
Threat actors take advantage of IAM weaknesses for easy access

Frans de Waal, Prisma Cloud sales specialist at Palo Alto Networks.

Expanding cloud environments and inadequate control over access policies and permissions are putting organisations at ever greater risk, as threat actors exploit weaknesses in Identity and Access Management (IAM) to get into cloud accounts.

This is according to experts addressing a webinar on IAM as the first line of defence, hosted by Palo Alto Networks in partnership with ITWeb.

Frans de Waal, Prisma Cloud sales specialist at Palo Alto Networks, said IAM was now a top-of-mind concern among customers as cloud adoption accelerated. “It should be one of the cornerstones of your strategy for cloud adoption,” he said.

“We see a 13% increase in workloads being run in the cloud, and a 38% increase in organisations hosting the majority of their workloads in the cloud. This increases organisations’ attack surface. Users remain the weakest link in the chain, and if their credentials are stolen in this growing cloud environment, adversaries have an easy attack vector,” de Waal said.

He highlighted Palo Alto research, which found that IAM had become increasingly critical and complex. “To understand how IAM policies affect cloud security posture, Unit 42 researchers analysed 680,000 identities in 18,000 cloud accounts over 200 organisations. As organisations adopt more services, there are more roles and permissions within the environment – across the cloud environments there is a rough average of 3,400 identities per organisation and 40 identities per cloud account,” he said.

At the same time, the same research found insecure IAM practices to be common: 44% of cloud accounts allowed password reuse, 53% allowed weak passwords, and 99% of cloud users, roles, services and resources had been granted permissions they never used.


Polls of webinar participants found that, when they use identities in the cloud, 40% create their own custom roles and permission sets while 59% use cloud-managed roles, scopes or permission sets. Some 66% said their cloud user identities are stored in an identity provider (IdP), and 33% store them in the cloud platform itself.

Said de Waal: “Most organisations are still relying on prebuilt policies built by cloud providers for day-to-day operations, although the average permissions per policy are around 2300. Less than 1% of built-in policies provided by the service providers provision permissions that are actually used. If adversaries gain access to those accounts, they have a lot of leeway to move laterally compared to when organisations use custom policies and permissions.”

He noted that Palo Alto Networks’ threat intelligence team, Unit 42, had found many threat actors focusing on IAM as an easy way into organisations. Unit 42’s cloud threat actor index identified five groups currently using IAM as a vector: TeamTNT, WatchDog, Kinsing, Rocke and 8220.

Gordon Bailey-McEwan, Prisma Cloud solutions architect at Palo Alto Networks.

“All five of these cloud threat actors collect container or cloud service credentials as part of their standard operating procedures. There aren’t enough humans to address all the risks at the speed of cloud, so we need to find a single source of truth for identity; implement strong password policies and limit reusable password use; enable multi-factor authentication where possible; implement auto-remediation for low-hanging fruit and common use cases; and limit the use of cloud service provider managed IAM policies. Implement a Cloud-Native Application Protection Platform (CNAPP), and reinforce and strengthen the connections between IAM weaknesses and misconfigurations, and cloud threat actor tactics and procedures,” de Waal said.

Gordon Bailey-McEwan, Prisma Cloud solutions architect at Palo Alto Networks, noted that, according to Gartner, by 2023 75% of security failures would result from inadequate management of identities, access and privileges.

“There is still a lot of cloud adoption taking place, and this is why I think we’re seeing this uptick in security failures,” he said. “Identity is complicated no matter what cloud you’re in: a user may have individual permissions, as well as the permissions of a group they are tied to, and the organisation’s permissions and resources, and you have to fit all of these permissions together. This, with thousands of users and compute instances across hundreds of accounts, results in a lack of visibility, lack of governance and additional complexity at scale. If something is compromised, you don’t understand the blast radius.”
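The two points above, de Waal’s observation that provider-managed policies carry thousands of permissions of which almost none are used, and Bailey-McEwan’s point that an identity’s effective permissions are the union of its own grants and those of every group it belongs to, can be checked mechanically. The script below is an added example, not code from the webinar, Palo Alto Networks or Prisma Cloud. It uses AWS-style policy documents; the policy names, group memberships, action catalogue and the list of actions the identity actually exercised are constructed sample data, and the high-risk action list is a hypothetical shortlist rather than a provider’s classification.

```python
"""Audit effective cloud IAM permissions against what an identity actually used.

Added example; not code from the webinar, Palo Alto Networks or Prisma Cloud.
Policy documents follow the AWS-style {"Statement": [{"Effect", "Action", "Resource"}]}
shape. Everything below the imports is constructed sample data, not real accounts.
"""
import fnmatch
import json

# Constructed catalogue of the actions a wildcard can expand to. A real audit would
# load the provider's full action list; this is what bounds an "Action": "*".
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:DeleteBucket",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:ListUsers", "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
    "sts:AssumeRole", "lambda:InvokeFunction", "lambda:UpdateFunctionCode",
]

# Hypothetical shortlist of actions that let a credential holder pivot or escalate;
# these matter most when granted but never used.
HIGH_RISK_ACTIONS = {"iam:AttachUserPolicy", "iam:PassRole", "iam:CreateUser",
                     "sts:AssumeRole", "ec2:RunInstances"}

# Constructed policies: one broad provider-style managed policy, one scoped custom one,
# and a read-only policy inherited through group membership.
POLICIES = {
    "ProviderManagedBroad": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:*"], "Resource": "*"},
    ]},
    "CustomAppDeploy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject",
                                       "lambda:UpdateFunctionCode"], "Resource": "*"},
    ]},
    "GroupReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "ec2:DescribeInstances"], "Resource": "*"},
    ]},
}
GROUPS = {"developers": ["GroupReadOnly"]}
IDENTITIES = {
    "ci-deploy-legacy": {"policies": ["ProviderManagedBroad"], "groups": ["developers"]},
    "ci-deploy-scoped": {"policies": ["CustomAppDeploy"], "groups": ["developers"]},
}
# Constructed 90-day activity log: the same deployment workload behind both identities.
USED_ACTIONS = {
    "ci-deploy-legacy": ["s3:GetObject", "s3:PutObject", "lambda:UpdateFunctionCode",
                         "ec2:DescribeInstances"],
    "ci-deploy-scoped": ["s3:GetObject", "s3:PutObject", "lambda:UpdateFunctionCode",
                         "ec2:DescribeInstances"],
}


def expand_actions(action_field, catalogue=ACTION_CATALOGUE):
    """Expand an 'Action' entry (string or list, '*' globs allowed) to concrete actions."""
    patterns = [action_field] if isinstance(action_field, str) else action_field
    return {a for p in patterns for a in catalogue if fnmatch.fnmatchcase(a, p)}


def effective_actions(identity_name, identities=IDENTITIES, groups=GROUPS, policies=POLICIES):
    """Union of every Allow across the identity's own and group-inherited policies,
    minus every explicit Deny from any of them (an explicit Deny wins)."""
    ident = identities[identity_name]
    attached = list(ident["policies"])
    for group in ident["groups"]:
        attached.extend(groups[group])
    allowed, denied = set(), set()
    for name in attached:
        for stmt in policies[name]["Statement"]:
            target = allowed if stmt["Effect"] == "Allow" else denied
            target.update(expand_actions(stmt["Action"]))
    return allowed - denied


def audit(identity_name, used, **kw):
    """Compare granted permissions with exercised ones; the unused set is the attacker's leeway."""
    granted = effective_actions(identity_name, **kw)
    unused = granted - set(used)
    return {
        "identity": identity_name,
        "granted": len(granted),
        "used": len(granted & set(used)),
        "unused": sorted(unused),
        "high_risk_unused": sorted(unused & HIGH_RISK_ACTIONS),
        "unused_ratio": round(len(unused) / len(granted), 2) if granted else 0.0,
    }


def right_sized_policy(used):
    """Custom policy carrying only the exercised actions. Resource is left as '*' here;
    a production policy would scope resources too."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(set(used)), "Resource": "*"}]}


if __name__ == "__main__":
    for name in IDENTITIES:
        print(json.dumps(audit(name, USED_ACTIONS[name]), indent=2))
    print(json.dumps(right_sized_policy(USED_ACTIONS["ci-deploy-legacy"]), indent=2))
```

Run against the sample data, the identity on the broad managed policy ends up with 11 effective actions of which 7 are never used, including `sts:AssumeRole` and `ec2:RunInstances`, while the identity on the custom policy plus the same group carries a single unused action. In a real environment the `USED_ACTIONS` input would come from the provider’s access-analysis or audit-log service, and the output of `right_sized_policy` is the starting point for the auto-remediation de Waal recommends.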

Bailey-McEwan demonstrated the Prisma Cloud single platform for cloud-native security, with pre-built IAM policies, user and entity behaviour analytics (UEBA), effective-permission calculation and identity provider (IdP) integration.
