OWASP meeting discussing the topic of "Shadow Access", an emerging attack vector in the cloud that creates exploitable pathways to an organization's crown jewels. Cloud identities, roles, permissions, policies, entitlements and vulnerabilities combine to create exploitable access pathways to data and applications (aka "Shadow Access"), and these pathways also affect CI/CD systems. Cloud data breaches and data exfiltration are made easy by untenable volumes of data and dynamically changing cloud environments. Programmatic access upends existing IAM processes, so Cloud IAM must transform.
Presented by CEO Venkat Raghavan at Bay Area OWASP meeting Jan 2023
2. "The existence of hundreds (or sometimes thousands) of identities - both human and programmatic - across the CI/CD ecosystem, paired with a lack of strong identity and access management practices and common usage of overly permissive accounts, leads to a state where compromising nearly any user account on any system, could grant powerful capabilities to the environment, and could serve as a segue into the production environment."
Verbatim from OWASP Top 10 CI/CD Security Risks, CICD-SEC-2
3. The Mathematics of Access Combinations
source: https://aws.permissions.cloud/
10% of methods & permissions used = 1 million access combinations
4. Problem: Shadow Access
The proliferation of data stores containing sensitive information in cloud environments has led to a new problem called Shadow Access.
Shadow Access is unauthorized, invisible and unsafe access that can be quickly weaponized to exfiltrate data and breach cloud environments. It results from collections of identities and permissions, called toxic combinations, that create live, active pathways for attacking systems and exfiltrating data.
Shadow Access breaks cloud security, data security, cloud audit, compliance and governance.
5. Where does Shadow Access live and how does it manifest?
1. Shadow Access lives across multiple systems in the ecosystem.
2. Shadow Access credentials live across multiple systems and are used in a large variety of contexts.
3. Points 1 and 2 are amplified by the general practice of overly permissive IAM.
6. 1. Shadow Access lives across multiple systems in AWS & CI/CD
(Diagram: Cloud Identities, Cloud Systems, Cloud Data Stores)
Each system provides multiple methods of access and integration: username & password, personal access token, marketplace application, OAuth applications, plugins, SSH keys.
"In a typical environment, the average user account of an SCM or CI is highly permissive. These identities are mostly used by engineers that require the flexibility to be able to create major changes in code and infrastructure."
8. 3. The Stack Effect of Identities/IAM/Permissions
Identities + Poor IAM + Over Permissions = Unwanted Entry to Cloud = Security Blind Spots = Breaches
9. Status quo is under tremendous stress
Explosive growth of cloud data stores housing sensitive data
Terraform and CFT provisioning
Growing vulnerability of CI/CD and supply chains
Multiple IAM systems
Multiple credentials living in different contexts
Multiple security tools
Major gaps in detection
Unmanageable volume of alerts
13. State of the Art Approach
(Diagram: Cloud IAM Meta Data Source of Truth; Shadow Access Source of Truth; Continuous Risk Assessment. Stages: DATA, DETECTIONS, RISK - IMPACT PRIORITIZATION)
Data identifies all Shadow Access variables and pathways.
Detection continuously monitors for active and new Shadow Access and the pathways used.
Governance & Shift Left
15. Detection Engineering Applied to Shadow Access
• Detection engineering is the process of identifying Shadow Access threats before they can do significant damage - threat detection logic.
• At its core, threat detection logic is any rule, query, or tool used to detect activity that is either malicious, unexpected, or increases the risk that malicious activity will occur.
• Detection-as-Code (DaC) is a modern, flexible, and structured approach to writing detections that applies software engineering best practices to detection engineering.
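As an added example (not from the talk or any vendor's product), here is a small detection-as-code rule in Python that walks constructed IAM metadata, the identities, the roles their trust policies let them assume and the policies attached to each, and reports every chain of principals that ends with read access to a data store tagged sensitive; it serves the toxic combinations of slide 4, the stack effect of slide 8 and the data-driven detection of slides 13 and 15. The inventory, principal names and bucket names are hypothetical; in practice the metadata would come from the account's IAM and data-store inventory.

```python
from collections import deque
from fnmatch import fnmatch

# Constructed sample IAM metadata (hypothetical, not from any real account).
# Each principal lists what its identity policies allow (action pattern,
# resource pattern) and which roles its trust relationships let it assume.
PRINCIPALS = {
    "user:ci-deploy-token": {"allow": [("sts:AssumeRole", "role:deploy")],
                             "assume": ["role:deploy"]},
    "role:deploy":          {"allow": [("s3:*", "*")],  # over-permissive role
                             "assume": ["role:data-reader"]},
    "role:data-reader":     {"allow": [("s3:GetObject", "bucket:customer-pii/*")],
                             "assume": []},
    "user:dev-alice":       {"allow": [("s3:GetObject", "bucket:public-assets/*")],
                             "assume": []},
}
# Sensitive data stores from the inventory, keyed by a representative object.
SENSITIVE_STORES = {"bucket:customer-pii/export.csv": "PII"}
READ_ACTIONS = ("s3:GetObject",)

def grants_read(principal, resource):
    """True if any allow statement of the principal covers a read of resource."""
    for action_pat, res_pat in PRINCIPALS[principal]["allow"]:
        if any(fnmatch(a, action_pat) for a in READ_ACTIONS) and fnmatch(resource, res_pat):
            return True
    return False

def find_access_pathways(start):
    """Breadth-first walk over AssumeRole edges from `start`; return every
    chain of principals that ends with read access to a sensitive store,
    as (chain, store, classification). Each chain is one toxic combination."""
    pathways, seen, queue = [], {start}, deque([[start]])
    while queue:
        chain = queue.popleft()
        current = chain[-1]
        for store, label in SENSITIVE_STORES.items():
            if grants_read(current, store):
                pathways.append((chain, store, label))
        for role in PRINCIPALS[current]["assume"]:
            if role not in seen:  # guard against trust-policy cycles
                seen.add(role)
                queue.append(chain + [role])
    return pathways

def shadow_access_report():
    """Detection output: each human or programmatic identity with its pathways."""
    return {p: find_access_pathways(p) for p in PRINCIPALS if p.startswith("user:")}
```

Run against real inventory, the report is the list of pathways to prioritize and remediate; the CI token above reaches PII twice, once through the over-permissive deploy role alone and once through a further role hop.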
17. Summary
Shadow Access is a "new problem", a byproduct of Cloud Native & Data-centric Apps, that will increase in frequency and complexity.
We illustrated Shadow Access using the AWS Cloud as an exemplar.
To solve this problem, we require a very different approach that can:
Recognize that Shadow Access is a DATA problem
Have a deep understanding of “access pathways”
Apply Detection Engineering on DATA - prioritize threats and vulnerabilities
Operationalize with workflows