In the fast-paced, large-scale world of digital business, establishing and managing an acceptable risk tolerance related to user identities — both human and machine — is a critical element of organizational security. At the forefront of this challenge is the need to strike the right balance between ensuring robust security and maintaining an environment that doesn’t impede innovation. After all, identities are the new perimeter in the cloud. Unfortunately, getting this balance wrong can either stifle productivity or expose the organization to significant security risks.
Drawing the line between identity security and risk
At its core, risk tolerance with respect to identity management hinges on the balance between security and usability. Security measures — such as strictly enforcing MFA requirements or limiting the number of administrators for projects and applications — enhance protection and reduce security risk, but may frustrate users by adding complexity to their daily workflows or time-sensitive tasks. On the other hand, prioritizing usability and flexibility by lowering security barriers unnecessarily increases the risk of unauthorized access and breaches.
Organizations must navigate this delicate balance by establishing and accepting risk tolerance limits which are determined and agreed upon by the executive leadership and board of directors. Stakeholders must make informed decisions about where to draw the line between security and risk. An effective approach to risk management considers both operational impact and security threats, ensuring that risk tolerance is an executive-level decision.
Managing identity risk in practice
Let’s consider a few typical scenarios in AWS, one of the many popular cloud service providers. Managing cloud identities is difficult in part due to the paradigm shift brought on by ephemeral virtual resources. Due to the dynamic nature of all of the corresponding virtual cloud resources, the mix of human and machine identities, and the increasing number of third-party services that require access to your sensitive S3 bucket data, cloud identities are inherently complex. All of these challenges mean that acceptable risk tolerance is often high, but there are tools organizations can use to meaningfully reduce identity risks.
Real world challenges
So, your organization has hundreds of AWS accounts, and is leveraging IAM roles to manage access to various resources across your cloud estate, likely including S3 buckets, EC2 instances, and a plethora of Lambda functions. Over time, manually managing hundreds or thousands of various roles becomes untenable. More often than not, employees are going to end up with over-simplified, over-privileged access policies because those roles tend to be assigned broadly to prevent service disruption. Furthermore, it’s very likely that overly permissive identities are continually maintained, rather than reviewed, with the justification of avoiding disruption for operations teams managing application deployments in the cloud.
Let’s look at this scenario at a more granular level: A developer was initially “temporarily” granted full access to a specific S3 bucket for debugging purposes. However, those permissions remained long after the initial task was completed. What about when an IAM role was previously created specifically for an application that no longer exists in your cloud stack? We know that role is no longer required since the associated resources were purged, but that very same long-lasting, stale role represents a potential backdoor for adversaries. It’s an obvious and easy fix in hindsight, but considering 98% of granted permissions are unused, it’s fair to assume that a large number of organizations assume this undue risk every day.
In this context, there are two outstanding concerns that, based on how they are addressed, can directly impact your organization’s risk portfolio:
- Overprivileged access: This is the scenario where users or applications retain more access than they need, which increases the risk of data exposure in the event of an account compromise.
- Lack of observability and visibility: As the number of associated resources grows, how are you expected to track and manage permissions across a multi-account environment? (As explored in the above scenario, your business may have hundreds of individual AWS accounts within its very large enterprise account.)
Finding the right tools
Cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM) tools are designed to solve exactly these kinds of problems. Here’s how they could help in the above AWS scenarios:
- CSPM: These tools continuously monitor the security configurations of cloud environments, flagging overprivileged access, misconfigured permissions, and unused roles. For example, a CSPM solution could alert the security team about the overprivileged developer account that still has full access to the S3 bucket after the debugging task is complete. It would also identify the outdated IAM role tied to the decommissioned application. Sysdig’s Posture Reporting for IAM Roles in the cloud can be used to quickly sort, filter, and rank the detected role information to remediate identity risks associated with roles and their permissions.
- CIEM: Unlike CSPM, a CIEM solution provides granular visibility specifically into the cloud permissions across human and non-human identities, offering actionable insights on how to reduce the attack surface. In the case of our AWS examples, a CIEM tool could analyze all roles, groups, and policies across the accounts, highlighting which users have excessive permissions and recommending least-privilege configurations. CIEM solutions, like Sysdig’s IAM Policy Generation, can be used to automate the enforcement of least privilege by dynamically adjusting permissions based on actual usage, ensuring users and applications only retain access to the resources they need.
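The stale-role and unused-permission checks described above, as an added example that is not Sysdig’s or AWS’s own code: it runs on constructed data shaped like the IAM RoleLastUsed field and CloudTrail events (the role names, dates, bucket ARN, and the 90-day threshold are assumptions), flags roles that are stale, lists granted actions never observed in use, and emits a least-privilege policy containing only the actions that were actually used.

```python
from datetime import datetime, timedelta, timezone

# Fixed "today" so the results are reproducible; constructed value.
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)  # assumed threshold for calling a role stale

# Constructed inventory in the shape iam:GetRole returns: role name ->
# (RoleLastUsed timestamp or None if never used, actions its attached policies grant).
ROLES = {
    "debug-s3-role": (NOW - timedelta(days=3),
                      {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"}),
    "legacy-app-role": (NOW - timedelta(days=400), {"s3:*", "lambda:InvokeFunction"}),
    "never-used-role": (None, {"ec2:DescribeInstances"}),
}

# Constructed CloudTrail-style events: (assumed role, eventSource, eventName).
# For most services eventName is the IAM action name; S3 list calls are a known exception.
EVENTS = [
    ("debug-s3-role", "s3.amazonaws.com", "GetObject"),
    ("debug-s3-role", "s3.amazonaws.com", "GetObject"),
    ("debug-s3-role", "s3.amazonaws.com", "PutObject"),
]

def stale_roles(roles, now=NOW, threshold=STALE_AFTER):
    """Return roles never used, or unused for longer than the threshold (the decommissioned-app case)."""
    return sorted(name for name, (last_used, _) in roles.items()
                  if last_used is None or now - last_used > threshold)

def observed_actions(events):
    """Map CloudTrail events to IAM action strings, grouped by role."""
    used = {}
    for role, source, event in events:
        service = source.split(".")[0]          # "s3.amazonaws.com" -> "s3"
        used.setdefault(role, set()).add(f"{service}:{event}")
    return used

def unused_actions(role, roles, used):
    """Granted actions with no observed use. Wildcards such as s3:* are reported as-is;
    expanding them would need the service's full action list."""
    _, granted = roles[role]
    return sorted(granted - used.get(role, set()))

def least_privilege_policy(role, used, resource_arn):
    """Policy document allowing only the actions observed for the role, on one resource."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(used.get(role, ())),
                           "Resource": resource_arn}]}
```

In a real account the same logic would be fed from iam:GetRole and CloudTrail (or IAM Access Advisor) rather than the inline dictionaries, and the generated policy should be reviewed before it replaces the existing one, since a short observation window misses infrequent but legitimate actions.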
Establishing proactive IAM strategies
Identity and Access Management (IAM) is the cornerstone of security for accepting and managing risk tolerance specifically related to end users, employees, and machine identities. IAM best practices lead to the implementation of policies that minimize an organization’s risk tolerance and ensure that user access is appropriately controlled and monitored. Key strategies within IAM that reduce identity risks include:
- Role-based access control (RBAC): This approach limits access to projects and sensitive information and restricts functionality (e.g., editor, commenter, or viewer) based on user roles that are defined according to job function. This reduces unnecessary exposure and therefore reduces the risk of data leaks in organizations with well-defined and stable roles.
- Attribute-based access control (ABAC): This strategy limits access using a combination of user, resource, and environmental attributes (such as the user’s department and job function). These controls are more dynamic and granular than RBAC, and are best suited for organizations where access is dynamic, diverse, and context-dependent. While ABAC is more complex to implement and maintain, organizations operating in cloud environments will see vast improvements in supply chain and identity risk management with flexible access controls.
- Least privilege principle with CIEM: Similar to RBAC and ABAC, the principle of least privilege ensures users only have the access necessary for their roles, minimizing the potential damage from compromised accounts. Furthermore, it helps security teams understand and prioritize anomalous user events during an investigation and data analysis, as they can quickly determine whether the user was acting outside normal behavior or with elevated privileges.
- Multi-factor authentication (MFA) and single sign-on (SSO): These security implementations add layers of security that are meant to protect user identities from misuse and ensure appropriate access to resources. Independently, MFA can increase friction but significantly reduce the risk of unauthorized access, whereas SSO centralizes authentication for a user-friendly experience. The implementation of these security mechanisms together is the fastest and easiest way to keep attackers out of your enterprise environment.
- Continuous monitoring: This security measure enables real-time detection of suspicious activities, allowing for quick responses to potential threats. Real-time detection and automated response actions will allow your security teams to identify and remediate a rogue user before the attacker gets too far into your environment, because once they’re in, an attack can take only minutes.
IAM plays a crucial role in balancing security with usability, tailoring access controls to minimize an organization’s risk tolerance. By implementing the IAM best practices above, your organization’s risk tolerance with regard to identity threats should be nearly zero percent. With both proactive and reactive identity management controls in place, there will be a very low risk of a breached identity in your organization.
Adapting risk tolerance over time
Risk tolerance is not static, but it should be minimal. As organizations evolve, so too must their approach to establishing risk tolerance with regard to user management. Changes in the business environment, such as rapid growth, technological advancements, or emerging threats, necessitate regular reassessment of risk tolerance levels. For instance, after a security breach, an organization might temporarily tighten user access controls to mitigate further risks during an investigation. Similarly, new regulations might require adjustments in access management policies to maintain compliance.
Reinforcing the importance of training and awareness
Even with the best IAM practices in place, human error and tight deadlines remain significant factors in how much risk is actually accepted. User behaviors can either support or undermine security measures, so ongoing training and awareness programs are essential in aligning user actions and security processes with organizational risk tolerance. Regularly educating and reminding users of pertinent risks and the importance of security protocols helps ensure that they contribute positively to the organization’s overall security posture.
Finding the right balance
Managing risk tolerance in user management is a complex but essential task that involves finding the right balance between security and usability. By carefully defining your organization’s risk tolerance levels, implementing robust IAM strategies, and continuously adapting to new challenges as they present themselves, organizations can protect themselves from security threats while empowering users to perform their roles efficiently.
In the digital age, mastering risk tolerance in user management isn’t just smart — it’s necessary for survival.