Mind the Gap
November 4, 2020
The emerging new attack surface you probably didn’t know you were creating
Risk is everywhere, something every CISO and security team knows well. Yet there’s still a gap between our recognition that risk is present, and our ability to eliminate risk. In the world of cloud security, it can be because we fail to understand the links between risk, security, and the gap that sits in the middle.
What’s the gap? In life, it’s the difference between what we assume reality is, and what reality really is. We’re blind to the risk because we don’t see the gap: either we don’t have the data to tell us it’s there, or we don’t look hard enough.
In the cloud we think we understand what our security risk is – after all, our CSP touts its Shared Responsibility Model of security. But if you don’t stop to read the fine print and the SLAs, you’ll miss the big message: you are responsible for everything you put in the cloud. The CSP will secure its infrastructure, sure, but your data, your IP? No. If you use the CSP’s default roles, but don’t check the permissions that go with those roles and how they are being used, you’re creating a gap.
When a dangerous delta exists between the cloud permissions granted and the permissions used by an identity, the result can be catastrophic on your cloud infrastructure.
Introducing the Cloud Permissions Gap
Welcome to the Cloud Permissions Gap, an alternate reality in the cloud where what you thought was safe is actually at risk. A Cloud Permissions Gap occurs when an enterprise has a dangerous delta between permissions granted and permissions used. While an identity should have only the permissions needed to do its job, a review of responses from more than 100 global enterprises found that, in most organizations, over 95% of privileged identities were grossly over-permissioned, a state that could leave an organization’s cloud infrastructure significantly exposed.
Further analysis revealed identities used less than 5% of the cloud permissions granted to perform their daily tasks, leaving more than 95% of unused permissions unnecessarily open to accidental misuse or malicious exploitation.
The Cloud Permissions Gap occurs not through malfeasance but because organizations simply don’t have the protocols and capabilities in place to correctly assign, manage, and monitor the exponential growth of permissions across their growing cloud footprints.
Why you need to Mind the Gap
Why is this gap so critical? Because you don’t know it’s there, or you can’t tell how big it is. You have no idea what your security exposure really is in the cloud, a problem that compounds daily as you put more workloads into the cloud.
Consider the common origins of most security incidents and breaches. Most of us probably don’t view these front-page stories in the context of privileged identities and their access to high-risk permissions that give access to cloud resources. But look back at some of the biggest breaches over the last few years and you’ll see in many cases the cause was directly related to permission misuse by identities that never should have had those permissions in the first place.
Gartner puts a number on the risk: they estimate that by 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% this year. Since the actions these identities can take are dictated by the types of permissions granted to them, limiting permissions, particularly high-risk permissions, and quickly responding when those permissions are misused or abused is key to closing the gap.
Gradually, then suddenly
How does a Cloud Permissions Gap start? It’s how Hemingway’s character in The Sun Also Rises describes his fall into bankruptcy: Gradually, then suddenly. Most enterprises first try to manage permissions using traditional identity and access management (IAM) tools. However, it quickly becomes apparent these solutions are not designed to keep up with the highly automated and digitized environments that define modern infrastructure.
In addition, most native cloud IAM tools shipped with each cloud platform offer only basic functionality. These built-in mechanisms come with dedicated toolsets, management screens, and workflows that simply won’t work for enterprises running multi-cloud and hybrid cloud deployments.
Many enterprises opt to control and manage privileged access with other traditional strategies, such as RBAC, or role-based access control. RBAC is an older, static method involving the creation of standard roles with pre-defined and broad sets of permissions based on job descriptions and functions within an organization and assigning identities to these roles.
Of course, in today’s dynamic environments — even with the most disciplined use of RBAC — organizations can’t keep up with managing all the new permissions made available for each cloud service in use. As a result, most roles are seldom updated, if at all. And where they are, the temptation is to add more permissions to existing roles rather than redesign the roles entirely for least privilege.
To make matters worse, once an identity is assigned a role, it is rarely reviewed again. More often than not, the identity is never removed from a role even if it no longer performs the job function. Take the example of a contractor who left a project or a DevOps engineer who moved to another team yet still retains access to his/her original role.
Where are all these identities coming from?
The growth of identities in the cloud, both human and non-human, adds enormous complexity to managing permissions. In fact, the prediction is that within five years the ratio of machines to humans will increase from 5:1 to 20:1, magnifying the scope of the problem. These identities, roles and permissions are, in many cases, the result of automation necessary to support cloud transformation.
Overworked security and cloud infrastructure teams are being asked to keep up with the proliferation of new human and non-human identities with roles that give them permissions (in the tens of thousands) to access high-value resources.
The number of permissions organizations are being asked to manage is estimated to be around 40,000 across the four key cloud platforms, and that number is growing daily. Of those 40,000 permissions, over 50% are considered high-risk, implying they could cause catastrophic damage if used improperly. That risk, hidden in the Cloud Permissions Gap, is just out of your view. The larger the gap, the larger and riskier your attack surface becomes.
Properly addressing the Cloud Permissions Gap requires tackling the hidden risks that create it.
At CloudKnox, we have defined five commonly overlooked identity-centric risks that, if not addressed on a continuous basis, can wreak havoc on your cloud infrastructure. Those risks are Inactive Identities, Super Identities, Over-provisioned Identities, Cross Account Access and Anomalous Behavior.
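As an added illustration of the granted-versus-used measurement described earlier and of three of the five risks just listed (Inactive, Super and Over-provisioned Identities), here is example code that is not CloudKnox's product or method; the permission catalog, the identities, the high-risk list and the 90-day threshold are all constructed or assumed for the example.

```python
import fnmatch
from datetime import date

# Constructed catalog standing in for the ~40,000 permissions mentioned above.
CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:ListUsers", "iam:CreateUser", "iam:AttachUserPolicy",
]
# Assumed high-risk subset: actions that destroy data or escalate privilege.
HIGH_RISK = {"s3:DeleteBucket", "ec2:TerminateInstances",
             "iam:CreateUser", "iam:AttachUserPolicy"}
# Constructed identities: (granted patterns, actions seen in activity logs
# during the review window, date of last recorded activity).
IDENTITIES = {
    "deploy-bot": (["s3:*", "ec2:RunInstances", "ec2:TerminateInstances"],
                   ["s3:GetObject", "s3:PutObject"], date(2020, 11, 1)),
    "alice": (["*"], ["ec2:DescribeInstances", "s3:ListBucket"],
              date(2020, 10, 30)),
    "contractor": (["s3:GetObject", "s3:PutObject"], [], date(2020, 5, 12)),
}
INACTIVE_DAYS = 90  # assumed threshold for flagging an identity as inactive

def expand(patterns):
    """Resolve IAM-style wildcard patterns (e.g. "s3:*") against the catalog."""
    return {a for a in CATALOG if any(fnmatch.fnmatchcase(a, p) for p in patterns)}

def permissions_gap(name, today=date(2020, 11, 4)):
    """Return gap metrics and risk flags for one identity."""
    patterns, used, last_active = IDENTITIES[name]
    granted = expand(patterns)
    used_granted = set(used) & granted
    used_pct = 100.0 * len(used_granted) / len(granted) if granted else 0.0
    unused_high_risk = sorted((granted - used_granted) & HIGH_RISK)
    flags = []
    if (today - last_active).days > INACTIVE_DAYS:
        flags.append("inactive")          # Inactive Identity
    if granted == set(CATALOG):
        flags.append("super")             # Super Identity: everything granted
    if unused_high_risk:
        flags.append("over-provisioned")  # holds high-risk rights it never uses
    return {"granted": len(granted), "used_pct": round(used_pct, 1),
            "unused_high_risk": unused_high_risk, "flags": flags}

def report(today=date(2020, 11, 4)):
    """Gap metrics for every identity, the input to a least-privilege review."""
    return {name: permissions_gap(name, today) for name in IDENTITIES}
```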
To learn more about these identity-centric risks and how to bring them under control, listen to the on-demand webcast, “Uncover Five Hidden Risks that can Expand your Cloud Infrastructure Attack Surface.” <link>. In less than 45 minutes you’ll learn enough about the Cloud Permissions Gap to help you quantify your risk so you can start to manage it. Join us as we explore five steps to managing the Cloud Permissions Gap – and take control of your security risk in the cloud.