Access Control as the Second Line of Defense

In security, there is a popular saying that the likelihood of a breach is “when, not if.” The same could be said of cloud usage. With 94% of enterprises using at least one public or private cloud[1], and the number of resources running in the cloud increasing consistently, securing those resources is business critical. While cloud providers hold responsibility for securing the infrastructure, security for what resides in the cloud and how the cloud is accessed is left to the organizations using cloud services, an arrangement better known as the Shared Responsibility Model.

The above is no surprise to cyber security practitioners, and has been a topic of conversation since the late 2000s. Yet as the cloud evolves and the way companies operate changes, namely as microservices and application development and usage permeate companies’ strategies, how we think about security needs to shift. Left, preferentially.

Without a defined network perimeter, identity thus becomes the focus of organizations’ access control strategies. And rightly so. However, the term “identity” often conjures up a human user, the entity at the end of the keyboard. While user access is obviously very important—the recent publication of the Verizon Data Breach Investigations Report hammers home this point—there is another aspect to identity that must be considered: workload identity.

Workload identity

Applications, virtual machines, services, and processes (a.k.a. workloads) running in the cloud all have identities, too, and these identities must be protected. Further, access to internal resources, whether by a person or by a process or service, must be strictly monitored and controlled so that unauthorized, unverified access is automatically denied. The reality, though, is that service accounts in the cloud are commonly over-permissioned, with entitlements that facilitate undetected malicious lateral movement.

A major factor in the ability to use service accounts to exploit cloud resources is the responsibility of the user/organization to properly configure access controls. Cloud misconfigurations have been a cause of many breaches, most notably the Capital One breach. Of even greater concern, Help Net Security estimates that 99% of cloud misconfiguration incidents go unnoticed[2], creating massive risk and leaving the door open to exploitation. One misconfiguration error could provide just the right access for cyber criminals to dump entire databases or inject malicious code.

Another concern, said Shai Morag, Co-founder and CEO of cloud identity startup Ermetic, is that “the responsibility for controlling access in and to the cloud is shifting from IT teams to development teams,” in other words, individuals who are often not fully trained in security and whose goals and responsibilities may be counter to those of security. Yet, he said during a recent briefing, “securing access to data in the cloud requires hermetic management of controls at scale. Cloud was built for development, not security, and managing permissions at scale requires a deep level of knowledge that many organizations do not have at present.”

Visibility and control

Ermetic’s platform is designed to give cloud administrators a complete view into all access permissions to and from all users, applications, and resources and the ability to enforce least privilege across clouds. At present, Ermetic works in AWS environments, with Google Cloud Platform and Azure available soon. Morag told me that Ermetic can be deployed in under five minutes through simple integration to the customer environment(s). All the platform needs is access to configuration data and logs, with permissions for metadata access. Ermetic also integrates with industry-leading endpoint identity providers for full visibility into federated users, offering a layered approach: access control from the endpoint through resources and data.

Once configured, Ermetic has visibility into workload identities, entitlements, and data, which are displayed in the administrative console. There, admins can see an IAM score calculated based on access activity and data sensitivity, and an access graph that shows permissions of all service accounts, systems, applications, compute resources, etc., plus associated policies. When a given resource is scored as high risk, Ermetic allows the user to eliminate unnecessary access and/or privileges through provided remediation steps. At present, admins must make the necessary changes manually (though the code can be copied and pasted), but Morag said automated remediation is due for release soon. A little farther down the line, the goal is to implement a “fix me” button, making it even easier for admins to drive down risk.

Reduced friction

Because Ermetic was born in the cloud with developers in mind, the platform connects to the CI/CD pipeline, removing some of the historic friction between security and development. “Early on,” said Morag, “we knew we wanted to build a tool that connected to code, integrated with the CI/CD pipeline, and addressed access risk for the entire development lifecycle.” As such, Ermetic starts with visibility into and analysis of access permissions based on identity and activity patterns, and then allows admins to apply granular, least privilege policies, detect suspicious behavior, and continuously monitor for unintended or unauthorized access—all without disrupting the development workflow.
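The general idea of comparing granted permissions against observed activity can be sketched as follows. This is an added example, not Ermetic's code or algorithm; the role ARN, policy and CloudTrail-style events are constructed, and the event-to-action mapping is a simplifying assumption.

```python
from fnmatch import fnmatchcase

# Constructed inputs: a policy on a hypothetical service role and
# simplified CloudTrail-style records (not real log data).
ROLE = "arn:aws:sts::111122223333:assumed-role/report-builder/job"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:GetItem"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]}
EVENTS = [
    {"userIdentity": {"arn": ROLE}, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": {"arn": ROLE}, "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"userIdentity": {"arn": ROLE}, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": {"arn": ROLE}, "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "errorCode": "AccessDenied"},
    {"userIdentity": {"arn": ROLE.replace("report-builder", "other")},
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket"},
]

def as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Action patterns from Allow statements (Deny and NotAction are out of scope)."""
    return [action for st in as_list(policy["Statement"])
            if st.get("Effect") == "Allow" and "Action" in st
            for action in as_list(st["Action"])]

def observed_actions(events, arn):
    """Map lowercased 'service:Action' to its original casing for successful calls.
    Assumption: eventSource prefix + eventName equals the IAM action name, which
    holds for these samples but not for every AWS API."""
    seen = {}
    for e in events:
        if e["userIdentity"]["arn"] == arn and "errorCode" not in e:
            action = f"{e['eventSource'].split('.')[0]}:{e['eventName']}"
            seen[action.lower()] = action
    return seen

def right_size(policy, events, arn):
    """Return (grants never exercised, exact actions that were exercised)."""
    seen, unused, keep = observed_actions(events, arn), [], set()
    for pattern in allowed_patterns(policy):
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        hits = {orig for low, orig in seen.items() if fnmatchcase(low, pattern.lower())}
        if hits:
            keep |= hits
        else:
            unused.append(pattern)
    return sorted(unused), sorted(keep)

if __name__ == "__main__":
    print(right_size(POLICY, EVENTS, ROLE))
```

The second list is a candidate replacement for the wildcard grant; the observation window needs to cover infrequent jobs before anything in the first list is removed.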

I asked why Ermetic doesn’t use the term “zero trust” in their marketing, given that their tool conforms to several zero trust principles—least privilege access, contextual and adaptive access based on identity, the ability to apply policy at a granular level. Amy Ariel, the company’s CMO, told me that they are concerned about jumping on the zero trust buzzword bandwagon, but that zero trust is a driver for their current product and future versions.

While Ermetic is in early stages as a company, the executive team have impressive backgrounds and verifiable success as entrepreneurs. They are up against a very crowded market and the fact that endpoint identity and access control is a bigger market at present. That said, iterative access control at all layers of the stack is the best strategy for preventing unauthorized usage and compromise. In a space with few direct competitors, Ermetic may face adoption challenges, but the concept is sound and their future plans look promising.

_____________________________________________________________________________________________

[1] https://resources.flexera.com/web/media/documents/rightscale-2019-state-of-the-cloud-report-from-flexera.pdf?elqTrackId=372b6798c7294392833def6ec8f62c5c&elqaid=4588&elqat=2&_ga=2.75255952.381106268.1556868633-1445624021.1556868633

[2] https://www.helpnetsecurity.com/2019/09/25/cloud-misconfiguration-incidents/