Effective Privilege Management in the Cloud – Mission Impossible?
Ofir Stein
September 20, 2022
TLDR: Overprivileged access is a natural consequence of manually granting and revoking access to cloud assets and environments. What DevOps teams need are tools to automate the process. Apono automatically discovers cloud resources and their standing privileges, centralizing all cloud access in a single platform so you don’t have to deal with another access ticket ever again.
How much access to cloud resources do your developers really need?
In an ideal world, you would give access to whoever needs it only for as long as they need it, and “Least Privilege” access policies (meaning both “Just-in-Time” and “Just Enough”) would be the norm.
But we don’t live in an ideal world.
Cloud infrastructure is dynamic and constantly changing. Some resources, such as cloud data sets, may include more than one database, each with its own set of access requirements. For example, a user could require read/write rights for one and read-only rights for another.
In theory, you should keep track of all these access rights and revoke and grant them as needed. But in practice, we don’t have the tools to automate cloud access management, which leads us to give more access than we should.
What is overprivileged access?
Overprivileged access is when an identity is granted more privileges than the user needs to do their job. In the cloud, this happens all the time.
For example, a developer needs access to an S3 bucket for a couple of hours each Monday in June to do some testing. After they are done, they won’t need that access again until a sprint with a task requiring it comes up.
If you were to go by the book, you would need to manually give them access and then manually revoke it on Mondays for four weeks.
This is simply not sustainable. The ratio between DevOps and engineers is already 1 to 10, and it’s not possible for DevOps engineers to be constantly dropping what they are doing to provision or revoke access. We’ve got other stuff to do.
When a developer needs access to a sensitive S3 bucket that contains customer data, it’s often not clearly defined which permissions will be enough for the user to do their job. We address this problem by providing more access than we should in order to avoid becoming a bottleneck. As a result, the whole role ends up with over-privileged permissions. What we’re left with is overprivileged role-level access that affects a large number of users and is unlikely ever to be revoked.
Another common way overprivileged access creeps into your cloud stack is when “Read/Write” access is granted to users who need only Read rights for a limited time. An overprivileged identity with Write access can do great damage if it’s compromised.
To make matters worse, managing access is kind of dull. Nothing is less exciting than dealing with another access ticket. Managing access is the task you want to get over with as quickly as possible.
Without automation, it’s impossible to implement granular access provisioning, revoke access in a timely manner, or even just keep tabs on existing policies. And that, folks, is how overprivileged access to cloud resources became the norm.
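The Monday testing window and the read-only versus read/write distinction above can be expressed as time-boxed grants that expire on their own instead of waiting for a DevOps engineer to revoke them. The following Python model is an added illustration, not Apono’s code and not a call to AWS: the bucket name, the role ARN and the timestamps are constructed sample values. Only the IAM policy document shape, the S3 action names and the `aws:CurrentTime` condition key are real.

```python
"""Just-in-time, least-privilege grants for an S3 bucket, modelled in plain Python.

Added example: it does not talk to AWS. Identities, bucket names and times are
constructed sample values; the policy document layout and S3 actions are real.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# The smallest action list that lets a developer do the job ("Just Enough").
ACTIONS = {
    "read": ["s3:GetObject", "s3:ListBucket"],
    "read-write": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"],
}


@dataclass
class Grant:
    identity: str        # IAM principal ARN (constructed sample in the demo)
    bucket: str
    level: str           # "read" or "read-write"
    starts: datetime
    ends: datetime       # hard expiry: the grant disappears after this ("Just-in-Time")


@dataclass
class GrantLedger:
    grants: list[Grant] = field(default_factory=list)

    def request(self, identity: str, bucket: str, level: str,
                now: datetime, duration: timedelta) -> Grant:
        """Issue a grant valid from `now` for `duration`; never open-ended."""
        if level not in ACTIONS:
            raise ValueError(f"unknown access level {level!r}")
        grant = Grant(identity, bucket, level, now, now + duration)
        self.grants.append(grant)
        return grant

    def active(self, now: datetime) -> list[Grant]:
        # A grant is live only inside its window; nothing is revoked by hand.
        return [g for g in self.grants if g.starts <= now < g.ends]

    def expire(self, now: datetime) -> list[Grant]:
        """Drop expired grants and return them (for an audit log)."""
        gone = [g for g in self.grants if g.ends <= now]
        self.grants = [g for g in self.grants if g.ends > now]
        return gone

    def policy_for(self, identity: str, now: datetime) -> dict:
        """Build the IAM policy document an identity should hold right now.
        An empty Statement list means no standing access at all."""
        statements = []
        for g in self.active(now):
            if g.identity != identity:
                continue
            statements.append({
                "Effect": "Allow",
                "Action": ACTIONS[g.level],
                "Resource": [f"arn:aws:s3:::{g.bucket}", f"arn:aws:s3:::{g.bucket}/*"],
                # Defence in depth: even if this policy lingers on the role,
                # IAM stops honouring it once the window closes.
                "Condition": {
                    "DateLessThan": {"aws:CurrentTime": g.ends.strftime("%Y-%m-%dT%H:%M:%SZ")}
                },
            })
        return {"Version": "2012-10-17", "Statement": statements}


def monday_window_demo():
    """Two hours of read-only access on a Monday in June, then nothing."""
    ledger = GrantLedger()
    monday = datetime(2022, 6, 6, 9, 0, tzinfo=timezone.utc)      # constructed sample date
    dev = "arn:aws:iam::123456789012:role/dev-alice"               # constructed sample ARN
    ledger.request(dev, "customer-data-test", "read", monday, timedelta(hours=2))
    during = ledger.policy_for(dev, monday + timedelta(hours=1))   # inside the window
    after = ledger.policy_for(dev, monday + timedelta(hours=3))    # window closed
    expired = ledger.expire(monday + timedelta(hours=3))
    return during, after, expired


if __name__ == "__main__":
    during, after, expired = monday_window_demo()
    print("during window:", during["Statement"][0]["Action"])
    print("after window: ", after["Statement"])
    print("expired grants:", len(expired))
```

Two design points carry the post’s argument: the developer who only tests gets `read` and never `read-write`, so a compromised credential cannot write or delete, and every grant carries its own end time, so the revocation step the post calls unsustainable simply does not exist.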
Why overprivileged access is a problem
Today, overprivileged access is everywhere. And it’s a serious problem for several reasons:
1) Attack Surface = Permissions x Sensitive Cloud Resources
Overprivileged access is one of the biggest security risks in the cloud. In recent years, the vast majority of breaches (81%) have been directly related to passwords that were either stolen or too weak.
But it’s not just about passwords. It’s about the way cloud resources are accessed and used.
Overprivileged access significantly increases the blast radius of an attack. When an attacker obtains a set of valid credentials, the permissions linked to those credentials determine what they can and cannot do in your environment. The more permissions a compromised identity has, the bigger the attack surface.
In the cloud era, permissions are your last line of defense: the right permissions are what prevent unauthorized identities from accessing your company’s sensitive data. Therefore, tailoring access to the task at hand will drastically reduce the risk.
2) Complexity & Lack of Visibility
Another issue with overprivileged access is that it makes cloud environments more complex than they need to be. When everyone has full access to everything, it’s very difficult to keep track of what’s going on.
This can make it hard to troubleshoot issues, diagnose problems, and comply with regulations.
The harm that can come from overprivileged access does not come only from malicious actors. All humans make mistakes, and your employees are human.
3) Mistakes will happen
According to the 2022 Data Breach Investigations Report, human error is to blame for eight out of 10 data breaches. Overprivileged access significantly increases the risk of such mistakes and the resulting fallout.
The burden of access management falls on DevOps teams.
Traditionally, access management has been the domain of IT security, but as cloud adoption increased, the burden of managing cloud access has fallen upon the shoulders of those responsible for the cloud infrastructure.
More and more DevOps engineers are finding themselves in charge of their organizations’ access management policies.
In today’s public cloud reality, provisioning of access is becoming an ever more important part of DevOps engineers’ day-to-day work. And that’s where the balancing act begins:
- You want to give developers the freedom to work on whatever they need to get the job done.
- You know that overprivileged access is a dangerous thing, but you can’t spend every hour of every day stopping what you are doing to give and then revoke access to cloud resources.
A cloud-native approach to access provisioning
Moving to the cloud is a transition towards a more agile way of working, which necessitates a subsequent shift to dynamic permission management.
So what are we to do?
The answer, as with most things in a DevOps engineer’s life, lies in automation. We need to find a way to automate cloud access management so that DevOps engineers can focus on their actual jobs and not spend all their time managing access.
We need a tool that is:
– Easy to use
– Scalable
– Seamless
And that is where Apono comes in.
Apono simplifies cloud access management. Our technology discovers and eliminates standing privileges using contextual dynamic access automation that enforces Just-In-Time and Just Enough Access.
With Apono, it is now possible to seamlessly and securely manage permissions and comply with regulations while providing a frictionless end-user experience.
Are you ready to never have to worry about cloud access provisioning again? Get in touch with us today.