Eyal Arazi, Radware
“IT administrators and hackers now have identical access to publicly hosted workloads, using standard connection methods, protocols and public APIs.”
Workload security, therefore, is defined by the people who can access those workloads, and the permissions they have.
One of the primary reasons for migrating to the cloud is speeding up time-to-market and business processes. As a result, cloud environments make it very easy to spin up new resources and grant wide-ranging permissions, and very difficult to keep track of who has them, and what permissions they actually use.
All too frequently there is a gap between granted permissions and used permissions. In other words, many users have too many permissions, which they never use. Such permissions are frequently exploited by hackers, who take advantage of unnecessary permissions for malicious purposes.
As a result, cloud workloads are vulnerable to data breaches (i.e. theft of data from cloud accounts), service violation (i.e. completely taking over cloud resources) and resource exploitation (such as cryptomining).
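To make the granted-versus-used gap concrete, here is an added example (written for this edition, not Radware's product or any cloud provider's API) that expands a role's granted permissions, including wildcards, compares them with the actions actually observed in an audit log, and derives a least-privilege replacement; the permission names, log entries and wildcard catalogue are constructed samples.

```python
import fnmatch
from collections import Counter

# Constructed sample: permissions granted to one cloud role, IAM-style, including a wildcard.
GRANTED = ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "ec2:*", "iam:PassRole"]

# Constructed sample: API calls attributed to that role in the account's audit log over the
# review window (a real log would carry timestamps, source IPs and request parameters too).
OBSERVED_CALLS = [
    "s3:GetObject", "s3:GetObject", "ec2:DescribeInstances", "ec2:RunInstances",
    "s3:GetObject", "ec2:DescribeInstances",
]

# Constructed catalogue of the actions a wildcard expands to (real providers publish thousands).
ACTION_CATALOGUE = {
    "ec2": ["DescribeInstances", "RunInstances", "TerminateInstances", "CreateSnapshot"],
}


def expand(permission):
    """Expand 'service:*' or partial wildcards against the catalogue; exact actions pass through."""
    service, _, action = permission.partition(":")
    if "*" not in action:
        return {permission}
    return {f"{service}:{a}" for a in ACTION_CATALOGUE.get(service, [])
            if fnmatch.fnmatch(a, action)}


def permission_gap(granted, observed):
    """Return (used, unused): what the role exercised versus what it could have done."""
    effective = set().union(*(expand(p) for p in granted))
    used = {call for call in observed if call in effective}
    return used, effective - used


def least_privilege_policy(granted, observed):
    """Suggest a replacement policy that lists only exercised actions, most-used first."""
    used, _ = permission_gap(granted, observed)
    counts = Counter(call for call in observed if call in used)
    return [action for action, _ in counts.most_common()]


if __name__ == "__main__":
    used, unused = permission_gap(GRANTED, OBSERVED_CALLS)
    print("unused (candidates for removal):", sorted(unused))
    print("suggested policy:", least_privilege_policy(GRANTED, OBSERVED_CALLS))
```

The unused set is where the risk described above lives: in this sample it includes destructive and privilege-escalating actions the role never needed, so they can be removed without breaking anything the log shows it doing.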
Such promiscuous permissions are frequently mis-characterised as ‘misconfigurations’ but are actually the result of permission misuse or abuse by people who shouldn’t have them.
Therefore, protecting against those promiscuous permissions becomes the number one priority for protecting publicly-hosted cloud workloads.
Piecemeal solutions
The problem, however, is that existing solutions provide incomplete protection against the threat of excessive permissions.
• The built-in mechanisms of public clouds usually provide fairly basic protection and mostly focus on the overall computing environment; they are blind to activity within individual workloads. Moreover, since many companies run multi-cloud and hybrid cloud environments, the built-in protections offered by cloud vendors will not protect assets outside of their network.
• Compliance and governance tools usually use static lists of best practices to analyze permissions usage. However, they will not detect (and alert to) excessive permissions and are usually blind to activity within workloads themselves.
• Agent-based solutions require deploying (and managing) agents on cloud-based servers and will protect only servers on which they are installed. However, they are blind to overall cloud user activity and account context, and usually cannot protect non-server resources such as services, containers, serverless functions, etc.
• Cloud access security broker (CASB) tools focus on protecting Software-as-a-Service (SaaS) applications, but do not protect Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) environments.
New approach
Modern protection of publicly-hosted cloud environments requires a new approach.
• Assume that an organization’s credentials are compromised: Hackers acquire stolen credentials in a plethora of ways, and even the largest companies are
76 INTELLIGENTCIO www.intelligentcio.com