Guest Post

The security battle over entitlements and permissions creep

IT must continually keep track of entitlements and permissions for all their cloud services, with methods such as CI/CD tools, increased visibility and continuous monitoring.

The unrelenting expansion of cloud services has given organizations a lot of power and capabilities, but with those capabilities have come vulnerabilities. The spread of cloud services has led to coding at scale and deployment at great speed across an unbounded cloud infrastructure. This has fueled exponential growth in the number of developer identities and service accounts that security teams must manage and, concurrently, an increase in permissions that could be exploited at great damage and cost to an enterprise.

To protect their networks, infrastructure and data, organizations need to ask themselves: Who's controlling the code? The answer depends on gaining visibility into the cloud enterprise in several key areas.

The power of entitlements and permissions

The innovation spurred by DevOps and the amount of automation required to make a fast-moving, fast-changing cloud environment work has turbocharged the speed of software development and deployment. A new application or service may have once required a months-long team project of acquisition, development, testing and deployment. Today, with the advent of continuous integration and continuous delivery (CI/CD) pipeline tools and best practices to deliver applications, it can take as little as a couple weeks, or even a few days.

The CI/CD framework incorporates many best practices for speeding up the delivery of code, including:

  • using efficient deployment pipeline and orchestration tools, such as Jenkins, GitLab or Azure Pipelines;
  • using shared version control for all teams;
  • employing rigorous quality assurance checks and application testing;
  • having robust monitoring while collecting metrics about the software delivery process; and
  • working toward building up infrastructure as code as an organizational policy, where security is embedded as part of the development process instead of being bolted on after the fact.

CI/CD tools are great news for software development and deployment. But all those new applications add quite a bit of complexity to the environment. For example, new services today can use multiple platforms like Amazon Web Services, Microsoft Azure, Google Cloud Platform and VMware at scale. That in turn increases the number of identities -- both human and machine -- that organizations need to manage. Machine, or non-human identities, that must be managed and protected can include pieces of code, bots, access keys and compute functions, and in fact, non-human identities currently outnumber those belonging to humans in most networks by 20 to one.

The result: Organizations taking advantage of hybrid and multi-cloud environments have an over-provisioning problem. The infrastructure rife with "super identities" that -- though mostly unseen within the rest of the enterprise -- have the power to create or destroy a data center or the enterprise's cloud infrastructure with a single command. Enterprises that were managing fewer than 100 privileges could now be dealing with more than 20,000 high-risk permissions that are largely unutilized. Most identities require only about 1% of their permissions for daily operations. The remaining 99% are unused and left open to exploitation.

This unchecked spread of permissions and entitlements plays a part in several of the Cloud Security Alliance's Top Threats to Cloud Computing. Additionally, the Capital One breach in 2019 happened after attackers took advantage of an open source web application firewall that had been granted excessive permissions.

Detailed visibility

The real challenge in getting control of the permissions and entitlements sprawl is visibility -- specifically, visibility required to understand what actions identities are executing in a complex multi-cloud infrastructure environment. Without full visibility, organizations cannot implement any corrective measures, such as implementing and enforcing least privilege, zero-trust access policies for both human and machine identities.

Organizations need to undertake a thorough assessment of their cloud identity risks: identifying the identities within their infrastructure, defining the operations they're authorized to execute, tracking the actions they've taken -- particularly high-risk permissions or entitlements -- and listing the resources those actions have affected.

Monitoring the identities in the environment should also be an ongoing process, updated at regular (and short) intervals. It would allow organizations to identify their highest-risk entitlements and permissions, as well as gain an understanding of excessive entitlements and permissions. Continuous, comprehensive monitoring would also help track inactive identities, roles and groups, such as those that have never been used because they were over-provisioned, or have gone dormant because of an employee departure, a change in a cloud service, etc. Inactive roles, identities and groups -- which can easily go unnoticed -- represent a significant but certainly avoidable threat.

Continuous security

A good beginning policy for any enterprise is to know who the identities are. In the cloud environment, that list is growing fast, far and wide -- often involving users, both human and machine with unique identities and privileges. Understanding the actions they perform and the resources they interact with will go a long way toward closing hidden vulnerabilities spread throughout the enterprise that, if exploited, could have disastrous consequences.

Continuous assessment will allow security teams to manage the environment proactively, swiftly detecting any misuse or anomalies and mitigating identity risks.

About the author
Raj Mallempati recently joined CloudKnox Security as chief operating officer, where he is responsible for CloudKnox's overall business and go-to-market strategies. Prior to joining CloudKnox, Raj was most recently the SVP of Marketing at Malwarebytes. Raj has also held positions as the VP of Global Marketing at MobileIron, VP of Product Marketing at Riverbed Technology, and was the Director of Marketing and Business Strategy at VMware. Mallempati is on the Forbes Tech Business Council. He holds an MBA from The Wharton School, University of Pennsylvania, MS, Computer Science from the University of Texas, and a B.Tech from Indian Institute of Technology, Madras.

Dig Deeper on Identity and access management