Addressing Cloud Security Risks: Part 3 - Unauthorised Access

In this multi-part series, I explore the top five cloud security risks that I've seen early stage startups encounter, along with common causes and mitigation best practices. In a previous post, I covered Top 5 Cloud Security Risks for Startups - today, I'll address one of the key risks - unauthorised access.

Least privilege / segregation of duties

• Implement the principle of least privilege; grant privileged access only to individuals who need it to perform specific tasks, for the duration necessary.
• If services within an application require separate trust boundaries, create separate service accounts for each service and grant permissions accordingly.
• Default or basic roles tend to be overly permissive (e.g. in Google Cloud, default service accounts are granted the highly permissive Editor role on projects); avoid them, and use curated or custom roles instead. Note: in this context, a role refers to a collection of permissions assigned to a principal.
• Assign roles to groups instead of individual users - when a user leaves your organisation, you can simply remove them from the groups, instead of scrambling to find the access grants. See this guide for using IAM securely on Google Cloud, and this guide for AWS.

Resource / service restrictions

• Set restrictions on resources and specify how they can be configured e.g. restrict physical location, limit resource sharing, limit use of service accounts etc. Google Cloud offers the organization policy service to do this, while service control policies offer equivalent (but not the same) capabilities on AWS.
• Connect your virtual private cloud (VPC) to managed services via a private connection, instead of traversing the public internet. AWS PrivateLink and Google Cloud Private Service Connect allow you to do exactly this.
• Restrict resource access and mitigate exfiltration risks with public, managed services with Google Cloud VPC Service Controls, establishing virtual security perimeters around critical resources. At the time of writing, AWS does not seem to have an equivalent capability.
• On a related note, connecting to cloud-based virtual machines (VMs) with manual SSH keys can be problematic, requiring you to track expired keys and user movement, and update VM metadata accordingly. Google Cloud offers OS Login, simplified SSH access management by linking a Linux user account to your Google identity. If you aren't using privileged identity management solutions, consider this option for Google Cloud Compute Engine.

Conditional / context-aware access

• Use conditional, attribute-based access control to cloud resources where possible e.g. use IAM conditions on Google Cloud or AWS to grant permissions to principals only when certain conditions are met.
• Grant access on a temporary or expiring basis, especially in break-glass scenarios or when granting access to third parties, or on a just-in-time basis.
• Secure the Google Cloud console and APIs using context-based access rules with IP address, geolocation, and end-user device attributes. Note that device-based access control does require an additional license. At the time of writing, AWS does not seem to have an equivalent capability.
• Identity-Aware Proxy (IAP), a software-defined reverse proxy making context-aware access possible in Google Cloud, can be configured to enforce these access rules for applications hosted on Google Cloud as well as on-premise and on other clouds like AWS.
• IAP also offers a unique TCP forwarding feature that lets you wrap traffic for admin services like SSH and RDP in HTTPS, and control who can access your backends remotely. This can be used in lieu of VPNs and bastion hosts, especially if you do not have onerous session recording requirements.

Identity governance / access reviews

• Establish robust processes for user onboarding and deprovisioning in your cloud environment. Where possible, automate the identity lifecycle management processes to reduce manual errors and improve efficiency.
• Where possible, implement self-service workflows for privileged access management, with built-in security controls and approval mechanisms.
• Review access grants periodically. Google Cloud offers Policy Analyzer to track account usage, and role recommendations to understand over-granted and unused permissions. AWS offers IAM Access Analyzer to generate least-privilege policies based on access activity.
• Implement comprehensive monitoring and auditing mechanisms to track user activities, and detect unauthorised or suspicious access. Augment the detection capabilities with robust response procedures.
• Educate users and provide specific guidance on the default access controls as well as your approved access management procedures for the cloud.

If you found this post useful, feel free to read others in this series:

• Top 5 Cloud Security Risks for Startups
• Addressing Cloud Security Risks: Part 1 - Misconfiguration
• Addressing Cloud Security Risks: Part 2 - Credential Theft/Leakage
• Addressing Cloud Security Risks: Part 3 - Unauthorised Access (this post)
• Addressing Cloud Security Risks: Part 4 - Insecure Software Development & Deployment (coming soon)
• Addressing Cloud Security Risks: Part 5 - Sensitive Data Disclosure (coming soon)