Identity-first Cloud Security
- Find and fix operational risks
- Automate governance and compliance
- Secure cloud data
Stack Identity Research Report
The biggest risk to protecting cloud data is securing who has access to it, and in an overly-permissioned environment with multiple identities involved, data exfiltration can occur through multiple shadow access pathways. Continuous visibility with rich context is essential to empower security and engineering teams to audit, govern, and promptly rightsize access.
Sean Ventura, Head of Security & Compliance, KinderCare
Managing the inventory of what is out there in the Cloud and who has access to what will be a big challenge with the containerized and microservices-based deployment in Public Cloud.
Top 5 US Bank, NY
Our AWS cloud ecosystem is a mix of automated DevOps and manually managed infrastructure. Stack Identity gives continuous visibility into our data exposure risks with the ability to automate least-privilege enforcement for both our security and engineering operations teams.
Transform IAM across your Clouds
Shadow Access is unauthorized, invisible or unmonitored access to cloud data, applications, and software.
Shadow Access arises from toxic combinations of identities and permissions; attackers use those same combinations to breach cloud environments and exfiltrate data.
AWS alone has 12,800 API connections with 13,800 permissions to access cloud data and services
Our approach quickly revealed:
- Programmatic access to an external vendor was compromised, which caused S3 to be used for crypto mining and malware hosting
- A serverless (Lambda) function was replaced with malicious code that added an IAM user for an attacker's access from outside
- Abused IAM permissions attached to an application instance or application running on
- Compromised resource-based policy to
- Invisible access for an attacker
Cloud security demands a new approach to cloud IAM operations
Continuously monitor all identities, cloud services and data
Prioritise, remediate and govern risks across all access and breach pathways
Create the foundation for Cloud IAM Operations
Consolidate all things access onto a single IAM data platform
Take control of your access and fix all your gaps across the security lifecycle:
Audit & Compliance – Data Security – IAM Governance
Key Use Cases
Continuous access monitoring of third party access
Detect and remove “Shadow Access Risks” in the Cloud
Rightsizing permissions and entitlements to cloud data (CIEM)
Automatic cloud permission and access drift detection (CAPM)
Automating Quarterly Cloud Access Audit
Identify and remove vulnerabilities in cloud datastores (DSPM)
Cloud Identity and Access Governance
An identity is granted a set of permissions initially but may exercise only a subset of the attached permissions. The following patterns indicate over-privileged or risky identities:
• Full admin permissions are given to an identity, but it only performs management operations on specific resources
• Read/write access is given to an identity, but it only uses read access
• MFA not enabled for a user with admin permissions
• Login/access attempts from a blacklisted IP address
• A role being assumed from a compute instance that is directly exposed to the internet or is running vulnerable software
• An administrator with a large amount of powerful access (wide scope of resources)
• A password not rotated in the last
An identity may also be granted permissions that it never uses at all (unused, as opposed to partially used, permissions):
• Full admin permissions given to an identity, but it never carries out any management operations
An identity can assume a role and thereby obtain a different set of permissions to resources in an environment.
• An identity can log in to a compute instance and run an application that assumes a role with a different set of permissions attached to it
Privileged Access is a term used to designate special access or abilities above and beyond that of a standard user. Privileged Access can be associated with human users as well as non-human users such as applications and machine identities.
• An identity that has admin permissions or management permissions
• An identity is authorized to assume a role that has higher privileges/permissions associated with it
• An identity with read access to a resource can assume a role that gives it read/write access to that resource
• An identity with no access to a resource can assume a role that gives it read/write access to that resource
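The patterns above (granted-but-unused permissions, admin grants with no or only narrow management activity, admin users without MFA, and role chains that hand an identity more access than it holds directly) can all be checked from the same inventory: each principal's allowed actions, the actions actually observed for it, and the roles it is trusted to assume. The script below is an added example, not Stack Identity's code. The `Principal` fields, the list of actions treated as "management operations" and the sample principals are assumptions constructed for illustration; in a real account `granted` would be expanded from the policies returned by `iam:GetAccountAuthorizationDetails` and `used` from CloudTrail or IAM last-accessed data. It walks AssumeRole trust edges transitively, so a two-hop path (identity to role to admin role) is reported, not just the direct assumption the text describes.

```python
# Added example (not Stack Identity's code): flag the IAM risk patterns listed above
# from a constructed inventory. Field names, MANAGEMENT_PREFIXES and the sample
# principals are assumptions for illustration only.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple


@dataclass
class Principal:
    name: str
    granted: Set[str]                                   # allowed actions; IAM-style wildcards ("s3:Get*", "*")
    used: Set[str] = field(default_factory=set)         # actions observed in the review window
    human: bool = False                                 # IAM user (True) vs. role / machine identity (False)
    mfa: bool = False
    can_assume: Set[str] = field(default_factory=set)   # roles whose trust policy lets this principal AssumeRole


# Assumed definition of "management operations" for this example.
MANAGEMENT_PREFIXES = ("iam:", "s3:PutBucketPolicy", "ec2:TerminateInstances")


def allows(granted: Set[str], action: str) -> bool:
    """True if any granted pattern matches the action (approximate when action is itself a pattern)."""
    return any(fnmatchcase(action, pat) for pat in granted)


def is_admin(p: Principal) -> bool:
    return "*" in p.granted or "*:*" in p.granted


def unused_grants(p: Principal) -> Set[str]:
    """Granted patterns that matched nothing in the activity log: rightsizing candidates."""
    return {pat for pat in p.granted if not any(fnmatchcase(a, pat) for a in p.used)}


def reachable_roles(p: Principal, inventory: Dict[str, Principal]) -> List[Tuple[List[str], Principal]]:
    """Walk AssumeRole trust edges transitively; returns (chain, role) for every role p can reach."""
    found, stack, seen = [], [([p.name], p)], {p.name}
    while stack:
        chain, cur = stack.pop()
        for role_name in sorted(cur.can_assume):
            if role_name in seen:          # trust-policy cycle or already reached
                continue
            seen.add(role_name)
            role = inventory[role_name]
            found.append((chain + [role_name], role))
            stack.append((chain + [role_name], role))
    return found


def escalation_paths(p: Principal, inventory: Dict[str, Principal]) -> List[Tuple[List[str], str]]:
    """(chain, pattern) for every action pattern a reachable role allows but p cannot do directly."""
    out = []
    for chain, role in reachable_roles(p, inventory):
        for pat in sorted(role.granted):
            if not allows(p.granted, pat):
                out.append((chain, pat))
    return out


def findings(inventory: Dict[str, Principal]) -> List[str]:
    """One line per risk pattern found, in inventory order."""
    out = []
    for p in inventory.values():
        if is_admin(p):
            if not any(a.startswith(MANAGEMENT_PREFIXES) for a in p.used):
                out.append(f"{p.name}: admin grant but no management operations observed")
            else:
                out.append(f"{p.name}: admin grant used only for {sorted(p.used)}; scope to these")
            if p.human and not p.mfa:
                out.append(f"{p.name}: admin without MFA")
        else:
            for pat in sorted(unused_grants(p)):
                out.append(f"{p.name}: grant {pat} never used")
        for chain, pat in escalation_paths(p, inventory):
            out.append(f"{p.name}: gains {pat} via {' -> '.join(chain)}")
    return out


# Constructed sample inventory (not real account data).
INVENTORY = {p.name: p for p in [
    Principal("alice", {"*"}, used={"iam:CreateUser", "ec2:DescribeInstances"}, human=True, mfa=False),
    Principal("bob", {"*"}, used={"s3:GetObject"}, human=True, mfa=True),
    Principal("app-ci", {"s3:GetObject", "s3:PutObject", "sqs:SendMessage"},
              used={"s3:GetObject"}, can_assume={"deploy-role"}),
    Principal("deploy-role", {"s3:*", "lambda:UpdateFunctionCode"},
              used={"lambda:UpdateFunctionCode"}, can_assume={"admin-role"}),
    Principal("admin-role", {"*"}),
]}

if __name__ == "__main__":
    for line in findings(INVENTORY):
        print(line)
```

Run as-is it reports, among other things, that `app-ci` holds two grants it never uses while being able to reach full `*` access through `deploy-role` and then `admin-role`, which is exactly the "no access to a resource, but can assume a role that gives read/write" case above, one hop further along. The wildcard matching is deliberately approximate: a role pattern counts as already held when a direct grant matches it textually, which is good enough for triage but not a substitute for IAM policy simulation.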