Cybersecurity cloud management in a product-driven organisation

Least Privilege for Distributed, High-Velocity Development

Pablo Del Giudice
Globant
Aug 8, 2020 · 4 min read


Imagine you joined a cloud native company with a regional footprint, more than 500 EC2 instances, a multi-account setup and many Dev teams creating applications and deploying on a daily basis, where stopping everything to “clean up and organize” is not an option. Your mission is to secure the infrastructure without losing flexibility.

From my standpoint you have two options:

  1. Panic and Run,
  2. Get your hands dirty and start figuring out how to improve security

Cloud Security approach in a product-driven & DevSecOps culture

At this moment (2020) we are going through a phase of change in how IT services are delivered, moving from a traditional approach to an agile one. This change challenges the organisation’s security approach, which needs to move from “deny first, allow later” and protecting the perimeter to securing the whole IT process without slowing down work in progress or the delivery of products.

Therefore, moving from a restrictive approach to a collaborative one is a must, and practices such as continuous compliance and continuous security are getting more attention.

Thinking of a cloud native company, and in terms of cloud infrastructure, applying Least Privilege is the recommended baseline… but how do you do it in the scenario above, where nobody can stop to audit hundreds of roles by hand?

Least Privilege + High-Velocity Development

In order to connect both worlds, and if you agree with me on this approach, I would like to share a possible solution (a very cool one, by the way) from Netflix: Repokid and Aardvark.

Aardvark

How do these work?

For Aardvark, the heart of the whole solution is AWS IAM Access Advisor. For those who don’t know it, Access Advisor is the IAM feature that shows, for each role (or user, group or policy), which AWS services its permissions cover and when each of those services was last accessed.

Access Advisor is part of the IAM product. When Aardvark was written it was only available through the console (which is why the original tool drove the console with a headless browser); since late 2018 the same “service last accessed” data is also exposed through the IAM API (GenerateServiceLastAccessedDetails / GetServiceLastAccessedDetails). Aardvark is a productized version of Access Advisor: it periodically collects the service-last-accessed data for every role in every account, stores it, and serves it through a REST API so that other tools (Repokid among them) can query it instead of hitting IAM directly.

Under the hood

What happens with a permission that a role has not used in 90 days?

The answer is that Repokid takes care of it. Repokid reads the Aardvark data and “repos” the role: it removes, from the role’s inline policies, the permissions for services the role has not used within the configured window (90 days in the usual configuration). Roles younger than that window are skipped, because they have not had the chance to use their permissions yet, and roles you put on a blocklist are never touched. Every removal is recorded so that a role can be rolled back to a previous version if something breaks.

In conclusion:

If you are part of a company in a start-up phase, where delivering products is crucial to grow, you will need to build infrastructure and security solutions that can keep up with the organisation’s speed. We all know that these days “adding more muscle” is not always the best solution, therefore automation and elastic infrastructure are the right path.

With these powerful tools you can start your operation with roles that carry a very broad set of permissions (say 98% of everything). You only need to carve out, with explicit Deny statements, the actions that would let a role undermine your security policy and audit trail: for example, the ability to “stop CloudTrail” (cloudtrail:StopLogging, cloudtrail:DeleteTrail), any access to IAM, and the handling of access keys.

Using this approach any Dev can start a project, creating EC2 instances and buckets, without worrying about permissions, while Aardvark and Repokid run in the background and gather data about which services each role actually uses. After 90 days the tools start removing the permissions that were never exercised, and the role converges towards what it really needs.
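To make the flow concrete, here is an added example (not Netflix’s code, and not an interface of Repokid or Aardvark) of the two steps above in miniature: a role starts with a broad Allow plus the explicit-deny guardrails, a constructed Access Advisor result says which services it touched and when, and a “repo” pass strips the Allow actions for services unused within the window while never modifying a Deny statement. The record shape mirrors the ServiceNamespace / LastAuthenticated fields of the IAM service-last-accessed API; the 90-day window, the blocklist, the role names and the dates are assumptions for the example, and nothing here talks to AWS.

```python
"""Added example: a miniature Repokid-style "repo" of one IAM role.

Constructed data only; nothing here calls AWS. The Access Advisor records use
the ServiceNamespace / LastAuthenticated field names of the IAM
service-last-accessed API; everything else (window, blocklist, role names,
dates) is an assumption made for the example.
"""
import copy
from datetime import datetime, timedelta, timezone

REPO_AGE_DAYS = 90                                 # assumed "unused for" window
NOW = datetime(2020, 8, 8, tzinfo=timezone.utc)    # fixed clock so the example is deterministic
BLOCKLIST = {"BreakGlassAdmin"}                    # constructed: roles the tool must never touch


def days_ago(n):
    """Helper for building timestamps relative to the fixed clock."""
    return NOW - timedelta(days=n)


# Constructed starting policy: a broad Allow plus the guardrail Denies the post asks for.
STARTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BroadAllow", "Effect": "Allow",
         "Action": ["ec2:*", "s3:*", "sqs:*", "dynamodb:*", "lambda:*"], "Resource": "*"},
        {"Sid": "ProtectCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
         "Resource": "*"},
        {"Sid": "NoIamOrKeyHandling", "Effect": "Deny", "Action": ["iam:*"], "Resource": "*"},
    ],
}

# Constructed Access Advisor output for the role. A missing LastAuthenticated means never used.
ACCESS_ADVISOR = [
    {"ServiceNamespace": "ec2", "LastAuthenticated": days_ago(3)},
    {"ServiceNamespace": "s3", "LastAuthenticated": days_ago(40)},
    {"ServiceNamespace": "sqs", "LastAuthenticated": days_ago(120)},
    {"ServiceNamespace": "dynamodb"},
    {"ServiceNamespace": "lambda", "LastAuthenticated": days_ago(89)},
]


def eligible_for_repo(role_name, created_at, now=NOW, age_days=REPO_AGE_DAYS, blocklist=BLOCKLIST):
    """Only roles older than the window and not on the blocklist are candidates.
    A role younger than the window has not had time to use its permissions yet."""
    if role_name in blocklist:
        return False
    return (now - created_at) >= timedelta(days=age_days)


def unused_services(advisor, now=NOW, age_days=REPO_AGE_DAYS):
    """Service namespaces the role did not authenticate to within the window (or ever)."""
    cutoff = now - timedelta(days=age_days)
    unused = set()
    for entry in advisor:
        last = entry.get("LastAuthenticated")
        if last is None or last < cutoff:
            unused.add(entry["ServiceNamespace"])
    return unused


def repo_policy(policy, unused):
    """Strip Allow actions whose service is in `unused`. Deny statements are never
    touched, so the guardrails survive every run. Returns (new_policy, removed), where
    `removed` maps statement Sid -> actions taken away, the record you keep for rollback."""
    new_policy = copy.deepcopy(policy)   # never mutate the caller's policy
    removed = {}
    kept_statements = []
    for stmt in new_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            kept_statements.append(stmt)
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # A bare "*" names no service, so Access Advisor data cannot justify dropping it; keep it.
        keep = [a for a in actions if a == "*" or a.split(":", 1)[0].lower() not in unused]
        drop = [a for a in actions if a not in keep]
        if drop:
            removed[stmt.get("Sid", "<no-sid>")] = drop
        if keep:                          # a statement with no actions left is dropped entirely
            stmt["Action"] = keep
            kept_statements.append(stmt)
    new_policy["Statement"] = kept_statements
    return new_policy, removed


if __name__ == "__main__":
    unused = unused_services(ACCESS_ADVISOR)
    print("unused within %d days: %s" % (REPO_AGE_DAYS, sorted(unused)))
    if eligible_for_repo("app-team-role", created_at=days_ago(200)):
        new_policy, removed = repo_policy(STARTING_POLICY, unused)
        print("removed:", removed)
        for stmt in new_policy["Statement"]:
            print(stmt["Effect"], stmt["Sid"], stmt["Action"])
```

Two details are worth keeping when you build or configure the real thing: the `removed` record is what makes the process reversible, and the “skip roles younger than the window” rule is what stops a freshly created role from being stripped bare before the team that owns it has even deployed.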

Using this approach you are applying the concept of “Continuous Security”, a very cool practice these days.

Where you can find them

https://github.com/Netflix/repokid
https://github.com/Netflix-Skunkworks/aardvark

Additional information

There is an interesting talk from AppSec California 2019 where Repokid was introduced; it lays the foundations for understanding it.

Hope this helps!

Pablo
