Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

4/21/2020
10:00 AM
Shai Morag
Shai Morag
Commentary
Connect Directly
LinkedIn
LinkedIn
RSS
E-Mail vvv
100%
0%

7 Steps to Avoid the Top Cloud Access Risks

Securing identities and data in the cloud is challenging, but a least-privilege access approach helps.

According to the latest Cloud Security Alliance (CSA) report on the 11 biggest threats to cloud computing, misconfiguration and inadequate change control ranked second only to — you guessed it — data breaches.

The Capital One incident, in which data on 106 million credit card customers and applicants was exposed, is a good example. The attackers exploited a vulnerability in an open source web application firewall (WAF) that was being used as part of the bank's cloud-based operations in Amazon Web Services (AWS).

Through this vulnerability, the attacker could nab credentials to gain access into all the resources to which the WAF had access. Unfortunately, the WAF was assigned excessive permissions — namely, it (and the attacker) could list all the files in any bucket of data and read the contents of those files. This allowed the attacker to access a sensitive S3 bucket.

The most effective way to mitigate this type of identity abuse is by enforcing the principle of least privilege. [Editor's note: The author's company is one among many that use a least-privilege access approach to cloud security services.] Ideally, every user or application should be limited to only the exact permissions required.

The first step for implementing least privilege is understanding which permissions a user (whether human or machine) or application has been granted. The next step is to map all the permissions actually being used. Comparing the two reveals the permission gap, which exposes those that should be maintained and those that should be revoked. This process must be routinely performed on a continuous basis to maintain least privilege over time.

To illustrate how this process works in the cloud, let's use AWS because it is the most popular platform and offers one of the most granular identity and access management (IAM) systems available. AWS IAM is a powerful tool that allows administrators to securely configure more than 2,500 permissions (and counting) to achieve fine-grained control over which actions can be performed on a given resource.

Step 1: Examine Attached Policies
The first step is to examine policies attached directly to the user. There are two types of policies:

  • Managed policies, which come in two varieties: (a) AWS managed policies that are created and managed by the cloud service provider (CSP), and (b) customer-managed policies that an organization can create and manage in its AWS account. Customer-managed policies typically provide more precise control than AWS-managed policies.

  • Inline policies, which are created by the AWS customer and are embedded in an IAM identity (a user, group, or role). They can be embedded in an identity when the identity is initially created or added later.

Step 2: Analyze IAM Groups
The next step is to review each of the IAM groups to which a user belongs. These also have attached policies that indirectly grant a user access to additional resources. Just as with the user itself, groups may be attached to both managed and inline policies.

Step 3: Map IAM Roles
Now, all IAM roles attached to a user need to be mapped. A role is another type of identity that can be created in an organization's AWS account with associated policies that grant specific permissions. It is similar to an IAM user, but instead of being uniquely associated with a person, a role can be assigned to anyone who requires its permissions. Roles are often used to grant access permissions to applications.

Step 4: Survey Resource-Based Policies
Next, the focus of this exercise shifts from user policies to policies attached to resources such as an AWS bucket. These policies may grant a user permission to perform actions on a bucket directly, independent of all other policies (direct and indirect) that exist. It's extremely important to conduct a comprehensive review of all AWS resources and their policies, especially those that contain sensitive data.

Step 5: Analyze Access Control Lists
Once the policy review is complete, analysis should move to the access control lists (ACLs) linked to each resource. These are similar to resource-based policies and allow control over which identities in other accounts may access the resource. Since ACLs cannot be used to control access for identities within the same account, it is possible to skip all resources held in the same account as the user.

Step 6: Review Permission Boundaries
In this step, we need to review the permissions boundary for each user. This is an advanced feature that defines the maximum permissions a user, group, or role may have. In other words, a permission boundary for a user defines the actions they are allowed to perform based on both the attached policies and the permissions boundaries. It is important to note that permissions boundaries do not affect every policy the same way. For example, resource-based policies are not limited by the permissions boundary and an explicit deny in any of these policies overrides the allow.

Step 7: Check Service Control Policies
Finally, it's necessary to review service control policies (SCPs). These are conceptually similar to permission boundaries defined on all the identities (that is, users, groups, and roles) within an AWS account. An SCP is defined at the AWS organization level, and may be applied to specific accounts.

Enforcing Least-Privilege Access
As we've seen, securing identities and data in the cloud is challenging, and becomes increasingly more complex as organizations expand their cloud footprint. In many cases, users and applications tend to accumulate permissions that far exceed their technical and business requirements, which results in a permissions gap.

Often, the effort required to determine the precise permissions necessary for each user or application in a complex environment like AWS is prohibitively expensive and doesn't scale. Even simple tasks like understanding the permissions granted to a single human user can be extremely difficult.

In an attempt to automate some of these processes, a few years ago AWS released a tool called Policy Simulator that enables administrators to select any AWS entity (that is, an IAM user, group, or role) and service type (such as a Relational Database Service or an S3 bucket) and automatically assess the user permissions for a specific service.

Although Policy Simulator is a great tool, it's far from mature. For example, Policy Simulator does not review all the roles a user may assume and their policies (Step 3). It also does not consider ACLs (Step 5) or permission boundaries (Step 6). In most instances, organizations are forced to perform manual policy management or write proprietary scripts.

As we've seen, managing identities and access in cloud environments to enforce least privilege policies is complicated, labor intensive, and expensive. Since this discipline is still in its infancy, it lacks reliable native tools from cloud platform providers. As is usually the case, third-party solutions are emerging to fill the void.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Shai Morag is CEO of cloud identity and access security provider Ermetic. Previously, he was co-founder and CEO of Secdo, an incident response platform vendor acquired by Palo Alto Networks, and CEO of Integrity-Project, a software outsourcing company acquired ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29367
PUBLISHED: 2020-11-27
blosc2.c in Blosc C-Blosc2 through 2.0.0.beta.5 has a heap-based buffer overflow when there is a lack of space to write compressed data.
CVE-2020-26245
PUBLISHED: 2020-11-27
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sani...
CVE-2017-15682
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.
CVE-2017-15683
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
CVE-2017-15684
PUBLISHED: 2020-11-27
Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system.