Nearly all cloud users, 99%, have cloud identities that are too permissive, according to research by Palo Alto Network's Unit 42 research group. Pictured: A symbolic data cloud is seen at the 2014 CeBIT technology trade fair on March 10, 2014, in Hanover, Germany. (Photo by Nigel Treblin/Getty Images)

The Unit 42 research group from Palo Alto Networks on Tuesday found that 99% of cloud users surveyed have cloud identities that are too permissive, meaning that the users, roles, services, and cloud resources are granted excessive permissions.

In doing the research on how identity and access management (IAM) policies affect an organization’s cloud posture, Unit 42 analyzed more than 680,000 identities across 18,000 cloud accounts from 200 organizations to understand their configuration and usage patterns.

The researchers also found that 44% of organizations allow IAM password reuse; 53% of cloud accounts allow weak password usage; and built-in policies from cloud service providers (CSPs) are granted 2.5 times more permissions than customer-managed policies — and most cloud users opt for the built-in policies. Unit 42 researchers say while users can reduce the permissions given, they often don’t.

"Most organizations are unprepared for an attack through the exploitation of weak IAM policies,” wrote the Unit 42 researchers. “Adversaries know this as well, and that’s why they target cloud IAM credentials and are ultimately able to collect these credentials as part of their standard operating procedures.”

Alex Ondrick, director of security operations at BreachQuest, said Unit 42’s report matches what his team has seen in the trenches. Ondrick said misconfigured security controls and incomplete IAM deployments are often difficult to identify, and thereby difficult to secure. 

“They can occur on-premises, in the cloud, and anywhere in-between,” Ondrick said. “Security leadership should prioritize efforts towards securing IAM and should expect to find  ‘unknown unknowns’ as they progress through their IAM journey. Even though IAM is difficult to fully secure, an organization that begins the journey of securing IAM will find low-hanging fruit along their path, and ultimately, organizations that dig into their IAM policies and configuration, are better-positioned than an organization that has not planned, developed or implemented an IAM solution.”

Avishai Avivi, CISO at SafeBreach, said while it’s not surprising that cloud users tend to provision roles that are overly permissive, he finds it alarming that Unit 42 found such a high percentage of users with these excessive permissions. Avivi said cloud threat actors are already actively working to exploit this fact, adding that companies must treat IAM with extreme due diligence.

“If a malicious actor can leverage a weak IAM posture to compromise a cloud account, they would be able to create substantial damage moving laterally through the entire cloud environment," Avivi said. “With IAM being a basic cyber-hygiene practice, a weak cloud IAM practice is an indicator of other potentially weak security control practices in that same cloud environment. We join Unit42 in the recommendations they make at the end of their report. We specifically recommend that companies follow the principle of least privilege and that they leverage automation where possible to test and evaluate their IAM and cloud security controls."

David Berliner, director of security strategy at SimSpace, added that recent vulnerabilities such as Log4Shell and the Okta breach have shown easy ways threat actors can gain account permissions.

Berliner said Unit42's cloud research shows the particular risk such account compromise can have in cloud environments, as attackers take advantage of the overly broad cloud access settings found in the vast majority of organizations and accentuated by default policies by cloud vendors that are overly permissive.

“Research like this is a necessary double-edged sword,” Berliner said. “It should hopefully rattle organizations, increasing adoption of stricter cloud security permission policies and more holistic cloud security monitoring solutions. At the same time, it shows attackers just how at risk the majority of organizations are when it comes to their cloud infrastructure, which could lead copycat groups to mimic the approaches and target strategy of the very "cloud threat actor" groups Unit42 profiles.”