Webinar Recap: Shadow Access: Where IAM Meets Cloud Security

Oct 24, 2023 | Blogs

Earlier this month, Ken Foster, VP of IT Governance, Risk and Compliance at FLEETCOR, and Al Ghous, former CISO of Snapdocs, advisor, and investor, had an open conversation with our founder Venkat Raghavan about the rampant risks of unauthorized access in cloud environments and its direct impact on IAM and security processes.

Shadow Access affects both identity and access management (IAM) and cloud security. The following is a short recap of the discussion between these three leaders in cybersecurity during the Security Boulevard webinar: Shadow Access: Where IAM Meets Cloud Security.

Impact of Shadow Access on Security, Operations, Governance and Compliance

Context is Critical to Deciphering the Difference between an Event and an Incident

Al Ghous shared how important it is to have the context necessary to make the right decisions and that even many human users don’t have the context to know what kind of access they actually need. In the cloud, it is difficult to dynamically ensure the right individual has access to the right data, at the right time. Therefore, it is very difficult to decipher what is an event and what is an incident. In the cloud, it is difficult to monitor identities, access and entitlements, and with that, everything falls apart – governance, compliance, and security.

Security Operations: “Investigation after something happens is way too late”

Ken Foster shared that from a security operations perspective, roles in the cloud are not directly connected, and it is very hard to track down when and why something happened. If there is some kind of event or incident, understanding the root cause is a difficult, tedious, and time-consuming process: going through all the log files and relevant data to figure out which person got what kind of access, when it happened, and how. All of these after-the-fact procedures require extra effort from the security incident response team and the governance team. Compounding the problem, with compromised credentials the activity looks like an everyday job and won’t trip any flag (which is exactly the situation with Shadow Access), so it takes a lot longer to detect when something is awry. Realistically, “Investigation after something happens is way too late.”

Understanding Identity and Access Can Make Cloud Operations Faster

Ken Foster and Al Ghous also discussed the apparent tension between cloud operations and security teams (speed vs. security). Al noted that without proper oversight, automation can exacerbate Shadow Access. He shared a real-life example in which a team followed the proper process: they wrote the infrastructure-as-code change (a Terraform change), held a peer review, and applied it, but an accidental oversight from a security perspective slipped through the review, and the change inadvertently enabled unfettered access to certain resources from the outside.

However, this doesn’t have to be how things are – Ken shared “The great thing about the cloud is it allows you to operate at a higher speed but it allows you to screw up at a high speed too. But if you understand how an identity and its access is being used and how data flows through your environment, you can now actually automate cloud operations, together with a lower risk profile, at the right permission level and build at Cloud speed.”

Impact of Gen AI and LLM on Data Sharing and Shadow Access

The impact of AI and LLMs proliferating even more risky data sharing was also discussed. Al Ghous shared his perspective, “Teams end up creating risky situations where they are training the AI’s learning algorithms by feeding it vast amounts of data but you don’t know what level of access these AIs and corresponding APIs have into your internal data stores. Visibility of what AI and LLM have access to is typically missing today and there isn’t a good technology out right now that’s able to address it. This results in blind spots with these models that is a significant security and access risk.”

Poll Response: CIEM? DIY? IGA? No Visibility?

During the session a couple of polls were conducted, illuminating the current practices the industry is taking to try to manage the problem of Shadow Access. In response to the question “How do you ensure you have visibility of identities and access permissions in your cloud environment(s)?”, the poll responses were as follows.

Manual, piecemeal processes    32%
CIEM tools                     16%
DIY                            13%
Don’t have visibility today    18%
IGA tools                      21%

The poll responses indicate that current approaches to addressing Shadow Access are highly fragmented with multiple different approaches being utilized. We will discuss the pros and cons of the different approaches in a future blog.

The fact that twice as many respondents rely on manual, piecemeal processes as on dedicated CIEM tools (32% vs. 16%), and that nearly a fifth (18%) have no visibility at all, is a clear indication of a large gap between conventional IAM and cloud security processes: visibility of the identity and cloud access risks that matter falls through the middle between the two.

How to Address the Gap Between Existing IAM and Cloud Security

To address the gap between existing IAM and cloud security (where Shadow Access thrives), the speakers recommended not just adopting a new technology but building a process to manage cloud identities and entitlements, maintain compliance, and address concerns around user access reviews. Al Ghous recommended automating and continuously monitoring the current state of cloud IAM, to get out of the time-consuming and inefficient spreadsheet, Google Sheets, and manual tracking process. “By making things automated and continuous, you can be compliant all the time, rather than doing compliance on a quarterly basis and then you can just extract a snapshot as needed and give it to your auditors.”

Ken also shared a similar sentiment on how to begin addressing the problem of Shadow Access. He said that the current process for access reviews is fundamentally broken: today’s access review process does not know how identities, access, or entitlements are actually being used, or how data flows to those identities. He shared that you start by using an automated tool like Stack Identity to map out and visualize how each identity is used and where it flows inside your cloud environment. “I think if you do this manually you’re just not going to do it – it’s another task that’s tedious and time-consuming and you need to be able to automate and visualize and understand how this identity is being used and where. You need to react very quickly and it’s not something that you’ve got a lot of time to spend figuring out why that access was there – just start visualizing it and move forward.”

Lastly, both remarked that automation and continuous monitoring provide the visibility needed to discover identities and entitlements. This accelerates incident response and provides a perspective to know who, what, when, and why, so you can pinpoint the root cause and address relevant issues.
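The Terraform oversight Al Ghous described (a reviewed change that still opened resources to the outside) and the automated, continuous checks both speakers recommend meet in a pre-apply policy check. Below is an added example of such a check, written for this recap and not code from the webinar, from Stack Identity, or from AWS: a small Python linter that inspects an AWS resource-based policy document (the JSON an aws_s3_bucket_policy resource would carry) and flags Allow statements that any caller on the internet could use. The bucket ARN, organization ID, and the set of caller-scoping condition keys are constructed placeholders and assumptions for illustration.

```python
"""Added example: a pre-apply check for "anyone can reach this" statements in an
AWS resource-based policy (e.g. an S3 bucket policy). Constructed for this recap;
not code from the webinar, Stack Identity, or AWS."""
import json

# Condition keys that narrow *who* or *from where* a request may come. A wildcard
# principal paired with one of these is scoped, not open to the internet.
# Assumption: this set is an illustrative starting point, not an exhaustive list.
CALLER_SCOPING_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
    "aws:sourcearn", "aws:sourceaccount",
}


def _as_list(value):
    """IAM JSON allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anyone(principal):
    """True when Principal is the wildcard: "*" or {"AWS": "*"} (or "*" in that list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _restricts_caller(condition):
    """True if some condition key constrains the caller's identity or network origin.
    Keys like aws:SecureTransport only constrain *how* the call is made, so they
    do not count: a TLS-only public bucket is still a public bucket."""
    for operator_block in (condition or {}).values():
        for key in operator_block:
            if key.lower() in CALLER_SCOPING_KEYS:
                return True
    return False


def find_public_allows(policy):
    """Return one finding per Allow statement that any unauthenticated caller can use."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_anyone(stmt.get("Principal")):
            continue
        if _restricts_caller(stmt.get("Condition")):
            continue
        actions = _as_list(stmt.get("Action"))
        findings.append({
            "sid": stmt.get("Sid", f"Statement[{i}]"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            # "*" or "s3:*" on a public statement is the worst case; flag it separately
            "wildcard_action": any(a == "*" or a.endswith(":*") for a in actions),
        })
    return findings


def lint_policy_json(policy_json):
    """CI entry point: takes the policy text (for example the `policy` attribute of
    an aws_s3_bucket_policy resource in a Terraform plan) and returns findings."""
    return find_public_allows(json.loads(policy_json))


# --- constructed sample policies (placeholder bucket and org ID) ---------------
_BUCKET = "arn:aws:s3:::example-data-bucket"


def _bucket_policy(condition=None):
    stmt = {
        "Sid": "ReadForInternalApp",
        "Effect": "Allow",
        "Principal": "*",  # the oversight: meant to be the app's role, shipped as "anyone"
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [_BUCKET, _BUCKET + "/*"],
    }
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


OPEN_POLICY = _bucket_policy()                                                 # anyone
TLS_ONLY_POLICY = _bucket_policy({"Bool": {"aws:SecureTransport": "true"}})   # still anyone
ORG_SCOPED_POLICY = _bucket_policy({"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}})

if __name__ == "__main__":
    for name, text in (("open", OPEN_POLICY), ("tls_only", TLS_ONLY_POLICY),
                       ("org_scoped", ORG_SCOPED_POLICY)):
        print(f"{name}: {lint_policy_json(text)}")
```

Run as a CI step over every policy in the plan (for example the policy attributes in `terraform show -json` output) before apply, and the peer review's blind spot becomes a failed pipeline check rather than an incident to reconstruct from logs. The TLS-only sample is the caveat worth internalising: a condition that does not narrow the caller leaves the statement public, so a checker that treats "has a Condition" as "is scoped" would miss exactly the class of mistake described above.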

Much more was discussed in the webinar with Al, Ken and Venkat. Watch the full webinar, including a product demo by registering for the full on-demand webinar here.
