Mismanaged IAM Can Lead to Data Breaches

Without proper identity and access management (IAM) policies in place, organizations run the risk of deploying a wide range of security tools without achieving a comprehensive security stance.

This was among the chief findings of a report from Palo Alto’s Unit 42, which revealed that misconfigured IAM is opening the door to malicious actors targeting cloud infrastructure and credentials in attacks.

Nearly all (99%) cloud users, roles, services and resources were granted excessive permissions which were ultimately left unused, according to the report. Meanwhile, 44% of organizations allow IAM password reuse and 53% of cloud accounts allow weak password usage.

The study, which analyzed more than 680,000 identities across 18,000 cloud accounts from 200 different organizations, also found built-in cloud service provider (CSP) policies are not managed properly by users.

“With organizations allowing excessive permissions and overly permissive policies, attackers are too often welcomed into an organization’s cloud environment with keys to the kingdom,” the report warned. “Proper IAM configuration can block unintended access, provide visibility into cloud activities and reduce the impact when security incidents occur.”

Optimizing Cloud IAM is a Struggle

Jasmine Henry, field security director at JupiterOne, a provider of cyber asset management and governance solutions, explained that research and experience also confirm that many security organizations are struggling to optimize cloud IAM policies.

“IAM failures are a leading cause of avoidable data breach due to excessive permissions or poor access control,” she said. “Security practitioners are dealing with unprecedented scale and it requires new DevSecOps practices and processes as well as a new mindset that grasps the fact that this scale is not going away.”

She pointed out that the average organization has a ratio of one security policy for every 19 digital assets.

“This shows some efficiency of scale, but also points to the fact that many organizations are not at optimal efficiency when it comes to security governance,” Henry said. “A single cloud policy statement can create effective controls for tens of thousands of cloud assets, but that is not always the case, especially given Palo Alto’s findings of weak password controls and excessive permissioning.”

From her perspective, one-to-one relationships between security policy and assets are not realistic or effective, especially at cloud scale.

A Troubling Trend: Cloud Identity Complexities

Aaron Turner, vice president of SaaS posture at AI cybersecurity company Vectra, explained that Vectra’s cloud identity security research over the past two years was consistent with the findings from the Unit 42 report.

“In the interactions that our team has had with customers who rely on cloud identity services, we see a troubling trend,” he said. “The lack of awareness within IT operations teams about the complexities and risks of cloud identity management results in over-provisioning of identities across the board. This is for both standard users as well as privileged users.”

Turner said the most concerning finding is the general lack of granularity around privileged user controls within cloud environments.

“This results in situations where a privileged cloud identity is compromised through a simple attack such as a browser exploit, but then is used to pivot within an enterprise’s cloud environment to obfuscate activity and persist in ways that become very difficult to detect over time,” he explained.

For example, in cases where an administrator should only have access to a limited-service role, they instead are granted global administrative privileges. In another case, they are granted limited privileges but can self-elevate at will and without privilege management processes or controls.

Turner said in nine out of 10 cloud security posture management assessments performed in the last 18 months, Vectra has discovered not only over-privileged users but also a general lack of discipline about enforcing strong multi-factor authentication (MFA) across those accounts.

For example, MFA may be required through one interface into the cloud administrative portals, but maybe not through API or other means of accessing the cloud environment.

This has allowed attackers to find ways to bypass controls that organizations believed were in place, but which were not actually effective.
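As an added illustration that is not part of the article or the Unit 42 report, the Python below audits two constructed AWS-style IAM policy documents for the three problems discussed above: wildcard grants (the "global administrator instead of a limited-service role" case), permissions that were granted but never exercised, and MFA that is enforced at the console but not on the API path. The policy documents, the bucket name and the list of observed actions are constructed sample data; `aws:MultiFactorAuthPresent` is a real AWS condition key, and a Deny statement keyed on it is the usual way to require MFA for programmatic access as well as for portal logins.

```python
"""Audit constructed IAM policies for over-broad grants, unused grants and
missing MFA enforcement on the API path. All policy content is sample data."""
import fnmatch
import json

# Constructed example: the "keys to the kingdom" shape, everything on everything.
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

# Constructed example: a limited-service role scoped to one bucket (placeholder
# name) that is denied any call made without MFA, so the requirement also
# covers API/CLI access and not only the console login.
SCOPED_WITH_MFA = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
            "Resource": [
                "arn:aws:s3:::example-reports-bucket",
                "arn:aws:s3:::example-reports-bucket/*",
            ],
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_grants(policy):
    """Indices of Allow statements granting '*' or 'service:*' actions, or
    applying to every resource: the excessive-permission findings."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            hits.append(i)
    return hits


def allowed_actions(policy):
    """Every action pattern that some Allow statement grants."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            out.extend(_as_list(stmt.get("Action")))
    return out


def unused_grants(policy, observed_actions):
    """Granted action patterns that no observed action (e.g. from audit logs)
    ever matched: the 'granted but left unused' permissions."""
    return [
        pattern for pattern in allowed_actions(policy)
        if not any(fnmatch.fnmatchcase(a, pattern) for a in observed_actions)
    ]


def enforces_mfa_for_api(policy):
    """True if a Deny statement fires whenever no MFA was presented, which
    makes MFA mandatory on the API path and not just at the portal."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        for op in ("Bool", "BoolIfExists"):
            flag = cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")
            if str(flag).lower() == "false":
                return True
    return False


if __name__ == "__main__":
    # Constructed sample of the actions actually seen in this role's activity logs.
    observed = ["s3:GetObject", "s3:GetObject", "s3:ListBucket"]
    for name, pol in (("overly-permissive", OVERLY_PERMISSIVE), ("scoped", SCOPED_WITH_MFA)):
        print(name, json.dumps({
            "wildcard_statements": wildcard_grants(pol),
            "unused_grants": unused_grants(pol, observed),
            "mfa_enforced_for_api": enforces_mfa_for_api(pol),
        }))
```

Run against real policies, the same three checks map directly onto the report's findings: wildcard statements are the excessive-permission cases, the unused-grant list is what a least-privilege review would trim, and a policy with no MFA-keyed Deny is one where the portal may prompt for a second factor while API keys do not.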

“The bottom line is organizations need to pay much greater attention to the risks associated with the provisioning of cloud identities,” he said. “Then they need to implement processes and controls that constantly monitor cloud identities to assure their integrity and that unauthorized users are not abusing them.”
