The Threat Posed by Overprivileged Identities

By Marcos Colon

Organizations have struggled to gain control over privileged identity management—a challenge that has tripped up many security and risk departments and has caused major cyber incidents. In a recent study conducted by security firm Preempt, 72 percent of the organizations analyzed in the report had “stealthy admins,” which are users with excessive administrative privileges. With a flood of devices connected the enterprise network, third-parties involved in the day-to-day performance of the business, and a slew of employees stating their case as to why they need access to certain data, getting a handle on identity management in the modern-day enterprise is an uphill battle.

If the title of this article caught your eye, chances are you’re grappling with this issue and are looking for some insights that will make your life a little easier. That’s why we caught up with Balaji Parimi, founder & CEO of cloud security firm CloudKnox, to shed more light on the obstacles you’re likely facing, but more importantly, how to take steps to overcome them.

InfoSec Insider: Are we still finding that identity is still at the center of major cyber incidents? If so, why?

Balaji Parimi (BP): If the first month of the year is any indication, 2019 is, unfortunately, shaping up to be a very busy year for identity privilege misuse (both accidental and malicious). We anticipate that identity will remain at the forefront of major cyber incidents for a long time.  

One reason we continue to see this trend is because the definition of “identity” has evolved and expanded beyond the traditional, human user, increasing the number of possible adversaries. In addition to humans, a modern identity can take the form of a service account, API or bot. In fact, it’s estimated there’s now an average of six non-human identities (and growing) for every human identity.

If you multiply the unprecedented levels of automation by the rapid growth of human and non-human identities – it becomes very evident how difficult (or impossible) it is for security and infrastructure teams to get a handle on who can do what and where to their critical infrastructure. This creates the perfect storm for cyber incidents.

InfoSec Insider: Why are organizations still taking the privileged identity approach to security? 

BP: Because cloud infrastructure is the foundation of virtually every enterprise – any crack to the foundation layer, regardless of how trivial, can cause significant damage. The best and most overused example of this is the AWS outage of 2017 whereby one incorrect command knocked dozens of websites and applications offline, impacting hundreds of thousands of business and caused millions of dollars in lost revenue.

The reason we are seeing such disproportionate reactions to what appears to be innocuous commands such as the AWS outage is the unprecedented levels of automation and innovation that have taken place over the past few years. Consider the fact that an entire data center can be created or destroyed with a few lines of script. What this means is that today’s privileged identity has essentially become what we like to refer to as a “Super Identity” with massive power and responsibility, and if this power falls into the wrong hands it can be destructive to the organization.

InfoSec Insider: How can businesses today minimize exposure of sensitive activities and information? 

BP: Recognize that the complexity of managing your environment will increase exponentially over time. Consider that the various permutations of identities, privilege types and resources across multiple cloud platforms will run into the millions and will make it virtually impossible to administer manually. 

In order for you get ahead of this, I recommend getting a true understanding of your risk posture by gaining the right level of visibility and insight into your environment.

Some questions to keep in mind include:

  • Who can touch the infrastructure?
  • How many identities have access to the infrastructure?
  • What privileges do they have?
  • What can they do with those privileges?
  • What privileges are they actually using? Not using?
  • Which resources are they performing actions on?

Based on your findings, implement a risk mitigation plan by identifying identity privilege right-sizing opportunities. Continuously monitor and assess your identities’ activity and behavior across your infrastructure to assess your risk profile on a regular basis. 

Have the ability to quickly produce a forensic trail of all privileged identity activity and resources impacted. This is not only mandatory for compliance and auditing requirements, but it also empowers your security organization to swiftly detect and remediate incidents and put preventive measures in place.

InfoSec Insider: What process should organizations have in place to ensure the integrity of your administrators’ moral code? 

BP: The process that should be put in place to ensure the integrity of an organization’s administrators’ moral code should not be any different than any other employee in your organization. I would argue that you should not depend on the moral code of your privileged identities but instead, I would make sure that every privileged identity (especially the identities that can touch your infrastructure) have the exact privileges they need to perform their day-to-day jobs and nothing more. At CloudKnox, we like to say, “you can’t abuse what you don’t have.”

InfoSec Insider: What are some of the challenges and threats posed by overprivileged identities? 

BP: What we have found is that most identities use less than 1 percent of the privileges that they have been granted to perform their day-to-day jobs. The other 99 percent of those privileges remain unused and expose organizations to avoidable risks by unnecessarily expanding the identity threat surface.

With over-privileging in the general state that we see it now, the potential blast radius of accidental or malicious misuse of credentials is much greater than it needs to be. That basically means that 80 percent of an organization’s privileged identities could destroy their infrastructure with a single click of a button. 

We have seen this happen as recently as a few weeks ago when an email provider’s credentials were compromised and were used to reformat every disc of every server in the company, wiping out 18 years of customer data.

The bottom line is that organizations must recognize how vulnerable their critical workloads are in today’s modern infrastructure. They need to always remember that a one-line script or a click of a button by a human or non-human identity can result in the most catastrophic damage whether it is through simple negligence (e.g. typo error) or malevolence (e.g. compromised credential or malicious insider). 

InfoSec Insider: For security and risk departments that currently heavily rely on privileged identity approach to security, what can they do to thwart these challenges? Where should they pivot? 

BP: Organizations are still depending on a 30-year-old mechanism called Role-based Access Controls or RBAC that was created in the pre-cloud era and is fundamentally flawed when applied in a dynamic cloud environment. 

With RBAC, identities belong to a static role such as “administrator” and that role comes with an extensive set of privileges that will never completely be used by the identity, as previously noted.  In fact, over 50 percent of these unused privileges are referred to as “high-risk” which means they could be used to exfiltrate or destroy data or infrastructure or degrade performance. 

The problem is that organizations are still choosing to err on the side of a weaker security posture. They continue to over-provision identities with privileges (many high-risk) that they will never use because they have an inherent fear of revoking (“right-sizing”) privileges in case the identity might need those privileges down the road to perform his/her job.

That is why we believe that the paradigm has to shift from using static roles like RBAC, which is essentially trying to anticipate (AKA guess) what privileges identities need based on their job title, to a dynamic, data-driven, usage-based approach that takes into account the actual actions that the identity performed over a set period of time.

Photo by José Martín Ramírez C on Unsplash

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.