CLOUD SECURITY - SHOULD CLOUD ACCESS BE CONSIDERED AS PRIVILEGED ACCESS?

Should Cloud Access be considered as Privileged Access? Thoughts around Cloud Access Management Strategies from CSCIS.

Digital transformation has led to a significant rise in cloud adoption by organisations of all sizes and across all industries. The adoption of cloud computing has enabled businesses to leverage new technologies and platforms, such as Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), to improve their operations, enhance customer experiences, and gain a competitive edge. However, this transformation also introduces new security risks that organisations must address to protect their data and assets.


In this blog post, we will explore one of the security risks that arise from digital transformation and discuss strategies for mitigating it.

What's the security risk?

Cloud consoles have become an attractive target for cybercriminals due to the single point of access they provide to an organisation's cloud infrastructure. Cybercriminals can exploit weaknesses in cloud console authentication, such as weak passwords or compromised credentials, to gain unauthorised access to the console. Once they have access, they can carry out a range of malicious activities, such as deleting or modifying data, creating new user accounts, or launching new instances. It's worth noting that rogue employees with access to cloud consoles can also cause significant harm to an organisation's security. In addition to the above threats, theft of authenticated session cookies, which lets an attacker reuse an already signed-in session, is a significant and persistent threat.


How real is the risk?

• According to Sysdig, a significant number of DevOps users (27%) still rely on root user accounts for daily tasks, and a concerning 45% of accounts lack protection through multi-factor authentication.

• Given the potential damage that unauthorised access to cloud environments can cause, Gartner notes that "All IaaS accounts are privileged."

• Furthermore, Microsoft's State of Cloud Permissions Risk report shows how much the problem is compounded: identities use only 1% of their granted permissions, and over 50% of those permissions are high-risk and capable of causing catastrophic damage if used improperly.

• Most organisations have dozens to hundreds of accounts across various cloud platforms such as AWS, Azure, or GCP. Organisations typically grant users access to an entire organisation (Org) or organisational unit (OU), creating a standing access problem. This means that anyone with access to credentials or session cookies can obtain the same level of access at any time, 24x7x365.


What organisations can do to contain the risk:

• Consider implementing Multi-Factor Authentication (MFA) for all users, including root users. The selection of a secure MFA method can be discussed in a separate blog post.

• A least privilege approach can be applied by reviewing the permissions actually used by identities in the last 90 days and assigning only the necessary permissions, reducing the risk of unauthorised access.

• To improve access management, organisations can consider adopting the following practices:

  1. Utilize Daily Operation Roles to carry out routine tasks and reduce the need for high privilege access.
  2. Use Highly Privileged Roles such as AWS Administrator, Azure Global Admin, Azure Subscription Owner, or GCP Project Owner with a proper workflow to ensure controlled access.
  3. Do not allow Standing Access at all for Production Accounts or Production OUs.
  4. Require Proper Workflow Approval with Appropriate Justification for any access to the production environment to ensure security and accountability.


What technologies can organisations leverage?

Least Privilege Permissions: Use Cloud Infrastructure Entitlement Management (CIEM) solutions or cloud-native tools such as AWS Access Analyzer or GCP IAM Recommender to enforce the principle of least privilege and reduce the risk of over-privileged access.
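As an added illustration of the 90-day permission review described above (this is example code written for this post, not code from the original article, from AWS, or from any CIEM product), the following Python script takes a constructed IAM policy and constructed data shaped like IAM Access Advisor's "services last accessed" output, and drops Allow actions for services that showed no activity in the window. The policy contents, timestamps and the reference date are assumed sample values.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: a policy attached to a "daily operations" role.
# Actions and resources are assumed values, not taken from a real account.
DAILY_OPS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances",
                   "ec2:TerminateInstances", "iam:CreateUser", "kms:Decrypt"],
        "Resource": "*",
    }],
}

# Constructed sample in the shape of Access Advisor data:
# service namespace -> last authenticated time (None = never used).
LAST_ACCESSED = {
    "s3": datetime(2024, 5, 20, tzinfo=timezone.utc),
    "ec2": datetime(2024, 5, 1, tzinfo=timezone.utc),
    "iam": None,
    "kms": datetime(2023, 11, 2, tzinfo=timezone.utc),
}
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # assumed review date

def unused_services(last_accessed, now, window_days=90):
    """Service namespaces with no authenticated activity inside the window."""
    cutoff = now - timedelta(days=window_days)
    return {svc for svc, ts in last_accessed.items() if ts is None or ts < cutoff}

def rightsize_policy(policy, last_accessed, now, window_days=90):
    """Remove Allow actions whose service was unused in the window.
    Granularity is per service, as with Access Advisor; Deny statements,
    wildcard actions and services without data are left untouched.
    Returns (trimmed_policy, removed_actions)."""
    stale = unused_services(last_accessed, now, window_days)
    removed, trimmed = [], {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        kept = []
        for action in actions:
            service = action.split(":", 1)[0].lower()
            if stmt["Effect"] == "Allow" and service in stale:
                removed.append(action)
            else:
                kept.append(action)
        if kept:  # drop statements that end up with no actions at all
            trimmed["Statement"].append({**stmt, "Action": kept})
    return trimmed, removed

if __name__ == "__main__":
    policy, removed = rightsize_policy(DAILY_OPS_POLICY, LAST_ACCESSED, AS_OF)
    print(json.dumps(policy, indent=2))
    print("removed:", removed)
```

Review the removed list with the role owner before applying the trimmed policy, since a service that is only used during a quarterly task can look stale inside a 90-day window.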

Access Management: The top cloud service providers offer extensive API-driven approaches to managing access. Use automation tools to build custom workflows, or consider commercial solutions, that grant users specific roles or permission sets only when needed and remove them afterwards, mitigating the risk of standing access.


Benefits of mitigating such risks:

• Reduction of the blast radius of attacks.
• Progress towards a Zero Trust-based approach to security.

In our upcoming blog series, we will discuss the cloud APIs provided by AWS, Azure and GCP. Stay tuned.


Author

Rajnish Garg, CISSP, CSCIS Cloud Security Member