Assuming Roles in the Public Cloud: The Good, The Bad, and the Insecure
Migrating resources to the public cloud helps organizations optimize their infrastructure, resources, and staffing, as well as reduce overhead.
The public cloud also allows for enhanced accessibility for today’s hybrid/remote workforce by allowing individuals to access critical infrastructure remotely from anywhere, at any time.
But what if a public cloud capability meant to help organizations with initiatives such as least privilege, security, and efficiency could itself add security risk if not secured correctly?
The Public Cloud
Moving resources to the public cloud with providers such as AWS, Azure, GCP, and Oracle offers organizations a multitude of benefits.
The public cloud offers enhanced scalability and elasticity, allowing you to scale resources up or down to meet the needs of your organization, and to adapt quickly to changes in security requirements or in who needs access to which resources.
Additionally, the backend infrastructure supporting the public cloud is maintained by the provider. Under the shared responsibility model, securing that infrastructure (physical facilities, hypervisors, the managed service layer) falls on the public cloud provider, while securing what you put in the cloud (identities, access policies, data, and workload configuration) remains your responsibility.
Given this, the public cloud providers maintain strict access controls, redundancy, and DR measures for their side of the line, and hold industry certifications and attestations such as PCI DSS and SOC 2, HIPAA eligibility, and GDPR alignment, backed by regular third-party audits.
These attestations are continuously maintained by the cloud providers, a level of assurance that would be expensive to replicate in an on-prem environment; they do not, however, cover how you configure access to the resources you deploy.
Lastly, public cloud services typically provide centralized security management tools and dashboards, which allow you to monitor and manage security settings, access controls, and configurations from a single interface, greatly simplifying the security management of your resources.
Scotty, beam (our resources) up to the cloud.
Easy to Implement, Easy to Secure, Right?
With great capability comes great complexity. The public cloud’s ease of use and deployment can also allow for variable risk.
The ability for one user to assume a different role, for instance, opens the door for potential security risks, such as:
Unauthorized Access: If an attacker gains access to a user's account, they could use the assumed role to access resources in other accounts. This could result in unauthorized access to sensitive data, such as personal identifiable information (PII), financial data, and intellectual property.
Resource Exhaustion: If a user assumes a role in another account and then performs resource-intensive operations, it could lead to resource exhaustion and impact the availability of other services.
Compromised Credentials: If a user's credentials are compromised, an attacker could assume a role in another account and potentially gain access to sensitive data or resources.
Data Leakage: Users may inadvertently move data across accounts when assuming roles.
For example, if a user assumes a role in the production environment, reads production data, and then writes it into a non-production account where access controls are looser, that data is now exposed to users who were never authorized to see it.
Compliance and Governance: Allowing users to assume roles between accounts can make it difficult to maintain compliance and governance requirements. For example, if a user in one account assumes a role in another account that is subject to different compliance requirements, it could create compliance violations.
Public cloud providers such as AWS provide a broad range of security controls, such as IAM policies, resource policies, centralized management with AWS Organizations (including service control policies), and monitoring and auditing tools such as CloudTrail, all of which help to reduce risk. However, the underlying factor of human error is always looming.
For instance, what if a developer gives themselves and their intern full admin rights to another environment in a pinch so that they can push code, but forgets to remove the intern's access?
What if this same developer, to meet a deadline, created a role in the production account that both of them can assume from the sandbox account, without realizing that this creates an identity path from sandbox to production? An attacker who compromises any sandbox principal that the role trusts can now follow that path into production.
Ensuring that users only have access to the resources that they require to perform their job function, a.k.a Least Privilege, is even more pertinent when moving to the Public Cloud.
This is not true when referring to the cloud, Spock!
In the public cloud, every user’s access needs to be evaluated and continuously maintained to ensure that these users and roles can’t be compromised, abused, or used by attackers to infiltrate and gain control of the environment.
Role-Assumption in AWS
The ability to assume roles is both a compelling and differentiating feature in the AWS Public Cloud.
Used correctly, role-assumption strengthens the security of your public cloud infrastructure. Role assumption allows for:
• Least Privilege implementation via IAM roles, allowing users to have access only to the resources required to perform their job function, with role assumption granting temporary access to certain resources so that no user needs permanent access indefinitely.
• Segregation of Duties by allowing roles to be segmented by function, i.e. admin, dev, prod roles, forcing user access to stay within the confines of their job function, while also allowing users to assume roles in other environments should the user require it.
• Simplified Management via assigning roles to specific users and/or services, therefore allowing you to grant/or revoke privileges to certain services.
• Enhanced Security Efficacy by allowing users to authenticate with their own credentials and then temporarily inherit the permissions of the assumed role via short-lived STS credentials, which reduces risk by eliminating the need for static, long-lived credentials for the same function.
• Audit and compliance to enhance auditing capabilities and aid in compliance requirements, allowing you to understand who and what accessed specific resources, from which assumed role, and when.
• Resource Sharing and Collaboration across multiple AWS accounts using the aforementioned temporary access to enable cross-functional, cross-team collaboration and simplified resource-sharing workflows, allowing you to effectively scale the environment.
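Both the developer-and-intern scenario above and the bullets on least privilege and segregation of duties come down to what a role's trust policy allows. The following Python script is an added example, not code from the original post or from any vendor: it evaluates constructed trust policies for a sandbox account and a production account, flags a weak policy (trusts an entire account root, has no MFA or ExternalId condition, or uses a wildcard principal) beside a hardened one, and then searches for chains of role assumption that lead from a sandbox user or an outside account into the production deploy role. The account IDs, role names and ExternalId value are placeholders, and the reachability search is an upper bound because it models trust policies only and assumes the caller's identity-based policy permits sts:AssumeRole.

```python
"""Trust-policy audit for cross-account role assumption. Added example for this
post, not code from the original article or any vendor; account IDs, role names
and policies are constructed sample data. Only trust policies are modelled: in
real AWS the caller's identity-based policy must also grant sts:AssumeRole, so
the paths found here are an upper bound on what is reachable."""
from collections import deque

SANDBOX = "111111111111"  # constructed sandbox account ID
PROD = "222222222222"     # constructed production account ID
ORG_ACCOUNTS = {SANDBOX, PROD}
DEPLOY_ROLE = f"arn:aws:iam::{PROD}:role/DeployRole"
AUDIT_ROLE = f"arn:aws:iam::{PROD}:role/ReadOnlyAudit"
INTEGRATION_ROLE = f"arn:aws:iam::{SANDBOX}:role/IntegrationRole"

def allow_assume(principal, condition=None):
    """One-statement trust policy letting `principal` call sts:AssumeRole."""
    st = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if condition:
        st["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [st]}

# Constructed trust policies, keyed by the ARN of the role they belong to.
TRUST_POLICIES = {
    # The "deadline" role from the text: prod trusts the whole sandbox account, so
    # every sandbox principal permitted to call sts:AssumeRole reaches production.
    DEPLOY_ROLE: allow_assume(f"arn:aws:iam::{SANDBOX}:root"),
    # Hardened form: one named caller, MFA on the calling session, and an ExternalId.
    AUDIT_ROLE: allow_assume(
        f"arn:aws:iam::{SANDBOX}:role/AuditorRole",
        {"Bool": {"aws:MultiFactorAuthPresent": "true"},
         "StringEquals": {"sts:ExternalId": "example-external-id"}},
    ),
    # Wildcard principal: any AWS account anywhere can assume this role.
    INTEGRATION_ROLE: allow_assume("*"),
}

def as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def account_of(arn):
    return arn.split(":")[4]  # 'arn:aws:iam::123456789012:role/X' -> '123456789012'

def principals(statement):
    p = statement.get("Principal", {})
    return ["*"] if p == "*" else as_list(p.get("AWS"))

def assume_statements(policy):
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(st.get("Action")):
            yield st

def trust_findings(role_arn, policy, org_accounts=ORG_ACCOUNTS):
    """Human-readable findings for one role's trust policy."""
    findings = []
    for st in assume_statements(policy):
        cond = st.get("Condition", {})
        mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        ext_id = "sts:ExternalId" in cond.get("StringEquals", {})
        for p in principals(st):
            if p == "*":
                findings.append("wildcard principal: any AWS principal may assume this role")
                continue
            acct = account_of(p)
            if acct not in org_accounts:
                findings.append(f"trusts account {acct}, which is outside the organization")
            if p.endswith(":root"):
                findings.append(f"trusts every principal in account {acct} (root), not a named one")
            if acct != account_of(role_arn) and not (mfa or ext_id):
                findings.append("cross-account trust with no MFA or ExternalId condition")
    return findings

def _matches(pattern, who):
    if pattern == "*":
        return True
    if pattern.endswith(":root"):  # account root = any principal in that account
        return account_of(pattern) == account_of(who)
    return pattern == who

def assume_paths(start, target, policies=TRUST_POLICIES):
    """BFS for chains of unconditioned sts:AssumeRole trusts from `start` to `target`.
    Conditioned statements are treated as gated and skipped (trust_findings() reports
    on them). Each returned path is a list of ARNs."""
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for role_arn, policy in policies.items():
            if role_arn not in path and any(
                not st.get("Condition") and any(_matches(p, path[-1]) for p in principals(st))
                for st in assume_statements(policy)
            ):
                queue.append(path + [role_arn])
    return paths

if __name__ == "__main__":
    for arn, pol in TRUST_POLICIES.items():
        print(arn, "->", trust_findings(arn, pol) or ["no findings"])
    for path in assume_paths(f"arn:aws:iam::{SANDBOX}:user/intern", DEPLOY_ROLE):
        print(" -> ".join(path))
```

Run it as a script to print the findings and the discovered chains: the sandbox intern reaches DeployRole directly (the account-root trust), and an outsider reaches it in two hops through the wildcard IntegrationRole, while the hardened ReadOnlyAudit role is never traversed. Feeding real trust policies to the same functions (the AssumeRolePolicyDocument field returned by `aws iam list-roles`) is the natural next step; keep in mind that service control policies and permission boundaries can further restrict what the search reports.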
Keep your cloud out of Security Trouble with Cloud Security Posture Management (CSPM)
Given all of the potential security risks that come with moving resources to the public cloud, layering a purpose-built cloud security solution, such as a Cloud Security Posture Management (CSPM) tool, on top of the security controls built into the public cloud providers can help uncover hidden cloud risks that originate from access issues.
Gartner Defines CSPM as a solution that “consists of offerings that continuously manage IaaS and PaaS security posture through prevention, detection, and response to cloud infrastructure risks.
The core of CSPM applies common frameworks, regulatory requirements, and enterprise policies to discover and assess risk/trust of cloud services configuration and security settings proactively and reactively. If an issue is identified, remediation options (automated or human-driven) are provided.”
Simply put, a CSPM solution is able to determine who and what has access to resources, as well as uncover risks such as privilege escalation, lateral movement, and cross-account access permissions, to name a few.
Does Cisco have a Solution that can Help?
Absolutely. On March 29th, 2023, Cisco announced its acquisition of the CSPM solution Lightspin.
Cisco Lightspin is a cloud security platform that helps organizations identify and remediate security risks in their cloud environments.
Lightspin applies machine learning algorithms to your existing cloud infrastructure, including workloads, services, and network traffic, to identify potential security vulnerabilities, misconfigurations, and compliance issues.
This solution provides real-time visibility into an organization's cloud environment, allowing your security teams to prioritize cloud security events by the severity of their potential impact on the environment, and suggests actionable remediation steps that are ready to be pushed into the CI/CD pipeline.
Lightspin integrates with all three of the major public cloud platforms, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), as well as with Kubernetes, to provide comprehensive security coverage across an organization's cloud infrastructure.
It also provides automated security assessments and continuous monitoring of the cloud environment, which enables security teams to stay ahead of evolving threats and maintain a strong security posture in the cloud.
Cisco Lightspin is a powerful cloud security platform that can help organizations mitigate the risks associated with moving compute resources to the Public Cloud, as well as ensure the security of their sensitive data and applications.
Does securing your public cloud resources sound overwhelming? Reach out to the experts at ModernCyber to learn how we can help you implement Least Privilege as a first step to securing your on-prem and cloud infrastructure via our Zero Trust Assessments!