Welcome to Brown’s Bytes! Your weekly insight from Mobliciti’s CTO Andy Brown. Follow #brownsbytes
21st October 2019
As promised, I’m not talking about mobile!
The shift to Cloud IaaS is accelerating – many organisations have dipped their toe into the waters as a minimum, with specific developments across Azure, AWS and Google Cloud. Some organisations are now shifting to an IaaS-first approach for new services being added, with traditional compute in the company’s own data centres now classed as legacy or exception only.
As with all things new and shiny, there are often many good things that the new world brings. Cloud is no different to anything else; there are many benefits to be had from not running the “stuff” yourself.
However, as with all new IT, some risks often remain the same when you scratch beneath the shiny new surface. Often these risks relate to how humans interact and set up these systems…
This is an old problem that dates back to the beginning of IT time, when there were only two types of user on a system: User and Admin.
Over time, the boundaries between accounts that can do nothing and accounts that are all-powerful get blurred. This usually happens because something gets added into the mix that doesn’t fit into either category – it needs more than standard, but less than Global Admin.
Giving everything appropriate access is often time-consuming – if indeed the information exists to set it up exactly in the first place.
The net result is often that an account gets overprivileged simply to get it working quickly.
Now, add in bloat over time with people moving around/joining/leaving and you quickly end up with a mess. Nobody creates this mess on purpose – but it’s there…
Why The History Lesson?
Guess what? Cloud is no different – in fact, it’s much, much worse now. The granularity of permissions continues to grow on Cloud platforms, and as more and more applications are added into the mix with API access, it quickly becomes even harder to effectively set up and police all this.
And you have to do this right! Continuous compliance in this area is crucial to mitigating the risks from a breach, and trying to control this without effective tools is almost impossible.
You’re going to hear me bang on about this one – CloudKnox is a new partner of ours that has solved all this. Across all the major Cloud Platforms (and your traditional VMware environment as well) it’s able to:
- Map out what permissions are in place
- Work out what permissions are actually needed (from usage over time)
- Report on the gap
- Automate resolving issues
- Ensure permissions are in line with best practice
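To make the middle three steps of that list concrete, here is an added illustration of the idea (it is not code from this post and not CloudKnox's own tooling): take the permissions an identity has been granted, take the actions it has actually performed within a lookback window, and report the gap – grants nothing ever used, wildcard grants that are far broader than the usage justifies, and a right-sized policy built only from what was observed. The identities, action names, policy structure and log format below are constructed and simplified for the example.

```python
"""
Least-privilege gap analysis: granted permissions vs. observed usage.

Added illustration only. The policy format, identities, action names and
audit-log layout are constructed for this example; real cloud platforms
express policies and logs differently, but the comparison is the same.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import fnmatch

# Constructed policy: identity -> list of granted action patterns.
# The "s3:*" wildcard mimics a grant made "just to get it working quickly".
GRANTED = {
    "svc-backup": ["s3:GetObject", "s3:PutObject", "s3:*", "iam:PassRole"],
    "dev-alice": ["ec2:DescribeInstances", "ec2:TerminateInstances", "s3:GetObject"],
}

# Constructed audit log lines: "<ISO timestamp> <identity> <action>".
LOG_LINES = """\
2019-09-01T08:00:00 svc-backup s3:GetObject
2019-09-01T08:00:05 svc-backup s3:PutObject
2019-09-15T02:30:00 svc-backup s3:ListBucket
2019-10-10T09:12:00 dev-alice ec2:DescribeInstances
2019-10-11T09:15:00 dev-alice ec2:DescribeInstances
2019-05-01T10:00:00 dev-alice ec2:TerminateInstances
""".splitlines()


def parse_usage(lines, now, window_days):
    """Return identity -> set of actions observed within the lookback window.
    Events older than the window are ignored, so stale usage does not keep a
    grant alive forever."""
    cutoff = now - timedelta(days=window_days)
    used = defaultdict(set)
    for line in lines:
        ts, identity, action = line.split()
        if datetime.fromisoformat(ts) >= cutoff:
            used[identity].add(action)
    return used


def matches(pattern, action):
    """Does a granted pattern (possibly with '*') cover a concrete action?"""
    return fnmatch.fnmatchcase(action, pattern)


def permission_gap(granted, used):
    """For each identity report:
      unused    - grants no observed action ever needed (candidates to remove)
      overbroad - wildcard grants that were exercised, but only for a few
                  concrete actions (candidates to narrow)
      proposed  - the right-sized policy: exactly the observed actions that
                  the current grants permitted
    """
    report = {}
    for identity, grants in granted.items():
        observed = used.get(identity, set())
        unused = sorted(g for g in grants
                        if not any(matches(g, a) for a in observed))
        overbroad = sorted(g for g in grants
                           if "*" in g and any(matches(g, a) for a in observed))
        proposed = sorted(a for a in observed
                          if any(matches(g, a) for g in grants))
        report[identity] = {"unused": unused, "overbroad": overbroad,
                            "proposed": proposed}
    return report


def run(now=datetime(2019, 10, 21), window_days=90):
    """Analyse the constructed policy and log with a 90-day lookback."""
    used = parse_usage(LOG_LINES, now, window_days)
    return permission_gap(GRANTED, used)


if __name__ == "__main__":
    for identity, gap in run().items():
        print(f"{identity}:")
        print(f"  unused grants    : {gap['unused']}")
        print(f"  overbroad grants : {gap['overbroad']}")
        print(f"  proposed policy  : {gap['proposed']}")
```

Two things the output shows that the list above only states in the abstract: the grants that fall out as unused are exactly the high-impact ones (`iam:PassRole`, `ec2:TerminateInstances`) that an attacker holding a compromised identity would value most, and `dev-alice`'s terminate permission only shows up as unused because the lookback window is 90 days. That is the practitioner's caveat on "from usage over time": the window has to be long enough to capture rare but legitimate activity (quarterly jobs, DR runbooks), or the automated clean-up will break things and be rolled back with an even broader grant.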
That’s a massive piece of IT Security governance ticked off…