Elements of Zero Trust
Closing the Cloud Permissions Gap to Achieve Zero Trust: An AWS Risk Assessment
Posted by Sarah on January 26, 2021. Author: Raj Mallempati, COO of CloudKnox
Whether it is to adapt to remote work, improve innovation, or build agile teams, organizations continue to prioritize digital transformation for myriad reasons. And, while there are many business benefits to digital transformation strategies—from boosted productivity to tools that unlock new functions—there are also significant cloud infrastructure security risks that enterprises must mitigate to benefit from their investments fully.
An organization must also carefully balance this emphasis on digital transformation with Zero Trust. A major pillar of the Zero Trust model is the ability to limit excessive user entitlements. Yet, in the cloud, this is very difficult to accomplish: cloud service providers add new services and permissions at such a fast pace that understanding the complexity of thousands of permissions becomes a daily challenge.
A major cloud security risk, as an example, is associated with the human and non-human identities operating within organizations’ hybrid and multi-cloud environments. In fact, through extensive research and analysis evaluating organizations using Amazon Web Services (AWS), CloudKnox Security Research Labs has discovered a significant delta between permissions granted and permissions used in these environments. This delta is called the Cloud Permissions Gap, and it is a contributing factor to the rise of both accidental and malicious insider threats impacting enterprises of all sizes. Here, attackers are able to exploit an identity with elevated permissions and access across the organization’s critical cloud infrastructure while the organization is unable to implement and manage Zero Trust policies.
Since the Cloud Permissions Gap is challenging to navigate and poses an immediate threat, CloudKnox takes a deeper look into the AWS risk assessment for cloud permissions management to outline where the risks are and offer best practices to mitigate them.
What is the Cloud Permission Gap, and why is it dangerous?
The Cloud Permissions Gap exists across any organization that has adopted public cloud or hybrid cloud infrastructures, making the organization incredibly vulnerable to both accidental and malicious threats. How does this happen, and why is it universally prevalent? Although identities should only have the permissions they need for their specific job functions, a CloudKnox assessment of more than 150 global enterprises uncovered that more than 95% of all identities accessing their organizations’ AWS infrastructure are using less than 2% of their permissions granted. Even worse, 40% of all AWS roles were reported as inactive or over-permissioned.
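The granted-versus-used comparison described above can be measured directly. The following is an added example, not CloudKnox's own tooling: it takes constructed IAM policy action patterns and constructed CloudTrail-style event records, expands wildcard grants against a small constructed action catalogue, and reports per identity how many granted actions were actually used inside a 90-day window and whether the identity was inactive in that window.

```python
# Added example (not CloudKnox code): measure the Cloud Permissions Gap for a set of
# identities from constructed IAM policy actions and constructed CloudTrail-style events.
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed: IAM "Action" patterns granted to each identity.
GRANTED = {
    "role/app-reader": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "ec2:Describe*"],
    "role/deploy": ["ec2:*", "iam:PassRole", "s3:*"],
    "role/legacy": ["*"],
}
# Constructed CloudTrail-style records: (identity, eventSource prefix, eventName, eventTime).
EVENTS = [
    ("role/app-reader", "s3", "GetObject", "2021-01-20T10:00:00Z"),
    ("role/app-reader", "ec2", "DescribeInstances", "2021-01-21T09:30:00Z"),
    ("role/deploy", "ec2", "RunInstances", "2020-09-01T08:00:00Z"),  # outside window
]
# Constructed subset of the IAM action catalogue, used to expand wildcard grants.
ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteBucket",
           "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
           "iam:PassRole", "iam:CreateUser"]

def expand(patterns):
    """Expand IAM wildcard patterns (e.g. "s3:*", "*") against the catalogue."""
    return {a for a in ACTIONS if any(fnmatchcase(a, p) for p in patterns)}

def permissions_gap(granted=GRANTED, events=EVENTS, now=None, window_days=90):
    """Per identity: granted vs. used actions within the last window_days, and
    whether the identity was inactive (no events at all) in that window."""
    now = now or datetime(2021, 1, 26, tzinfo=timezone.utc)  # constructed "today"
    cutoff = now - timedelta(days=window_days)
    used = {}
    for identity, source, name, when in events:
        ts = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts >= cutoff:  # only activity inside the observation window counts as "used"
            used.setdefault(identity, set()).add(f"{source}:{name}")
    report = {}
    for identity, patterns in granted.items():
        g = expand(patterns)
        u = used.get(identity, set()) & g
        report[identity] = {
            "granted": len(g), "used": len(u), "unused": sorted(g - u),
            "usage_pct": round(100 * len(u) / len(g), 1) if g else 0.0,
            "inactive": identity not in used,
        }
    return report

if __name__ == "__main__":
    for identity, r in permissions_gap().items():
        print(identity, f"{r['used']}/{r['granted']} used", f"inactive={r['inactive']}")
```

On real data, the granted set comes from the policies attached to each role and the events from CloudTrail; the `unused` list is the candidate set for right-sizing the role.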