The rise of multicloud environments brings with it the need to understand how to implement security policies across each cloud provider. The fact that each of the big three — Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) — uses different nomenclature and configurations makes it that much more complicated to create a seamless and secure virtual network.

A pair of researchers shared their practical advice on how to secure one piece, identity and access management (IAM), at Black Hat USA 2022.

"If there is one thing we would like you to take from this specific session, it is that IAM is the backbone service. It is the core service. It is the gateway that controls every access to your cloud resources, and it must be protected," said Igal Gofman, Ermetic's head of security, who presented "IAM the One Who Knocks" with Noam Dahan, Ermetic's research lead.

Multiple Strategies for Multiple Clouds

Organizations have several reasons for using multiple clouds, as Gofman listed off: adding in redundancy for better stability, reducing costs, taking advantage of multiple vendors' marquee features, and having conflicting platform requirements from different projects. But when you split resources among various clouds, he added, you need to be aware of and accommodate for the differences between how the platforms function.

"It's hard enough to be an expert on one cloud platform," Gofman said. "But often we copy features and routines from one platform to another. And those may work differently from what we expect at the beginning."

Dahan then drilled down on the ins and outs of logging features from Azure, AWS, and GCP. Besides using logging for detection and incident response, he said it is good for improving the permissions process.

"In order to know whether you can take permissions away from someone, what you would usually do is try to examine the logs and see what they're actually using, a sort of 'use it or lose it' philosophy," he explained.

There are two main approaches to issuing permissions, Dahn said: sculpting from marble or sculpting from clay. Marble means starting with a full raft of permissions and then chipping away until you reach minimum necessary permissions; this can end up too permissive because you don't want to remove too much. Clay means building up permissions until you have enough. Security staff likes this model, Dahan said, but developers hate it because they don't know what permissions they will need down the road. He recommended a hybrid approach of starting with a smaller hunk of permissions and then building up in places as needed.

Who's at the Door?

The title of the talk comes from the TV series Breaking Bad, when science-teacher-turned-meth-kingpin Walter White reacts to a friend warning him that he's in danger of someone coming to his door and killing him. White, incensed, asserts that he is the dangerous one by saying, "I am the one who knocks." Perhaps IAM is the stand-in for White — it looks basic and unassuming, but underestimating its power is dangerous. Or maybe it's just a turn of phrase.