Cloud environments are prime targets for cybercriminals because they hold large amounts of sensitive data and are reachable from anywhere on the Internet. The major providers block enormous volumes of hostile traffic every day: Microsoft reports blocking around 600 million attacks daily, and AWS tracks between 600 and 750 million intrusion and malware attempts per day. Despite that volume, a successful large-scale breach of a major provider's own infrastructure is rare, because that layer is hardened by many overlapping security controls. So attackers go after the customer side of the shared-responsibility line instead: weak or over-privileged user accounts, and individual company environments whose permission structures have grown complex.
Complexity is a liability in its own right, because it creates pathways an attacker can exploit. Once hundreds of Identity and Access Management (IAM) policies, service accounts, and roles exist, administrators lose visibility into who can actually do what, and that blind spot is what attackers use to get into cloud systems and steal sensitive information. Here is how complex cloud permissions threaten your data.
Permission Sprawl
Permission sprawl (the accumulation of unnecessary permissions) happens when cloud administrators or IT managers stop reviewing access rights, API keys, and roles over time. It is common in data-heavy industries, and it can go unnoticed for months or even years because the sprawl builds up layer by layer. Permission sprawl is reported to affect about 58 percent of enterprises globally, exposing more than 802,000 data files to risk in the average organization.
For instance, a cloud team may give a developer a temporary IAM role such as AdministratorAccess so they can migrate an archived database quickly. Once the migration is done, the developer moves on to a new project. If the administrator role was never removed, the developer's identity still holds it. An attacker who gets hold of that developer's credentials inherits full administrator rights and can compromise the entire cloud environment.
Permission sprawl can be prevented by granting human and non-human identities elevated permissions only when they are actually needed, then revoking them automatically after a predetermined time-to-live. Automating the access lifecycle with an Identity Security Posture Management (ISPM) solution also helps, since it continuously inventories and audits the identities tied to the cloud. It can enumerate human users, service accounts and AI agents, show who can access what, and flag stale or orphaned accounts that still hold unnecessary privileges.
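The two controls above, time-bounded elevation and a sweep for identities that have gone quiet, are shown below in a small Python module. This is an added example, not code from the original article or from any ISPM product. The grant and identity records are constructed; in a real deployment they would be read from the cloud provider's IAM API or an ISPM inventory, and the returned plan would be fed back to that API to remove the roles. The ceiling of eight hours per elevation and the 90-day idle threshold are assumptions chosen for the example.

```python
"""Just-in-time elevation with a time-to-live, plus a sweep for stale identities.

Added example, not code from the original article. The grant and identity
records below are constructed; in practice they would be read from the cloud
provider's IAM API or an ISPM tool's inventory, and the returned plan would be
fed to that API to actually remove the roles.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
MAX_ELEVATION = timedelta(hours=8)      # assumed hard ceiling on one elevation
MAX_IDLE = timedelta(days=90)           # assumed: unused this long means stale


@dataclass(frozen=True)
class Grant:
    principal: str          # human user, service account or AI agent
    role: str               # elevated role, e.g. AdministratorAccess
    granted_at: datetime
    ttl: timedelta          # how long the elevation is meant to last
    ticket: str             # change or incident reference that justified it


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                        # "human", "service" or "agent"
    last_used: Optional[datetime]    # None: credentials never used at all
    roles: frozenset                 # roles the identity holds right now


def request_elevation(principal, role, ttl, ticket, now):
    """Create a bounded grant. Refuses open-ended or unjustified elevation."""
    if not ticket:
        raise ValueError("elevation needs a change or incident reference")
    if ttl <= timedelta(0) or ttl > MAX_ELEVATION:
        raise ValueError(f"ttl must be within (0, {MAX_ELEVATION}]")
    return Grant(principal, role, now, ttl, ticket)


def expired_grants(grants, now):
    """Grants whose time-to-live has run out at `now`."""
    return [g for g in grants if g.granted_at + g.ttl <= now]


def stale_identities(identities, now, max_idle=MAX_IDLE):
    """Identities that have not authenticated within `max_idle` (or ever)."""
    return [i for i in identities
            if i.last_used is None or now - i.last_used > max_idle]


def revocation_plan(grants, identities, now, max_idle=MAX_IDLE):
    """Map principal -> roles to remove now: every expired elevation, and every
    role still held by an identity that has gone quiet."""
    plan = {}
    for g in expired_grants(grants, now):
        plan.setdefault(g.principal, set()).add(g.role)
    for i in stale_identities(identities, now, max_idle):
        plan.setdefault(i.name, set()).update(i.roles)
    return {p: sorted(roles) for p, roles in sorted(plan.items())}


# Constructed sample data: the "migration admin that was never removed" story.
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=UTC)
GRANTS = [
    # 8-hour admin elevation for a database migration, 45 days ago. Expired.
    Grant("alice", "AdministratorAccess", NOW - timedelta(days=45),
          timedelta(hours=8), "CHG-1042"),
    # Elevation issued an hour ago with four hours to live. Still valid.
    request_elevation("build-bot", "DeployRole", timedelta(hours=4),
                      "CHG-1107", NOW - timedelta(hours=1)),
    # Incident access that ran out an hour ago.
    Grant("bob", "DBAdmin", NOW - timedelta(hours=9), timedelta(hours=8), "INC-221"),
]
IDENTITIES = [
    Identity("alice", "human", NOW - timedelta(days=2),
             frozenset({"Developer", "AdministratorAccess"})),
    Identity("build-bot", "service", NOW - timedelta(hours=1), frozenset({"DeployRole"})),
    Identity("legacy-etl", "service", NOW - timedelta(days=200), frozenset({"S3FullAccess"})),
    Identity("report-agent", "agent", None, frozenset({"ReadOnly"})),
]

if __name__ == "__main__":
    for principal, roles in revocation_plan(GRANTS, IDENTITIES, NOW).items():
        print(f"revoke {', '.join(roles)} from {principal}")
```

Note that the sweep is deliberately conservative about baseline access: alice keeps her Developer role because she is still active, and only the expired AdministratorAccess elevation is revoked. The service account and the AI agent that never authenticated lose everything, which is the intended outcome for orphaned identities.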
Credential Creep
Credential (or entitlement) creep happens when users accumulate access rights over time as their role changes. For example, a newly hired marketing assistant is given read-only access to a database so they can see campaign details. Six months later they are asked to update the company site's landing pages, and the IT manager is told to give them temporary read/write access to the marketing web storage bucket. In their second year with the company they are promoted into a leadership role, so IT gives them credentials for the financial systems that fund marketing campaigns.
By this point the employee holds read-only rights to the original database, read/write rights to the storage bucket, and admin access to banking or payment systems, even though the first two grants are no longer part of their job. If their credentials are compromised, the attacker inherits all of it and can deploy malware or steal funds. Regular access reviews prevent credential creep by ensuring that users hold only the entitlements their current tasks require. Role-based access control neutralizes it more systematically: when entitlements are derived from the job role rather than granted one request at a time, a change of role or department automatically drops the previous, unneeded permissions.
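The difference between the two models is easiest to see as code. The Python below is an added example, not from the original article: it reconstructs the marketing assistant's history under an additive, request-by-request model, then reconciles the result against a role catalogue the way an RBAC system would. The role names and entitlement strings are placeholders invented for the example, not a real product's.

```python
"""Role-based access as desired state: an identity's entitlements are derived
from its current job roles, so changing roles drops the old grants.

Added example, not code from the original article. The role catalogue and the
employee's history are constructed to follow the marketing-assistant story;
the entitlement names are placeholders, not a real product's.
"""

# Constructed role catalogue: job role -> entitlements that role carries.
ROLE_CATALOGUE = {
    "marketing-assistant": {"campaign-db:read"},
    "web-editor": {"campaign-db:read", "marketing-bucket:read",
                   "marketing-bucket:write"},
    "marketing-lead": {"campaign-db:read", "finance-portal:admin"},
}


def entitlements_for(roles):
    """Union of the entitlements carried by the given job roles."""
    unknown = set(roles) - ROLE_CATALOGUE.keys()
    if unknown:
        raise KeyError(f"roles not in catalogue: {sorted(unknown)}")
    return set().union(*(ROLE_CATALOGUE[r] for r in roles))


def accumulate(role_history):
    """The additive model behind credential creep: each role change adds
    grants and nothing is ever taken away."""
    held = set()
    for roles in role_history:
        held |= entitlements_for(roles)
    return held


def reconcile(actual, current_roles):
    """RBAC model: compute what to revoke and grant so that `actual` matches
    exactly what the current roles justify."""
    desired = entitlements_for(current_roles)
    return {"revoke": sorted(actual - desired), "grant": sorted(desired - actual)}


# Constructed history: assistant -> web editor -> marketing lead.
HISTORY = [{"marketing-assistant"}, {"web-editor"}, {"marketing-lead"}]

if __name__ == "__main__":
    crept = accumulate(HISTORY)
    print("held under ad-hoc grants:", sorted(crept))
    print("RBAC reconciliation:", reconcile(crept, HISTORY[-1]))
```

Running `reconcile` on every identity on a schedule is the "regular audit" in executable form: anything outside the catalogue shows up in the `revoke` list, and anything a new role requires shows up in `grant`, so an access review becomes a diff rather than a manual read-through.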
Privilege Escalation
Not every breach comes from outside. A legitimate, authenticated user can abuse the permissions they already hold to escalate their privileges. In AWS terms, for example, an identity that is allowed to pass an IAM role to a new service (iam:PassRole) and to create and invoke a Lambda function can attach an administrator role to a function it controls and run code with full access to the cloud environment. An insider may also abuse ordinary read/write permissions to copy and exfiltrate large volumes of customer data or company trade secrets, delete or alter data, and wipe audit trails to cover their tracks.
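Escalation paths like the PassRole-to-Lambda one are made of individually innocent-looking permissions, so they are best found by screening policy documents rather than by reading them. The Python below is an added example, not the article's or any vendor's tool: it evaluates a handful of constructed AWS IAM identity policies against a short, illustrative list of known escalation paths. The action names are real IAM actions, but the list of paths is not exhaustive, and the evaluator ignores Resource and Condition on purpose, so a hit means "inspect this identity", not "exploitable as-is".

```python
"""Screen IAM identity policies for well-known privilege-escalation paths.

Added example, not code from the original article. The policies are
constructed samples; the action names are real AWS IAM actions, but the
list of paths is illustrative, not exhaustive.
"""
import fnmatch
import json

# Constructed sample policy documents, one per hypothetical identity.
SAMPLE_POLICIES = {
    # Leftover "temporary" admin grant: wildcard action on wildcard resource.
    "dev-migration": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    # Looks harmless, but PassRole + CreateFunction + InvokeFunction lets the
    # holder run code under any role in the account, admin roles included.
    "lambda-deployer": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"],
             "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        ],
    },
    # Broad allows, but an explicit Deny on the dangerous IAM actions wins.
    "ci-runner": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["lambda:*", "iam:*"], "Resource": "*"},
            {"Effect": "Deny",
             "Action": ["iam:PassRole", "iam:CreateUser", "iam:CreateAccessKey",
                        "iam:AttachUserPolicy", "iam:PutUserPolicy"],
             "Resource": "*"},
        ],
    },
}

# Each path names the actions that must ALL be allowed for it to apply.
ESCALATION_PATHS = {
    "passrole-to-lambda": ["iam:PassRole", "lambda:CreateFunction",
                           "lambda:InvokeFunction"],
    "create-privileged-user": ["iam:CreateUser", "iam:AttachUserPolicy",
                               "iam:CreateAccessKey"],
    "edit-own-inline-policy": ["iam:PutUserPolicy"],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def allows(policy, action):
    """True if the policy grants `action`.

    Follows the IAM evaluation rule that an explicit Deny beats any Allow.
    Action matching is case-insensitive with '*' and '?' wildcards, as in IAM.
    Resource and Condition are deliberately ignored: this is a coarse screen.
    """
    target = action.lower()
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(target, p) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def escalation_paths(policy):
    """Names of the escalation paths whose required actions are all allowed."""
    return sorted(name for name, actions in ESCALATION_PATHS.items()
                  if all(allows(policy, a) for a in actions))


def is_admin_equivalent(policy):
    """True if any unconditional Allow grants '*' on '*'."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow" and "Condition" not in stmt
                and "*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            return True
    return False


def screen(policies):
    """Map identity name -> findings for every identity in `policies`."""
    return {
        name: {"admin_equivalent": is_admin_equivalent(p),
               "escalation_paths": escalation_paths(p)}
        for name, p in policies.items()
    }


if __name__ == "__main__":
    print(json.dumps(screen(SAMPLE_POLICIES), indent=2))
```

The `ci-runner` policy is the interesting one: it is far broader than `lambda-deployer`, yet it screens clean, because the explicit Deny on the handful of IAM actions that enable escalation removes every path. That is the guardrail pattern to apply to automation identities that genuinely need wide service permissions but never need to create principals or move roles around.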
To limit the damage from permission abuse, keep the number of identities with cloud administrative rights small, prefer short-lived credentials and rotate any long-lived ones, and protect audit logs so that the people whose actions they record cannot erase them. Connect the cloud accounts to the company's central identity provider so that an employee's access is revoked automatically the moment they leave.
Complex permissions leave a cloud environment open to attack. Audit access regularly, monitor user behavior continuously, and consider automated tooling to keep the environment in check and deny threat actors a foothold in your data systems.
