Modeling Azure roles like Indiana Jones
No, we won't need to resort to the whip to tame Entra...


When faced with cohorts of over-privileged SPNs, measuring the de-escalation effort as we did with Warda is one thing, but rolling up one's sleeves to do the actual roles re-shaping is a completely different story.

In this article, I would like to share a Cloud native solution that helps streamline this process a lot.

Reconstructing the past

Imagine you are in the shoes of an archaeologist who has just discovered a new excavation site in the Peloponnese. This site holds the vestiges of an ancient Mycenaean pottery workshop; the ground is littered with small fragments of vases featuring the typical black and white patterns of the time.

Sampling various fragments, you quickly build up a conviction about the artistic style of local craftsmen: "the vases feature horizontal strips of geometric patterns".

Here is a vase you manage to reconstruct entirely after a few months of patience:

A vase reconstructed by DALL-E-ndiana-Jones, the famous e-archaeologist


Your conviction holds until you reconstruct two more vases with slanted motifs:

Two anomalous samples: or is it our thinking which is biased?


As typical of the scientific process, you promptly amend your conviction to accommodate the newly gathered information: "the vases feature strips of geometric patterns, in various orientations".

Then, after a few more months (and one solid acre of excavated dirt...), one of your peers makes a striking discovery: a few fragments are handle fragments, and they are attached to vase fragments featuring human characters. What's more, you are now also faced with a mix of geometric and human-figure fragments.

You amend your conviction for a second time. But, what is this new conviction of yours?

  • option A (revisiting): "the vases feature strips of geometric patterns and human characters, in various orientations, some of which have handles"
  • option B (additive): "the vases feature strips in various orientations. Some vases, without handles, always display geometric patterns while others, with handles, always display human characters"

Scientific integrity requires you to follow a conservative approach, so you choose option A even though its description is less precise: you must leave the field of possibilities open until proven otherwise. B is simply unsupported by evidence at this stage, yet B is not disproven either: it is included in A.

Here is an example of a reconstruction that would definitely disprove option B:

A vase with handles featuring geometric patterns and human characters


If reconstructing vases from fragments is truly an art, the underlying scientific method followed by archaeologists is progressive, conservative, and inductive.

Modeling Azure roles of service principals from log fragments

A common, sensible approach for minimizing SPN permissions is to observe Azure activity logs over a long period of time (3 months or more). We may consider these activity logs as our "vase fragments", from which we hope to construct a minimized role corresponding to the fully "reconstructed vase".

But, as in real-life excavation sites, the number of logs generated by SPNs looks extremely chaotic: some principals generate hundreds of thousands of entries, while others generate as few as 5.

Grouping SPNs by similarity

This is where SPN clustering is advantageous: when I launched my open-source tool Silhouette, I explained how to group SPNs by similarity using unsupervised Machine Learning.

Unless you are out of luck, with this technique most of your clusters will mix principals that generate a lot of activity logs with principals that generate very few (or even none at all!). We leverage this mix to build one minimized role, a condensate, for the whole cluster.

Put another way: we reconstruct a single vase from fragments originating from multiple vases. Some of the shattered vases contribute many fragments to the reconstructed vase, others contribute only a handful.

The technology used behind the scenes is a branch of automated reasoning which I have already discussed many times in my newsletter: Equality Theory.

Indiana Jones and the Lost Automated Reasoning Theory, 1943

Equality Theory sports all three good features we need for our archaeology work: it's progressive, conservative and inductive.

Let's see how.

Progressive role-shaping

Starting from an empty partition and scanning all principals in a cluster, we equate all Azure permissions scoped to the same subscription / resource group, and we also equate all scopes (subscriptions, resources groups...) which have a permission in common.

The things that we equate, permissions and scopes, are called the terms of the partition. And the statements that equate them are called... guess what? The equalities of the partition.

Equalization of terms grows the partition into various equivalence classes in a stepwise fashion, the same way we fill bins with clothes: one piece of clothing (equality) at a time, using different bins (equivalence classes) for different colors (IAM roles).

Here is an example:

Suppose we have identified the following permissions at some point during our cluster scan:

Permissions granted to various SPNs in a cluster

The automated reasoning process has outlined 3 equivalence classes so far (resource providers omitted for brevity):

  1. listkeys/action = extensions/write = delete/action = resourceGroup1
  2. manualupgrade/action = /write = resourceGroup2
  3. loadBalancers/write = nsg/write = resourceGroup3

To illustrate the progressive nature of equalization, suppose the scanner finds a new "extensions/write" permission assigned to resourceGroup2:

A new permission, extensions/write, is found to be assigned to RG2

This results in the following equalization (new term appended to the right):

manualupgrade/action = /write = resourceGroup2 = extensions/write


Conservative role-shaping

A critical property of Equality Theory is that it always builds the finest possible partition of scopes and permissions. By this, we mean that the equivalence classes are not "too big", so the roles are actually minimized!

In basic math talk, the conservative property of Equality Theory comes from the fact that equality is the congruence closure of terms modulo equalities. Sounds weird but trust me, it's pretty awesome!


Inductive role-shaping

Equivalence classes build up as we equalize more terms, and then, all of a sudden, two classes coalesce into a single, bigger one. This may happen to any class combination: huge & huge, huge & tiny, ...

This inductive feature comes from a key property of equality: transitivity. Say you have a tiny class made of a single equality, a=b, standing next to a big class containing c=d=e=f=g=h=i=j=k=l=m=n=o=p=q=r=s=t=u=v=w=x=y=z.

If you add b=c to the set of equalities, what's going to happen?

Both equivalence classes are going to merge abruptly into one, because transitivity says that if a=b and b=c, then a=c.


To see why, let's get back to our example:

Remember we added extensions/write to resourceGroup2?

Since extensions/write is also part of resourceGroup1, Equality Theory performs a transitive merge between resourceGroup1 and resourceGroup2:

Before the transitive merge: two equivalence classes share the same terms


Eventually, because of the merge, we end up with only two equivalence classes:

The two equivalence classes are:

  1. listkeys/action = extensions/write = delete/action = manualupgrade/action = /write = resourceGroup1 = resourceGroup2
  2. loadBalancers/write = nsg/write = resourceGroup3


Finally... the condensates

Once we have scanned all SPNs in a cluster, generating per-cluster minimized role definitions (its "condensates") is a no-brainer:

  1. we derive one role definition from each equivalence class, and park this condensate at tenant level;
  2. we assign the role definitions to every single SPN in the cluster, adjusting scope to the specifics of each particular SPN.

He always gets the upper hand!

Getting back to our example, we would naturally assign the first equivalence class to resource groups 1 and 2 of each SPN (or to the parent subscription if it contains only these two groups), and the second equivalence class to resource group 3 of each SPN.

These two equivalence classes would form the cluster's condensate.
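As an added illustration (not Silhouette's own code), here is a toy union-find that carries the article's example through the three steps above: the progressive equalization of permissions with their scopes, the transitive merge triggered by the new extensions/write grant on resourceGroup2, and the per-class condensate assigned back to each SPN at its own scopes. The SPN names, and which SPN holds which grant, are constructed.

```python
from collections import defaultdict

# Constructed (SPN, scope, permission) grants for one cluster; permissions and RGs are the article's
GRANTS = [
    ("spn-a", "resourceGroup1", "listkeys/action"),
    ("spn-a", "resourceGroup1", "extensions/write"),
    ("spn-b", "resourceGroup1", "delete/action"),
    ("spn-b", "resourceGroup2", "manualupgrade/action"),
    ("spn-c", "resourceGroup2", "/write"),
    ("spn-c", "resourceGroup3", "loadBalancers/write"),
    ("spn-c", "resourceGroup3", "nsg/write"),
]

class Partition:
    """Union-find over terms (permissions and scopes). Equating each permission with its
    scope puts permissions of one scope, and scopes sharing a permission, into one class."""
    def __init__(self, grants=()):
        self.parent, self.merges = {}, []  # merges: lineage of equalities that merged classes
        for _spn, scope, perm in grants:   # progressive: one equality at a time
            self.equate(perm, scope)

    def find(self, t):
        self.parent.setdefault(t, t)
        while self.parent[t] != t:
            t = self.parent[t]
        return t

    def equate(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:                       # two distinct classes coalesce (transitivity)
            self.parent[ra] = rb
            self.merges.append((a, b))

    def classes(self):
        groups = defaultdict(set)
        for t in self.parent:
            groups[self.find(t)].add(t)
        return sorted((frozenset(g) for g in groups.values()), key=sorted)

def condensate(grants):
    """One role definition per class, assigned to each SPN only at its own scopes."""
    scopes = {s for _, s, _ in grants}
    roles = []
    for cls in Partition(grants).classes():
        per_spn = defaultdict(set)
        for spn, scope, _ in grants:
            if scope in cls:
                per_spn[spn].add(scope)
        roles.append((frozenset(cls - scopes), dict(per_spn)))
    return roles
```

Adding the grant `("spn-b", "resourceGroup2", "extensions/write")` to GRANTS collapses the three classes into the two listed above, and `Partition.merges` records the equality that caused the merge, which is the lineage a dendrogram would draw.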


Auditability and explainability: the dendrogram

I found a nice and powerful data visualization to trace this process of transitive merges and to check for potential least-privilege violations. It's called a dendrogram.

A dendrogram is just great for representing data lineage. In our case, the data lineage we want to represent is the shaping up of equivalence classes as they get filled-in by equalization.

Take the real-life sample condensate below, which is quite extreme and uncommon in terms of complexity:

  • equalities are depicted as colored squares.
  • for each equality, the left term can be found on the horizontal axis, and the right term on the vertical one.

The aggregation of equalities can be finely followed by looking at the tree-like structures on the top and left-hand side of the picture:

A rather extreme but real-life condensate, made explainable with a dendrogram.



Limitations & opportunities

I’m not going to oversell the approach: equality theory is far from 100% accurate.

Occasionally, too many equivalence classes percolate into a single, meaningless piece of junk.

That's why IAM experts must review each condensate one by one.

Despite the limitations, I believe that letting automated reasoning do the grunt "archaeological" work is a neat accelerator for streamlining SPN role minimization.


Condensates are implemented in Silhouette, a tool I open-sourced in 2023, in a function called "reason_clusterwide": https://gist.github.com/labyrinthinesecurity/4b939510ef73e23d75b6d41cd9725d14


Tim Fergestad

Neuroscientist turned Investor | Multifamily Syndicator | Podcast Host | Partnering with busy professionals to invest in top real estate deals.

8 months

Can't wait to explore the innovative fusion of technology and tradition in your latest Azure approach!

Michael Thomas Eisermann

China Advertising Innovation International Consultant - Visiting Professor of Integrated Digital Communication - 140+ creative awards

8 months

Intriguing mix of modern tech and ancient wisdom. How does this streamline cybersecurity roles?

Groundbreaking concept! How do you maintain a perfect balance between modernity and tradition?

Jean-Francois Faye

Président de NYSTEK Editions SAS & Gérant de NYSTEK Consulting SARL En recherche d’une mission…

8 months

Thank you. Really interesting
