Last updated at Tue, 13 Jun 2023 17:09:32 GMT

In modern cloud environments, roles and permissions are assigned not just to human users, but to machines, resources and services, as well. The massive scale of cloud environments leads to teams potentially managing millions of distinct identities. As a result, security teams often struggle to implement and manage access policies that balance the integrity and security of their organization’s network, users and data with the efficiency and effectiveness of their counterparts in the development and DevOps teams.

Ideally, teams work to enforce least privilege access (LPA) strategies that focus on limiting access and privileges to only those that a given user, resource or service needs to do their respective work—and nothing more than that. This is easier said than done in many cases, as it can be exceedingly difficult to consistently identify the right level of permissions for any given account or resource. Change happens fast in the cloud, especially when you’re managing containerized workloads that spin up and down on a minute-to-minute basis. It doesn’t take much for roles to drift out of compliance and become overly permissive.

Identifying Overly-Permissive Roles and Excessive Privileges

There are myriad ways that users and resources can be granted excessive permissions, especially when you take into account the sheer scale of these environments. When development teams are provisioning workloads, it’s not always clear what types of permissions will be needed. Similarly, when you’re not quite sure what permissions a new user will need in the long run, it may be more convenient to over-provision that user on the off chance that they will need those permissions in the future.

However, it can be easy to forget to go back and adjust those policies when it has become clear they aren’t all needed. The result is that you’ve now got an entity that, should they be compromised in the future, could have wide-reaching implications that increase the blast radius and impact of a breach.

To solve this without creating friction in the development process, you need a solution that continuously monitors your cloud identities and their corresponding permissions and automatically adjusts those permissions when they’re misaligned. To do this, the solution you choose needs to establish a baseline of what normal activity looks like, which can be accomplished by tracking actual activity over a set period of time. Once you’ve established a baseline, you can correlate that ‘normal’ activity with the permissions granted to a given entity, surface any delta between the two, and adjust the permissions accordingly to adhere to LPA.
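The baseline-versus-granted comparison described above, as an added illustration that is not part of the original post or of InsightCloudSec: it builds a usage baseline from constructed CloudTrail-style records over a chosen window, correlates it with a hypothetical role's granted actions (including wildcard grants), and reports the delta as unused grants plus wildcards that could be narrowed to the actions actually exercised.

```python
import fnmatch
from datetime import datetime

# Constructed sample: actions a hypothetical IAM policy grants to one principal.
GRANTED_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
                   "iam:*", "ec2:DescribeInstances"]

# Constructed sample activity in a CloudTrail-like shape (not real log data).
ACTIVITY = [
    {"eventTime": "2023-06-01T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventTime": "2023-06-02T11:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventTime": "2023-06-03T09:15:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListRoles"},
    # Outside the baseline window below, so it must not count as "used".
    {"eventTime": "2023-04-01T08:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

def used_actions(records, window_start, window_end):
    """Baseline step: the set of 'service:Action' strings observed inside the window."""
    used = set()
    for rec in records:
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if window_start <= ts <= window_end:
            service = rec["eventSource"].split(".")[0]   # "s3.amazonaws.com" -> "s3"
            used.add(f"{service}:{rec['eventName']}")
    return used

def permission_delta(granted, used):
    """Correlation step. Returns (unused, narrow):
    unused = grants that matched no observed action in the baseline;
    narrow = wildcard grants that were exercised, mapped to the exact actions seen."""
    unused, narrow = [], {}
    for grant in granted:
        matches = sorted(a for a in used if fnmatch.fnmatchcase(a, grant))
        if not matches:
            unused.append(grant)
        elif "*" in grant:
            narrow[grant] = matches
    return unused, narrow

def recommend_least_privilege(granted, used):
    """Remediation step: drop unused grants, replace exercised wildcards with exact actions."""
    unused, narrow = permission_delta(granted, used)
    keep = set()
    for grant in granted:
        if grant not in unused:
            keep.update(narrow.get(grant, [grant]))
    return sorted(keep)

if __name__ == "__main__":
    baseline = used_actions(ACTIVITY, datetime(2023, 5, 1), datetime(2023, 6, 30))
    print("unused / narrow:", permission_delta(GRANTED_ACTIONS, baseline))
    print("recommended:", recommend_least_privilege(GRANTED_ACTIONS, baseline))
```

A grant absent from the baseline is a candidate for removal, not proof it is unneeded: rarely exercised actions (for example, recovery procedures) need a window long enough to capture them, or an explicit exception, before the recommendation is applied.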

We are pleased to introduce the next advancement in identity-related risk management and remediation in Rapid7's InsightCloudSec: Identity Analysis.

Now generally available, Identity Analysis provides a unified view into identity-related risk across your cloud environments, enabling you to achieve LPA at scale. With Identity Analysis, security teams can:

  • Gain visibility into identity-related risk signals, such as overly permissive roles, in real time across all your cloud environments.
  • Narrow the scope of your assessment with advanced search and filtering capabilities, drilling down to individual principals so that remediation efforts can be prioritized by potential impact.
  • Enforce LPA based on real-time usage patterns by continuously reviewing permission usage and intelligently recommending remediation policies based on insight into unused permissions and anomalous activity.

For more information on how you and your teams can use InsightCloudSec to manage identity-related risks in your cloud environments, check out the Identity Analysis docs page!