Why ‘Role’ Permissions Are So Dangerous To Your Cloud Environment

by Eyal Arazi on September 17, 2021

One of the key challenges facing organizations running in the cloud is how to reign in excessive permissions. Running in the cloud is all about agility and flexibility. Still, the problem is that benefits frequently come at a cost to security, leading to a proliferation of unnecessary and excessive permissions in the cloud.

This webinar aims to discuss the issue of excessive permissions in the cloud and how to get them under control.

Moving to the Cloud Changes Your Threat Boundaries

The fundamental problemorganizations have to deal with is moving to the cloud changes your threat boundaries.

In the ‘old world’ of the physical on-prem data center, network resources and administrators were located in the same physical location or within the same network. In those environments, they were protected against physical threats, and protection was focused on perimeter defenses (such as firewall, secure web gateway, WAF, etc.) against outsider threats. Administrators had full control over their resources, and in worst-case scenarios, if they detected a problem, they could walk over and disconnect the server, therefore, blocking off the problem.

Sponsorships Available

The world of public cloud, is very different. Workloads hosted on the public cloud are now remote. All-access is done via remote connection, using mechanisms and APIs provided by the public cloud hosting provider. Administrators no longer have physical control over their resources, and all access to their resources is performed remotely. However, hackers, malicious actors and other unauthorized 3^rd-parties can access those same resources using the same standardized protocols, APIs, and access methods.

Therefore, your workload security is defined by who has access – and what access they have. In effect, this means that your permissions = your threat surface.

Need for Speed Leads to Excessive Permissions

Running in the cloud is all about agility and flexibility. The speed and convenience of using the cloud allow for new resources, expanding capacity dynamically, deploying new code, and faster time to market.

There are several key reasons why excessive permissions are such a problem in the cloud:

Business requirements drive cloud activity. Digital transformation is all about faster time to market, and the public cloud is an enabler for that. Running in the cloud is all about agility and flexibility, and from an IT perspective, it is where “the rubber meets the road” of digital transformation. The problem is that in the name of expediency, IT managers frequently focus more on moving fast and fail to properly secure their cloud environments, leaving their workloads and customer data vulnerable to exposure and data breaches.
Users frequently don’t know what permissions they will need. They know what they want to get done, but they might not have an idea of all the small steps that take them there. As a result, they request many more permissions than they need. Consequently, this propagates a dangerous precedent whereby organizations grant credentials far more privileges than they should allow, raising the potential to expose the applications, configurations around built environments, and their security defenses.
Cloud admins don’t want to get in the way of the business. This human tendency but leads to administrators having a “quick hand” in handing out permissions.
Granting permissions in the cloud is easy. This is a key issue because it explains why cloud permissions can be handed out so easily. Cloud operations are frequently automated or based on scripts, which prioritize speed and ease of use. As a result, it is very easy to hand out permissions, so admins frequently don’t need to give it much thought.

[Like this post? Subscribe now to get the latest Radware content in your inbox weekly plus exclusive access to Radware’s Premium Content.]

While the exact reasons may vary between organizations, they all lead to the same place. Many permissions are being handed out unnecessarily. When you have so many permissions being issued, a percentage of these permissions can potentially be misused, leading to largescale breaches. Some of the leading causes for data exposure are over-provisioning of permissions, unused and unchecked privileges, which can lead to massive security vulnerabilities.

The Role of ‘Roles’ In Excessive Permissions

One of the permission types that has proven to be a particular concern is “role” permissions. Unlike the traditional “user” and “group” permissions, which are usually associated with actual physical users (or groups of users), “role” permissions are more flexible permissions that can be dynamically assigned to a user, applications, or services. Indeed, according to Radware’s own research, approximately 80% of excessive permissions observed in the cloud environment are ‘role’ permissions.

Unlike user permissions, which are typically associated with a single person, role permissions are intended to be assumed ad-hoc by anyone (or anything) who needs it for that specific session. Cloud account role permissions allow delegating access to users and services to cloud resources for which they normally do not have access.

While this provides a great deal of flexibility, it also creates a security challenge of very flexible permissions, which can be assumed by a wide range of people and services. The fluidity of these roles and the variety of use cases in which they are used frequently leads to the proliferation of access where there is no business need.

Reigning-in Excessive Permissions

Radware recently partnered with AWS on a webinar to discuss how cloud identity and access management (IAM) works and protecting it against accidental misuse and malicious abuse. The webinar also includes a testimonial from Perion Network, one of Radware’s long-time cloud customers, on how Radware helped fortify their cloud access and lock down their cloud security posture.

Click here to watch the joint webinar by Radware and AWS.