Addressing the challenges of least privilege access
Article by Radware vice president of technologies for APAC and Japan, Yaniv Hoffman.
Excessive permissions have been the starting point of a breach in many instances where permissions are provisioned by administrators to users beyond their requirement, without understanding the context of user privileges based on granular access, location, nature, or frequency of access.
This has a cascading effect on cloud workloads as these permissions are likely to be misused in several ways, for instance cross-account takeovers, escalation and more.
More importantly, with the level of automation seen in cloud workloads and cross-application interactions, these permissions tend to take a much larger shape, potentially spiralling into a potential security risk.
In their effort to address the challenges around excessive permissions, organisations turn towards the least privilege access principle. This is a technique employed where all the local administrative credentials are removed at once, including hard-coded and hidden users. This method allows only enough access to perform the required task, no more, no less.
In a cloud environment, adhering to the principle of least privilege significantly reduces the risk of threat vectors getting access to sensitive assets or data by taking advantage of a vulnerable user account or application. Implementing the least privilege access helps to reduce potential breaches, stopping them in their tracks from spreading to a bigger segment of the environment.
However, the policy of least privileges brings its own set of challenges. Issues like running all applications under one roof, such as single account, highlight the complexity for large enterprises that run several applications in different cloud ecosystems. Patch management and upgrades become bigger challenges for user accounts needing elevated privileges to perform these activities.
Enterprise and SMEs run many applications, sometimes thousands at a time, including some custom or privileged applications that may be developed internally. These applications need elevated or administrative privileges and wouldn’t necessarily run under a standard account with common privileges. Some of these may be one-off projects that may not require maintenance.
Such applications may require lowering down the permissions, risking potential vulnerabilities. On the flip side, a similar problem is encountered with the least privilege method for applications that are not distributed centrally. These applications require administrative privileges, and the standard user credentials would not suffice. This becomes not only a security risk but also a more significant issue with application and user efficiency.
This highlights the need for a holistic solution that can solve an ever-increasing problem of excessive permissions, especially with distributed cloud environments. A comprehensive cloud workload solution that can provide the requisite granular visibility and observability is essential.
This helps address the burgeoning problem of excessive permissions through AI-based detection and triggers that can handle downstream use cases of excessive permissions.
For example, data exfiltration challenges such as an AWS S3 bucket replication to an unknown account is a standard method leveraged to exfiltrate data out of S3 buckets by replicating the data into their buckets.
New age workloads carry enormous context around the behavioural patterns of the usage. Static permissions present significant harm in risking unwanted access. Enforcing the right privilege policies across the environment with the right visibility and observability will ensure that the policy mandates hold tight against any behaviour changes.