An overwhelming majority of organisations lack the proper identity and access management (IAM) policy controls to effectively secure their sensitive data in cloud environments, according to Palo Alto Networks, which has today released a report that accuses 99% of organisations of taking an “overly permissive approach” to IAM policy.
Palo Alto analysed more than 680,000 identities across 18,000 cloud accounts at 200 organisations to understand configuration and usage patterns, and described its findings as “shocking”. John Morello, vice-president of the firm’s Prisma Cloud service, said: “Without effective IAM policies in place, an organisation can never expect to be secure in the cloud due to its very nature: dispersed, rapidly evolving and dynamically fluctuating within an organisation.”
The issue stems primarily from credential mismanagement, said Palo Alto. During the course of its research, it found that 44% of organisations allow IAM password reuse, and 53% of cloud services allow weak password usage.
Coupled with this, the survey found that individual identities are empowered to do far more in the cloud than they need to. Palo Alto claimed that 99% of end-user organisations, roles, services and resources are granted excessive permissions that are either never used or left unused for long periods of time.
Added to this, end-user organisations have a tendency to misuse built-in cloud service provider (CSP) IAM policies, granting them 2.5 times more permissions on average than policies they manage themselves.
This combination of excessive permissions and permissive policies effectively hands over the keys to the safe to malicious actors, said Palo Alto.
When taken alongside the stratospheric adoption of cloud platforms during the pandemic, cloud environments have now become a temptation that adversaries find impossible to resist, opening the door to a new type of threat actor that “poses a threat to organisations through directed and sustained access to cloud platform resources, services or embedded metadata.”
Palo Alto said its Unit 42 research team believes cloud threat actors merit their own definition because they are now starting to deploy a substantially different set of cloud-tailored tactics, techniques and procedures (TTPs), and moreover they know very well that IAM policy mismanagement is a near-universal Achilles’ heel.
This has led them to elevate their capabilities from simply scanning for exposed or misconfigured cloud storage instances, or compromising exposed and vulnerable cloud-based apps, to incorporate zero-days or near zero-days (such as Log4Shell) that can help them get their hands on sensitive cloud metadata, such as CSP access and secret keys.
Having done this, they then find it a breeze to move laterally to the cloud service platform itself, evading siloed container or cloud virtual response monitoring tools because they appear legitimate. The full gated report, which can be downloaded here, contains examples of cyber criminal groups that are doing precisely this right now.
Palo Alto recommends that organisations focus on hardening IAM policies within a cloud environment to eliminate unnecessary or unused permissions. Best practice in this regard includes minimising the use of admin logins and long-term credentials; enforcing – not merely offering – multi-factor authentication; configuring strong password policies in line with official guidance from the likes of the National Cyber Security Centre (NCSC) or the US National Institute of Standards and Technology (NIST); using federated identity management to manage access control; conducting constant audits of user permissions starting from the principle of least privilege, and adding auto-remediation of such entitlement audits on the basis that cloud workloads change quickly and often; and finally, properly monitoring IAM activities to identify possible brute-force attacks, or logins from unrecognised locations.
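The entitlement-audit step in that list, as an added Python example that is not from the report or from Palo Alto: it flags wildcard grants in an AWS-style IAM policy document and reconciles explicitly granted actions against the actions an identity was actually observed using, which is the gap the report's "granted but never used" figure describes. The policy and the observed-action set are constructed samples, and `SAMPLE_POLICY`, `OBSERVED_ACTIONS` and the function names are assumptions of this example.

```python
import json

# Constructed sample policy (not from the report): one blanket-admin statement,
# and one scoped statement that still grants more than the workload uses.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
     "Resource": "arn:aws:s3:::app-uploads/*"}
  ]
}""")

# Constructed set of actions observed for this identity in the audit window
# (for example, distilled from CloudTrail eventName values).
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject"}

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_permissive_statements(policy):
    """Flag Allow statements whose Action or Resource is a wildcard."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((idx, "wildcard action"))
        if any(r == "*" for r in resources):
            findings.append((idx, "wildcard resource"))
    return findings

def unused_actions(policy, observed):
    """Return (explicit grants never observed in use, wildcard grants).
    Wildcards cannot be reconciled against usage, so they are reported apart."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action", [])))
    wildcards = {a for a in granted if "*" in a}
    explicit = granted - wildcards
    return sorted(explicit - set(observed)), sorted(wildcards)
```

Statements flagged here are candidates for the auto-remediation the report recommends: trim the unused explicit actions and replace wildcards with the observed set before re-running the audit.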
Organisations may also consider adopting cloud native application protection platforms (CNAPP), which are unified platforms that consolidate previously siloed capabilities, such as development artefact scanning, cloud security posture management, IaC (infrastructure-as-code) scanning, entitlement management, and runtime cloud workload protection.