The Governance and Risk Horror Show
Autumn is absolutely my favorite season. The crisp, spicy scent of leaves, the brisk chill in the air, and best of all, Halloween! I unabashedly love Halloween. It’s the time of year when spooks and bogeys, ghouls and monsters abound! There’s nothing like a bit of nervous titillation to make fall perfect, especially when I know my friends are behind the mask doing the Monster Mash.
But that fun can pale when it’s a company party. Is the person behind the mask of a keyboard a friend or a foe? Suddenly, the spike of adrenaline isn’t fun, it’s uncomfortable. Is it a concern to worry about?
Using this Halloween analogy, I’d like to demonstrate a way to think about attack surfaces within enterprise organizations. Someone you think is a faithful, friendly employee, could actually be a bad actor out to execute some gruesome torment upon your organization. This area of risk management can be dangerous territory and can leave your infrastructure as vulnerable as the cute-but-terminal sidekick in every horror movie, ever.
We live in exciting times, where the landscape of our old server rooms is a graveyard of dark and silence. Now, the ground beneath your feet isn’t shaky, it’s completely absent because you are living in the Cloud!
It’s easy to see the value to the easy elasticity of workloads, the shift of maintenance burden, the distributed environment. AWS, Azure, Google Cloud, whatever your flavor may be, the end result is the same: some automation tools and some configuration tools and assorted black magic result in physical servers going >poof< and the ghost is evicted from the shell, now dwelling in the ether. Boil, boil, toil and trouble, fire burn and cauldron bubble.
But there is a dark side to this transformation, one which can easily send your organization into dangerous territory. The Cloud Security Alliance surveyed to find the greatest security issues with the cloud, and number one was data breaches. Research showed that between January and March of this year over 100 million files were found exposed on Amazon S3 buckets. 100 million. And even Verizon, publisher of the annual Data Breach Investigation Report, suffered embarrassment as a publicly accessible Amazon bucket exposed confidential data to the world at large.
All of this sounds like nightmares for a company! How do we deal with these horror show set of risks visited upon us by cloud-friendly practices? We have a few principles to face down these demons.
As in the physical, so in the ethereal. Accounts for AWS, Azure or Google Cloud administrators have to be wrapped into the same identity and privileged account management procedures you use for on-premises accounts. Admin accounts for your cloud services should be granted when needed through a privileged account request process for just-in-time access and revoked when activities are complete. The request and access should be auditable and the role which enables an employee to request this sort of elevated account should be included in regular certifications. That same process needs to be applied to the personnel who are storing your infrastructure or source code on automation and versioning sites such as GitHub.
Exorcise ghosts. Accounts left unmanaged, perhaps even ghosts lingering after one of your employees has left the company, are the equivalent of building your house on top of a graveyard; bad things will probably happen. Besides the privileged access requests, the ability to even request access should be locked down to identities tied to lifecycle management. Automate account creation, access change, and deactivation so an employee who has left the organization is truly locked out.
Watch for possession. As in, learn your user behavior and apply analytics to it so you can see when someone is acting in a strange fashion. Both monitoring of privileged activity and gathering of logs to gain baselines for expected behavior are part of the best practices to banish threats from your environment.
Light kills vampires. Of course, the best way to keep the shadows at bay is to shine a bright light and see what’s going on. Visibility, getting a view of the landscape can help you find the vampires crawling out of the grave. In this instance, that landscape is shown best in clear dashboards showing configuration which violates internal security policies or industry standards. Whether it’s unrestricted inbound connections to active instances, EC2 Security Groups with Open Access, or unrotated credentials, having clear insight into risks identified by industry best practices and CIS AWS Foundations Benchmark can help you know where you need to drive the stake to remove the threat. Continuous monitoring for the sort of vigilance necessary to manage monsters.
Don’t go out alone. You don’t want your organization to be the cautionary tale with blood splashed across the headlines. Saviynt is the friend who can walk through the haunted house with you, helping you enact each of these principles. Let us partner with you and help you navigate safely in the new landscape, fraught with danger. For more information, see our solutions for survival in the cloud. Also, like every good horror movie, there’s a sequel to this blog here.
Additionally, we will cover this topic at Saviynt Converge ‘18, our complimentary event that is exclusive to Saviynt customers, partners and prospects. To learn more or to register for the events, click here.
IBM X-Force Threat Intelligence Index 2018
Too Much Information: Misconfigured FTP, SMB, Rsync and S3 Buckets Exposing 1.5 Billion Files · www.digitalshadows.com