One of the most difficult cybersecurity threats to prevent is that posed by the insider. No amount of firewalls or penetration tests can stop someone with access to sensitive corporate information from sharing documents, installing malware, or simply abusing access privileges and leaking information. Traditionally, these threats have been rooted at the physical access or corporate network level. However, as corporations shift their workloads to cloud providers, the threat of the insider gains yet another foothold that must be defended against.
As large corporations migrate to the cloud, and newer, leaner companies start from scratch on cloud technology, it is important to understand the risk that access to these environments entails. Unlike traditional networks, where physical separation of environments or large corporate firewalls partition access to resources, most cloud-level access control is software-based. Access policies, defined in languages like JSON or YAML, determine who or what can make changes to the cloud account, who can launch or delete resources, and who can modify the policies of other users.
With simple misconfigurations, an insider with access to a cloud provider account such as Amazon Web Services, could destroy the entire environment, or, less destructively, root themselves with backdoor access to every resource created in the future. Take Amazon’s Identity Access Management service for example – a highly customizable, scalable security service that controls which users and resources in an account can make changes to the rest of the environment by way of a policy defined by the user’s creator. If that creator is not careful to selectively restrict the access policy of the user, the user can easily escalate his or her privileges to become an administrator.
The threat of an insider in the cloud is not always malicious. An accidental exposure of credentials by a power user can wreak havoc in the environment, especially since those credentials can often be used from anywhere in the world and not just from a corporate VPN. Combined with other potential misconfigurations, such as over-exposed security groups allowing access from unknown IPs to the network, and poor account-level security such as lack of multi-factor authentication device requirements or strong password policies, a cloud user’s account is a goldmine for disgruntled employees and outside cyber criminals alike.
Protecting against these threats is an ever-growing and complicated process for administrators and security teams. Continuous configuration and security audits, as well as clearly defined security policies are key components to securing cloud environments. No user should be allowed to create other users or resources with sweeping sets of permissions; tightly defined control is critical. Open source and commercial tools can help audit cloud environments for the misconfigurations and risks that would enable the attacks described here. Ultimately, the security of the cloud is the responsibility of the provider, while security in the cloud belongs to the user. The insider threat landscape is shifting, but with the proper controls in place, its scope can be restricted and the risk mitigated.
If you’re in the Mid-Atlantic the NCCoE hosts an excellent cybersecurity speaker series that could help educate your employees. The topic for December 6 is Understanding, Detecting, and Mitigating Insider Threats. Click here for more details about this event.
Article by, Matt Fuller, DevOps and Security Engineer.
Founder of CloudSploit, an open source project that provides automated AWS security and configuration monitoring.Posted on