How identity and access vulnerabilities create invisible cloud data exfiltration vectors

Aug 5, 2022 | Blogs

Problem: Most Cyberattacks Leverage Compromised Identities

Most cyberattacks occur due to compromised identities, and cloud environments exponentially exacerbate the situation.

Every security professional understands access control – the fundamental process of granting or denying specific requests by some identity to obtain the use of information and related information services. We all have some type of access that allows us to do our jobs. Login IDs give access to corporate assets, with IT teams controlling which subsets of data and assets are available, be it customer data, supply chain data, sales data, financial data, email systems, trouble tickets, and more.

Most companies have reasonable processes for managing access for their human identities – employees, customers, contractors, suppliers, etc. The notion that identities and access could be exploited as an attack vector was not relevant in the pre-cloud era.

Why Identities in the Cloud Create a Vast Attack Surface

Cloud has disrupted this traditional perspective for a number of reasons.

A new concept of cloud identities

Identities of all kinds, both human and non-human, are exploding in the cloud. So what exactly are non-human identities? These are defined as identities that need programmatic access. They can be pieces of code such as serverless functions, Kubernetes APIs, compute instances, SaaS applications, or other public cloud services. Regardless of how you define them, they are extremely useful and often represent the vast majority of identities found in cloud deployments. These identities have permissioned access to high-value targets and vastly expand the cloud attack surface.

Cloud Native Automation

Cloud-native automation generates tens of thousands of access credentials at any point in time, giving cloud identities automated access to sensitive cloud environments.

Tens of thousands of credentials create unmonitored and ungoverned risks

Each access grant is a live credential. Enterprises are one IAM vulnerability away from a data breach, and attackers know this as well. Attackers aim to log into your cloud accounts using your weak access credentials in order to exfiltrate your data.

How to Monitor Cloud IAM and Cloud Data Access Risks

Unlike software vulnerabilities, malware, or new ransomware, IAM is a security vector over which enterprises can have complete control. That control allows enterprises to mitigate and prevent the weaponization of IAM, yet this is an immense struggle because the automation associated with cloud-native environments has fundamentally disrupted conventional IAM tools and processes.

Cloud data is continuously exposed via thousands of automated and distributed access controls and entitlements, both human and API-based. This makes it difficult for cloud security teams to answer fundamental questions like “Who has access to what?” and “Who is accessing what?” across their cloud data.

  1. Start with an assessment of your sensitive cloud data
    To assess your cloud data security risk we recommend you start with discovery and inventory of data assets. After all, you cannot protect your data if you don’t know where it resides. At the same time, while you inventory the data, assess the data posture of each asset to understand where risks may exist for that individual asset.
  2. Map pathways to your data and relevant identities with access to pathways
    Once you know where your datastores exist, map all of the pathways by which data is flowing to its destination and the various types of emergent identities that have access to the data or to whom the data has been shared. These emergent identities represent Application Identities, SaaS, User Identities, and Cloud Identities (identities attached to infrastructure and cloud services), all of which have permissioned access to data.
  3. Find and assess multi-dimensional IAM vulnerabilities
    Once you have a map and know which identities have access to the various pathways to your data, you can assess how sensitive and confidential data could be exfiltrated. There are likely myriad possible exfiltration paths, and a comprehensive understanding of the full context is necessary for an accurate assessment of risk.
    Yet the sheer volume of multi-dimensional possibilities creates an untenable situation, as no organization has enough resources to proactively address every data breach possibility created by thousands of dynamic cloud credentials.
  4. Compare and prioritize different breach vectors created by IAM vulnerabilities
    To be able to effectively manage the risk of IAM vulnerabilities in the cloud, it is necessary to compare the different pathways by which a data breach could occur. Comparison requires understanding who has access to what, who is accessing what at any point in time, which identities are active or dormant, what level of access is enabled (for example, privileged or not).
    Once you can assess and compare, you can begin to prioritize the risks of the different vulnerabilities that exist, and determine which data breach scenarios should be the highest priority for your SecOps, CloudOps and data team to address with the limited resources available.
  5. Continuously track and monitor – repeating steps 1-4
    Once you complete steps 1 to 4 the first time, you will want to repeat them, since the cloud environment is constantly changing. Ideally, the discovery, mapping, and assessment of cloud identity and access vulnerabilities is evaluated continuously.
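As an added illustration of steps 2 to 4 (example code written for this page, not Stack Identity's platform or method), the script below maps a set of entitlements into pathways per datastore, cross-references them against an access log to separate "who has access" from "who is accessing", and ranks each pathway by the attributes the text names: data sensitivity, privileged or not, human or non-human, active or dormant. The datastores, identities, grants, log entries, dormancy threshold and scoring weights are all constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory (step 1 output): datastore -> sensitivity rank, 0 = public, 3 = most sensitive
DATASTORES = {"s3://customer-pii": 3, "s3://sales-reports": 2, "s3://public-assets": 0}

# Constructed identities: kind is "human" or "non-human"; last_seen_days = days since last use
IDENTITIES = {
    "alice":         {"kind": "human",     "privileged": False, "last_seen_days": 2},
    "lambda-etl":    {"kind": "non-human", "privileged": True,  "last_seen_days": 1},
    "ci-runner-old": {"kind": "non-human", "privileged": True,  "last_seen_days": 120},
}

# Constructed entitlements: each (identity, datastore) pair is one pathway to data (step 2)
GRANTS = [
    ("alice", "s3://sales-reports"),
    ("lambda-etl", "s3://customer-pii"),
    ("ci-runner-old", "s3://customer-pii"),
    ("alice", "s3://public-assets"),
]

# Constructed access log: pathways actually exercised ("who is accessing what", step 4)
ACCESS_LOG = [("alice", "s3://sales-reports"), ("lambda-etl", "s3://customer-pii")]

DORMANT_DAYS = 90  # assumed threshold after which an unused identity counts as dormant


def map_pathways(grants):
    """Step 2: datastore -> set of identities holding a pathway to it ("who has access to what")."""
    paths = defaultdict(set)
    for ident, store in grants:
        paths[store].add(ident)
    return dict(paths)


def score_pathway(ident, store, used):
    """Steps 3-4: score one pathway; higher means a more likely exfiltration vector."""
    attrs = IDENTITIES[ident]
    score = DATASTORES[store]                        # sensitivity of the data at the end of the path
    score += 2 if attrs["privileged"] else 0         # privileged access widens blast radius
    score += 1 if attrs["kind"] == "non-human" else 0  # programmatic access is rarely reviewed
    score += 2 if attrs["last_seen_days"] >= DORMANT_DAYS else 0  # dormant but still a live credential
    score += 1 if not used else 0                    # granted yet never exercised: pure excess entitlement
    return score


def prioritize(grants, access_log):
    """Step 4: rank every pathway so limited SecOps resources go to the riskiest first."""
    used = set(access_log)
    ranked = [(score_pathway(i, s, (i, s) in used), i, s) for i, s in grants]
    return sorted(ranked, reverse=True)
```

Re-running `prioritize` on each refreshed inventory and log is the repetition step 5 calls for; a dormant privileged non-human identity with an unexercised path to the most sensitive store lands at the top.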

A Practical Approach to the Vast Attack Surface in the Cloud

There is no manual method that can possibly keep pace with the tens of thousands of credentials creating unmonitored and ungoverned risks in the cloud. Steps 1-5 outlined above can only be accomplished through automation, which is what Stack Identity offers.

Stack Identity is the industry’s first cloud access risk monitoring platform revealing a live data attack map that prioritizes identity and access vulnerabilities to prevent data exfiltration, rogue access, or unauthorized data sharing.

We empower enterprise cloud security teams to quickly identify every data access pattern – who, what, when, where, and why there is data access – and its impact on data security.
