STACK IDENTITY
ELIMINATE SHADOW ACCESS TO CLOUD INFRASTRUCTURE AND DATA
“The existence of hundreds (or sometimes thousands) of identities - both human and programmatic - across the CI/CD ecosystem, paired with a lack of strong identity and access management practices and common usage of overly permissive accounts, leads to a state where compromising nearly any user account on any system could grant powerful capabilities to the environment, and could serve as a segue into the production environment.”
Quoted verbatim from OWASP Top 10 CI/CD Security Risks, CICD-SEC-2: Inadequate Identity and Access Management.
The Mathematics of Access Combinations
Source: https://aws.permissions.cloud/ (a catalogue of AWS API methods and the IAM permissions they require).
Even if only 10% of the available methods and permissions are actually in use, that still yields on the order of 1 million possible access combinations to reason about.
Problem: Shadow Access
The proliferation of data stores containing sensitive information in cloud environments has led to a new problem: Shadow Access.
Shadow Access is unauthorized, invisible and unsafe access that can be quickly weaponized to exfiltrate data and breach cloud environments. It results from combinations of identities and permissions, called toxic combinations, that create live, active pathways to attack and exfiltrate data.
Shadow Access undermines cloud security, data security, cloud audit, compliance and governance.
Where does Shadow Access live and how does it manifest?
1. Shadow Access lives across multiple systems in the ecosystem.
2. Shadow Access credentials live across multiple systems and are used in a large variety of contexts.
3. Points 1 and 2 are amplified by the general practice of overly permissive IAM.
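To make "toxic combinations" and "access pathways" concrete, here is an added example (not Stack Identity's code, and not from the deck) that walks assume-role trust relationships from a starting identity and reports every data store reachable along the way, then ranks the pathways by the sensitivity of what they reach. The account inventory, role names, bucket sensitivities and the starting identities are constructed, and the policy model is deliberately simplified: an explicit trust entry is treated as sufficient to assume a role, while conditions, SCPs, resource policies and identity-policy sts:AssumeRole grants are not modelled.

```python
"""Static pathway analysis over a constructed IAM inventory (added example;
not Stack Identity's code). Walks assume-role trust edges from a starting
identity and reports every data store reachable along the way."""
from collections import deque
from fnmatch import fnmatchcase

# Constructed inventory. "trust": principals the role's trust policy names.
# "allow": simplified identity-policy Allow statements as (action, resource).
ROLES = {
    "role/ci-deploy": {
        "trust": ["github-oidc", "user/dev-alice"],
        "allow": [("s3:PutObject", "arn:aws:s3:::app-artifacts/*")],
    },
    "role/legacy-admin": {
        "trust": ["role/ci-deploy"],  # the toxic edge: a CI run can become admin
        "allow": [("s3:*", "*")],
    },
}
DATA_STORES = {"arn:aws:s3:::app-artifacts": "low",
               "arn:aws:s3:::customer-pii": "high"}
DATA_ACTIONS = {"read": ["s3:GetObject", "s3:ListBucket"], "write": ["s3:PutObject"]}


def assumable_from(principal):
    """Roles whose trust policy names `principal`.

    Assumption: an explicit trust entry is sufficient to assume the role.
    Conditions, SCPs, resource policies and identity-policy sts:AssumeRole
    grants are not modelled."""
    return [role for role, spec in ROLES.items() if principal in spec["trust"]]


def data_access(role):
    """Set of (store_arn, 'read'|'write') pairs the role's Allow statements grant."""
    grants = set()
    for action_pat, resource_pat in ROLES[role]["allow"]:
        for store in DATA_STORES:
            # ListBucket targets the bucket ARN; object actions target bucket/key.
            if not (fnmatchcase(store, resource_pat)
                    or fnmatchcase(store + "/key", resource_pat)):
                continue
            for kind, actions in DATA_ACTIONS.items():
                if any(fnmatchcase(a, action_pat) for a in actions):
                    grants.add((store, kind))
    return grants


def find_pathways(start):
    """BFS over assume-role chains from `start`. One record per
    (chain, store, access kind); each role is expanded once."""
    pathways, seen, queue = [], {start}, deque([[start]])
    while queue:
        chain = queue.popleft()
        for role in assumable_from(chain[-1]):
            if role in seen:
                continue
            seen.add(role)
            path = chain + [role]
            for store, kind in sorted(data_access(role)):
                pathways.append({"chain": path, "store": store, "access": kind,
                                 "sensitivity": DATA_STORES[store]})
            queue.append(path)
    return pathways


def prioritize(pathways):
    """Rank by data sensitivity, then reads (exfiltration) before writes,
    then shorter chains first."""
    rank = {"high": 0, "low": 1}
    return sorted(pathways, key=lambda p: (rank[p["sensitivity"]],
                                            p["access"] != "read", len(p["chain"])))


if __name__ == "__main__":
    for p in prioritize(find_pathways("github-oidc")):
        print(p["sensitivity"].upper(), p["access"], p["store"],
              " -> ".join(p["chain"]))
```

Run from `github-oidc` it shows the pathway the deck warns about: the CI role itself can only write build artifacts, but because `legacy-admin` trusts it, a compromised pipeline run is two hops from reading the PII bucket, and the same is true for the developer account that the CI role trusts. A real account needs full policy evaluation rather than this approximation, but the shape of the answer (identity, chain of hops, data store, sensitivity) is what a Shadow Access inventory has to produce.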
1. Shadow Access lives across multiple systems in AWS and CI/CD
(Diagram: Cloud Identities, Cloud Systems, Cloud Data Stores.)
Each system provides multiple methods of access and integration: username and password, personal access tokens, marketplace applications, OAuth applications, plugins, SSH keys.
“In a typical environment, the average user account of an SCM or CI is highly permissive. These identities are mostly used by engineers that require the flexibility to be able to create major changes in code and infrastructure.”
2. Shadow Access credentials live across multiple systems and are used in a large variety of contexts.
3. The Stack Effect of Identities/IAM/Permissions
Identities + Poor IAM + Over Permissions = Unwanted Entry to Cloud = Security Blind Spots = Breaches
Status quo is under tremendous stress
- Explosive growth of cloud data stores housing sensitive data
- Terraform and CFT (CloudFormation template) provisioning
- Growing vulnerability of CI/CD and supply chains
- Multiple IAM systems
- Multiple credentials living in different contexts
- Multiple security tools
- Major gaps in detection
- Unmanageable volume of alerts
Shadow Access Attack Vectors Impacting Deployments
Identities + Poor IAM + Over Permissions = Unwanted Entry to Production = Security Blind Spot = Breaches
Stack Identity: Exposing Shadow Access Pathways
State of the Art Approach
- DATA: cloud IAM metadata is the source of truth. The data identifies all Shadow Access variables and pathways.
- DETECTIONS: the Shadow Access source of truth. Detection continuously monitors for active and new Shadow Access and the pathways used.
- RISK - IMPACT PRIORITIZATION: continuous risk assessment, governance and shift left.
State of the Art: Cloud IAM Metadata Lake
Detection Engineering Applied to Shadow Access
• Detection engineering is the process of identifying Shadow Access threats before they can do significant damage, by building and maintaining threat detection logic.
• At its core, threat detection logic is any rule, query, or tool used to detect activity that is malicious, unexpected, or increases the risk that malicious activity will occur.
• Detection-as-Code (DaC) is a modern, flexible and structured approach to writing detections that applies software engineering best practices (version control, code review, automated tests, CI/CD deployment) to detection engineering.
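To show what Detection-as-Code looks like when applied to Shadow Access, and how the "detections" column of the approach above consumes the IAM metadata source of truth, here is an added example (not Stack Identity's code, and not from the deck). It replays CloudTrail-shaped events through two rules: one flags an AssumeRole outside a baseline derived from IAM metadata (a new pathway), the other flags reads of a sensitive bucket by an unexpected principal and escalates to critical when that principal was reached through such an unbaselined hop. The account id, role names, baseline, bucket list and the four log records are constructed, and the records are reduced CloudTrail events (real ones carry many more fields).

```python
"""Detection-as-code over CloudTrail-shaped events (added example; not
Stack Identity's code). Rules are plain functions kept in version control
and exercised against sample events like any other code."""
import json

ACCOUNT = "111111111111"  # constructed account id
ROLE = f"arn:aws:iam::{ACCOUNT}:role/"

# Baseline of (actor, target role) AssumeRole pairs that are expected, e.g.
# mined from the IAM metadata source of truth. Constructed for the example.
BASELINE_ASSUME_ROLE = {(f"arn:aws:iam::{ACCOUNT}:user/dev-alice", ROLE + "ci-deploy")}
# Sensitive buckets and the only principals expected to read them.
SENSITIVE_BUCKETS = {"customer-pii": {ROLE + "pii-processor"}}


def actor_arn(event):
    """Long-lived identity behind the call: the issuing role for assumed-role
    sessions, otherwise the user ARN."""
    ident = event["userIdentity"]
    if ident["type"] == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident["arn"]


def rule_new_assume_role_pathway(event, state):
    """An AssumeRole outside the baseline is a new Shadow Access pathway.
    The target role is remembered so later data access by it can be escalated."""
    if event["eventName"] != "AssumeRole":
        return None
    actor, target = actor_arn(event), event["requestParameters"]["roleArn"]
    if (actor, target) in BASELINE_ASSUME_ROLE:
        return None
    state.setdefault("unbaselined_roles", set()).add(target)
    return {"rule": "new_assume_role_pathway", "severity": "medium",
            "actor": actor, "target": target, "time": event["eventTime"]}


def rule_sensitive_bucket_read(event, state):
    """A read of a sensitive bucket by an unexpected principal; critical when
    that principal was reached through an unbaselined AssumeRole."""
    if (event.get("eventSource") != "s3.amazonaws.com"
            or event["eventName"] not in {"GetObject", "ListObjects", "ListObjectsV2"}):
        return None
    bucket = event["requestParameters"].get("bucketName")
    expected = SENSITIVE_BUCKETS.get(bucket)
    if expected is None:
        return None
    actor = actor_arn(event)
    if actor in expected:
        return None
    live = actor in state.get("unbaselined_roles", set())
    return {"rule": "sensitive_bucket_read", "severity": "critical" if live else "high",
            "actor": actor, "bucket": bucket, "key": event["requestParameters"].get("key"),
            "source_ip": event.get("sourceIPAddress"), "time": event["eventTime"]}


RULES = [rule_new_assume_role_pathway, rule_sensitive_bucket_read]


def load_events(text):
    """One JSON object per line, as exported from a CloudTrail lake query."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_detections(events, rules=RULES):
    """Replay events in time order through every rule, sharing one state dict."""
    state, alerts = {}, []
    for event in sorted(events, key=lambda e: e["eventTime"]):
        for rule in rules:
            alert = rule(event, state)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log (reduced CloudTrail records): a developer assumes the
# CI role as usual, a CI run hops to legacy-admin and reads the PII bucket,
# then the legitimate batch role reads the same bucket.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/dev-alice"},"requestParameters":{"roleArn":"arn:aws:iam::111111111111:role/ci-deploy","roleSessionName":"alice"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/ci-deploy/gh-run-77","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111111111111:role/ci-deploy"}}},"requestParameters":{"roleArn":"arn:aws:iam::111111111111:role/legacy-admin","roleSessionName":"gh-run-77"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-05-01T10:06:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/legacy-admin/gh-run-77","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111111111111:role/legacy-admin"}}},"requestParameters":{"bucketName":"customer-pii","key":"export/2024-04.csv"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-05-01T10:07:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/pii-processor/batch-42","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111111111111:role/pii-processor"}}},"requestParameters":{"bucketName":"customer-pii","key":"export/2024-04.csv"},"sourceIPAddress":"10.0.3.4"}
"""

if __name__ == "__main__":
    for alert in run_detections(load_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Because the rules are ordinary functions with fixed inputs and outputs, the sample log doubles as a regression test: a change to the baseline or to the rule logic is reviewed and tested like any other code change before it reaches the detection pipeline. The ordering matters too; the same PII read seen without the preceding AssumeRole is still an alert, but only the correlation with the unbaselined hop marks it as a live Shadow Access pathway in use.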
Risk - Impact and Prioritization
Summary
Shadow Access is a “new problem”: a byproduct of cloud-native and data-centric applications that will increase in frequency and complexity.
We illustrated Shadow Access using the AWS Cloud as an exemplar.
To solve this problem, we require a very different approach that can:
- Recognize that Shadow Access is a DATA problem
- Have a deep understanding of “access pathways”
- Apply detection engineering on DATA, prioritizing threats and vulnerabilities
- Operationalize with workflows

Deck: Stack Identity OWASP Shadow Access Transform Cloud IAM.pdf (17 slides)