As organizations evolve in the cloud, the number of cloud services their teams use, and the identity permissions that go with them, grows significantly. The services teams use to build and deliver applications are referred to as assets or resources. Configuring cloud assets, roles, and permissions quickly becomes tedious, time-consuming, and error-prone.
The leading causes of security incidents are misconfigured assets and over-privileged identities; it is therefore essential to manage both diligently.
To keep up with the cloud’s constant state of change, complexity, and scale, a programmatic approach is needed. Manual processes leave blind spots, exposing your business to the increased risk of missing an exposed asset with weak security controls and configuration.
Misconfigurations can be the result of both unintentional (legitimate users) and malicious (attacker) actions. Regardless of the nature of the actor, it’s crucial to pay attention to security posture by checking the status of dynamic cloud configurations.
Cloud Security Posture Management (CSPM) solutions offer cloud configuration management capabilities. For industry best practices, visit the Center for Internet Security (CIS) and review the CIS Benchmarks.
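The posture checks described above, as an added example that is not code from the original article or from any CSPM product: a constructed asset inventory is evaluated against a few CIS-style rules (public storage, missing encryption, admin ports open to the world). The inventory layout and the rule set are assumptions made for this illustration.

```python
"""Minimal posture checks over a constructed cloud asset inventory.

Added illustration, not code from the article or a CSPM vendor. The inventory
format and the rule set are assumptions; the checks mirror the kind of
CIS-style controls a CSPM evaluates against current resource configuration.
"""
from dataclasses import dataclass

# Constructed inventory: a handful of cloud assets with their current settings.
INVENTORY = [
    {"id": "bucket-logs", "type": "object_storage", "public_read": False, "encrypted": True},
    {"id": "bucket-uploads", "type": "object_storage", "public_read": True, "encrypted": False},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-bastion", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
]

ADMIN_PORTS = {22, 3389}          # SSH and RDP
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass
class Finding:
    asset_id: str
    rule: str
    severity: str


def check_public_storage(asset):
    """Object storage that anyone on the internet can read."""
    if asset["type"] == "object_storage" and asset.get("public_read"):
        return Finding(asset["id"], "storage-public-read", "high")
    return None


def check_storage_encryption(asset):
    """Object storage without encryption at rest."""
    if asset["type"] == "object_storage" and not asset.get("encrypted"):
        return Finding(asset["id"], "storage-unencrypted", "medium")
    return None


def check_open_admin_ports(asset):
    """Security group exposing an administrative port to every address."""
    if asset["type"] != "security_group":
        return None
    for rule in asset.get("ingress", []):
        if rule["port"] in ADMIN_PORTS and rule["cidr"] in WORLD_CIDRS:
            return Finding(asset["id"], f"admin-port-{rule['port']}-open-to-world", "high")
    return None


RULES = [check_public_storage, check_storage_encryption, check_open_admin_ports]


def evaluate(inventory):
    """Run every rule over every asset; return the list of findings."""
    findings = []
    for asset in inventory:
        for rule in RULES:
            finding = rule(asset)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f.severity:6} {f.asset_id:14} {f.rule}")
```

Running it reports the public, unencrypted uploads bucket and the bastion group open on port 22, while the correctly configured assets produce nothing. A real CSPM re-runs this evaluation continuously as the inventory changes, which is the programmatic approach the text calls for.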
Identifying overprivileged users
Overprivileged entitlement of human and non-human identities is a top cause of data breaches. Applying the principle of least privilege — the concept of providing no more permissions than necessary to perform required actions — is wise, but difficult to implement. Cloud providers make permissions granular, which in theory would lead to least-privilege policies. However, the reality is much more complex.
In practice, permissions aren’t assigned precisely. Often, existing rules are reused, checking only that the permissions are broad enough to avoid disruption. Nothing should get in the way of speed and performance — not even security. So IT and developers often err on the side of excess. Manual fine-tuning would be excessively time-consuming and still not precise.
Cloud Infrastructure Entitlements Management (CIEM) is a key tool to have in your cloud security toolbox. Look for solutions that can discover excessive permissions across active and inactive cloud identities and provide guided remediation to implement the least-privilege principle.
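The entitlement analysis a CIEM performs, shown as an added example rather than the article's or any vendor's code: an identity's granted actions (including wildcards) are compared with the actions it actually performed over a review window, unused grants are listed, a least-privilege action list is derived, and identities with no recent activity are flagged. The `service:Action` naming and `*` glob matching follow the common cloud IAM convention; the policy, the activity counts and the inactivity threshold are constructed for this illustration.

```python
"""Right-size an identity's permissions from what it actually used.

Added example, not the article's or any CIEM product's code. The policy,
activity records and thresholds are constructed; wildcard matching uses the
'service:Action' convention with '*' as a glob, an assumption for this example.
"""
import fnmatch
from collections import Counter

# Constructed: actions granted to a deployment role, including broad wildcards.
GRANTED = ["s3:*", "ec2:Describe*", "iam:PassRole", "iam:CreateUser",
           "lambda:UpdateFunctionCode"]

# Constructed: actions the role actually performed over the review window,
# as would be extracted from audit logs (value = number of calls).
OBSERVED = Counter({
    "s3:GetObject": 120,
    "s3:PutObject": 45,
    "ec2:DescribeInstances": 30,
    "lambda:UpdateFunctionCode": 12,
})

# Constructed: days since each identity last recorded any action.
LAST_ACTIVITY_DAYS = {"deploy-role": 2, "legacy-backup-role": 140, "ci-user": 35}
INACTIVITY_DAYS = 90


def grant_matches(pattern, action):
    """Case-sensitive glob match of one granted pattern against one action."""
    return fnmatch.fnmatchcase(action, pattern)


def entitlement_report(granted, observed):
    """Return (used_grants, unused_grants, least_privilege_actions).

    used_grants maps each exercised grant to the concrete actions seen under it;
    unused_grants are grants that matched no observed action at all;
    least_privilege_actions is the explicit action list that would replace them.
    """
    used = {}
    for pattern in granted:
        hits = sorted(a for a in observed if grant_matches(pattern, a))
        if hits:
            used[pattern] = hits
    unused = [p for p in granted if p not in used]
    least = sorted(observed)
    return used, unused, least


def is_overprivileged(granted, observed):
    """True if any grant is unused or a wildcard grant was only partly exercised."""
    used, unused, _ = entitlement_report(granted, observed)
    return bool(unused) or any("*" in p for p in used)


def inactive_identities(last_activity_days, threshold=INACTIVITY_DAYS):
    """Identities with no recorded activity inside the threshold window."""
    return sorted(i for i, d in last_activity_days.items() if d > threshold)


if __name__ == "__main__":
    used, unused, least = entitlement_report(GRANTED, OBSERVED)
    print("unused grants:", unused)
    for pattern, actions in used.items():
        print(f"  {pattern} exercised as {actions}")
    print("least-privilege action list:", least)
    print("inactive identities:", inactive_identities(LAST_ACTIVITY_DAYS))
```

The two `iam:` grants were never exercised and `s3:*` was used for only two concrete actions, so the role is flagged as over-privileged and the explicit four-action list is the guided remediation a CIEM would propose. The inactivity check covers the "inactive identities" case in the same pass.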
Threats can be seen as the activities of cybercriminals: phishing, data exfiltration, cryptomining, DDoS attacks, and so on. Cloud threats today are complex and have moved beyond the reach of siloed security solutions that rely on coarse, out-of-context, non-real-time data. To detect and contain attacks effectively, you need real-time visibility of the full spectrum of malicious activities used in the attack. This includes monitoring cloud security controls.
One way to detect threats in the cloud is to monitor cloud audit logs for anomalous activities and malicious actions, such as unexpected configuration changes and permission escalations.
Threat risk doesn’t always result from malicious activity. Cloud configurations are changing constantly and must be monitored for impact to risk. When developers make configuration or permission changes as they debug or deploy applications, they may not consider the additional risk this adds to the organization, so cloud and security teams must continually evaluate configurations against best practices and their organization’s policies.
An efficient way to detect cloud activity threats is to apply stream detection. As cloud audit records are generated, they’re analyzed against defined runtime policies. If a suspicious action is detected, a security event is triggered in real time. Only the security event data is sent out, not all logged records. Also, each newly recorded log entry is analyzed against the conditions of the detection rules as it arrives, rather than re-scanning the entire audit log store.
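The stream detection just described, and the audit-log monitoring for unexpected configuration changes and permission escalations mentioned earlier, as one added example (not the article's or any product's code): each audit record is evaluated exactly once as it arrives, against every rule, and only matches are emitted as security events. The records are constructed in a CloudTrail-like shape; the field names and the three rules are assumptions made for this illustration.

```python
"""Stream detection over cloud audit events.

Added example, not the article's or any vendor's code. Events are constructed
newline-delimited JSON in a CloudTrail-like shape (eventName, userIdentity,
requestParameters); field names and rules are assumptions for the example.
"""
import json

# Constructed audit records, one JSON object per line, as a log shipper would deliver them.
RAW_EVENTS = """
{"eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev1"}, "requestParameters": {}}
{"eventName": "AttachUserPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev1"}, "requestParameters": {"userName": "dev1", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev1"}, "requestParameters": {"name": "org-trail"}}
{"eventName": "PutBucketAcl", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"}, "requestParameters": {"bucketName": "uploads", "x-amz-acl": "public-read"}}
{"eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"}, "requestParameters": {"bucketName": "uploads"}}
"""

POLICY_ATTACH = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def rule_admin_policy_attached(ev):
    """Permission escalation: a full-administrator policy attached to a principal."""
    params = ev.get("requestParameters", {})
    if ev["eventName"] in POLICY_ATTACH and params.get("policyArn", "").endswith("/AdministratorAccess"):
        return "permission-escalation: administrator policy attached"
    return None


def rule_logging_tampered(ev):
    """Security-control tampering: audit logging stopped, deleted or altered."""
    if ev["eventName"] in LOGGING_TAMPER:
        return "defense-evasion: audit logging modified"
    return None


def rule_bucket_made_public(ev):
    """Unexpected configuration change: a bucket ACL opened to the public."""
    params = ev.get("requestParameters", {})
    if ev["eventName"] == "PutBucketAcl" and params.get("x-amz-acl", "").startswith("public"):
        return "misconfiguration: bucket ACL made public"
    return None


RULES = [rule_admin_policy_attached, rule_logging_tampered, rule_bucket_made_public]


def stream(raw):
    """Yield parsed events one at a time, as a streaming source would."""
    for line in raw.strip().splitlines():
        if line.strip():
            yield json.loads(line)


def detect(events):
    """Evaluate each event once on arrival; yield only the security events."""
    for ev in events:
        for rule in RULES:
            message = rule(ev)
            if message:
                yield {"actor": ev["userIdentity"]["arn"],
                       "event": ev["eventName"], "alert": message}


def run(raw=RAW_EVENTS):
    """Process the constructed stream and return the emitted security events."""
    return list(detect(stream(raw)))


if __name__ == "__main__":
    for alert in run():
        print(f"{alert['actor']}  {alert['event']:18} {alert['alert']}")
```

Five records go in and three security events come out; the routine `DescribeInstances` and `GetObject` calls never leave the detector. Because `detect` works on a generator, memory and work stay proportional to the event rate, not to the size of the audit log store.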
Tampering with cloud security controls, configurations, and permissions can be just one tactical step in an attack scenario that starts with the exploitation of a vulnerability in a workload, and stealth is the modus operandi. Adversaries adopt evasion techniques to get around legacy tools’ defenses and also take advantage of the visibility gaps left by siloed solutions.
Siloed solutions slow down detection, and you may even miss the threat. If you can’t see the threat, you can’t stop it from spreading. As malicious activities could be happening in your applications, containers, Kubernetes, cloud assets, servers, and serverless platforms, a unified approach to threat detection is critical.