In a recent Fortune article, Amazon’s chief security officer, Steve Schmidt, suggests 6 questions every company's board should ask its CISOs to understand how robust their cybersecurity preparation is. One of the most challenging questions for CISOs was:

“Who has access to what data? Why do they need it, and for how long?”

This question is critical because cyberattacks often begin with weak, leaked, or stolen passwords. Having legitimate credentials makes cybercrimes easy to commit and difficult to detect, so companies need to minimize what each employee's credentials can reach.

Rubrik Data Security Posture Management (DSPM) addresses this challenge with our Data Access Governance (DAG) solution: We help you understand who has access to what data and what the blast radius is for each identity, meaning what their impact would be if compromised. With this critical information, you can implement the principle of least privilege (PoLP) and reduce the blast radius of high-impact identities. This includes minimizing access to sensitive data and right-sizing permissions with minimal disruption to user workflows.

Why is this needed and why is it so challenging to implement?

Many identity solutions focus on understanding the link between an identity, which could be a user, group, or role, and the resource (i.e. the infrastructure component) that the identity has access to. However, what we actually need to understand is the link between the identity and the data itself.

Visibility into the data being accessed – including data type, data context, and data sensitivity level – allows us to determine whether the data access is (still) required, whether the access or permissions need to be adjusted, or whether the access can be removed completely. As a result, if this identity is compromised, the amount of data exposed is limited, minimizing the potential blast radius of the attack.

Rubrik DSPM analyzes the effective, as opposed to assigned, permissions to the data, circumventing the typical approach of having to contact the resource owner to manually investigate the link between the identity and the actual data contained within the resource.

Data access

How does it work?

Rubrik DSPM integrates with AWS IAM Identity Center, which is the recommended AWS service for managing human user access to AWS resources. It is where you can assign your workforce users, also known as workforce identities, consistent access to multiple AWS accounts and applications. You can automatically provision (synchronize) user and group information from Okta and other identity providers like Active Directory into IAM Identity Center using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. 

Rubrik DSPM ingests and analyzes the IAM Identity Center configurations, roles, policies, and resource-based policies. It then evaluates the effective permissions that exist between each identity and the actual data* directly, and provides visibility of this data access across your environment.

Working with Data Access Governance (DAG) and Identity Inventory

The Identity Inventory provides an overview of the users and groups you have in your environment and the data they can access across all the AWS S3 buckets in your environment. Both federated (e.g. Okta or AD) and direct AWS IAM users are supported.

Group information

By looking at the group information, you can immediately learn which groups have access to your organization's most sensitive data. This lets you understand the impact of group membership on data access, which helps you ensure that only the relevant users have access to this data.

Looking at the individual user level lets you understand which users have the broadest access to sensitive data and therefore expose your organization to the most risk in case of an identity breach.

You can also use the built-in search functionality to understand what sensitive data you have in your environment and which users could potentially expose it. For example, you can search and filter for credit card information to see which groups and individual users have access to that particular set of sensitive data.

Group information

Using the filtered results, you can immediately see which users have access to credit card data and how much of it. By going to the individual user, you can see the identity details, including job title. In this case, a QA Engineer has direct access to sensitive credit card information in your environment.

Identity overview

Furthermore, you can see the total blast radius of this individual user, meaning the totality of the sensitive data this person has access to. Using the assigned groups and roles, you can trace which of these provide access to this sensitive data.

Identity assigned roles

In the above example, we see that the assigned role "AdministratorAccess" grants access to the credit card information, raising the question of whether the QA engineer should have been assigned the administrator role in the first place. Using this context, you can now contact the relevant teams or individuals to get clarification on this role assignment, and close the data access security cycle by applying least-privilege data access.
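To make the effective-versus-assigned distinction from the "How does it work?" section and the AdministratorAccess example above concrete, here is an added illustration (not Rubrik's code or output) of a simplified policy evaluator that maps an identity's policies onto a bucket inventory labelled with sensitive data types. The bucket names, the bucket policy and the QA read-only policy are constructed for the example; the AdministratorAccess document is the real AWS managed policy shape (Allow * on *). Conditions, SCPs, permission boundaries and Principal matching are deliberately left out.

```python
import fnmatch

# Constructed sample data, not output from Rubrik DSPM or AWS.
# The AWS managed AdministratorAccess policy is literally Allow "*" on "*".
ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
QA_READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::qa-test-data/*"}]}
# Hypothetical bucket inventory: bucket name -> sensitive data types classified in it.
BUCKETS = {"finance-cardholder-data": ["credit card"], "hr-records": ["ssn"], "qa-test-data": []}
# Hypothetical resource-based (bucket) policies, keyed by bucket; Principal handling omitted.
BUCKET_POLICIES = {"hr-records": {"Statement": [{"Effect": "Deny", "Action": "s3:*",
                                                  "Resource": "arn:aws:s3:::hr-records/*"}]}}


def _match(pattern, value):
    """IAM-style wildcard match; Action/Resource may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Simplified same-account evaluation: an explicit Deny in any policy wins,
    otherwise any matching Allow grants, otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _match(stmt["Action"], action) and _match(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def blast_radius(identity_policies):
    """Sensitive buckets the identity can effectively read, with the data types exposed.
    This is the 'effective' view: identity policies combined with each bucket's policy."""
    exposed = {}
    for bucket, data_types in BUCKETS.items():
        policies = identity_policies + [BUCKET_POLICIES.get(bucket, {"Statement": []})]
        if data_types and is_allowed(policies, "s3:GetObject", f"arn:aws:s3:::{bucket}/*"):
            exposed[bucket] = data_types
    return exposed


if __name__ == "__main__":
    # Same user before and after right-sizing: the admin role is what reaches card data.
    print("with AdministratorAccess:", blast_radius([ADMINISTRATOR_ACCESS, QA_READ_ONLY]))
    print("right-sized:", blast_radius([QA_READ_ONLY]))
```

Note that the bucket-level Deny on hr-records removes that bucket from the blast radius even though the assigned AdministratorAccess policy allows everything, which is exactly why the assigned view alone overstates or understates real exposure.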

Conclusion

Security incidents are inevitable, but you can minimize their impact by strategically managing access to your organization’s sensitive data – starting with your high-impact identities. Right-size their permissions and add extra protections to limit the scope and damage of security incidents, and help prevent these incidents from turning into a data breach.

*We currently support federated and IAM identity permissions in Amazon S3.