Raj Mallempati
Back to Basics with Cloud Permissions Management

By using the AAA permissions management framework for cloud operations, organizations can address authentication, authorization, and auditing.

As I spend more time discussing the cloud with security customers and partners, it has made me think a lot about how the industry is continuously evolving to figure out new ways to layer on security and complexity while at the same time neglecting some of the basics.

A primary example is permissions management for identities and resources accessing cloud (private, public, or hybrid) infrastructure. One of the most frequently cited frameworks in security is the relatively simple AAA framework: authentication, authorization, and auditing. This framework is intended to help people understand the nuances of identity management and think specifically about how to reduce or mitigate risk by minimizing the attack surface.

Specifically, enterprises need to manage all identities (human or nonhuman) based on what they are permitted to access, established through authentication (e.g., passwords), as well as what tasks these identities can perform, governed by authorization and privilege management. The framework also covers recording the actions performed by those identities through auditing and logs.

Although the threat vectors facing organizations have evolved significantly and increased in sophistication, I still believe this framework is easy to understand and deploy; it's also still essential to use as the foundation for enterprises to build their cloud security strategy.

Here's how this might work in a cloud-first or cloud-centric organization.

Authentication? Or Zero Trust?
With the continued adoption of cloud infrastructure, cloud applications, and mobile devices and applications, the concept of perimeter-based security for authentication is inadequate. In fact, I believe it's a very archaic way of looking at authentication. Over the past 10 years, this space has seen a much-needed shift in thinking and strategy led by vendors like Okta, Ping Identity, and Netskope. Customers are looking for an authentication solution that works across their existing data center infrastructure and their cloud infrastructure. The new authentication architecture and strategy is intended to focus on either "trust but verify" or "verify but never trust" in all authentication processes.

In the end, this just means more rigorous and comprehensive authentication, which requires a fundamental rearchitecture of existing networks for organizations. This can take time to implement because there are a lot more basics to get right in authentication. First, multifactor authentication is no longer negotiable — it needs to be implemented for all cloud-native services and infrastructure, so stop delaying and get it implemented for all your identities.

Right-Sizing Authorization
Authorization is the most overlooked permission management control in the security organization. This tends to be the case across all companies because in a cloud world, basic visibility requires deep knowledge of the underlying infrastructure, and there are tens of thousands of permissions and resources to manage. Imagine if every cloud infrastructure identity, human or machine, had the same ability to perform tasks and access to the same information, systems, and data.

Authorization is essential to restrict the actions of identities to only what they absolutely need to perform, thereby reducing unwanted, avoidable risk significantly. It should form the basis for every security program but can be daunting in complexity.

The key to getting the basics right is right-sizing permissions: focus on the permissions an identity requires to do its job on a daily basis, rather than trying to enumerate every permission it might possibly need. Augment this by granting any additional permissions or privileges on demand, when and only when identities need them. This delivers a comprehensive authorization model based on permissions used rather than permissions granted.

Auditing: Who Did What?
It sounds simple to most people, but it is surprisingly complicated and difficult to determine all the activities that identities have executed. This is especially true when you consider the thousands of resources that these identities can access across multiple cloud infrastructure platforms.

It is essential to have auditing capabilities as a key building block to a robust cloud infrastructure security framework, however difficult or complex this may be. Knowing what resources are being accessed or attempted to be accessed is not enough. Knowing what every identity is doing or attempting to do inside your cloud infrastructure resources is mandatory for detecting threats and for robust incident response. This is also critical for continuous security and compliance controls across all your cloud infrastructure platforms.
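The two ideas above, right-sizing grants to what is actually used and answering "who did what (or tried to)" from audit logs, can be shown together in a small script. The following is an added example written for this page, not code from the author or from CloudKnox; the policy format (identity, action pattern, resource pattern) is a simplified IAM-style shape, and both the granted policies and the audit events are constructed sample data rather than output from any real cloud provider.

```python
"""Right-size granted cloud permissions against observed usage, and summarise
per-identity activity from audit events.

Everything below is constructed for illustration: the policy shape imitates
IAM-style action/resource statements but is not any provider's real schema,
and the audit events are hand-written, not real CloudTrail records.
"""
import fnmatch
from collections import defaultdict

# Constructed "granted" policies: identity -> list of (action pattern, resource pattern).
GRANTED = {
    "svc-report-builder": [
        ("s3:*", "arn:example:s3:::reports/*"),          # broad wildcard grant
        ("ec2:DescribeInstances", "*"),
        ("ec2:TerminateInstances", "*"),                # granted but never exercised
    ],
    "alice": [
        ("s3:GetObject", "arn:example:s3:::reports/*"),
        ("s3:PutObject", "arn:example:s3:::reports/*"),  # granted but never exercised
    ],
}

# Constructed audit events in a CloudTrail-like shape: who, what, on which resource, result.
AUDIT_LOG = [
    {"identity": "svc-report-builder", "action": "s3:GetObject",
     "resource": "arn:example:s3:::reports/q1.csv", "outcome": "allowed"},
    {"identity": "svc-report-builder", "action": "s3:PutObject",
     "resource": "arn:example:s3:::reports/q1.pdf", "outcome": "allowed"},
    {"identity": "svc-report-builder", "action": "ec2:DescribeInstances",
     "resource": "*", "outcome": "allowed"},
    {"identity": "alice", "action": "s3:GetObject",
     "resource": "arn:example:s3:::reports/q1.pdf", "outcome": "allowed"},
    {"identity": "alice", "action": "s3:DeleteObject",
     "resource": "arn:example:s3:::reports/q1.pdf", "outcome": "denied"},
]


def activity_by_identity(events):
    """Auditing: for each identity, the (action, resource) pairs it executed
    and the pairs it attempted but was denied."""
    summary = defaultdict(lambda: {"executed": set(), "denied": set()})
    for e in events:
        bucket = "executed" if e["outcome"] == "allowed" else "denied"
        summary[e["identity"]][bucket].add((e["action"], e["resource"]))
    return summary


def exercised_actions(statement, events, identity):
    """Concrete actions the identity successfully performed under one grant.
    Both the action and the resource must fall inside the grant's patterns."""
    action_pat, resource_pat = statement
    return sorted({
        e["action"] for e in events
        if e["identity"] == identity and e["outcome"] == "allowed"
        and fnmatch.fnmatchcase(e["action"], action_pat)
        and fnmatch.fnmatchcase(e["resource"], resource_pat)
    })


def rightsize(granted, events):
    """Authorization: rebuild each identity's policy from permissions used,
    expanding wildcard grants to the concrete actions actually observed."""
    result = {}
    for identity, statements in granted.items():
        kept = []
        for statement in statements:
            for action in exercised_actions(statement, events, identity):
                kept.append((action, statement[1]))
        result[identity] = kept
    return result


def unused_grants(granted, events):
    """Grants that no allowed event ever exercised; candidates for removal
    or for on-demand elevation instead of standing access."""
    return {
        identity: [s for s in statements if not exercised_actions(s, events, identity)]
        for identity, statements in granted.items()
    }


if __name__ == "__main__":
    for identity, acts in activity_by_identity(AUDIT_LOG).items():
        print(identity, "executed:", sorted(acts["executed"]), "denied:", sorted(acts["denied"]))
    print("right-sized policies:", rightsize(GRANTED, AUDIT_LOG))
    print("unused grants:", unused_grants(GRANTED, AUDIT_LOG))
```

Running it against the constructed data collapses the service account's `s3:*` grant to the two S3 actions it actually performs, drops `ec2:TerminateInstances` and Alice's unused `s3:PutObject` as candidates for removal or on-demand elevation, and surfaces Alice's denied `s3:DeleteObject` attempt, which is exactly the "attempted but not allowed" signal the auditing paragraph says you need for detection and incident response.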

The move to the cloud is daunting and made even more complex by the cloud infrastructure providers themselves. Each provider's services offer a bewildering number of options that all come with their own set of default permissions. This complexity is further compounded by the use of multiple clouds. As this shift to the cloud occurs, and access control is the only thing preventing someone from accessing sensitive information on an S3 bucket or EC2 instance, pursuing a back-to-basics approach for authentication, authorization, and audit controls is important to protect data at scale.


Raj Mallempati is Chief Operating Officer at CloudKnox Security, where he is responsible for CloudKnox's overall business and go-to-market strategies. Prior to joining CloudKnox, Raj was most recently the Senior Vice President of Marketing at Malwarebytes. Raj has also held ... View Full Bio
