Cloud Apps Still Demand Way More Privileges Than They Use
Hackers can’t steal a credential that doesn’t exist.
The rise of the cloud has made business more agile, flexible, and streamlined, which is why over 90% of enterprises have committed to a multicloud strategy. But complexity creates seams where secrets leak out. Recent high-profile breaches at Microsoft and at airports have made the misconfigured S3 bucket a cybersecurity trope. Configuration issues aren't the only problem, however: access creep is just as dangerous, and just as common, according to recent figures.
Overprivileging happens when a service or account requests or requires every permission it might possibly ever use, usually to avoid having to go back and request new permissions if the need arises later. This would be a poor situation even at a single-server level, but as various services and vendors interact, each granted its own high level of permissions, the chance of compromise compounds.
In its end-of-year summary for 2022, cloud security company Permiso reported that cloud security posture management (CSPM) vendors use only a fraction of the permissions they are granted: just more than 1/10th, or 11%. This shrinks to 5.3% across all users and roles. That’s a lot of unlocked doors that nobody needs to open.
The results of its analysis jibe with the results from a CloudKnox survey from two years ago, which found that 90%-95% of identities on AWS, Azure, Google Cloud Platform, and vSphere use no more than 2%-5% of the permissions granted.
“Most teams assume that these secrets are only being used by the individuals or workloads they have been provisioned to, but in reality, these secrets are often shared, rarely rotated, are long-lived and not single-use, so just like passwords, they become more vulnerable as they age,” the Permiso team wrote.
And therein lies the problem. Organizations are usually fairly strict about setting up permissions for human users, but they tend to allow the requested default permissions for machine identities. This leads to a situation in which threat actors need only find a way into one overly permissioned account in order to gain privileged access over much of the corporate cloud. “You may have your database perfectly locked down, but if a service that has access to that database has the permissions for anyone to get in, your database is as good as compromised,” Kendall Miller, president of Kubernetes governance service FairWinds, warned in 2021.
And for the year 2022, Permiso flatly declared, “All of the incidents we detected and responded to were a result of a compromised credential,” rather than a misconfigured cloud resource.
The key to managing this risk is to audit permissions and institute strong identity and access management (IAM) policies for all users, not just humans. That begins with determining what data an application actually needs access to — and what it doesn't. A software org chart might prove helpful in tracing the routes of access among apps and assigning or restricting permissions.