Managing Permissions and Entitlements is at the Core of a Zero Trust Model in the Cloud
March 4, 2021
By Nicholas Barretta, Principal Solutions Architect at CloudKnox
Many organizations are setting their sights on a Zero Trust strategy for cybersecurity, seeing it as the best way to protect their networks and data in multifaceted, fast-changing, ever-expanding hybrid and multi-cloud environments. To get there, they need a firm grip on all the identities within their environments—and the permissions and entitlements granted to those identities—which is a difficult, if not impossible, thing to do manually.
A big part of the problem is that nothing exists natively in the cloud that provides the full range of identity and access management (IAM) at the scale organizations need to truly achieve a continuous, Zero Trust permissions model. Cloud service providers such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure do offer IAM tools customers can use, but they don’t cover the full landscape of identities. That landscape includes both human identities and an exponentially growing number of non-human identities (e.g., service accounts, instance roles, serverless execution roles, app principals).
Identity and access management in the cloud is synonymous with vulnerability management because so much of what is running in the environment is tied to an identity and its permissions and entitlements. The cloud has expanded the network far beyond the boundaries of a traditional enterprise, shifting security’s primary focus from protecting the perimeter (while still important) to authenticating and authorizing the identities within. In hybrid and multi-cloud environments, identity is the fastest-growing attack surface. An attacker who compromises one of those identities has access to all of its permissions. If those permissions are overly broad and provide access to, for example, every cloud storage bucket in an environment, a single compromised identity can turn into a leak of millions of user data records that ends up on the front page of the news.
As organizations expand their cloud infrastructure operations and developers continue to increase their pace of innovation as a result, permissions creep can more easily proliferate throughout the enterprise, increasing the attack surface. This is compounded by the fact that all of the cloud providers are adding new cloud services and functionality—and thus, new permissions—at a nearly daily frequency. Organizations face a big challenge getting to a level of holistic visibility of who can do what in the environment, and whether the status quo “what” is too permissive.
The urgency of the problem is evident in the details of recent high-profile data breaches where attackers gained access to a data store or a cloud storage bucket. In many cases, the breach could have been prevented from going any further had the compromised resource identities been right-sized for least-privilege access. In one well-known case, a major financial institution—one recognized as a thought leader in cloud security, with a full slate of effective controls in place—suffered one of the largest and most expensive breaches in history because it had an overly-permissive identity provisioned to a cloud instance. As these attacks make clear, if an attacker gets hold of an overly-permissive identity, it’s game over.
Organizations need to consider taking the next step in identity management with Cloud Infrastructure Entitlement Management (CIEM), which improves on IAM approaches by presenting a more granular view of permissions across a sprawling cloud enterprise and providing automated tools and advanced analytics that can enable strict and continuous right-sizing of permissions at that scale. It’s an essential step for anyone looking to get to Zero Trust in a hybrid and multi-cloud environment.
Zero Trust, after all, is based on ensuring that all users and devices are continuously authenticated, authorized and validated. Knowing all of the identities and their permissions is crucial to enforcing that strategy.
The Three Pillars of CIEM: Visibility, Remediation, and Monitoring
Effectively controlling permissions in the cloud depends on implementing the three pillars of CIEM: visibility, remediation, and monitoring. With granular visibility into the environment, organizations can keep track of the “permissions creep” that plagues so many organizations while immediately identifying their highest-risk areas for prioritization. For example, a permissions management platform, such as CloudKnox, can provide granular visibility into both real-time and historical identity and resource activity. Combined with a streamlined enforcement mechanism, it can enable continuous activity-based authorization that keeps pace with the dynamic activity in the cloud.
That kind of visibility supports the second pillar, remediation, by allowing for the right-sizing of over-permissioned identities—based on observed activity—as well as the identification and removal of inactive identities. If an identity has super-user privileges, but has only read from one cloud storage bucket in the past 90 days, why does it need all of those permissions? If it has no activity, why does it need to exist at all? Remediation via a CIEM platform can often be done with a single click or carried out programmatically at scale through an API call.
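The activity-based right-sizing described above, as an added example in Python (not CloudKnox’s code and not any provider’s API): it expands a constructed identity’s granted wildcard actions against a constructed action catalogue, intersects them with a constructed 90-day activity log, and reports which grants were never used and which identities are inactive.

```python
import fnmatch
from datetime import datetime, timedelta

# Constructed sample: a hypothetical identity's granted IAM-style actions.
GRANTED = ["s3:*", "ec2:DescribeInstances", "iam:CreateUser"]

# Wildcard expansion needs a catalogue of concrete actions; this is a small
# constructed subset, not a real provider's full action list.
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:ListAllMyBuckets", "ec2:DescribeInstances", "iam:CreateUser",
]

# Constructed activity log: (ISO timestamp, identity, action performed).
ACTIVITY = [
    ("2021-02-10T08:00:00", "app-role", "s3:GetObject"),
    ("2021-02-11T09:30:00", "app-role", "s3:ListBucket"),
    ("2020-10-01T12:00:00", "legacy-role", "ec2:DescribeInstances"),
]


def expand(granted, catalogue):
    """Turn wildcard grants such as s3:* into the concrete actions they allow."""
    return {a for a in catalogue if any(fnmatch.fnmatchcase(a, g) for g in granted)}


def used_actions(activity, identity, now, window_days=90):
    """Actions the identity actually performed inside the look-back window."""
    cutoff = now - timedelta(days=window_days)
    return {act for ts, ident, act in activity
            if ident == identity and datetime.fromisoformat(ts) >= cutoff}


def right_size(granted, catalogue, activity, identity, now):
    """Return (used, unused): the unused set is what a least-privilege policy drops."""
    effective = expand(granted, catalogue)
    used = used_actions(activity, identity, now) & effective
    return used, effective - used


def is_inactive(activity, identity, now, window_days=90):
    """True when the identity performed nothing in the window: a removal candidate."""
    return not used_actions(activity, identity, now, window_days)


if __name__ == "__main__":
    now = datetime(2021, 3, 4)
    used, unused = right_size(GRANTED, KNOWN_ACTIONS, ACTIVITY, "app-role", now)
    print("keep:", sorted(used))
    print("drop:", sorted(unused))
    print("legacy-role inactive:", is_inactive(ACTIVITY, "legacy-role", now))
```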
However, because the cloud is such a dynamic environment, point-in-time right-sizing alone is not enough. Organizations also need the ability to grant—and control—permissions on-demand (POD) as requested by developers. A developer who has X permissions today may also need Y permissions tomorrow, either on a temporary (e.g., to deal with a production issue) or ongoing basis. A platform that provides an approved flow for permissions, with justifications for access and an audit trail down to the fine-grained permissions level, allows developers to get the access they need without letting permissions creep get out of hand. POD also allows permissions to be granted and revoked according to a schedule—why should a CI/CD pipeline execution role have broad permissions 24/7, when it only runs for two hours every night?
The third pillar, monitoring, is essential to making sure that a preferred state of identity management doesn’t fall victim to the kind of policy violations or permissions creep that contributed to the problem in the first place. The platform produces a risk index, assessing the identity and resource risks at both the environment (account/project/subscription) and identity levels, ultimately contributing to fully informed risk assessments. Alerts can be set up to monitor for unusual or risky permissions activity—for example, an identity that is suddenly trying to list all buckets in an organization or create its own local user account to potentially masquerade behind.
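The monitoring pillar as an added example in Python (not CloudKnox’s code): it builds a per-identity baseline from constructed historical events, alerts on any action outside that baseline, and grades the two cases the article names (listing all buckets, creating a user account) as high severity, rolling the alerts up into a simple per-identity risk score. Event shapes and scoring weights are assumptions.

```python
from collections import defaultdict

# Constructed historical events: (ISO timestamp, identity, action). These
# establish what each identity normally does.
HISTORY = [
    ("2021-02-01T08:00:00", "app-role", "s3:GetObject"),
    ("2021-02-02T08:05:00", "app-role", "s3:GetObject"),
    ("2021-02-03T08:10:00", "app-role", "s3:PutObject"),
    ("2021-02-03T09:00:00", "ci-role", "ecr:PutImage"),
]

# Constructed "today" events to evaluate against the baseline.
TODAY = [
    ("2021-03-04T03:12:00", "app-role", "s3:ListAllMyBuckets"),
    ("2021-03-04T03:13:00", "app-role", "iam:CreateUser"),
    ("2021-03-04T04:00:00", "ci-role", "ecr:PutImage"),
]

# The two behaviours the article singles out as risky when they appear suddenly.
HIGH_RISK = {
    "s3:ListAllMyBuckets": "enumerating every bucket in the organization",
    "iam:CreateUser": "creating a new local user account",
}
SEVERITY_WEIGHT = {"high": 10, "medium": 3}  # assumed scoring, not a vendor formula


def build_baseline(history):
    """Map each identity to the set of actions it has been observed performing."""
    baseline = defaultdict(set)
    for _, ident, act in history:
        baseline[ident].add(act)
    return baseline


def evaluate(events, baseline):
    """Alert on actions never seen before for that identity, graded by risk."""
    alerts = []
    for ts, ident, act in events:
        if act in baseline.get(ident, set()):
            continue  # within the identity's normal activity: no alert
        severity = "high" if act in HIGH_RISK else "medium"
        alerts.append({"time": ts, "identity": ident, "action": act,
                       "severity": severity,
                       "reason": HIGH_RISK.get(act, "action outside observed baseline")})
    return alerts


def risk_index(alerts):
    """Per-identity score: higher means more unexpected, riskier activity."""
    scores = defaultdict(int)
    for a in alerts:
        scores[a["identity"]] += SEVERITY_WEIGHT[a["severity"]]
    return dict(scores)
```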
All of the above presents a daunting task for any organization to try to do on their own. They typically will take one of two paths. One is to run everything through a central IAM team, as in the days of on-premises operations, but that doesn’t scale well in the cloud because it slows down developer teams. Typically, the central team doesn’t have the context to know why permissions are being requested, so they’re really just making a best guess, slowing down the developers, and taking time away from their own other tasks. In the second model, the central cloud team delegates IAM access to team leaders who are in a better position to judge permission requests. While this model is an improvement, those team leaders often don’t have the time and resources to handle all of the demands quickly while defining fine-grained permissions down to the resource level. Typically, they’ll end up using one of the out-of-the-box managed policies that the cloud platform vendor provides, assuming that these are least-privilege by default. It’s important to remember the shared responsibility model: the vendor is responsible for security of the cloud, and the customer for security in the cloud. The latter includes right-sizing permissions for the users’ specific least-privilege needs; the predefined policies are offered as examples and starting points, not as Zero Trust permissions models.
To keep up with the identities and limit permissions across the cloud enterprise, organizations need an automated platform, such as CloudKnox’s, which is the only platform that provides all three of the pillars that CIEM comprises. It gives customers visibility into the full range of identities and permissions with a data-driven approach that takes the guesswork out of controlling permissions. It performs remediation from within the platform, and provides a thorough, audited flow for granting permissions on-demand. In doing so, it gives organizations the means to get control of an increasingly serious threat to the enterprise.
Closing the Gaps
If least privilege enforcement in the cloud isn’t at the top of an organization’s list of priorities, it should be—especially with Zero Trust as a goal. There are some good tools available for cloud governance that can, for instance, enforce certain web application firewall configurations, maintain security group rules, or prevent users from deleting forensic data. However, without a comprehensive, data-driven, and scalable approach to identity and access management, security gaps will persist as long as overly-permissive identities do.
The inconvenient truth in cybersecurity is that some attackers will gain access to a network and compromise a resource with access to an identity. The last line of defense when that happens is least-privilege, which will limit the damage an attacker can do. It’s also the key to achieving a Zero Trust model for managing vulnerabilities in an ever-expanding cloud environment.
Nicholas Barretta is a Principal Solutions Architect at CloudKnox. He previously spent two years at AWS as a Senior Solutions Architect, as well as two years prior at Google Cloud as a Customer Engineer, and has spent the past half-decade helping organizations plan and execute their migrations and deployments to the cloud. He can be reached at email@example.com as well as on LinkedIn.