
A few weeks ago, while researching another topic, I posed a question: which domain within the security ecosystem has struggled to move the needle over the past few years? After trawling through a multitude of annual breach analyst reports (Verizon Breach Report, M-Trends, et al.), I concluded that “identities accessing cloud infrastructure” was an irritatingly tough nut to crack. Over the years, many PAM and IAM vendors have come up with innovative solutions, but the problem space is still a huge challenge to address, primarily due to the rapidly shifting landscape.
The Adoption of Cloud Services
A large part of why the problem space is stubbornly persistent is the radical shift in the operating mindset for enterprises:
- Firstly, the last few years have shown a clear direction of travel in enterprises moving to cloud (IaaS, SaaS, PaaS). It's also fair to say 2020 has accelerated a lot of this adoption due to the prominent operating challenges organizations have had to face.
- Secondly, the consumerization of Corporate IT has resulted in rapid development cycles to maintain/increase a competitive edge. This has resulted in organizations being forced to adopt more agile practices in servicing their stakeholders - enter DevOps. Whilst Cloud and DevOps are natural bedfellows, they do present unique challenges to the office of the CRO (Chief Risk Officer).
In numerous conversations with customers, the “lift and shift” motion to the cloud has removed one key road bump from the purview of infrastructure teams: scarcity. When a data center is physically landlocked on-prem (compute, network and storage), there are rigorous conversations, policies and processes in place to ensure “what” and “who” will be consuming these limited resources. For all intents and purposes, in a cloud paradigm this “scarcity” is effectively removed. This lack of scarcity, coupled with the “move fast and break things” approach of the DevOps movement, creates a vast potential for “IT infrastructure sprawl” (Shadow IT) and, by definition, a massive headache from a risk perspective.
The Challenge of Over Provisioning Admin Privileges Across Cloud Services
Cloud environments are, by nature, extremely flexible in the “pure-play” services (Kinesis, RedShift, Quicksight, etc.) they offer; at last count, AWS had over 175. Combine each service with capability-level access control (hundreds of actions for some services) and then multiply this by the number of employees that have been granted access, and the number of permutations quickly becomes impossible to maintain and manage. Most enterprises remove this complexity by merely over-provisioning access and controls. While this will, of course, remove the admin overhead of constantly managing access, it presents far bigger problems downstream. The bullets below highlight exactly how potentially damaging over-provisioning can be:
- 50% of issued permissions could destroy infrastructure
- 95% of identities are over-permissioned and hold permissions that could adversely impact infrastructure / services
- < 5% of permissions granted are actually used for daily operations
Source: Cloudknox Research, 2019
The Cloud Permissions Gap
From the diagram below you can see there is a huge delta (i.e. the permissions gap) between what has been “granted” and what is “actually used”. This delta also represents massive potential exposure that SecOps teams must contend with when trying to reduce the attack surface.
Source: Cloudknox Research, 2019
Now you start to get a better understanding of why the problem outlined at the start is so hard to address.
As luck would have it, at the same time I was doing research for this blog, our friends at Cloudknox released their debut Splunk integration on our App Store. At the highest level, Cloudknox approaches the problem by enforcing the age-old principle of “least privilege”.
Monitoring and Enforcement of Least Privilege Policies
Source: Splunk App for Cloudknox
Cloudknox has two modes of operation:
- Passive: Observes and baselines “normal” user behaviour with respect to which roles/capabilities are ACTUALLY being used in your AWS, GCP, Azure and VMware environments. It basically visualises the “Cloud Permissions Gap” illustrated above.
- Active: One-touch remedial action that effectively “right-sizes” the permissions gap and drastically reduces the attack surface.
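To make the “permissions gap” and the passive/active modes concrete, here is an added example (my own illustration, not code from the original post, from Cloudknox or from the Splunk app). It takes a constructed AWS-style IAM policy, expands its wildcards against a constructed action catalogue, compares the result with the actions observed in a constructed set of CloudTrail records, reports the gap and the unused destructive permissions (the passive view), and then emits a right-sized policy containing only the actions actually used (the active remediation). The action catalogue, the list of destructive actions and the sample events are all assumptions made for the example.

```python
"""
Added example (not from the original post, Cloudknox or Splunk): compute a
"cloud permissions gap" for one identity by comparing what an IAM policy
grants against what CloudTrail shows was used, then right-size the policy.
All policy, catalogue and event data below are constructed samples.
"""
import fnmatch
import json
from collections import defaultdict

# Constructed catalogue of actions per service. A real tool would derive this
# from the AWS service authorization reference; this is a tiny sample.
ACTION_CATALOG = {
    "s3": ["GetObject", "PutObject", "DeleteObject", "ListBucket", "DeleteBucket"],
    "ec2": ["DescribeInstances", "RunInstances", "TerminateInstances", "StopInstances"],
    "iam": ["GetUser", "CreateUser", "DeleteUser", "AttachUserPolicy"],
}

# Constructed subset of actions whose misuse would destroy or alter infrastructure.
DESTRUCTIVE = {"s3:DeleteObject", "s3:DeleteBucket", "ec2:TerminateInstances",
               "iam:DeleteUser", "iam:AttachUserPolicy"}

# Constructed over-provisioned policy: broad wildcards, as such policies usually look.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "ec2:TerminateInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"},
    ],
}

# Constructed CloudTrail records for the identity (only the two fields we need).
CLOUDTRAIL_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetUser"},
]


def expand_actions(policy, catalog=ACTION_CATALOG):
    """Expand Allow statements into concrete service:Action names and subtract
    explicit Deny statements (an explicit Deny always wins in IAM evaluation).
    IAM action matching is case-insensitive, hence the lower() on both sides;
    fnmatch's [] syntax is a superset of IAM's * and ? and is not used here."""
    all_actions = {f"{svc}:{act}" for svc, acts in catalog.items() for act in acts}
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        matched = {a for a in all_actions
                   for p in patterns if fnmatch.fnmatchcase(a.lower(), p.lower())}
        (allowed if stmt["Effect"] == "Allow" else denied).update(matched)
    return allowed - denied


def used_actions(events):
    """Map CloudTrail records to service:Action (eventSource prefix + eventName)."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}


def permissions_gap(policy, events, catalog=ACTION_CATALOG):
    """Passive mode: granted vs. used, the unused remainder, and the gap ratio."""
    granted = expand_actions(policy, catalog)
    used = used_actions(events) & granted   # only count usage the policy permits
    unused = granted - used
    return {
        "granted": granted,
        "used": used,
        "unused": unused,
        "unused_destructive": unused & DESTRUCTIVE,
        "gap_ratio": len(unused) / len(granted) if granted else 0.0,
    }


def right_size_policy(policy, events, catalog=ACTION_CATALOG):
    """Active mode: a least-privilege policy listing only the observed actions,
    one statement per service for readability."""
    by_service = defaultdict(list)
    for action in sorted(permissions_gap(policy, events, catalog)["used"]):
        by_service[action.split(":", 1)[0]].append(action)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": acts, "Resource": "*"}
                      for _, acts in sorted(by_service.items())],
    }


if __name__ == "__main__":
    gap = permissions_gap(GRANTED_POLICY, CLOUDTRAIL_EVENTS)
    print(f"granted={len(gap['granted'])} used={len(gap['used'])} "
          f"gap={gap['gap_ratio']:.0%} unused_destructive={sorted(gap['unused_destructive'])}")
    print(json.dumps(right_size_policy(GRANTED_POLICY, CLOUDTRAIL_EVENTS), indent=2))
```

On the constructed data the identity uses 4 of the 10 actions it is granted (a 60% gap) and sits on four unused destructive permissions, including TerminateInstances and DeleteBucket; the right-sized policy keeps only the four observed actions. Two caveats apply before doing this for real: CloudTrail eventName does not map one-to-one onto IAM action names for every service, and the right-sized policy above still carries `"Resource": "*"`, so scoping resources is a separate step after trimming actions.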
Aside from freeing up potentially hundreds of man-hours on the security side of the house spent on “least privilege” hygiene, Cloudknox also adds another highly curated and rich data set to your security data lake. When combined with, say, CTI and network telemetry, you start to get a force multiplier on your data lake, whereby you get highly enriched insights that you can actually act on. It’s also fair to say that, depending on the data set, you can add value not only for the security and risk teams but also for the business itself.