while the worrying findings continue, they could be mitigated with these recommendations:
- More than 95% of identities accessing the Azure Infrastructure are using less than 2% of permissions granted. Over-provisioned identities lead to unnecessary, avoidable high risks due to insider threats, risk of stolen credentials and bad actors with malicious intent.
- Recommendation: Right-size these identities based on their past activities, aka Activity-based Authorization, and grant additional permissions on-demand, which are time bound and, if required, resource bound.
- More than 70% of subscriptions have identities (users and service principals) with over-permissive Contributor roles. Identities with Contributor permissions increase security risk significantly because of their ability to delete critical Azure Infrastructure resources.
- Recommendation: The high-risk Contributor roles need to be replaced with lower risk roles based on the activity of the identities. Leverage Activity-based Authorization to right-size all identities.
- Lack of segregation of duties: Users with over-permissive roles in development and production subscriptions. Leveraging the same set of high-risk permissions that were used in development environments for production environments exposes infrastructure to bad actors who can leverage these over-permissioned credentials for malicious intent.
- Recommendation: Leverage Activity-based Authorization to right-size permissions for all identities in development environments and clone development permissions into production environments as a starting point. Then, right-size permissions in production environments to tighten controls.
- Misconfigured network security groups with remote desktop (RDP) and Secure Shell (SSH) access from the internet enabled in the production environment. Attackers can use various brute force techniques to gain access to Azure Virtual Machines.
- Recommendation: Disable RDP and SSH access on network security groups from the internet.
- 65% of all enterprises have anonymous public read access enabled for blob containers in production environments. Sensitive, confidential data in public storage accounts is exposed to anonymous, unauthorized users.
- Recommendation: Provide controlled, timed access to blob containers to prevent anonymous or unauthorized access.
- Users assigning permissions and access outside of the security and audit processes. Unknown permissions assignments create a significant blind spot for the organizations in addition to unwanted risk.
- Recommendation: Provide Privilege-on-Demand to allow access to be requested, approved and tracked to provide visibility and avoid massive risk.
- High-risk permissions are rampant across the cloud infrastructure. High-risk permissions, such as “delete” and “create,” could allow an attacker to destroy some or all of the cloud infrastructure either intentionally or accidentally.
- Recommendation: Remove high-risk permissions, including delete and create, from users that don’t need them.
- More than 85% of all enterprises have over-permissive service principals that are left orphaned after a project has been terminated. As POC, POV or other projects wind down, vendor-named service principals are often overlooked and not removed or right-sized. Thus, leaving an avoidable attack surface that can again be leveraged to exfiltrate sensitive data.
- Recommendation: Remove the high-risk service principals from the subscription.
If not mitigated, these findings are concerning because, as an attacker gains access to resources and permissions, over-provisioned access can lead to further compromise of Azure Platform services like storage blob containers, databases and Virtual Machines. At this point, the attacker has access to the majority of the organization’s infrastructure and could exfiltrate data, take over the cloud infrastructure, and even delete everything, causing massive destruction.
What can organizations do to fortify their Azure Infrastructure now?
The challenge now becomes an undertaking of monitoring ongoing changes in permissions and access to resources in the cloud. This comes down to moving away from assumptions-based policies in favor of monitoring ongoing activities to allow least privilege access to identities. You can accomplish this by applying the five Functions from NIST:
- Identify high-risk permissions, dormant applications and service principals, as well as toxic combinations that could lead to lateral movement, privilege escalation and exfiltration. Remain proactive and diligent.
- Protect the infrastructure by eliminating unused permissions—especially for non-human identities, including applications and service principals—to minimize the risk and blast radius.
- Detect using audit trail, alert triggers and automated anomaly and outlier detection alerting with key security operations center (SOC) and security information and event management (SIEM) product integrations.
- Respond by leveraging automation to delete or disable unused permissions.
- Recover with permission on-demand and just in time permission provisioning, enabling you to maintain least privilege and Zero Trust access.
Managing your cloud infrastructure security posture has matured beyond just managing your perimeter or managing your Cloud Identity access. As we move to the next evolution of cloud security, ongoing permissions and entitlements management—in addition to managing identity access—is fundamental to protecting your organization from this next generation of cloud security threats and minimizing the attack surface seen in the most recent cloud breaches like SolarWinds. Not sure where to start? CloudKnox Security’s cloud infrastructure risk assessment is a great first step.BACK TO BLOG