Modeling Azure roles like Indiana Jones
When faced with cohorts of over-privileged SPNs, measuring the de-escalation effort, as we did with Warda, is one thing; rolling up one's sleeves to actually reshape the roles is a completely different story.
In this article, I would like to share a cloud-native solution that greatly streamlines this process.
Reconstructing the past
Imagine you are in the shoes of an archaeologist who has just discovered a new excavation site in the Peloponnese. The site holds the remains of an ancient Mycenaean pottery workshop; the ground is littered with small fragments of vases featuring the typical black and white patterns of the time.
Sampling various fragments, you quickly build up a conviction about the artistic style of local craftsmen: "the vases feature horizontal strips of geometric patterns".
Here is a vase you manage to reconstruct entirely after a few months of patience:
Your conviction holds until you reconstruct two more vases with slanted motifs:
As typical of the scientific process, you promptly amend your conviction to accommodate the newly gathered information: "the vases feature strips of geometric patterns, in various orientations".
Then, after a few more months (and one solid acre of excavated dirt...), one of your peers makes a striking discovery: a few fragments are handle fragments, and they are attached to vase fragments featuring human characters. What's more, you are now also faced with a mix of geometric and human fragments.
You amend your conviction for a second time. But, what is this new conviction of yours?
Scientific integrity requires you to follow a conservative approach, so you choose option A even though its description is less accurate: you must leave the field of possibilities open until proven otherwise. B is simply unsupported by evidence at this stage, yet B is not disproven either: it is included in A.
Here is an example of a reconstruction that would definitely disprove option B:
If reconstructing vases from fragments is truly an art, the underlying scientific method followed by archaeologists is progressive, conservative, and inductive.
Modeling Azure roles of service principals from log fragments
A common, sensible approach to minimizing SPN permissions is to observe Azure activity logs over a long period of time (3 months or more). We may consider these activity logs as our "vase fragments", from which we hope to reconstruct a minimized role corresponding to the full "reconstructed vase".
But, as in real-life excavation sites, the number of logs generated by SPNs looks extremely chaotic: some principals generate hundreds of thousands of entries, while others generate as few as 5.
Grouping SPNs by similarity
This is where SPN clustering is advantageous: when I launched my open-source tool Silhouette, I explained how to group SPNs by similarity using unsupervised Machine Learning.
Unless you are out of luck, with this technique most of your clusters will mix principals that generate a lot of activity logs with principals that generate very few (or even none at all!). We leverage this to build one minimized role, a condensate, for the whole cluster.
Put another way: we reconstruct a single vase from fragments originating from multiple vases. Some of the shattered vases contribute many fragments to the reconstructed vase, others contribute only a handful.
The technology used behind the scenes is a branch of automated reasoning which I have already discussed many times in my newsletter: Equality Theory.
Equality Theory sports all three good features we need for our archaeology work: it's progressive, conservative and inductive.
Let's see how.
Progressive role-shaping
Starting from an empty partition and scanning all principals in a cluster, we equate all Azure permissions scoped to the same subscription / resource group, and we also equate all scopes (subscriptions, resource groups...) which have a permission in common.
The things that we equate, permissions and scopes, are called the terms of the partition. And the things that get equated are called (guess what?) the equalities of the partition.
Equalization of terms grows the partition into various equivalence classes, in a stepwise fashion, the same way as we do when we fill in bins with clothes, one piece of clothing (equality) at a time, using different bins (equivalence classes) for different colors (IAM roles).
Here is an example:
Suppose we have identified the following permissions at some point during our cluster scan:
The automated reasoning process has outlined 3 equivalence classes so far (resource providers omitted for brevity):
To illustrate the progressive nature of equalization, suppose the scanner finds a new "extensions/write" permission assigned to resourceGroup2:
This results in the following equalization (to the right, in bold):
manualupgrade/action = /write = resourceGroup2 = extensions/write
Conservative role-shaping
A critical property of Equality Theory is that it always builds the finest possible partition of scopes and permissions. By this, we mean that the equivalence classes are not "too big", so the roles are actually minimized!
In basic math talk, the conservative property of Equality Theory comes from the fact that equality is the congruence closure of terms modulo equalities. Sounds weird but trust me, it's pretty awesome!
Inductive role-shaping
Equivalence classes build up as we equalize more terms, and then, all of a sudden, two classes coalesce into a single, bigger one. It may happen to any combination of classes: huge & huge, huge & tiny, ...
This inductive feature comes from a key property of equality: transitivity. Say you have a tiny class made of a single equality, a=b, standing next to a big class containing c=d=e=f=g=h=i=j=k=l=m=n=o=p=q=r=s=t=u=v=w=x=y=z.
If you add b=c to the set of equalities, what's going to happen?
Both equivalence classes are going to merge abruptly into one, because transitivity says that if a=b and b=c, then a=c.
To see why, let's get back to our example:
Remember we added extensions/write to resourceGroup2?
Since extensions/write is also part of resourceGroup1, Equality Theory performs a transitive merge between resourceGroup1 and resourceGroup2:
Eventually, because of the merge, we end up with only two equivalence classes:
The two equivalence classes are:
Finally... the condensates
Once we have scanned all SPNs in a cluster, generating per-cluster minimized role definitions (its "condensates") is a no-brainer:
Getting back to our example, we would naturally assign the first equivalence class to resource groups 1 and 2 of each SPN (or to the parent subscription if it contains only these two groups), and the second equivalence class to resource group 3 of each SPN.
These two equivalence classes would form the cluster's condensate.
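To make the equalization concrete, here is an added example (my own illustration, not Silhouette's reason_clusterwide code) that walks the article's scenario in Python: a union-find partition whose terms are scopes and permissions, one equality per observed (scope, permission) pair, a transitive merge when resourceGroup2 gains extensions/write, and the resulting condensate. The observations, the blobServices/read permission on resourceGroup3, and the simplified role shape (actions plus assignableScopes) are constructed assumptions; resource providers are omitted, as in the article. The merge log and the review-flagging thresholds are my additions for auditability.

```python
from collections import defaultdict

# Constructed sample of (principal, scope, permission) observations, standing in
# for the activity-log "fragments" of one cluster of SPNs. Names are illustrative.
OBSERVATIONS = [
    ("spn-a", "resourceGroup1", "extensions/write"),
    ("spn-b", "resourceGroup2", "manualupgrade/action"),
    ("spn-b", "resourceGroup2", "/write"),
    ("spn-c", "resourceGroup3", "blobServices/read"),
    ("spn-a", "resourceGroup3", "blobServices/read"),   # duplicate: no new equality
]
# The "new fragment" the article describes: extensions/write found on resourceGroup2.
NEW_OBSERVATION = ("spn-c", "resourceGroup2", "extensions/write")


class Partition:
    """Union-find over terms. Terms are ("scope", name) or ("perm", name) tuples.
    Each equate() is one equality; merges records which classes coalesced, so the
    lineage of every equivalence class can be audited afterwards."""

    def __init__(self):
        self.parent = {}    # term -> parent term (roots point to themselves)
        self.members = {}   # root -> set of terms in that equivalence class
        self.merges = []    # lineage: (class_a, class_b) frozensets that coalesced

    def add(self, term):
        if term not in self.parent:
            self.parent[term] = term
            self.members[term] = {term}

    def find(self, term):
        """Representative of term's class, with path halving."""
        self.add(term)
        while self.parent[term] != term:
            self.parent[term] = self.parent[self.parent[term]]
            term = self.parent[term]
        return term

    def equate(self, x, y):
        """Add the equality x = y. Returns True if two classes merged (transitivity)."""
        rx, ry = self.find(x), self.find(y)
        if rx == ry:
            return False
        if len(self.members[rx]) < len(self.members[ry]):
            rx, ry = ry, rx                       # union by size: attach smaller class
        self.merges.append((frozenset(self.members[rx]), frozenset(self.members[ry])))
        self.parent[ry] = rx
        self.members[rx] |= self.members.pop(ry)
        return True

    def classes(self):
        """Current equivalence classes, in a deterministic order."""
        return sorted((frozenset(m) for m in self.members.values()), key=sorted)


def build_partition(observations):
    """Equalizing each scope with each permission seen on it covers both rules of the
    article: permissions on one scope become equal, and scopes sharing a permission
    become equal, purely by transitivity."""
    part = Partition()
    for _principal, scope, permission in observations:
        part.equate(("scope", scope), ("perm", permission))
    return part


def condensate(part):
    """One simplified role definition per equivalence class: its permissions become
    the role's actions, its scopes the assignable scopes."""
    roles = []
    for cls in part.classes():
        roles.append({
            "actions": sorted(name for kind, name in cls if kind == "perm"),
            "assignableScopes": sorted(name for kind, name in cls if kind == "scope"),
        })
    return roles


def needs_review(roles, max_actions=20, max_scopes=5):
    """Classes that percolated into something too broad should be reviewed by hand;
    the thresholds are arbitrary defaults for this example."""
    return [r for r in roles
            if len(r["actions"]) > max_actions or len(r["assignableScopes"]) > max_scopes]


def lineage(part):
    """Human-readable merge trace, the textual counterpart of a dendrogram."""
    lines = []
    for step, (a, b) in enumerate(part.merges, 1):
        lines.append(f"merge {step}: {sorted(n for _, n in a)} + {sorted(n for _, n in b)}")
    return lines


if __name__ == "__main__":
    part = build_partition(OBSERVATIONS)
    print("classes before the new fragment:", len(part.classes()))   # 3
    part.equate(("scope", NEW_OBSERVATION[1]), ("perm", NEW_OBSERVATION[2]))
    print("classes after the transitive merge:", len(part.classes()))  # 2
    for role in condensate(part):
        print(role)
    print("\n".join(lineage(part)))
```

Running it reproduces the article's narrative: three classes after the first scan, two after resourceGroup2 acquires extensions/write, and a condensate whose first role (/write, extensions/write, manualupgrade/action) is assignable to resource groups 1 and 2 while the second (blobServices/read) stays on resource group 3. Because a union-find never merges two classes without an equality linking them, the partition it produces is exactly the congruence closure the article calls conservative.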
Auditability and explainability: the dendrogram
I found a nice and powerful data visualization to trace this process of transitive merges and to check for potential least-privilege violations. It's called a dendrogram.
A dendrogram is just great for representing data lineage. In our case, the data lineage we want to represent is the shaping up of equivalence classes as they get filled-in by equalization.
Take the real-life sample condensate below, which is quite extreme and uncommon in terms of complexity:
The aggregation of equalities can be finely followed by looking at the tree-like structures on the top and left-hand side of the picture:
Limitations & opportunities
I'm not going to oversell the approach: Equality Theory is far from 100% accurate.
Occasionally, too many equivalence classes percolate into a single, meaningless piece of junk.
That's why IAM experts must review each condensate one by one.
Despite the limitations, I believe that letting automated reasoning do the grunt "archaeological" work is a neat accelerator for streamlining SPN role minimization.
Condensates are implemented in Silhouette, a tool I open-sourced in 2023, in a function called "reason_clusterwide": https://gist.github.com/labyrinthinesecurity/4b939510ef73e23d75b6d41cd9725d14
Neuroscientist turned Investor | Multifamily Syndicator | Podcast Host | Partnering with busy professionals to invest in top real estate deals.
8 months Can't wait to explore the innovative fusion of technology and tradition in your latest Azure approach!
International consultant on advertising innovation in China - Visiting professor of integrated digital communication - 140+ creative awards
8 months Intriguing mix of modern tech and ancient wisdom. How does this streamline cybersecurity roles?
Groundbreaking concept! How do you maintain a perfect balance between modernity and tradition?
President of NYSTEK Editions SAS & Manager of NYSTEK Consulting SARL Looking for an assignment…
8 months Thank you. Really interesting