A New Perimeter Redefined by “the Cloud”

In this article, we’ll look at how the cloud has put more emphasis on managing identities which can be considered the new perimeter. There are two elements within this concept: authentication and authorization. Authentication is solid as there are numerous providers that offer solutions to manage authentication into cloud, on-premise, and SaaS environments.

Authorization in the public cloud however is the more complicated half in the make-up of identity management. If you analyze the cloud data breaches that have happened over the last few years, the factor that led to the major exploit was poor authorization in the cloud environment. When the malicious actor obtained credentials, the security threat was magnified because the environment had weak authorization controls protecting sensitive assets. In other words, once they were “in” the network, the attacker had access to more than they should have without being detected.

When you look at the traditional network infrastructure in the days of a brick and mortar data center, there was an IDS and IPS, firewalls, databases, applications, and more. All of those components were encompassed within the four walls of a data center which was most likely surrounded by a fence with security guards. There were multiple layers of physical and logical security that a malicious actor would have to breach to access that environment. When attempted remotely, there were firewalls and other network security controls that protected the assets. 

Today, those walls have disappeared and access is easier. Physical security and network security controls aren’t as strong as they once were. Those former “walls” are all controlled by a Cloud API which can be used to access your “data center” from any place where there is an internet connection. Access is also possible through the Cloud Provider as well. Anything you trust or have previously trusted can all be bypassed and can be manipulated through the cloud service provider’s API if and when an identity is compromised.

Traditionally, authorization is simpler. It’s centered around reading, writing and executing (rwx) on files and folders. But in today’s world, it’s magnified – you have to define the service, the action, the resources, and if you want to put in a conditional access requirement you can do that as well. This creates a lot of complexity as there are now hundreds of services, thousands of actions, countless resources and numerous conditions.

As part of the continued evolution of cloud security, there are solutions coming to market that address the need for better control around authorization. Many are in a state of evolution themselves.  Whether it’s a native solution like AWS Access Analyzer or a third party platform, they currently report on poor authorization. While this is good for visibility, it still puts the burden of remediation on the technical teams that are writing the IAM or RBAC policies. In a world that is moving very quickly, cloud infrastructure and identity management teams need all the help they can get to address the challenge of creating truly least privilege entitlement policies.