Identity and Access Management

  • 1.  IAM and Shadow Access

    Posted Feb 28, 2023 11:31:00 AM
    Edited by Ryan Gifford Mar 06, 2023 08:08:39 AM

    Hello Everyone,

    Make sure you check out last week's IAM WorkGroup meeting (link below)!  Our new volunteer, Venkat, gave a presentation on Shadow Access and how it affects IAM in cloud environments.  Keep an eye out for more on Shadow Access coming from the IAM working group, and as always, join us on Thursdays at 11am PST/2pm EST for our weekly meetings!

    Shadow Access IAM Presentation

    Passcode: =eSaRvv5

    Ryan Gifford
    Research Analyst
    Cloud Security Alliance

  • 2.  RE: IAM and Shadow Access

    Posted Mar 01, 2023 07:57:00 AM
    From my perspective there are far, FAR better mechanisms for providing admin level access on a temporary basis, and shadow permissions are probably the riskiest and most dangerous from an organizational security perspective.  I've personally lost count of the number of incidents I am aware of that were rooted in compromised shadow admin accounts.

    1) In a cloud environment click-ops should be highly discouraged; this is what IaC is for, especially for the management of privileged accounts and their role bindings.
    2) Accounts with escalated privileges should be dedicated, and not used for day-to-day work (non-admin tasks).
    3) Role bindings for accounts with escalated permissions should be in IaC, and those should be RARE; this is what service accounts are for.
    4) Sensitive role grants should be temporary, and withdrawn within a specific time frame to limit risk, and ensure a pull request and merge of the grant memorialise the event in the source tree.
    5) In security-sensitive environments, those merges that trigger configuration automation for the application of those privilege escalations should trigger actions that alert secops teams of the temporary privilege escalation.

    Shadow access is an antipattern that has been allowed to infect cloud native environments and should be actively discouraged.
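    The workflow in points 3 to 5 above (role bindings declared in source control, sensitive grants with a fixed expiry, an alert to secops when one is applied or withdrawn, and anything not in the source tree treated as shadow access) can be sketched as a small reconciliation loop. This is an added illustration, not code from the post or from any particular IaC tool; the principals, role names, pull request numbers, timestamps, the set of "sensitive" roles and the 8-hour maximum are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed example data: the desired set of role bindings as it would be
# committed to the source tree through a pull request. Principals, role names,
# PR numbers and timestamps are all hypothetical.
DESIRED_BINDINGS = [
    {"principal": "alice@example.com", "role": "roles/owner",
     "pr": "#101", "granted_at": "2023-03-01T09:00:00Z", "ttl_hours": 4},
    {"principal": "bob@example.com", "role": "roles/iam.securityAdmin",
     "pr": "#102", "granted_at": "2023-03-03T08:00:00Z", "ttl_hours": 8},
    # A standing, non-sensitive binding: no expiry.
    {"principal": "ci-deployer@example.com", "role": "roles/viewer",
     "pr": "#090", "granted_at": "2023-02-01T00:00:00Z", "ttl_hours": None},
]

# Assumption for this example: which roles count as sensitive, and the longest
# window a sensitive grant may stay open.
SENSITIVE_ROLES = {"roles/owner", "roles/iam.securityAdmin"}
MAX_SENSITIVE_TTL = timedelta(hours=8)


def parse_ts(ts):
    """Parse the UTC timestamps used in the desired-state file."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate(binding):
    """Pre-merge policy checks a CI job would run on the pull request.
    Returns the list of violations; an empty list means the grant may merge."""
    problems = []
    if binding["role"] in SENSITIVE_ROLES:
        if binding["ttl_hours"] is None:
            problems.append("sensitive role granted without an expiry")
        elif timedelta(hours=binding["ttl_hours"]) > MAX_SENSITIVE_TTL:
            problems.append("expiry exceeds the maximum allowed window")
        if not binding.get("pr"):
            problems.append("no pull request reference to memorialise the grant")
    return problems


def is_active(binding, now):
    """A binding with a ttl is active only inside [granted_at, granted_at + ttl)."""
    if binding["ttl_hours"] is None:
        return True
    start = parse_ts(binding["granted_at"])
    return start <= now < start + timedelta(hours=binding["ttl_hours"])


def reconcile(desired, observed, now):
    """Compare desired bindings (source tree) with observed bindings (live cloud).
    Returns (to_apply, to_revoke, alerts). Anything live that is not currently
    desired is revoked: that covers expired temporary grants as well as shadow
    bindings that were never committed to the source tree."""
    declared = {(b["principal"], b["role"]) for b in desired}
    active = {(b["principal"], b["role"]) for b in desired if is_active(b, now)}
    observed = set(observed)
    to_apply = active - observed
    to_revoke = observed - active
    alerts = []
    for principal, role in sorted(to_apply):
        if role in SENSITIVE_ROLES:
            alerts.append(f"ESCALATION: temporary grant of {role} to {principal}")
    for principal, role in sorted(to_revoke):
        if (principal, role) in declared:
            alerts.append(f"EXPIRED: withdrawing {role} from {principal}")
        else:
            alerts.append(f"SHADOW: {role} held by {principal} is not in source control")
    return to_apply, to_revoke, alerts


if __name__ == "__main__":
    now = parse_ts("2023-03-03T10:00:00Z")
    for b in DESIRED_BINDINGS:
        print(b["principal"], validate(b) or "ok")
    # Constructed snapshot of what the cloud IAM API reports as attached right now;
    # the contractor binding stands in for a click-ops grant nobody committed.
    live = {("alice@example.com", "roles/owner"),
            ("ci-deployer@example.com", "roles/viewer"),
            ("contractor@example.com", "roles/owner")}
    to_apply, to_revoke, alerts = reconcile(DESIRED_BINDINGS, live, now)
    print("apply:", sorted(to_apply))
    print("revoke:", sorted(to_revoke))
    print("\n".join(alerts))
```

Run on a schedule (or from the merge that changes the desired-state file), `reconcile` withdraws alice's expired owner grant, applies bob's still-valid grant, and flags the contractor's owner binding as shadow access because no pull request ever declared it; the ESCALATION and SHADOW lines are what would be routed to secops.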


  • 3.  RE: IAM and Shadow Access

    Posted Mar 03, 2023 08:05:00 AM

    Spot on with all 5 points. Also great observation that Shadow Access is an antipattern.  A few additional points.

    1) As a scope, in AWS alone there are 13,000 permissions providing access to 12,000 cloud services. The access combinations even at 5% usage are a huge problem.
    2) Not really practical to implement least privilege, let alone stay in least privilege. A better approach is to continuously rightsize against the desired baseline.
    3) How do you baseline? As you say, codify desired state. Track operational drift in permissions.
    4) Monitor your drift continuously and integrate drift signals into your ops processes - with context - privilege escalation, unused permission activity, new permission activity, exception access, breakglass.
    5) Couple continuous rightsizing and drift with always-on governance workflows.
    6) Continuously identify Risky Roles, Risky Policies, Risky Identities and put them under governance.
    7) Shadow Access will happen given the speed and scale of cloud. But we can leverage the power of automation and IaC and governance to proactively address Shadow Access risks.

    Venkat Raghavan
    Stack Identity
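    Points 2 to 4 above (codify the baseline, track drift of attached permissions against it, and surface drift signals with context such as privilege escalation, unused permissions, new permission activity and breakglass use) are easy to see as code. The block below is an added illustration, not code from the post or from Stack Identity; the role names, the baseline and attached permission sets, the simplified JSON event lines, and the rule that `iam:`/`sts:` actions count as privilege-affecting are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed data: the desired baseline per role (what IaC declares), what is
# actually attached in the account, and a window of activity events. Role names
# are hypothetical and the event format is a simplification, not CloudTrail.
BASELINE = {
    "app-role": {"s3:GetObject", "s3:PutObject", "sqs:SendMessage", "kms:Decrypt"},
    "breakglass-admin": {"*"},
}
ATTACHED = {
    "app-role": {"s3:GetObject", "s3:PutObject", "sqs:SendMessage", "kms:Decrypt",
                 "iam:PassRole", "ec2:DescribeInstances"},
    "breakglass-admin": {"*"},
}
BREAKGLASS_ROLES = {"breakglass-admin"}
# Assumption for this example: actions in these namespaces are treated as
# privilege-affecting, so their appearance outside the baseline is an
# escalation signal rather than ordinary drift.
PRIVILEGE_NAMESPACES = ("iam:", "sts:")

# Constructed activity window, one JSON event per line.
EVENT_LOG = """
{"role": "app-role", "action": "s3:GetObject"}
{"role": "app-role", "action": "s3:GetObject"}
{"role": "app-role", "action": "sqs:SendMessage"}
{"role": "app-role", "action": "ec2:DescribeInstances"}
{"role": "breakglass-admin", "action": "iam:AttachRolePolicy"}
"""


def used_actions(log_text):
    """Collapse the activity window into the set of actions each role exercised."""
    used = defaultdict(set)
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        used[event["role"]].add(event["action"])
    return used


def drift_signals(baseline, attached, used, breakglass_roles):
    """Return (role, signal, action) tuples with the context an ops process needs:
    privilege escalation, new permission activity, unused permissions, breakglass."""
    signals = []
    for role in sorted(attached):
        perms, base, seen = attached[role], baseline.get(role, set()), used.get(role, set())
        for action in sorted(perms - base):  # drift away from the committed baseline
            if action.startswith(PRIVILEGE_NAMESPACES):
                kind = "privilege_escalation"
            elif action in seen:
                kind = "new_permission_activity"
            else:
                kind = "new_permission"
            signals.append((role, kind, action))
        if role in breakglass_roles:
            # Breakglass roles are expected to sit idle; any use is the signal.
            signals.extend((role, "breakglass_activity", a) for a in sorted(seen))
            continue
        for action in sorted(perms & base):
            if action not in seen:  # rightsizing candidate inside the baseline
                signals.append((role, "unused_permission", action))
    return signals


def rightsize(role, baseline, attached, used):
    """Two-step rightsizing against the baseline: permissions to strip immediately
    (attached but never declared) and baseline entries to review (declared but unused)."""
    base, perms, seen = baseline[role], attached[role], used.get(role, set())
    remove_now = perms - base
    review = base - seen
    return remove_now, review


if __name__ == "__main__":
    used = used_actions(EVENT_LOG)
    for signal in drift_signals(BASELINE, ATTACHED, used, BREAKGLASS_ROLES):
        print(*signal)
    remove_now, review = rightsize("app-role", BASELINE, ATTACHED, used)
    print("strip now:", sorted(remove_now))
    print("review in baseline:", sorted(review))
```

The split in `rightsize` matters: permissions attached outside the baseline are removed straight away because the source tree is the authority, while unused permissions that are in the baseline go through a review (a pull request against the baseline itself) rather than being stripped silently, which keeps the codified desired state honest instead of having the tooling diverge from it.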

  • 4.  RE: IAM and Shadow Access

    Posted Mar 03, 2023 08:33:00 AM

    Hi Jonathan - a follow-up on your 3 - "Sensitive role grants should be temporary, and withdrawn within a specific time frame to limit risk, and ensure a pull request and merge of the grant memorialise the event in the source tree."

    a) Sensitive role grants - By this you mean the ability to track IAM policies (that have sensitive access) attached to an IAM role?
    b) In the workflow you are envisioning (using a PR to track role grants), is this role grant also initiated via Infra as Code, or some human action, or both?
    c) Something/someone has to define a time frame for when the role access has to be removed. How is this operationalized?

    Thanks, Venkat

    Venkat Raghavan
    Stack Identity