Cloud IAM Done Right: How LPA Helps Significantly Reduce Cloud Risk

Originally published by Rapid7 here.

Written by Sanjeev Williams, Senior Director, Cloud Security Products, Rapid7.

Today almost all cloud users, roles, and identities are overly permissive. This leads to repeated headlines and forensic reports of attackers leveraging weak identity postures to gain a foothold, then moving laterally within an organization’s modern cloud environment.

This has become a prevalent theme in securing the cloud, where identity and access management (IAM) plays a much larger role in governing access than in traditional infrastructure. However, the cloud was built for innovation and speed, with little consideration as to whether what has been granted is appropriate. The end result is an ever-growing interconnected attack surface that desperately needs to be tailored down.

Permissions Can’t Become a Point of Friction for Developers

In today’s world of continuous, fast-paced innovation, being able to move quickly and without friction is a key ingredient to delivering for customers and remaining competitive within our industries. Therefore, developers are often granted “godlike” access to leverage cloud services and build applications in an effort to eliminate the potential that they will hit a roadblock later on. Peeling that back is a daunting task.

So how do you do that? Adopt the principle of least privilege access (LPA), which recommends that a user should be given only those privileges needed for them to perform their function or task. If a user does not need a specific permission, the user should not have that permission.

Assessment and reporting of permission requirements is a must-have to be successful.

Identity LPA Requires Dynamic Assessment

The first step to executing on this initiative of LPA is to provide evidence to your dev teams that there is a problem to be solved. When first collaborating with your development partners, having a clear report of what permissions users have leveraged and what they have not can help move the discussion forward. If “Sam” has not used [insert permission] in the past 90 days, then does Sam really need this permission?

Having a solution that can track permission usage and provide reporting over time on all your clouds becomes a very handy tool to start this discussion, and lays the groundwork for continuous evaluation of the delta between used and unused permissions. This is critical, because while unused permissions may seem benign at first glance, they play a significant role in expanding your organization's attack surface.

Effective Cloud IAM Requires Prioritization

The continuous evaluation of cloud user activity compared to the permissions they have been previously granted will give security teams visibility into what permissions are going unused, as well as those that have been inappropriately escalated. This then provides a triggering point to investigate and ultimately enforce the principle of least privilege.

Cloud security tools that go beyond cloud security posture management (CSPM) will be able to proactively alert you to overly permissive access. This way, security teams are able to proactively establish controls, but also respond to risk in real time based on suspicious activity or compliance drift.

Like with most security problems, prioritization is a key element to success. Cloud security solutions should go beyond detection and help teams prioritize which users to focus on by identifying which unused permissions pose the greatest risk based on business context. Not all permissions issues are equal from a risk perspective. For example, being able to escalate your privileges, exfiltrate data, or make modifications to security groups are considered privileged actions, and are often leveraged by threat actors when conducting an attack.

Taking Action

Ultimately, you want to modify the policy of the user to match the user's actual needs and access patterns. To ensure the insights derived from dynamically monitoring cloud access patterns and permissions are actionable, teams require a tool with comprehensive reporting capabilities (JSON, report exports, etc.) that help streamline the response process to harden your IAM risk posture.

Ideally, setting up automation that can immediately take action on those insights can streamline the process even further by reducing dependency on manual intervention. This in turn reduces the likelihood of human error.

When Done Right, LPA Significantly Reduces Cloud Risk

When done right, establishing and enforcing least privilege access enables security teams to identify unused permissions and overly permissive roles and report them to your development teams. This is a key step in providing evidence that there is an opportunity to reduce your organization’s attack surface and risk posture. Minimizing the number of users that have been granted high-risk permissions to the ones that truly need them helps to reduce the blast radius in the event of a breach.