Introduction

Defense in depth starts
with identity in the cloud

Cloud is now the dominant platform for enterprise application development. Based on data from the 2020 State of the Cloud Native Security Report, up to 64% of enterprise workloads will be in the cloud in just the next 24 months. As architectures shift to take full advantage of cloud native technologies, governing identity and access management (IAM) will become an even more critical component of cloud security. IAM policies across all cloud accounts must be constantly monitored and evaluated to determine the potential risk exposure to the business.

Palo Alto Networks Unit 42® cloud threat researchers have undertaken major new research on IAM in an ongoing effort to assess the security posture of cloud technologies. This latest report details the current identity landscape, methods attackers use to silently perform reconnaissance as well as a look at common threat actors themselves.

matt signature Matthew Chiodi
Chief Security Officer, Public Cloud
Watch the interview
Request an exclusive briefing
The complex picture of cloud IAM

Consider Figure 1 below, where the user account has access across three different cloud providers—each with its own unique roles and permissions. The governance challenge here comes from the sheer volume of user and machine roles combined with permissions and services that are created in each cloud account.

While many organizations attempt to enforce a least privilege model, this often breaks down quickly with multi-cloud complexity. All these variables make visibility into effective permissions challenging.

complex picture of cloud IAM
RESEARCH TECHNIQUES

Uncovering identity
flaws worth millions

During a Red Team exercise in the spring of 2020, Unit 42 researchers were able to compromise an AWS environment with thousands of workloads.

research icon

An "outside in" penetration, where Unit 42 researchers, posing as attackers, unauthorized and with no credentials, were able to gain access to internal resources through a misconfigured IAM trust policy.

research icon

An “inside up” style of attack, where Unit 42 researchers, posing as attackers, started with limited (non-administrative) access and escalated their privileges to include administrative access to the entire cloud environment.

Unit 42 researchers note that all misconfigurations found during the exercise were customer misconfigurations, not AWS platform security misconfigurations. AWS has tried its best to detect and alert users when an IAM trust policy is misconfigured. However, while IAM trust policies are secure by default, users can still override the policies and introduce insecure configurations. AWS also offers its free IAM Access Analyzer to help identify unintended access to resources and data that are shared with an external entity.

Read the report
KEY FINDINGS
Read the report
Top Threats

An ongoing look at cloud infrastructure threats

In addition to the latest findings on risks stemming from IAM misconfigurations, Unit 42 researchers present updates on cloud security trends – looking for clear indications of the overall security posture of cloud infrastructure.

Cryptojacking tool spotlight: an analysis of Kinsing Unit 42 researchers provide an analysis of the cryptojacking tool Kinsing with a detailed look at its worm-like capabilities and established use in cryptojacking operations around the world.
Cryptojacking continues to be a persistent threat for organizations Unit 42 research shows cryptojacking to affect at least 23% of cloud-enabled organizations globally. Cloud environments are being targeted, with a focus on malicious cryptomining (also known as cryptojacking) operations.
THREAT REPORT

Unit 42 Cloud Threat Report, 2H 2020

Read the report
PRISMA CLOUD

See how Prisma Cloud can address the cloud threats in your enterprise.

Learn more

Get the latest news, invites to events, and threat alerts