Spot on with all 5 points. Also great observation that Shadow Access is an antipattern. A few additional points.
1) As a scope, in AWS alone there are 13,000 permissions providing access to 12,000 cloud services. The access combinations, even at 5% usage, are a huge problem.
2) Not really practical to implement least privilege, let alone stay in least privilege. A better approach is to continuously rightsize against the desired baseline.
3) How do you baseline? As you say codify desired state. Track operational drift in permissions.
4) Monitor your drift continuously and integrate drift signals into your ops processes, with context: privilege escalation, unused permission activity, new permission activity, exception access, breakglass.
5) Couple continuous rightsizing and drift with always-on governance workflows.
6) Continuously identify Risky Roles, Risky Policies, Risky Identities and put them under governance.
7) Shadow Access will happen given the speed and scale of cloud. But we can leverage the power of automation and IaC and governance to proactively address Shadow Access risks.
------------------------------
Venkat Raghavan
CEO
Stack Identity
------------------------------
Original Message:
Sent: Mar 01, 2023 07:55:59 AM
From: Jonathan Flack
Subject: IAM and Shadow Access
From my perspective there are far, FAR better mechanisms for providing admin level access on a temporary basis, and shadow permissions are probably the riskiest and most dangerous from an organizational security perspective. I've personally lost count of the number of incidents I am aware of that were rooted in compromised shadow admin accounts.
1) In a cloud environment click-ops should be highly discouraged; this is what IaC is for, especially for the management of privileged accounts and their role bindings.
2) Accounts with escalated privileges should be dedicated, and not used for day to day work (non-admin tasks).
3) Role bindings for accounts with escalated permissions should be in IaC, and those should be RARE; this is what service accounts are for.
4) Sensitive role grants should be temporary, and withdrawn within a specific time frame to limit risk, and ensure a pull request and merge of the grant memorialise the event in the source tree.
5) In security sensitive environments those merges that trigger configuration automation for the application of those privilege escalations should trigger actions that alert secops teams of the temporary privilege escalation
Shadow access is an antipattern that has been allowed to infect cloud native environments and should be actively discouraged.
Jonathan
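The two replies above describe the same control loop from two angles: Jonathan wants every privileged binding to live in IaC with a time-boxed expiry, and Venkat wants a codified baseline that the live cloud state is continuously diffed against, with findings carrying context (privilege escalation, unused permissions, expired exceptions, breakglass). The script below is an added illustration of that loop and is not code from either poster, from Stack Identity or from the CSA working group. It treats the codified baseline as a plain Python dict standing in for whatever the IaC would produce, takes the "observed" bindings as a second dict standing in for a snapshot pulled from the cloud provider's IAM API, and uses a constructed activity log. The principal names, permission strings, the short ESCALATION_PERMS list and the 90-day rightsizing window are all assumptions chosen for the example.

```python
"""Added example: diff observed IAM bindings against a codified baseline and
flag unused permissions for rightsizing. Not from the thread; all principals,
permissions and activity below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Permissions that let a principal widen its own or others' access. Their
# appearance outside the baseline is reported as privilege escalation.
# (Assumption: a short stand-in for a full, maintained allow-list.)
ESCALATION_PERMS = {"iam:AttachRolePolicy", "iam:PutRolePolicy",
                    "iam:CreatePolicyVersion", "iam:PassRole", "sts:AssumeRole"}

@dataclass
class Grant:
    permissions: set
    expires: Optional[datetime] = None  # None means a standing grant
    breakglass: bool = False            # approved exception, expected to be withdrawn

@dataclass
class Finding:
    principal: str
    permission: str
    kind: str    # unmanaged_grant | privilege_escalation | expired_grant | missing_binding | unused_permission
    detail: str = ""

def detect_drift(baseline: dict[str, Grant], observed: dict[str, set], now: datetime) -> list[Finding]:
    """Compare live bindings with the codified baseline and label each difference."""
    findings: list[Finding] = []
    for p in sorted(set(baseline) | set(observed)):
        desired = baseline.get(p)
        live = observed.get(p, set())
        expired = desired is not None and desired.expires is not None and now >= desired.expires
        # An expired temporary grant no longer counts as desired state.
        desired_perms = set() if desired is None or expired else desired.permissions
        for perm in sorted(live - desired_perms):
            if expired and perm in desired.permissions:
                label = "breakglass" if desired.breakglass else "temporary"
                kind, detail = "expired_grant", f"{label} grant expired {desired.expires:%Y-%m-%d}, still bound"
            elif perm in ESCALATION_PERMS:
                kind, detail = "privilege_escalation", "escalation-capable permission absent from baseline"
            else:
                kind, detail = "unmanaged_grant", "bound in cloud, absent from codified baseline"
            findings.append(Finding(p, perm, kind, detail))
        for perm in sorted(desired_perms - live):
            findings.append(Finding(p, perm, "missing_binding", "in baseline, not bound in cloud"))
    return findings

def rightsize(observed: dict[str, set], activity: list, now: datetime, window_days: int = 90) -> list[Finding]:
    """Report permissions a principal holds but has not exercised inside the window."""
    cutoff = now - timedelta(days=window_days)
    used: dict[str, set] = {}
    for principal, perm, ts in activity:
        if ts >= cutoff:
            used.setdefault(principal, set()).add(perm)
    findings: list[Finding] = []
    for p, live in sorted(observed.items()):
        for perm in sorted(live - used.get(p, set())):
            findings.append(Finding(p, perm, "unused_permission", f"no activity in {window_days} days"))
    return findings

# Constructed sample data: one IaC-managed deployer role, one breakglass admin
# whose time-boxed grant lapsed yesterday, and one click-ops account no IaC knows about.
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
BASELINE = {
    "role/app-deployer": Grant({"s3:PutObject", "lambda:UpdateFunctionCode"}),
    "user/jflack-admin": Grant({"iam:AttachRolePolicy"}, expires=NOW - timedelta(days=1), breakglass=True),
}
OBSERVED = {
    "role/app-deployer": {"s3:PutObject", "lambda:UpdateFunctionCode", "ec2:DescribeInstances"},
    "user/jflack-admin": {"iam:AttachRolePolicy"},
    "user/contractor-x": {"iam:PassRole", "s3:GetObject"},
}
ACTIVITY = [  # (principal, permission, time of last use) - constructed
    ("role/app-deployer", "s3:PutObject", NOW - timedelta(days=2)),
    ("role/app-deployer", "ec2:DescribeInstances", NOW - timedelta(days=200)),
    ("user/contractor-x", "s3:GetObject", NOW - timedelta(days=10)),
]

def report(now: datetime = NOW) -> list[Finding]:
    """Drift signals plus rightsizing candidates, the feed an ops workflow would consume."""
    return detect_drift(BASELINE, OBSERVED, now) + rightsize(OBSERVED, ACTIVITY, now)

if __name__ == "__main__":
    for f in report():
        print(f"{f.kind:21} {f.principal:20} {f.permission:28} {f.detail}")
```

Run as is, the drift pass separates the three cases Jonathan's points are meant to prevent: a binding added by hand to an otherwise managed role (unmanaged_grant), a breakglass grant that outlived its expiry (expired_grant) and an account that was never codified at all and carries an escalation-capable permission (privilege_escalation). The rightsizing pass then lists what each principal holds but has not used in the window, which is the input to Venkat's "continuously rightsize against the desired baseline" rather than a one-shot attempt at least privilege. In a real deployment the two dicts would come from the IaC plan and the provider's IAM API, and the findings would be routed to the secops alerting Jonathan describes in his point 5.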
Original Message:
Sent: 2/28/2023 2:31:00 PM
From: Ryan Gifford
Subject: IAM and Shadow Access
Hello Everyone,
Make sure you check out last week's IAM WorkGroup meeting (link below)! Our new volunteer, Venkat, gave a presentation on Shadow Access and how it affects IAM in cloud environments. Keep an eye out for more on Shadow Access coming from the IAM working group, and as always, join us on Thursdays at 11am PST/2pm EST for our weekly meetings!
Shadow Access IAM Presentation
------------------------------
Ryan Gifford
Research Analyst
Cloud Security Alliance
------------------------------