Universal IAM policy failures put cloud environments at risk
“An overwhelming majority of organizations lack adequate identity and access management (IAM) policy controls to effectively protect their sensitive data in cloud environments,” said Palo Alto Networks, which released a report today that points to an “explicit permissive” approach to IAM policy.
Palo Alto analyzed more than 680,000 identities across 18,000 cloud accounts at 200 organizations to understand configuration and usage patterns, and described its findings as “shocking”. John Morello, vice president of the company’s Prisma Cloud Services, said, “Without effective IAM policies, an organization can never expect to be secure in the cloud because of its nature: dispersed, rapidly evolving, and dynamically fluctuating within an organization.”
The problem stems primarily from mismanagement of credentials, Palo Alto said. During its research, it found that 44% of organizations allow IAM password reuse and 53% of cloud services allow the use of weak passwords.
On top of this, the survey found that individual identities in the cloud can do far more than they need to. Palo Alto claimed that 99% of users, roles, services and resources are granted excessive permissions that are either never used or remain unused for long periods of time.
Additionally, organizations tend to lean on the built-in IAM policies supplied by cloud service providers (CSPs), which grant on average 2.5x more permissions than the policies organizations manage themselves.
This combination of excessive permissions and permissive policies effectively hands the keys to the vault to malicious actors, Palo Alto said.
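To make the “excessive and unused permissions” finding concrete, here is an added example (not code from the Palo Alto report) that expands the wildcard actions of a broad, CSP-managed-style policy against a small action catalogue, compares the result with the actions an identity was actually observed using, and emits a right-sized policy. The policy document, the action catalogue and the usage records are all constructed for illustration; a real audit would load the provider’s full action list and access-advisor style “last accessed” data.

```python
"""Right-size an IAM policy against observed usage (constructed example)."""
import fnmatch
from collections import defaultdict

# Constructed, deliberately small catalogue of provider actions. A real tool
# would load the provider's complete action list instead.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:ListUsers",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]

# Constructed policy written in the style of a broad, CSP-managed policy:
# wildcards over whole services, no resource scoping.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}

# Constructed usage records: the only actions this identity actually
# invoked during the audit window (what access-advisor data would show).
OBSERVED_USAGE = {"s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances"}


def expand_actions(policy, catalogue=ACTION_CATALOGUE):
    """Return the concrete actions every Allow statement in the policy grants."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            # IAM action wildcards behave like shell globs: "s3:*", "ec2:Describe*"
            granted.update(a for a in catalogue if fnmatch.fnmatchcase(a, pattern))
    return granted


def unused_permissions(policy, observed):
    """Granted actions that were never exercised in the audit window."""
    return expand_actions(policy) - set(observed)


def excess_ratio(policy, observed):
    """How many times more actions are granted than were actually used."""
    return len(expand_actions(policy)) / len(set(observed))


def least_privilege_policy(observed):
    """Build a policy that allows only the observed actions, one statement per service.

    Resource is still "*" here; scoping each statement to specific ARNs is the
    next tightening step and needs data this example does not have.
    """
    by_service = defaultdict(list)
    for action in sorted(observed):
        by_service[action.split(":")[0]].append(action)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": actions, "Resource": "*"}
            for _, actions in sorted(by_service.items())
        ],
    }


if __name__ == "__main__":
    print("granted but unused:", sorted(unused_permissions(PERMISSIVE_POLICY, OBSERVED_USAGE)))
    print("excess ratio: %.1fx" % excess_ratio(PERMISSIVE_POLICY, OBSERVED_USAGE))
    print("right-sized policy:", least_privilege_policy(OBSERVED_USAGE))
```

Run as a script it lists the six granted-but-unused actions (including `iam:CreateUser` and `s3:DeleteBucket`, which the identity never needed) and prints the tightened policy. The same pattern, fed with the provider’s real action list and last-accessed data, is what the continuous least-privilege audits recommended later in the article automate.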
Combined with the stratospheric adoption of cloud platforms during the pandemic, this makes cloud environments a temptation adversaries cannot resist, opening the door to a new breed of threat actor that, “through targeted and sustained access to the cloud”, creates a threat to enterprises’ “platform resources, services or embedded metadata”.
Palo Alto said its Unit 42 research team believes cloud threat actors deserve their own definition, now that they are beginning to employ a significantly different set of cloud-specific tactics, techniques and procedures. They know very well that mismanaged IAM policies are a near-universal Achilles’ heel.
This has led them to expand their capabilities from simply scanning for exposed or misconfigured cloud storage instances, or compromising exposed and vulnerable cloud-based apps, to incorporating zero-days or near-zero-days (such as Log4Shell) that help them obtain sensitive cloud metadata, such as CSP access keys and secret keys.
Having done so, they find it easy to pivot to the cloud service platform itself, bypassing tools that monitor isolated containers or virtual machines, because their activity appears legitimate. The full report, which can be downloaded here, provides examples of cybercriminal groups doing exactly this right now.
Palo Alto recommends that organizations focus on hardening IAM policies in their cloud environments to eliminate unnecessary or unused permissions. Best practices in this regard include: minimizing the use of administrative logins and long-term credentials; enforcing multi-factor authentication rather than merely offering it; configuring strong password policies according to official guidance from bodies such as the UK National Cyber Security Centre or the US National Institute of Standards and Technology; using federated identity management for access control; continuously auditing user permissions against the principle of least privilege, with automatic remediation of the audit findings because cloud workloads change rapidly and frequently; and, finally, properly monitoring IAM activity to identify possible brute-force attacks or logins from unknown locations.
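The monitoring and MFA-enforcement recommendations above are easy to state and easy to get wrong in practice, so here is an added example (not code from the report) that runs three simple detections over constructed CloudTrail-style ConsoleLogin events: repeated failed logins per user inside a sliding time window (brute force), successful logins from source addresses outside a known network list (unknown locations), and successful logins where MFA was not used (MFA offered but not enforced). The log records, the 203.0.113.0/24 “corporate” range and the 198.51.100.77 unknown address are all constructed; only the field names follow the CloudTrail record layout.

```python
"""Detect brute-force, unknown-location and no-MFA console logins (constructed example)."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, user, ip, outcome, mfa="No"):
    # Minimal CloudTrail-style ConsoleLogin record containing only the fields used below.
    return {
        "eventTime": ts, "eventName": "ConsoleLogin",
        "userIdentity": {"userName": user}, "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
    }


# Constructed sample log in JSON-lines form, not real telemetry. 203.0.113.0/24 is the
# assumed corporate egress range; 198.51.100.77 is an address nobody has seen before.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("2022-04-12T09:00:05Z", "alice", "203.0.113.10", "Success", "Yes"),
    _event("2022-04-12T09:01:10Z", "bob", "198.51.100.77", "Failure"),
    _event("2022-04-12T09:01:20Z", "bob", "198.51.100.77", "Failure"),
    _event("2022-04-12T09:01:31Z", "bob", "198.51.100.77", "Failure"),
    _event("2022-04-12T09:01:45Z", "bob", "198.51.100.77", "Failure"),
    _event("2022-04-12T09:02:02Z", "bob", "198.51.100.77", "Failure"),
    _event("2022-04-12T09:02:30Z", "bob", "198.51.100.77", "Success"),
    _event("2022-04-12T09:30:00Z", "carol", "203.0.113.22", "Failure"),
    _event("2022-04-12T09:30:40Z", "carol", "203.0.113.22", "Success", "Yes"),
])

KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed allowlist


def parse_events(log_text):
    """Parse JSON-lines log text into ConsoleLogin events sorted by event time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventName") != "ConsoleLogin":
            continue
        ev["_time"] = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["_time"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins inside any `window`-long sliding window."""
    failures = defaultdict(list)
    for ev in events:  # events are time-sorted, so each user's list is sorted too
        if ev["responseElements"]["ConsoleLogin"] == "Failure":
            failures[ev["userIdentity"]["userName"]].append(ev["_time"])
    flagged = set()
    for user, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def detect_unknown_locations(events, known=KNOWN_NETWORKS):
    """(user, ip) pairs for successful logins from addresses outside the known networks."""
    hits = []
    for ev in events:
        if ev["responseElements"]["ConsoleLogin"] != "Success":
            continue
        ip = ipaddress.ip_address(ev["sourceIPAddress"])
        if not any(ip in net for net in known):
            hits.append((ev["userIdentity"]["userName"], str(ip)))
    return hits


def detect_logins_without_mfa(events):
    """Users who logged in successfully without MFA: offered is not the same as enforced."""
    return sorted({ev["userIdentity"]["userName"] for ev in events
                   if ev["responseElements"]["ConsoleLogin"] == "Success"
                   and ev["additionalEventData"].get("MFAUsed") != "Yes"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evs))
    print("unknown location:", detect_unknown_locations(evs))
    print("no MFA:", detect_logins_without_mfa(evs))
```

On the sample log all three detections converge on the same identity: five failures in under a minute, then a success from an address outside the corporate range, with no MFA. The sliding window matters: counting failures per calendar hour would miss an attacker whose attempts straddle a boundary, and a fixed-window count is also trivially evaded by pacing.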
Organizations may also consider adopting cloud-native application protection platforms, which are unified platforms that consolidate previously siloed capabilities, such as: