Crystal Morin, Cybersecurity Strategist at Sysdig, explains why identity is the biggest challenge for security, and how reducing cloud permissions can prevent threats.
Cloud computing makes it easier to get IT services set up and operating than traditional methods, and cloud services can also scale to meet demand. Rather than spend the time to scope out servers, provision hardware and storage, and rack everything up on a case-by-case basis, you can go from zero to fully functional pretty much instantly in the cloud. But with this great ease of access also comes great risk. Here in the 21st century, we are now accustomed to speed and ease of access, and any impediments are a problem.
You want your developers working on new code and building applications at 21st-century speed, so why would you put hurdles in their sprints? It’s this mindset of ease of access and speed for application delivery that has led many companies to overprovision cloud identities and permissions. According to the Sysdig 2024 Cloud-Native Security and Usage Report, 98% of permissions in the cloud are unused. This has increased over the previous year, so we’re getting worse — not better — at identity management.
The open door policy
In the cloud, user permissions are the tools that we use to control access and the ability to carry out specific actions for every human and non-human user (devices, applications, services, etc.). Each granted permission is like an open door, allowing you to move throughout a restricted room. Lock too many doors, and the task of going from one place to another becomes impossible to complete. When your developers have tasks to complete, they want doors open so they can get the job done without hindrance.
Conversely, when you leave too many doors open, anyone can wander through. This is one of those great risks that come with ease of access in the cloud, because these overly permissive accounts are a gold mine of opportunity for an attacker to move laterally within an environment. Attackers may find initial access to an environment or account through a software vulnerability or stolen credentials and, once in, an attacker will either start looking for and gathering valuable data or deploying malware packages like ransomware and cryptomining. Attackers are often most successful when they find overly permissive user accounts.
Attackers may also find credentials held within application components that provide the application, a non-human identity, with permission accesses. It’s never a good idea for account details to be hard-coded or written in plain text within that application or service component, but it happens often enough that it is a risk worth noting. Attackers will dig through non-human user accounts for those credentials, but that’s not even the worst of it. Sysdig’s report also notes that a majority of organisations use public repositories. When those components and corresponding credentials are stored in public registries like GitHub, they are available to anyone with the inclination to look for them. While developers might benefit from the workflow speed this convenience offers, it again represents a significant unnecessary risk.
Shut the front door
While speedy delivery is ideal for developer productivity, poor security is bad for business. To get ahead of these potential issues, start closing doors – in other words, review cloud accounts and permissions on a regular basis. What cadence is your organisation using for identity management review and can it be improved? Keep your account permissions up-to-date for current projects and consider how many remote access opportunities exist with your various connected services.
Consider secret management tools too, so account credentials and other details aren’t exposed within the account. In addition, a cloud infrastructure entitlement management (CIEM) tool can help enforce least privilege access policies and reduce the risk of misconfiguration and privilege escalation attack opportunities, essentially automating an analysis process that can be quite taxing if done manually.
When an attacker does manage to get into your organisation’s environment, limiting access and having closed doors will limit what they can do and give you more time to find them while they snoop around. There is something very satisfying in limiting attacks to the digital equivalent of a front porch, before removing them from the building. This should be part of a wider approach to managing identities, restricting access where it is no longer needed, and keeping an eye on in-use permissions for potentially malicious behaviours.
Countdown to response
According to Sysdig’s Threat Research Team, the average time it takes for a threat actor to make an impact is 10 minutes from the initial breach. That 10-minute window to first detect an actively developing incident through alerts of unauthorised activity or unusual traffic and then respond to it before the attacker causes real damage is a short one.
To deliver this kind of response, security teams must have real-time insight into what is taking place at any time within the cloud environment, including other connected cloud instances, running software containers, and all human and machine accounts with access to the environment. It is imperative that this detection process works in real-time so defenders can see and correlate relative data and trace an attacker’s actions and take the appropriate remediation steps in time. To do this in that 10-minute window requires automation. Attackers also use automation to discover accounts and privileged accesses across an environment.
Wrap it up
One way to reduce your risk of a speedy attack is to reduce and maintain the number of permissions each human or nonhuman user has to only what is needed. Similarly, keep an eye on your in-use permissions so you can differentiate and alert on abnormal activities for each user. Lastly, use automation to connect the dots between vulnerabilities, account permissions and use, and real-time detection to uncover hidden attack paths and risks. These efforts should enable you to keep your whole environment more secure.
