Securing your Cloud Identity and Access layer depends on your ability to achieve visibility over your environments and to have the insights needed to take decisive action.
We here at Authomize have released an updated Access Explorer that gives security teams the highly detailed view of access to their assets that makes it easy to investigate and resolve incidents.
Authomize’s Cloud Identity and Access Security Platform enables security teams to solve these challenges, providing comprehensive, granular and normalized visibility and monitoring via a single pane of glass across everything in your cloud environment.
Our Access Explorer Graph and Inventory pages play a key role by improving visibility and accelerating the investigation of security incidents.
This blog reviews how these capabilities can be used for incident investigation, threat hunting, and for building optimal Identity & Access security policies. It then reviews the Access Explorer and the Inventory pages.
Challenges to Securing Identity and Access in the Cloud
In the modern, highly distributed cloud environment, attaining the right level of visibility is far easier said than done — due in no small part to the scale of the adoption of cloud applications and services.
According to research in 2021, the average organization uses 110 Software-as-a-Service (SaaS) apps. This figure does not take into account the multitude of services that they are running in their Infrastructure-as-a-Service (IaaS), Platform-as-a-Service, Data-as-a-Service, or anything else they build, own, or are using in the cloud.
Each of these environments has its own disparate set of identities, access privileges, and Identity and Access Management (IAM) systems that have to be monitored and secured.
Understanding who has which access privileges to which assets and how they are using that access is exceedingly difficult due in part to the:
- Diversity and scale of applications and services in use, each with its own IAM system that has to be interpreted and normalized for analysis and operationalization
- Lack of visibility between siloed environments, which makes centralized tracking challenging
- Complexity of IAM, where groups, roles, and other management tools can obscure an identity’s access paths to assets
Without this critical visibility, security teams struggle to:
- Detect and remediate risks like over-privileged identities (shadow admins) or partial offboarding
- Investigate security incidents on the identity and access layer effectively and efficiently
- Secure access controls for their development pipeline across environments
Individual IAM tools like IdPs, IGA, PAM, CIEM, and others are unable to provide the visibility to meet these needs: each addresses a particular aspect of the identity and access space but none provides the comprehensive, actionable picture that security professionals need to be truly effective.
Leveraging Access Explorer’s Visibility for Incident Investigation
Authomize provides continuous monitoring to detect and mitigate Identity & Access risks across everything on your cloud. Our connectors pull rich data that tracks the access path from identity to asset, showing how that access is granted, and how it is used, all aiding in investigation of alerts and incidents.
When a risk is detected it is reported as an incident. These incidents can be investigated by reviewing the identity associated with the incident and by exploring access privileges in the Access Explorer graph.
The Access Explorer graph visually displays the relationships between identities, assets, and access policies. Customers can also drill down to get the most granular view of the assets.
Looking at this graph, we can easily understand exactly what Alex has access to and how he has that access through different accounts, groups, drives, etc. Here we have full visibility, regardless of how many “steps” it takes to get from his identity to the asset.
Customers can also use the graph to investigate incidents raised by third-party solutions. If there is an alert on a compromised asset (like a VM or a file), security professionals can search for the compromised asset to get all the details of who has access to it, with which privileges, and when it was last accessed, building a full picture for their investigation.
They can look at the Activities tab to explore who else may be compromised by it.
Example: Let’s assume that a third-party contractor’s laptop was compromised (much like the Okta breach in early 2022). The attackers had control of the computer for a few days, giving them access to your organization’s network and data.
Using Authomize, your investigators can:
- Identify who had access to the computer and who was using that access (with comprehensive visibility into all activities across the cloud)
- Go to any file that was accessed to search for backdoors and malware
- Investigate who else accessed the file and may have been compromised by the malware or backdoors that were implanted (in order to stop the attack)
Security teams can use the Access Explorer not only to investigate an incident after the fact, but also to proactively hunt and protect.
Threat Hunting Based on Superior Visibility
Authomize’s automated tagging identifies your most sensitive systems and assets, enabling you to prioritize your team’s valuable time.
One common use case of our tagging capability that we see is using Authomize to identify all the production servers and who has access to them.
You can download all activities on those servers to search for and identify actors who may have granted themselves access, either by joining groups or by defining a new group, and are using it for potentially malicious purposes.
With that information in hand, you can investigate the account responsible for such activities to identify potential breaches and stop the threat.
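The two ideas above, multi-hop access paths from an identity to an asset and hunting for actors who granted themselves access to production systems, as an added illustration. This is example code written for this post, not Authomize's code or data model; the graph, the "production" tag set and the activity records are constructed with hypothetical names.

```python
# Constructed toy access graph (hypothetical names; not Authomize's data model or
# code). Each node lists the nodes it grants access through:
# identity -> group / role -> asset.
GRANTS = {
    "alex": ["grp:engineering", "role:reader"],
    "dana": ["grp:engineering"],
    "contractor-1": ["grp:vendors"],
    "grp:engineering": ["role:prod-admin"],
    "grp:vendors": ["asset:shared-drive"],
    "role:prod-admin": ["asset:prod-vm-1", "asset:prod-vm-2"],
    "role:reader": ["asset:shared-drive"],
}
SENSITIVE = {"asset:prod-vm-1", "asset:prod-vm-2"}  # assets tagged "production"
# Constructed activity records, in the shape an Activities export might take.
ACTIVITIES = [
    {"actor": "alex", "action": "group.add_member", "target": "grp:engineering", "member": "alex"},
    {"actor": "it-admin", "action": "group.add_member", "target": "grp:engineering", "member": "dana"},
    {"actor": "dana", "action": "file.read", "target": "asset:shared-drive"},
]

def access_paths(start, target, graph=GRANTS):
    """Every chain of grants from start to target, however many hops it takes."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:  # tolerate cyclic group nesting
                stack.append((nxt, path + [nxt]))
    return paths

def who_can_reach(asset, graph=GRANTS):
    """Reverse lookup for a compromised asset: each identity with its access paths."""
    ids = (n for n in graph if not n.startswith(("grp:", "role:", "asset:")))
    return {i: access_paths(i, asset, graph) for i in ids if access_paths(i, asset, graph)}

def self_granted_sensitive_access(activities, graph=GRANTS, sensitive=SENSITIVE):
    """Flag actors who added themselves to a group that reaches a sensitive asset."""
    hits = []
    for act in activities:
        if act["action"] == "group.add_member" and act["actor"] == act.get("member"):
            exposed = sorted(s for s in sensitive if access_paths(act["target"], s, graph))
            if exposed:
                hits.append((act["actor"], act["target"], exposed))
    return hits
```

In a real investigation the graph would be populated from the normalized identity, group, role and asset data and the records from the Activities export; the path search itself does not change.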
Leverage the Access Explorer Graph to Plan Protection for Sensitive Assets
Finally, your security architects can use the Access Explorer graph to:
- Identify the assets tagged as sensitive (your Crown Jewels)
- Run access review campaigns to establish the policy baseline of who should have access to these assets
- Investigate the graph for everyone who has access and is using it.
Utilizing these capabilities and insights, your security team can remove excessive access and configure policies that will alert on any excess access granted moving forward.
Authomize Inventory Pages
Authomize’s Inventory pages organize the data collected and normalize it in a way that is easy to understand, filter, and search.
The Inventory pages are: Identities, Assets, Access Policies and Activities.
All the data in the Inventory pages can also be exported as CSV or via the API to allow additional processing and import into a third-party system.
The Identities page displays the full list of identities (human and service accounts, internal and external) allowing customers to filter and search to fulfill a variety of use cases, such as:
- Finding all external users to make sure they do not have excessive access privileges
- Finding all the Admin users to verify they have MFA configured
Customers can drill down into any Identity to get detailed information about it and answer questions like:
- Which assets do they have access to?
- What access privileges do they have for this asset?
- How did they get these access privileges (directly, through an IdP, or through a group membership or role)?
You can also see the tags associated with the identity, review the access they are using (Activities), and open the Access Explorer graph for them.
The Assets page displays the assets in your organization in a simple table that shows each asset’s type, how many incidents are open for it, and the tags associated with it.
The Access policies page provides information about how an identity received access and presents groups, roles and access policies that grant access to specific assets.
The Activities page displays the details about activities, such as the Identity that performed the activity, the asset that was affected, the source, the privilege that enabled the activity and more.
See More, Do More Securely
Authomize’s new capabilities provide superior visibility into cloud identity and access, accelerate the detection, investigation and remediation of identity-related risks and threats, and thereby tighten security for everything in your cloud.
With these capabilities customers gain:
- Comprehensive visibility across IaaS, SaaS, and IAM solutions
- Outstanding granularity enabling you to view every identity and access to every asset (including every file, VM, and code repository)
- Normalization of identities, assets, access privileges, and activities across platforms
- Merging of identities based on advanced analytics
- ML-generated rich context to help determine who should have access (SmartGroups)
- Graph visualization of effective access paths across cloud infrastructure, applications and IdPs
To learn more, Sign up for a Free Assessment to try it for yourself.