Aug 04, 2021
Automated Vulnerability Prioritization in the Context of the Cloud
More and more companies are moving their workloads to the cloud - and for a good reason: it reduces the cost …
In this post, I want to explain the difference between CodeShield and other cloud security solutions. I discuss the differences between CodeShield to existing Gartner Terms such as CSPM and CIEM.
But before we dive into the terms CSPM and CIEM, it is important to understand IAM.
So, what is IAM and where does it come from?
First, cloud security – and the same holds for security - is an extremely wide and broad topic. Looking at IT security in the days before the cloud, it was about physical security, hardware security, network security, and software security.
Since the cloud, physical and hardware security is taken care of by the cloud vendors as part of the shared responsibility model within the cloud. For the cloud, the cloud providers designed new forms of identity access management solutions, also called IAM. Every cloud resource – be it identity or computed-based – can define or be assigned IAM permissions granting or denying access to other cloud resources, even in entirely different cloud accounts.
This granularity IAM permission management offers, at least potentially, a high-level of security. One can even consider IAM as the new firewall of your cloud – it accepts and denies connections and access between individual resources. Using IAM correctly, one can precisely restrict and limit access within the cloud account and perfectly apply the principle of least privilege.
Comparison to Terms used by Gartner
Cloud Security Posture Management (CSPM)
Cloud security posture management solutions are a commodity, i.e., every cloud user should have a CSPM solution in place. A CSPM solution regularly checks for cloud misconfigurations, such as open buckets, open databases, poor password policies, or unencrypted data. CSPM checks are typical best practices and are part of compliance standards set by Center of Internet Security (CIS).
The CSPM solutions typically fetch the cloud provider’s API and perform configuration checks on each individual cloud resource. A tool to mention in this space is CloudSploit, which offers a set of basic checks and also can be used for CIS, HIPAA, and PCI DSS compliance. If you are using AWS, you can also take a look at AWS Config which offers similar capabilities.
Cloud Identity Entitlement Management (CIEM)
CIEM solutions start where CSPM typically stops – at IAM. CIEM stands for cloud identity entitlement management. The term identity entitlement summarizes machine-based and human-based identities. Within the cloud, one differentiates between resource-based and identity-based permissions. An identity-based permission is associated to a human being accessing the cloud environment. A resource-based permission assigns access rights to a machine-based identity, i.e., a Lambda function, an EC2 instance or a database.
In comparison to CSPM solutions, which perform basic checks on resource configurations, CIEM solutions properly evaluate IAM policies and compute the effective permissions a resource or identity has. IAM definitions are extremely complex and have several ways of granting and denying access: apart from permissions and actions associated to each resource and identity, also conditions, permission boundaries, and service control policies play an important role whether an identity or resource has access to a resource.
For instance, have a look at how AWS dynamically evaluates policies to allow or deny an action: https://docs.aws.amazon.com/IAM/latest/UserGuide/images/PolicyEvaluationHorizontal111621.png
As you see, the effective permissions matter. Without evaluating all policies, it’s hard to raise any meaningful warnings. IAM checks that CSPM solution performs (same holds for infrastructure-as-code scanners), don’t evaluate the effective permissions and therefore can only be of limited help. These solutions raise a lot of false positives, or even worse, they miss critical IAM warnings, i.e., have false negatives.
So in short, a CIEM solution analyzes the effective permissions within cloud accounts, and helps you managing the access capability of all your cloud resources. And that’s where CodeShield starts. CodeShield uses a policy evaluation engine that allows us to compute the effective permissions across all resources in your cloud.
In addition to helping to manage your IAM, CodeShield focuses on the newest types of cloud attacks: IAM privilege escalations. For details, read our previous post about it.
If you want to try out CodeShield yourself, sign-up, connect an AWS account, and perform a scan.
