Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

11/25/2020
01:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Do You Know Who's Lurking in Your Cloud Environment?

A security researcher explains the dangers of poor visibility in the cloud and a new strategy to evaluate IAM exposure in Google Cloud Platform.

Most organizations don't have full visibility into what users can do in their cloud environment. They don't know who can assume other identities to escalate privileges or which permissions they'd be able to achieve – a lack of insight that could put the business at risk. 

Related Content:

As Businesses Move to Multicloud Approach, Ransomware Follows

The Changing Face of Threat Intelligence

New on The Edge: How Ransomware Defense Is Evolving With Ransomware Attacks

Colin Estep, senior security researcher at Netskope, started researching potential security holes in Google Cloud Platform (GCP) about a year ago. In that time, he has sought to learn how more organizations can evaluate their full identity and access management (IAM) exposure to be able to answer the question: Do you know what all your users can do in your cloud environment? 

"Overall, for any cloud platform that's what's been intriguing to me: asking this really basic question that nobody really has the answer to," says Estep. "The answer to that is largely, 'No, I don't know what every single user can do. I don't know what their full capabilities are.'"

The general issue of IAM in the cloud stems from the dynamic nature of cloud environments, he continues. Fast-moving resources are constantly changing – people are working on different projects and spinning things up, and new services are emerging. The rapidly evolving nature of the cloud makes it difficult for organizations to stay informed on what these new services are, how they work, and what the implications are for permissions to various resources in the cloud.

"It's just this monumental thing to get a handle on," Estep explains. "Identity, in particular, is really one of the critical areas because … if you don't have your identity solution figured out, then you could expose sensitive data, you could have resources be abused or deleted – all kinds of things could happen in your environment."

Estep, who had previously worked with Amazon Web Services (AWS), began working with GCP due to Netskope's heightened customer demand. He found Google's platform interesting and different in the way it structures and grants permissions to employees.

"I feel like Google had a lot more of a layout in mind … where they have a hierarchy within the environment and you can assign permissions in this hierarchy," he explains. GCP also does not have "deny" policies. While it tries to keep permissions policies simpler, Estep says things can get complex when admins have to put different layers together to figure out what's going on.

This is partly why he decided to focus his research on Google Cloud, which is also the topic for his upcoming Black Hat Europe talk, "Permission Mining in GCP."

What's the worst that could happen if an attacker gains too much access? "The sky's the limit," Estep says. As part of his research, he developed a proof-of-concept tool (PoC) for businesses to learn permissions granted to employees throughout their environments. When the tool was used in production environments, the findings were worse than what he expected to find.

For example, it discovered instances where the environment owners had no idea how many users were actually "shadow admins," meaning they could escalate privileges until they had full capabilities over the environment at an organizational level. GCP has a notion of an "organization," which is the topmost piece of the environment, Estep explains. Employees who have admin level of the organization inherit admin capabilities throughout all levels.

"They could go in and change logging, they could go in and create resources, they could delete things, access all the data, add users for themselves," he says. "They could probably do everything except delete the entire environment."

By learning who has which permissions, a business can address the risk before a data breach or another security incident happens.

Services Drive Complexity, Worsen Visibility
Google is keeping its eye on this issue, notes Estep, who says the company has done a good job on authentication versus authorization. However, there is a broad issue across cloud providers of too many services creating complexity. Instead of simplifying a process for customers, many will instead create more services to address the complexity in some way.

As an example, he describes additional controls that state permissions can only be used under certain circumstances or in a specific part of the organization. However, because these controls may fall under a different service, it's outside the normal permissions. This introduces a problem for admins who query permissions for users to see what they're capable of accessing.

"It's still not the full picture because now I have these outside controls that have some effect on it," Estep explains, noting again this issue is not unique to GCP. "And that introduces more complexity. In my mind it's more of a headache now because, as a customer, you have to take that into account, and maybe you don't know that it exists."

A Solution Comes Into Focus
GCP has many hierarchies and permissions. In order to understand their full effect, admins have to look at all the layers together – tough to do in the console, Estep notes. His solution aims to provide a simple way for businesses to map out permissions granted to members, GCP environment structure, and service accounts.

"This project was originally a PoC where I wanted to see if I could answer the question of, 'Do you know what all your users can do?'" he says. The first version, which will be released at BHEU, looks at users and their permissions to see which service accounts can be impersonated.

The solution uses a graph to map out the entities and relationships so admins can see which permissions are attached to GCP users. Once it obtains the relevant data via API calls, the graph maps out the information admins need in a way that's digestible. While he initially didn't want to use a graph, he says it was the best way to consider the many different layers together.

Estep's approach to solving the visibility problem is still young and doesn't yet consider other services, though it's a capability he'd like to integrate in the future. 

"Let's just get the permissions aggregated together in one spot first," he says. "Then we can start adding to that."  

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3318
PUBLISHED: 2021-01-27
attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter.
CVE-2020-5427
PUBLISHED: 2021-01-27
In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5, versions 2.5.x prior 2.5.4, an application is vulnerable to SQL injection when requesting task execution.
CVE-2020-5428
PUBLISHED: 2021-01-27
In applications using Spring Cloud Task 2.2.4.RELEASE and below, may be vulnerable to SQL injection when exercising certain lookup queries in the TaskExplorer.
CVE-2021-20357
PUBLISHED: 2021-01-27
IBM Jazz Foundation products is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 194963.
CVE-2020-4865
PUBLISHED: 2021-01-27
IBM Jazz Foundation products is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190741.