Overview
Identity, authentication and authorization are paramount components of cloud security. A hardened cloud IAM configuration acts as perimeter-level security for cloud workloads. Evaluating the complexities of IAM policy permissions and trust boundaries must be done on a periodic basis, and security-control hardening should be applied based on the access behaviour patterns of users, roles and service accounts.
This blog contains the most common best practices for CIEM-based security findings, aimed at achieving operational excellence through operations automation at scale.
DISCLAIMER: This document discusses risk mitigation techniques, not risk elimination methods. To eliminate the risk of cloud platform identity misconfiguration, service control policies are the best preventive measure; refer to the respective cloud service provider's service control policy documentation to learn more about creating policies that prevent misconfiguration at the cloud IAM service. Because of their technical limitations, service control policies cannot be applied to all operational use cases.
This blog covers solutions and use cases for the problems below:
- How can CIEM operations be scaled across thousands of resources, their permissions and trust boundary configuration, and across a multi-cloud environment (AWS, Azure and GCP)?
- Which best practice use cases should I start with to achieve operational excellence?
- How do I automate CIEM security best practice findings without disrupting agility, innovation and the business?
Use cases: Operations best practice and automation workflow
NOTE: The top 10 operations automation use cases below are shown as examples using AWS, Azure and GCP terminology, but the same applies to other cloud service providers as well.
1) Identify human user access patterns from AWS IAM Access Advisor, Azure access reviews or similar cloud-native tools, and enforce least privilege with permissions boundaries or policy hardening.
2) Identify system users (cloud services such as EC2, containers, Cloud Functions, Azure Functions, etc.) from AWS IAM Access Advisor, Azure access reviews or similar cloud-native tools, and enforce least privilege with permissions boundaries or policy hardening.
Least privilege automation demo using autobotAI.
3) An AWS IAM Access Analyzer finding fetcher that evaluates whether any external principal is set to “ALL PRINCIPAL”; the action should then be to delete the IAM role and/or apply least privilege from Access Advisor data, with a custom approval flow.
4) An automation workflow driven by Azure access reviews for guest users, all users and applications: analyze the access review results and apply least privilege to the user after approval over mail, MS Teams or Slack.
5) An automation workflow bot that analyzes Azure AD guest users from access review results; if an anomaly is found in user creation or access, disable the user after approval and alert the security team on the indication of compromise.
6) An automation workflow bot that analyzes Azure AD application access review findings and applies least privilege and/or disables the application, based on approval from the application owner (over MS Teams, Slack or Google Chat).
7) An automation workflow to identify AWS/Azure/GCP IAM users that have been created but are not part of any group. Move each identified individual user into a default user group that has read-only permissions attached along with a default deny permission.
8) An automation workflow that identifies cross-cloud access in IAM roles, service accounts and Azure applications, and applies least privilege based on Access Advisor / access review findings.
9) To reduce human errors that terminate business-critical workloads, create an automation workflow that automatically identifies users, roles and service accounts with termination permissions, and apply a permissions boundary with a default deny policy for the specific resources.
10) Create a workflow that detects “IAM access key exposed” findings from security services such as AWS Trusted Advisor and Azure Security Center, and automatically disables the access keys with human approval.
NOTE: The examples above are a few that we have identified as best practices from compliance frameworks. Every organization has a different risk appetite, and such automation workflow bots can be created based on each unique requirement.
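The decision logic behind use cases 3 and 9 can be tried out offline. The following is an added example (not code from the original post or from autobotAI): it triages Access Analyzer-style findings, flagging the ones whose external principal is the “*” wildcard (Access Analyzer's “All principals”), and it scans an identity policy for termination actions and builds the permissions-boundary document that denies them. The finding and policy data are constructed for the example and use AWS documentation placeholder account IDs; the finding keys follow the shape that boto3's access-analyzer list_findings returns, but no AWS call is made. The list of termination actions and the policy-matching rules are simplifications (wildcards in Action are expanded, NotAction and Deny statements are not evaluated) chosen for the demonstration.

```python
"""Offline triage for two CIEM use cases (added example, not the post's code).

Use case 3: an active Access Analyzer finding whose principal is "*" is
            proposed for role deletion / least-privilege review.
Use case 9: identities allowed to terminate workloads get a permissions
            boundary that explicitly denies those actions.
"""
import fnmatch
import json

# Constructed, non-exhaustive list of "termination" actions for the example.
TERMINATION_ACTIONS = (
    "ec2:TerminateInstances",
    "rds:DeleteDBInstance",
    "s3:DeleteBucket",
    "eks:DeleteCluster",
)

# Constructed findings in the shape of boto3 access-analyzer list_findings().
# Account IDs are AWS documentation placeholders.
FINDINGS = [
    {"id": "f-1", "status": "ACTIVE", "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111122223333:role/example-role",
     "principal": {"AWS": "*"}, "isPublic": True},
    {"id": "f-2", "status": "ACTIVE", "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111122223333:role/partner-role",
     "principal": {"AWS": "arn:aws:iam::444455556666:root"}, "isPublic": False},
    {"id": "f-3", "status": "ARCHIVED", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::example-bucket",
     "principal": {"AWS": "*"}, "isPublic": True},
]

# Constructed identity policy attached to a hypothetical operations role.
OPS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "rds:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:deletebucket",
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
}


def is_all_principals(finding):
    """True when the finding grants access to every principal ("*")."""
    principal = finding.get("principal", {})
    return bool(finding.get("isPublic")) or principal.get("AWS") == "*"


def triage_findings(findings):
    """Map each ACTIVE finding to a proposed action (archived ones are skipped)."""
    proposals = []
    for finding in findings:
        if finding.get("status") != "ACTIVE":
            continue
        if is_all_principals(finding):
            action = "delete-role-or-apply-least-privilege"  # use case 3
        else:
            action = "review"  # external but specific principal: human review
        proposals.append((finding["id"], action))
    return proposals


def _as_list(value):
    """IAM allows a string or a list in Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def termination_actions_allowed(policy_doc):
    """Termination actions matched by any Allow statement (case-insensitive,
    wildcard-aware like IAM). Deny/NotAction are ignored, so this over-reports."""
    allowed = set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in TERMINATION_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    allowed.add(action)
    return sorted(allowed)


def deny_boundary(actions, resources="*"):
    """Permissions boundary for use case 9: a boundary only caps what the
    identity policies grant, and an explicit Deny always wins over Allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Deny", "Action": list(actions), "Resource": resources},
        ],
    }


if __name__ == "__main__":
    for finding_id, action in triage_findings(FINDINGS):
        print(f"{finding_id}: {action}")
    risky = termination_actions_allowed(OPS_POLICY)
    print("termination actions allowed:", risky)
    print(json.dumps(deny_boundary(risky), indent=2))
```

In a real workflow the `FINDINGS` list would come from `list_findings` and the policy documents from the account's authorization details, and the proposed action would be routed through the approval step described above before any role is deleted or a boundary attached.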
How to automate? : Call to Action
Multi-cloud automation requires mutation permissions on cloud resources (e.g. create, update, delete). For risk management, it is important not to expose such permissions to an external entity.
Step 1: Select an automation platform with a #zerotrust architecture that does not collect data and does not require a permission trust relationship to be configured with an external provider.
Step 2: Deploy the automation workflow workspace in your centralised cloud automation account and add all cloud accounts, security tools and communication tools (e.g. Google Chat, MS Teams, mail) to the workspace.
Option 1 – Step 3: Select automation workflow bots that help automate the use cases given above.
Option 2 – Step 3: Create your own automation workflow with generative AI assistance and no code.
Step 4: Assign the automation workflow bot to an AWS, Azure or GCP account.
Step 5: Schedule the automation workflow bot to execute at a time interval, or integrate the bot with a third-party security tool through a webhook configuration.
Conclusion:
CIEM, CSPM and any other Day 2 cloud operations that need to be automated should be automated with the goal of an improved security posture. Automation use cases should be selected carefully through detailed cloud operations process mining. Centralised management of such automation workflows is necessary to implement traceability, human approvals and scalable workflow deployment. Last but not least, the operations automation workflow should be configured to enforce least-privilege permissions for the automation platform, with zero-trust-based architecture support.
Originally appeared at https://medium.com/@hello_26308/ciem-top-10-operations-automation-use-cases-for-security-risk-mitigation-3dbe986eb30a