Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

11/25/2020
01:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Do You Know Who's Lurking in Your Cloud Environment?

A security researcher explains the dangers of poor visibility in the cloud and a new strategy to evaluate IAM exposure in Google Cloud Platform.

Most organizations don't have full visibility into what users can do in their cloud environment. They don't know who can assume other identities to escalate privileges or which permissions they'd be able to achieve – a lack of insight that could put the business at risk. 

Related Content:

As Businesses Move to Multicloud Approach, Ransomware Follows

The Changing Face of Threat Intelligence

New on The Edge: How Ransomware Defense Is Evolving With Ransomware Attacks

Colin Estep, senior security researcher at Netskope, started researching potential security holes in Google Cloud Platform (GCP) about a year ago. In that time, he has sought to learn how more organizations can evaluate their full identity and access management (IAM) exposure to be able to answer the question: Do you know what all your users can do in your cloud environment? 

"Overall, for any cloud platform that's what's been intriguing to me: asking this really basic question that nobody really has the answer to," says Estep. "The answer to that is largely, 'No, I don't know what every single user can do. I don't know what their full capabilities are.'"

The general issue of IAM in the cloud stems from the dynamic nature of cloud environments, he continues. Fast-moving resources are constantly changing – people are working on different projects and spinning things up, and new services are emerging. The rapidly evolving nature of the cloud makes it difficult for organizations to stay informed on what these new services are, how they work, and what the implications are for permissions to various resources in the cloud.

"It's just this monumental thing to get a handle on," Estep explains. "Identity, in particular, is really one of the critical areas because … if you don't have your identity solution figured out, then you could expose sensitive data, you could have resources be abused or deleted – all kinds of things could happen in your environment."

Estep, who had previously worked with Amazon Web Services (AWS), began working with GCP due to Netskope's heightened customer demand. He found Google's platform interesting and different in the way it structures and grants permissions to employees.

"I feel like Google had a lot more of a layout in mind … where they have a hierarchy within the environment and you can assign permissions in this hierarchy," he explains. GCP also does not have "deny" policies. While it tries to keep permissions policies simpler, Estep says things can get complex when admins have to put different layers together to figure out what's going on.

This is partly why he decided to focus his research on Google Cloud, which is also the topic for his upcoming Black Hat Europe talk, "Permission Mining in GCP."

What's the worst that could happen if an attacker gains too much access? "The sky's the limit," Estep says. As part of his research, he developed a proof-of-concept tool (PoC) for businesses to learn permissions granted to employees throughout their environments. When the tool was used in production environments, the findings were worse than what he expected to find.

For example, it discovered instances where the environment owners had no idea how many users were actually "shadow admins," meaning they could escalate privileges until they had full capabilities over the environment at an organizational level. GCP has a notion of an "organization," which is the topmost piece of the environment, Estep explains. Employees who have admin level of the organization inherit admin capabilities throughout all levels.

"They could go in and change logging, they could go in and create resources, they could delete things, access all the data, add users for themselves," he says. "They could probably do everything except delete the entire environment."

By learning who has which permissions, a business can address the risk before a data breach or another security incident happens.

Services Drive Complexity, Worsen Visibility
Google is keeping its eye on this issue, notes Estep, who says the company has done a good job on authentication versus authorization. However, there is a broad issue across cloud providers of too many services creating complexity. Instead of simplifying a process for customers, many will instead create more services to address the complexity in some way.

As an example, he describes additional controls that state permissions can only be used under certain circumstances or in a specific part of the organization. However, because these controls may fall under a different service, it's outside the normal permissions. This introduces a problem for admins who query permissions for users to see what they're capable of accessing.

"It's still not the full picture because now I have these outside controls that have some effect on it," Estep explains, noting again this issue is not unique to GCP. "And that introduces more complexity. In my mind it's more of a headache now because, as a customer, you have to take that into account, and maybe you don't know that it exists."

A Solution Comes Into Focus
GCP has many hierarchies and permissions. In order to understand their full effect, admins have to look at all the layers together – tough to do in the console, Estep notes. His solution aims to provide a simple way for businesses to map out permissions granted to members, GCP environment structure, and service accounts.

"This project was originally a PoC where I wanted to see if I could answer the question of, 'Do you know what all your users can do?'" he says. The first version, which will be released at BHEU, looks at users and their permissions to see which service accounts can be impersonated.

The solution uses a graph to map out the entities and relationships so admins can see which permissions are attached to GCP users. Once it obtains the relevant data via API calls, the graph maps out the information admins need in a way that's digestible. While he initially didn't want to use a graph, he says it was the best way to consider the many different layers together.

Estep's approach to solving the visibility problem is still young and doesn't yet consider other services, though it's a capability he'd like to integrate in the future. 

"Let's just get the permissions aggregated together in one spot first," he says. "Then we can start adding to that."  

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27941
PUBLISHED: 2021-05-06
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the...
CVE-2021-29203
PUBLISHED: 2021-05-06
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gai...
CVE-2021-31737
PUBLISHED: 2021-05-06
emlog v5.3.1 and emlog v6.0.0 have a Remote Code Execution vulnerability due to upload of database backup file in admin/data.php.
CVE-2020-28198
PUBLISHED: 2021-05-06
** UNSUPPORTED WHEN ASSIGNED ** The 'id' parameter of IBM Tivoli Storage Manager Version 5 Release 2 (Command Line Administrative Interface, dsmadmc.exe) is vulnerable to an exploitable stack buffer overflow. Note: the vulnerability can be exploited when it is used in "interactive" mode wh...
CVE-2021-28665
PUBLISHED: 2021-05-06
Stormshield SNS with versions before 3.7.18, 3.11.6 and 4.1.6 has a memory-management defect in the SNMP plugin that can lead to excessive consumption of memory and CPU resources, and possibly a denial of service.