Scaling Least Privilege for the Cloud

Scaling least privilege in the cloud remains challenging. Throwing more people at the problem isn't feasible, so how are you managing it?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Joining us is our sponsored guest, Sandy Bird, co-founder and CTO, Sonrai Security.

A roadmap for scale

You need to have a plan to achieve least privilege in the cloud. But that doesn’t mean you need to do everything at once. Jonathan Waldrop, CISO of The Weather Company, laid out a sensible roadmap, saying, "Start small. Select one permission in your environment to test the plan. Once you find success in not breaking things, continue and expand that process. You must have a solid process for requesting the permission." Automation tools can be part of this, but you also need to account for contingencies where they lock out legitimate users.

The least privilege planes of existence

Organizations need to apply least privilege to both the control and data planes for it to be successful. But this comprehensive approach can create bottlenecks if you don’t plan ahead. "If you have hundreds or thousands of services and want to avoid the identity and access management (IAM) team becoming the bottleneck, you need to enable each service team to manage the permissions. Use permission boundaries to set the maximum permissions allowed," said Clement Chen of HiddenRoad Studios. Managing permissions isn’t just a mechanical action. Samarth Rao of LinkedIn reminds us that this depends on having effective communication to keep it up. "Identify your most critical resources in the cloud and discover who has privileged access to its control and data plane. Enforce policies by opening a communication channel with owners and involving them in authoring proper JIT policies. It's easy for IAM teams to automate this as they know the lay of the land," said Rao.
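As an added illustration of the permission-boundary pattern Chen describes (not code from the episode or from any company named on this page), here is a Terraform fragment that gives one service team a ceiling and lets it create its own roles under that ceiling. The team name, the account ID 111122223333 and the region are placeholders.

```hcl
# Ceiling for every role the payments team creates. A boundary is an Allow list:
# effective permissions are the intersection of the role's own policies and this
# list, so iam:*, organizations:* and other regions are unreachable from any
# role the team creates, whatever its identity policy says.
resource "aws_iam_policy" "payments_boundary" {
  name = "PaymentsTeamBoundary"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "TeamCeiling"
      Effect    = "Allow"
      Action    = ["s3:*", "dynamodb:*", "sqs:*", "logs:*", "cloudwatch:*"]
      Resource  = "*"
      Condition = { StringEquals = { "aws:RequestedRegion" = "us-east-1" } }
    }]
  })
}

# What the team's deploy role may do in IAM: create and wire up its own roles, but
# only with the boundary attached, and never strip or rewrite the boundary.
# Account ID 111122223333 and the "payments-" role prefix are placeholders.
resource "aws_iam_policy" "payments_iam_delegation" {
  name = "PaymentsTeamIamDelegation"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "ManageOwnRolesOnlyWithBoundary"
        Effect   = "Allow"
        Action   = ["iam:CreateRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy"]
        Resource = "arn:aws:iam::111122223333:role/payments-*"
        Condition = {
          StringEquals = { "iam:PermissionsBoundary" = aws_iam_policy.payments_boundary.arn }
        }
      },
      {
        Sid      = "BoundaryCannotBeRemovedOrSwapped"
        Effect   = "Deny"
        Action   = ["iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary"]
        Resource = "*"
      },
      {
        Sid      = "BoundaryPolicyItselfIsReadOnly"
        Effect   = "Deny"
        Action   = ["iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:DeletePolicy"]
        Resource = aws_iam_policy.payments_boundary.arn
      }
    ]
  })
}
```

The IAM team owns the two policies above; the service team owns everything created under them, which is what keeps the central team out of the request path.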

The role of access controls

The utility of role-based access control (RBAC) might be on the wane. Vaughan Shanks of Cydarm Technologies pointed out that years of experience with RBAC shows that it leads to unwieldy role proliferation, saying, "An alternative approach is Attribute-Based Access Control (ABAC). You can apply ABAC to manage access to cloud-based resources by utilizing tags as attributes on resources, and group memberships as attributes on user principals and service principals." None of this is possible though if you don’t know what you have. "To secure or limit access to something effectively, you must have a solid data inventory. Then you can work on your IAM policies with a least privilege principle mindset," said Mauricio Ortiz, CISA, of Merck.
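To show the tag-based ABAC that Shanks describes, here is an added Terraform fragment (not from the page or from Cydarm) for an AWS identity policy. It assumes each principal carries a `team` tag, for example a session tag mapped from the identity provider's group membership, and that every EC2 instance is tagged with the team that owns it.

```hcl
# Principal-side attribute: a "team" tag on the IAM user, or a session tag set from
# the IdP group attribute at federation time (assumed here, not shown).
# Resource-side attribute: a "team" tag on each EC2 instance.
resource "aws_iam_policy" "abac_team_instances" {
  name = "AbacTeamInstances"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Grant follows the tag match, not the role name. If the principal has no
        # "team" tag the key is missing, the condition fails and access is denied.
        Sid      = "OperateInstancesOfOwnTeam"
        Effect   = "Allow"
        Action   = ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"]
        Resource = "arn:aws:ec2:*:*:instance/*"
        Condition = {
          StringEquals = { "aws:ResourceTag/team" = "$${aws:PrincipalTag/team}" }
        }
      },
      {
        # Describe* supports no resource-level permissions, so "*" is required here.
        Sid      = "ListInstances"
        Effect   = "Allow"
        Action   = "ec2:Describe*"
        Resource = "*"
      },
      {
        # The tag is the access decision, so nobody under this policy may set or
        # remove a "team" tag; retagging a resource would otherwise be an escalation.
        Sid      = "TeamTagIsImmutable"
        Effect   = "Deny"
        Action   = ["ec2:CreateTags", "ec2:DeleteTags"]
        Resource = "*"
        Condition = {
          "ForAnyValue:StringEquals" = { "aws:TagKeys" = ["team"] }
        }
      }
    ]
  })
}
```

One policy now serves every team, and adding a team means tagging, not authoring a new role; the inventory Ortiz calls for is what tells you whether every resource actually carries the tag.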

Least privilege in the cloud requires diligence

It can be easy to wish for a simple solution to enable least privilege. But Amit Arora of Amazon Web Services (AWS) points out that the principles are well known, we just need the diligence to stick with them, saying, "Guardrails and more guardrails and monitoring and more monitoring and evaluation and more evaluation. Then have a break glass mechanism because no one wants a bottleneck when your developer wants to debug a compute instance which is infected with malware in production. And the guardrails around break glass and monitor and more monitor."

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, Sonrai Security


Capture the CISO! Season 2 Episode 3 Out Now!

Capture the CISO, Season 2 is back! Listen to the third episode available now and see the contestants’ videos!

Listen to the episode.


Join us TOMORROW, Friday [05-03-24], for "Hacking the Value of GRC"

Join us Friday, May 03, 2024, for “Hacking the Value of GRC: An hour of critical thinking of how compliance can kickstart your risk program.”

It all begins at 1 PM ET/10 AM PT on Friday, May 03, 2024 with guests Kim Elias, senior compliance specialist, Vanta and Norman Hunt, deputy CISO, GEICO. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

>> Register <<

Thanks to our Super Cyber Friday sponsor, Vanta


PREVIEW: CISO Series Podcast LIVE in San Francisco 5-5-24

The CISO Series Podcast returns once again to the Bay Area on the eve of RSA Conference as part of the entertainment at BSidesSF! Joining me on stage will be Mike Johnson, CISO, Rivian and Steve Zalewski, co-host, Defense in Depth.

Tickets for BSidesSF are available here.

WHERE: Metreon, theater 13 (135 Fourth Street, San Francisco, California, 94103)

HUGE thanks to our sponsors, Devo, Eclypsium and NetSPI


CISO Series Game Show LIVE during RSA week

Going to the RSA Conference? Looking forward to having some fun, winning prizes, and enjoying lunch? Then come to our CISO Series game show that will be happening on Tuesday, May 7th, 2024 from 12:30pm – 1:30pm on the second floor of the W Hotel – directly across the street from the Moscone Conference Center. All thanks to our host, Veracode.

COME EARLY and grab lunch!

Check out this video where we highlight some of the games we’ll be playing.

If you want to come, you have to register. Do it right here.

Huge thanks to our sponsor Veracode


Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Phil Beyer, former CISO, Etsy. Thanks to Dropzone AI.

Thanks to our Cyber Security Headlines sponsor, Dropzone AI


Jump in on these conversations

"Do Security Engineers and GRC people like each other or is it a secret dislike?" (More here)

"Taking over as the head IT/Cybersecurity guy for a small company" (More here)

"Where do you get your news? Breaches, Threat Reports, how do y'all stay informed?" (More here)


Coming up in the weeks ahead on Super Cyber Friday we have:

  • [05-03-24] Hacking the Value of GRC
  • [05-10-24] NO SHOW
  • [05-17-24] "Capture the CISO Finale"
  • [05-24-24] NO SHOW
  • [05-31-24] Hacking Microsoft Copilot
  • [06-07-24] Hacking SOC 2 vs. ISO 27001

Save your spot and register for them all now!


Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark



Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security Professional | Cybersecurity | Leveraging Data Science & Analytics. My posts and comments are my personal views and perspectives but not those of my employer

7 months

Thank you David Spark and CISO Series for featuring my comment in today’s show. As I reflect on your conversation with Jeff and Sandy, I realize there are three levels to a solution: the perfect, the worst, and the “just right” solution. I have to admit that you opened my eyes that often we go to the extreme instead of looking for something in the middle that could be more achievable and effective. That is the silver lining. Great show as always!

Such a pleasure!

Amit Arora

Cloud and AI Security | AWS | Helping AI Startups | Mentoring Cloud Engineers

7 months

David Spark Liked my comment into your newsletter .. Again!!!!
