Episode 043: 08-29-2024 Intersection of IAM - GluuFederation/identerati-office-hours GitHub Wiki
Title: Intersection of IAM with cloud
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Alexandre Sieira, Information Security Entrepreneur, Tenchi Security
- Co-Host: Marc Boorshtein, CTO Tremolo Security
Description
Managing IAM for your own users and employees is hard enough, and with the adoption of cloud (including SaaS) it’s only getting harder. Especially when you consider the addition of 3rd parties into the mix, such as contractors, BPOs, MSPs and other kinds of vendors. In this podcast we’ll discuss the intersection of IAM with cloud (with a particular discussion of AWS cross-account access and the Snowflake incident) and with Third Party Cyber Risk Management in general.
Homework
- SaaSpocalypse – The Power and Complexity of AWS Cross Account Access
- Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake
- Luke Jenning LinkedIn Thread on Snowflake breach
Takeaways
- The confused deputy problem is where a system (the "deputy") is tricked into misusing its authority by another program or user that does not have the appropriate permissions. This occurs because the deputy has more privilege than the entity that triggers the action, and it is confused about who is making the request and what permissions they have. In a B2B use case, the deputy might be your cloud infrastructure account, and the attack may originate from a SaaS provider that helps you manage your cloud account.
- It's unfortunately too easy for customers to over-permission third-party vendors in the cloud. Some vendors document insecure practices, like long-lived shared secrets. This attack surface is significant: one study found that 40% of insurance claims originated from third-party risk. And this is not limited to small firms. These problems have been documented at small contracts in Belarus all the way up to large public companies like Okta and Splunk, which requested root access to customers' AWS accounts for no reason.
- There is no governance process for workforce identity. You should review GitHub PRs for any cloud role changes (and use tools like DryRun Security to help you identify risky PRs). But policies need to be reviewed and pruned... somehow.
- Developers need to be part of the solution. But for success, we need to educate them and give them the tools to do the job. Part of this may be new practices around externalizing policies. Developers must not forget about negative tests! It's great that you have access, but also check that you don't have access with the wrong creds!
- This wasn't discussed in the episode, but Alex mentions in the homework video: organizational identity is a challenge when an enterprise relies on federated identity. Can you register for an account at a CA for a domain you don't actually control? Perhaps...
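As an added example (not code from the episode, Gluu or Tenchi), the confused-deputy and over-permissioned-vendor takeaways above in working form: a small Python check, of the kind you could run over the IAM trust-policy changes in a PR, that flags AssumeRole grants to a third-party account that lack an sts:ExternalId condition or that use a wildcard principal. The two policies, the account ids and the ExternalId value are constructed for the example.

```python
import json

# Constructed sample trust policies (not from the episode or any vendor's docs).
# WEAK: the vendor's account may assume this role with no sts:ExternalId
# condition, so the vendor can be tricked into using the role on behalf of
# whoever asks it to (the confused deputy).
WEAK_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]})

# HARDENED: same principal, but the vendor must also present the ExternalId
# agreed with this customer, which is AWS's standard confused-deputy guard.
HARDENED_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]})

OWN_ACCOUNT = "999999999999"  # account that owns the role (constructed)

def _as_list(value):
    # IAM allows a single value or a list almost everywhere; normalise to a list.
    return value if isinstance(value, list) else [value]

def _has_external_id(stmt):
    # Any condition operator (StringEquals, StringLike, ...) keyed on sts:ExternalId counts.
    return any("sts:externalid" in key.lower()
               for operator in stmt.get("Condition", {}).values() for key in operator)

def _account_of(principal):
    # "arn:aws:iam::111111111111:root" -> "111111111111"; bare account ids pass through.
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def find_confused_deputy_risks(policy_json, own_account=OWN_ACCOUNT):
    """Return findings for Allow AssumeRole grants that reach outside own_account."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p == "*":
                findings.append("wildcard principal: any AWS account may assume this role")
            elif _account_of(p) != own_account and not _has_external_id(stmt):
                findings.append(f"third-party principal {p} lacks sts:ExternalId condition")
    return findings
```

Running the check on WEAK_TRUST_POLICY yields one finding and on HARDENED_TRUST_POLICY none; a grant to your own account is deliberately left alone, since the confused deputy is a cross-account concern.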