Delinea, a leading provider of solutions that extend Privileged Access Management, acquires Authomize. Learn More

6 Top Emerging IAM Security Risks

01/02/2021 • Gabriel Avner

And our recommendations on how to mitigate these risks

Long before COVID-19 took the world by surprise, companies understood the advantages and endless possibilities of transferring data and services to the cloud. As employees began working remotely, the unprecedented demands of the pandemic forced organizations to migrate their data to the cloud, even faster than expected. This transition across the three main cloud deployment models (SaaS, IaaS and PaaS) not only enhanced flexibility and efficiency within organizations, but also presented new risks. As security breaches become a even bigger reality, it is crucial that cloud protectors consider the importance of safeguarding their information and strengthening their Identity and Access Management, all while recognizing the top security risks that have risen to the surface.

Excessive Permissions

Excessive permissions are policies that are overly granted to users beyond what is necessary. Controlling each identity (human and non-human identity) permission in the cloud is extremely difficult due to its dynamic nature. Additionally, each cloud application and system has its unique permission model, which further complicates the assignment and removal of permissions. Excessive permissions can be divided into two levels: used excessive permissions and unused excessive permissions.

Examples of excessive permissions:

  • Access from an old department lingers after an employee has moved to a new department.
  • A user’s temporary admin privilege was never revoked.
How to mitigate this risk:

This solution lies on the notion that while not every permission granted is needed, not all infrequently used permissions must be removed. As a result, companies should consider using an AI-based entitlement analysis tool that automatically and consistently grants exact privileges based on what users truly need. In addition, this solution must secure the life cycle and governance of a company’s assets by securing the changes in who has access and ensuring they are properly governed.

External Sharing of Data

Controlling access to shared resources is extremely difficult due to the simplicity of data sharing via cloud services. In consequence, organizations are unaware of sensitive data and resources being shared. Third party apps like Google Drive, Dropbox, etc. make it so simple to share data, that in many cases, when data is shared outside the company’s IT environment, the data’s privacy settings are no longer in control of the enterprise.

Examples of excessive permissions:

  • A customer still has lingering access to a SharePoint product catalogue, even two years after having left the company (real life example).
  • Sensitive documents are accidentally saved in the wrong folder.
How to mitigate this risk:

Organizations must seek a solution that continuously monitors its data, identities, and permissions. This solution entails giving companies profound visibility into what has been intentionally or unintentionally exposed. Furthermore, solutions should support internal tagging systems or integrate already existing tagging systems like the Microsoft tagging system. In addition to delivering deep visibility, the best solution should also automatically alert companies of any abnormal behavior outside of its “identity perimeter”. By implementing these solutions, organizations will gain a better understanding of where their data has been shared and as a result be able to better mitigate potential risks.

Misconfigurations

Misconfigurations are the result of insufficient supervision or implementation over security controls in servers or web applications. Due to the mishandling or lack of security controls, what is supposed to be an impenetrable environment, has dangerous holes which put companies in jeopardy. Most misconfigurations are undetectable to the naked eye and are more common than many would like to admit. Misconfigurations are more common than ever in the cloud era and are a prevalent problem that can take place at any level of the application stack. A famous example being the Capital One data breach of 2019. As the multi-cloud continues to complexify, human error increases, and misconfigurations become more prevalent.

Examples of excessive permissions:

  • Not enabling the “IAM passthrough” in Databricks can lead to imprecise permissions, thus warranting excessive access to the bucket. When this occurs, the bucket is exposed beyond the parameters of the organization.
  • Misconfigured Google Groups settings
How to mitigate this risk:

Companies must implement a solution that is able to detect both malicious and accidental misconfigurations in cloud settings from any access point, all while supporting a multi-cloud environment. Not only should this solution be able to detect a misconfiguration, but it must also recommend how to properly fix it.

Lack of Visiblity

The cloud is a dynamic and complex environment to operate in. As applications and infrastructure mature and become sophisticated, they generate massive amounts of data needed to be monitored. It becomes even harder to attain visibility when projects are created and completed in a brief period. The lack of tools given by cloud providers to view a company’s lowest level of data, applications, and assets, make it impossible for companies to correctly decipher who has access to assets among different clouds or if sensitive material was exposed. Additionally, this lack of visibility also prevents companies from establishing and maintaining segmentation in policies as considered best practices by most security methodologies like Zero Trust, NIST and MITRE.

Examples of excessive permissions:

  • Existing tools cannot show how and where access is being granted. For example, access to a certain file can be given either via direct assignment, group membership, or even to make matters worse, through a combination of multiple policies.
  • Gaining a centralized view of multi cloud environments such as Azure, AWS and private clouds, is impossible with CSPs tools.
  • Existing tools lack visibility into crown jewel assets, which prevent IT teams from establishing Zero Trust Micro-perimeters.
How to mitigate this risk:

Adopting solutions with a graph identity and entitlement view is the way to go. This is a more optimal approach for providing a simplified and intuitive view of the relationship between identities and entitlements (a picture is worth a thousand words). Since access can be granted both directly and indirectly, relationships are more easily characterized through graph models. The ability to freely dice and slice data is essential as each organization structure and needs are unique. Moreover, continuously maintaining a “zero trust” micro-segmentation approach can be achieved by using tools to gain and leverage deep visibility.

Privileged Access

Just as there are privileged accounts in on-premises environments, the cloud too has its own way of granting privileged access depending on the cloud vendor. These accounts can be associated with human and non-human accounts and vary between all cloud deployment models (IaaS, SaaS, PaaS, Data, etc.). The privilege-related attack surfaces in modern business environments is becoming more prevalent as systems, applications, and identities continue to grow.

The SolarWinds attack in 2020, showed a key example of targeting privileged access. When it came to privileged access, traditional solutions that did not “reverse provision” of the actual effective access to privileged permissions (in any manner) and validate them based on recorded system logs, did not provide the coverage needed to protect the cloud estate. Privileged access is not just a direct grant of a role or permission, it is also any control over groups or attributes that can grant the role, as well as any role that contains such privileges , whether or not it is officially an “admin” role.

Examples of excessive permissions:

  • eDiscovery permissions in Microsoft 365 (Office 365) can provide access to any mailbox or file, which therefore should be monitored to grant age and removal.
  • Roles that seem less critical, such as the “editor” role in the Google Cloud Platform, in reality consist of multiple roles that are considered to be “administrative.” Even if they are granted at an organizational or even sensitive project/folder level, the risks could still be profound.
  • Control over a specific group that grants access to other Domain Admins.
  • Control (e.g., HRBP) over user attributes such as rank, manager, or an organizational role, may grant relevant privileged access in most ABAC / “HR as Master” SSO type of deployments.
How to mitigate this risk:

At the end of the day “you can’t protect what you can’t see.” Implementing an efficient solution that delivers deep visibility into risky access points, such as Super Admin and other privileged accounts, can apply guardrails around the usage, activity, and behavior of the accounts. Finding a solution that allows 360° visibility on how permissions are granted, applying guardrails on access and suspicious activity, making sure that privileged accounts are not used on a day-to-day purpose, and that abnormal historical data can be viewed, is crucial to mitigate this risk.

Offboarding Employees

One of the main challenges for IT managers is handling offboarding. As employees leave organizations, it is becoming harder to ensure full removal of all permissions and access. Some of these risks can be remediated by using strict SSO solutions as the source of truth, however gaps are still likely to exist for multiple reasons. Revoking access from SSO or any other identity provider can evade systems outside their coverage, which leave abounded accounts posing immense security and compliance threats to organizations.

Examples of offboarding employees:

  • Employee was offboarded troguht the HR systems but had valid account in other non-HR-connected systems
  • Account ownership wasn’t transferred from departed employee
How to mitigate this risk:

Organizations must continuously monitor partial removal across all critical applications. This monitorization depends on the integration in the IDP, the source of truth, and/or on applications. It is important to monitor key rotation, service account ownerships, as well as information that may have been shared externally, prior to departure.

Cloud Security is an Ongoing Journey

The endless possibilities of transferring data and services to the cloud has never been clearer. As organizations are pushed to migrate to the cloud quicker than considered, strengthening Identity and Access Management is no task to be left for “tomorrow.” The potential security breaches of an insecure IAM could result in permanent damage beyond repair. It is in this reality and rate of migration, that cloud protectors need to familiarize themselves with potential risks and hacks. Enterprises must focus on strategies to safely harness their information in order to fully reap the benefits of the cloud. Not only will this make businesses more secure, but it will also give organizations a leg up well beyond after COVID-19.

Next read

Download
Solution Brief

Learn how Authomize's solution is changing the way companies are managing authorizations

Download