Dark Reading is part of the Informa Tech Division of Informa PLC
Raj Mallempati
Back to Basics with Cloud Permissions Management

By using the AAA permissions management framework for cloud operations, organizations can address authentication, authorization, and auditing.

As I spend more time discussing the cloud with security customers and partners, it has made me think a lot about how the industry is continuously evolving to figure out new ways to layer on security and complexity while at the same time neglecting some of the basics.

A primary example is permissions management for identities and resources accessing cloud (private, public, or hybrid) infrastructure. One of the frequently quoted frameworks in security is a relatively simple AAA framework: authentication, authorization, and auditing. This framework is intended to help people understand the nuances of identity management and think specifically about how to reduce or mitigate risk by minimizing the attack surface.

Specifically, enterprises need to manage all identities (human or nonhuman) based on what they are permitted to access (through authentication — e.g., passwords) as well as what tasks these identities can perform through authorization and privilege management. The framework also defines the actions performed by the identities through auditing and logs.

Although the threat vectors facing organizations have evolved significantly and increased in sophistication, I still believe this framework is easy to understand and deploy; it's also still essential to use as the foundation for enterprises to build their cloud security strategy.

Here's how this might work in a cloud-first or cloud-centric organization.

Authentication? Or Zero Trust?
With the continued adoption of cloud infrastructure, cloud applications, and mobile devices and applications, the concept of perimeter-based security for authentication is inadequate. In fact, I believe it's a very arcane way of looking at authentication. Over the past 10 years, this space has seen a much-needed shift in thinking and strategy led by vendors like Okta, Ping Identity, and Netskope. Customers are looking for an authentication solution that works across their existing data center infrastructure and their cloud infrastructure. The new authentication architecture and strategy is intended to focus on either "trust but verify" or "verify but never trust" in all authentication processes.

In the end, this just means more rigorous and comprehensive authentication that requires a fundamental rearchitecture of existing networks for organizations. This can take time to implement because there are a lot more basics to get right in authentication. First, multifactor authentication is no longer negotiable — it needs to be implemented for all cloud-native services and infrastructure, so stop delaying and get it implemented for all your identities.

Right-Sizing Authorization
Authorization is the most overlooked permission management control in the security organization. This tends to be the case across all companies because in a cloud world, basic visibility requires deep knowledge of the underlying infrastructure, and there are tens of thousands of permissions and resources to manage. Imagine if every cloud infrastructure identity, human or machine, had the same ability to perform tasks and access to the same information, systems, and data.

Authorization is essential to restrict the actions of identities to only what they absolutely need to perform, thereby reducing unwanted, avoidable risk significantly. It should form the basis for every security program but can be daunting in complexity.

The key to getting the basics right is right-sizing permissions: focusing on the permissions an identity requires to do its job on a daily basis, rather than trying to identify all the permissions it might possibly need. Augment this by delivering any additional permissions or privileges on demand, when and only when identities need them. This delivers a comprehensive authorization model based on permissions used as opposed to permissions granted.

Auditing: Who Did What?
It sounds simple to most people, but it is surprisingly complicated and difficult to determine all the activities that identities have executed. This is especially true when you consider the thousands of resources that these identities can access across multiple cloud infrastructure platforms.

It is essential to have auditing capabilities as a key building block to a robust cloud infrastructure security framework, however difficult or complex this may be. Knowing what resources are being accessed or attempted to be accessed is not enough. Knowing what every identity is doing or attempting to do inside your cloud infrastructure resources is mandatory for detecting threats and for robust incident response. This is also critical for continuous security and compliance controls across all your cloud infrastructure platforms.
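The two ideas above, right-sizing grants against permissions actually used and surfacing attempted-but-denied actions from the audit trail, can be combined in one review step. The following is an added example, not code from the article or from CloudKnox; the identities, the "service:Action" permission names, and the audit events are constructed sample data, and real cloud logs carry far more fields.

```python
# Added example: right-size permissions from audit evidence. The granted
# policies and the audit events below are constructed sample data.
from collections import defaultdict

# Constructed: permissions each identity has been GRANTED.
GRANTED = {
    "deploy-bot": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
                   "ec2:RunInstances", "ec2:TerminateInstances",
                   "iam:CreateUser"},
    "alice": {"s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances"},
}

# Constructed audit events for the review window: (identity, action, outcome).
EVENTS = [
    ("deploy-bot", "s3:GetObject", "allowed"),
    ("deploy-bot", "s3:PutObject", "allowed"),
    ("deploy-bot", "ec2:RunInstances", "allowed"),
    ("alice", "s3:GetObject", "allowed"),
    ("alice", "s3:ListBucket", "allowed"),
    ("alice", "s3:DeleteBucket", "denied"),   # attempted, never granted
    ("alice", "s3:DeleteBucket", "denied"),
]


def right_size(granted, events):
    """Compare permissions granted with permissions actually used.

    Per identity, returns the permissions to keep (granted and used), the
    permissions to remove or move to on-demand elevation (granted but never
    used in the window), and the denied attempts that auditing should hand
    to detection and incident response.
    """
    used = defaultdict(set)
    denied = defaultdict(set)
    for identity, action, outcome in events:
        if outcome == "allowed":
            used[identity].add(action)
        else:
            denied[identity].add(action)
    report = {}
    for identity, perms in granted.items():
        report[identity] = {
            "keep": sorted(perms & used[identity]),
            "remove_or_on_demand": sorted(perms - used[identity]),
            "denied_attempts": sorted(denied[identity]),
        }
    return report


if __name__ == "__main__":
    for identity, result in right_size(GRANTED, EVENTS).items():
        print(identity, result)
```

Run periodically over a real audit window, the "remove_or_on_demand" list is the candidate set for trimming standing grants, and a non-empty "denied_attempts" list is an audit signal worth triage regardless of whether the grant was right-sized.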

The move to the cloud is daunting and made even more complex by the cloud infrastructure providers themselves. Each provider's services offer a bewildering number of options that all come with their own set of default permissions. This complexity is further compounded by the use of multiple clouds. As this shift to the cloud occurs, and access control is the only thing preventing someone from accessing sensitive information on an S3 bucket or EC2 instance, pursuing a back-to-basics approach for authentication, authorization, and audit controls is important to protect data at scale.


Raj Mallempati is Chief Operating Officer at CloudKnox Security, where he is responsible for CloudKnox's overall business and go-to-market strategies. Prior to joining CloudKnox, Raj was most recently the Senior Vice President of Marketing at Malwarebytes. Raj has also held ...
