The rise of the cloud has made business more agile, flexible, and streamlined, which are all solid reasons why over 90% of enterprises have committed to a multicloud strategy. But complexity creates seams where secrets leak out. Recent high-profile breaches at Microsoft and at airports have made misconfigured S3 buckets a cybersecurity trope. However, configuration issues aren’t the only problem: Access creep is just as dangerous and common, according to recent figures.
Overprivileging happens when a service or account requests or requires all the permissions it might possibly ever use, usually in order to avoid having to go back and request new permissions if the need arises later. This would be a poor situation even at a single-server level, but as various services and vendors interact, each granted its own high level of permissions, the chance of compromise builds.
In its end-of-year summary for 2022, cloud security company Permiso reported that cloud security posture management (CSPM) vendors use a mere 11% of the permissions they are granted. This shrinks to 5.3% across all users and roles. That’s a lot of unlocked doors that nobody needs to open.
The results of its analysis jibe with the results from a CloudKnox survey from two years ago, which found that 90% to 95% of identities on Amazon Web Services, Microsoft Azure, Google Cloud Platform, and vSphere used no more than 2% to 5% of the permissions granted.
“Most teams assume that these secrets are only being used by the individuals or workloads they have been provisioned to, but in reality, these secrets are often shared, rarely rotated, are long-lived and not single-use, so just like passwords, they become more vulnerable as they age,” the Permiso team wrote.
And therein lies the problem. Organizations are usually pretty strict about setting up permissions for human users, but they tend to allow the requested default permissions for machine identities. This leads to a situation in which threat actors need only find a way into one over-permissioned account in order to gain privileged access over much of the corporate cloud.
“You may have your database perfectly locked down, but if a service that has access to that database has the permissions for anyone to get in, your database is as good as compromised,” warned Kendall Miller, president of Kubernetes governance service FairWinds, in 2021.
And for the year 2022, Permiso flatly declared, “All of the incidents we detected and responded to were a result of a compromised credential,” rather than a misconfigured cloud resource.
The key to managing this risk is to audit permissions and institute strong identity access management (IAM) policies for all users, not just humans. That begins with determining what data an application actually needs access to — and what it doesn’t. A software org chart might prove helpful in tracing out the routes of access among apps and assigning or restricting permissions.
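As an added illustration, not code from the article or from Permiso, here is the kind of permission-utilisation audit the figures above describe: it expands a granted policy against a catalogue of known actions, compares it with activity-log events, and emits a least-privilege policy. The action catalogue, the policy and the events are all constructed samples.

```python
import fnmatch

# Constructed catalogue of IAM actions the audit knows about (a small subset;
# a real audit would load the full published action list for each service).
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket", "dynamodb:GetItem", "dynamodb:PutItem",
    "dynamodb:DeleteTable", "iam:PassRole", "iam:CreateUser",
]

# Constructed policy on a machine identity, with "request everything" wildcards.
GRANTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]}

# Constructed activity-log events: what the identity actually invoked.
OBSERVED_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem"},
]


def expand_granted(policy):
    """Expand Allow statements, wildcards included, into concrete actions."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        for pattern in [actions] if isinstance(actions, str) else actions:
            # IAM action matching is case-insensitive and supports '*' and '?'
            granted.update(a for a in KNOWN_ACTIONS
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted


def used_actions(events):
    """Map log events back to IAM action names of the form service:Operation."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}


def audit(policy, events):
    """Return (utilisation ratio, unused actions, least-privilege policy)."""
    granted, used = expand_granted(policy), used_actions(events)
    exercised = sorted(granted & used)
    ratio = len(exercised) / len(granted) if granted else 0.0
    # Resource stays "*" here; scoping it to specific ARNs is the next step.
    minimal = {"Version": policy["Version"], "Statement": [
        {"Effect": "Allow", "Action": exercised, "Resource": "*"}]}
    return ratio, sorted(granted - used), minimal
```

On the sample data the identity exercises 2 of 9 granted actions (about 22%), and the unused set includes `iam:PassRole`, which is exactly the kind of standing privilege an audit should flag.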