Navigating the Identity and Access Management Landscape with Joseph South

TL;DR

  • Securing cloud IAM requires a different mindset than traditional IAM. Once credentials are breached, attackers gain access to all infrastructure in the cloud environment. This is one of the primary reasons why IAM is the new perimeter.
  • To address IAM security gaps, start with tagging IAM resources, cleaning up inactive accounts and over-permissioned roles, and consolidating duplicate permissions.
  • Buy-in from leadership is key. It lets security teams enforce security best practices collaboratively rather than by fiat.

LinkedIn Profiles

Host: https://www.linkedin.com/in/mpurusottamc/

Joseph South: https://www.linkedin.com/in/joseph-south/

Transcript

Host: Hi, everyone. This is Purusottam and thanks for tuning in to the Scale to Zero podcast. Today's episode is with Joseph South, or, as we call him, Joe. Joe is the host of the Security Unfiltered podcast. He's currently a principal cloud security engineer at Volkswagen Financial Services. He has close to a decade of experience in cybersecurity. He started his career in IAM, and that is one of the topics we will be chatting about today. And a fun fact: he's a collector of rare whiskeys as well.

So Joe, thank you so much for joining us on the podcast. For our audience, do you want to briefly share your journey?

Joe: Yeah, sure. So, you know, first off, you know, thanks for having me on. I really do appreciate it. Thanks for all of your flexibility. My schedule is insane, as I'm sure we'll talk about later on.

But yeah, you know, my journey into security, I guess, is a bit of a challenging one because so I got work experience in IT, just basic help desk stuff in college. And I figured after college, you know, I'm going to go into law enforcement. I'll go into the government or something like that. Right. And so I'll just do some IT work to make some money for these student loans until I can get into like my real career. You know, um, I actually disliked IT help desk a whole lot. I thought it was the most boring thing in the world. Um, and I couldn't imagine myself taking a career like that. And in my first job right out of college, the person who was mentoring me at the company that I was working at mentioned, hey, you have a pretty good mentality for cybersecurity. I had never heard of cybersecurity or anything like that. But he, you know, inquired me or really, you know, encouraged me to pick up the Security Plus book and start reading it. And he said, if I'm interested, you know, from there, you know, maybe it's something that I should go down.

And I picked up the Security Plus book and I couldn't put it down, to be honest. I read it cover to cover several times when studying for my exam. And I found the stuff really interesting. I found myself researching it, you know, during work, after work, thinking about it constantly. And so that kind of started, my two-and-a-half-year journey of getting into cybersecurity because then, you know, I felt, okay, I'm going to go into cybersecurity.

I figured six, or seven months of studying really hard and whatnot, I'll get into it. Little did I know two and a half years later is when I finally got into a security dedicated role. That whole process was very frustrating for me because everyone was telling me I was doing all the right things, but I didn't have experience with these multi-million dollar solutions that companies have.

And so they're like, oh, no, we're not going to take you because you don't have this experience, but there's no way for me to get that experience. Yeah. So that's a small gist of it. And that's kind of where I started my podcast with that mentality of helping others get into this field that I love.

Host: Love that. One thing I really loved is you had a mentor early on who sort of guided you towards cybersecurity, and that's often the challenge that we see today: a lot of folks want to get into cybersecurity, but they don't know where to start from. And hopefully, your podcast is helping new entrants to the cybersecurity world.

Joe: Yeah, I surely hope so. And, you know, I always tell everyone I'm always open, you know, for a conversation. I'm always open to a message on LinkedIn or wherever it might be. Um, because I do remember when I was trying to get in and I would be messaging people in security and I mean, you know, 9.9 times out of 10, I would never get a response and it was the most frustrating thing because all I wanted to do was just get some guidance. You know, like, Hey, what am I doing wrong? What could I do better? Where should I be focusing right now? All of that sort of stuff, you know, I'm not trying to be a burden on anyone. And so that's why, that's why I have the podcast. And that's why I always tell anyone, you know, if you have any questions, if you need a mentor, just reach out, I'm more than happy to help.

Host: Yeah. And we will try to add all the details about your podcast when we publish this episode also, so that it reaches more listeners or more audiences.

Joe: Awesome. Yeah, that'll be great.

Host: Absolutely. So before we start the recording, I generally ask this question to all of our guests, and I get unique answers depending on the job role and different stages of life.

So what does a day in your life look like today?

Joe: Yeah, that's a loaded question. My day starts at about eight or nine o'clock and I don't get done until about midnight or 1 a.m. My day, every day is different. Like you said, I'm in charge of all cloud security engineering at Volkswagen Financial. That in and of itself is a huge task. Right.

So that's taking on everything and anything in the cloud, working with developers, making sure that they're creating secure code, as well as working with other solutions that we have internally that are monitoring the cloud for its own infrastructure security and making sure that the code that we're putting in there is getting put into secure infrastructure and secure architecture and responding to… different incidents and also putting out what I call fires of discovering, oh, hey, we're in a new cloud and we've been in there for a while now. And now I have to go figure out what's going on over there pretty last minute. I need to be on top of it.

Host: Yeah. So, a varied set of tasks across a varied set of security areas, if I want to summarize your day. So, one, please go ahead.

Joe: Yeah. Oh, yeah. I would say that's pretty accurate. And, you know, I always tell everyone cloud security is a more graduated security domain. Right. You don't go straight into cloud security. That would not be a good idea.

You would want to get experience in other domains of security because, in cloud security, all of it's combined. Right. So I have IAM experience. I have endpoint security, infrastructure security experience, and some light network security experience. Well, every day I'm using all of those skills that I learn.

Host: Yeah, and that makes sense. And one of those areas we're going to talk about today is IAM, right? So, as I said in the intro as well, you started your career in IAM as well. So let's dig in.

So in a recent summit in October, you presented a session on mapping the battlefield by untangling Cloud IAM challenges. So IAM in particular has been in our lives for over a decade. I believe IAM was one of the earliest like Cloud IAM was one of the earliest services provided by AWS. So why do you think it still needs attention? Isn't it solved already?

Joe: Yeah, I wish it was solved. If really, if anything in security was solved, I'd be out of work. But, you know, with IAM, when we're talking about IAM on-prem, you know, that's behind a firewall, it's behind network security, it's behind all these other things, you know, even infrastructure security would be before IAM security in an on-prem environment.

When we're talking about the cloud, you know, anyone can pull up AWS portal.com or whatever it is, it might be AWS.com. Um, and they can just log in with credentials, right? And so that opens up your entire cloud environment to the whole world to be attacked.

Now, AWS does a pretty good job at, uh, securing their portal, you know, so there are different hoops that people would have to jump through to get to it, but it doesn't make it any easier to negate the fact that IAM is now the perimeter where it used to be a firewall. It used to be your network security. Now it's IAM. And that's just an account, a password. And hopefully, you know, if you're really good, an MFA token.

Host: So that's a very good point. But why do you think it is getting a lot of attention recently? Why is it today versus, let's say, five years ago?

Or it has been the case always. It's just that maybe there are some factors which are affecting why IAM is getting attention recently.

Joe: Well, I think it's kind of twofold, right? In security, it's never not been, you know, our primary focus of attention. In security, it's always been truly about IAM at the end of the day. It's getting more attention recently though because major companies are getting breached via IAM. You know, they're getting breached by users legitimately logging in, you know, as a real user and wreaking havoc in their environment.


I'm thinking about companies like Okta or MGM, these huge breaches. And especially with Okta, they're the leader in SSO and they got breached. That's a huge thing. I don't think I could name a company that I worked for that didn't have Okta in their environment. They're so widely used and they still got breached.

So, it's becoming more of the forefront in people's minds, but in security, it's always been there. And there's a lot of different politics at play in different organizations. And so, a lot of the times, organizations would push back hard on security saying, oh, you can't enforce this. It's making it too secure. It doesn't add any value.

And now with all of these public attacks and public breaches, now we're, it's, we're able to say like, no, we have to do this. You know, if we don't do this, we're going to get breached just like these other people over here.

Host: And this goes back to what you said earlier, right? Like two things. One is these are some of the reasons why IAM has become the new perimeter versus network. And when it comes to the cloud, it's as simple as an attacker logging in, like getting to the password. That's where a lot of phishing attacks are also happening, right, to get through to your cloud environment, whereas in the case of on-prem, it was much more difficult to get in.

A follow-up question to that is, and you highlighted this in your talk as well, that the ability to create users and roles at will is an advantage of the cloud and also a downfall of cloud IAM. So, for our audience, can you share why you think that's the case?

Joe: Yeah, so that's a, it's an interesting topic because, you know, when you think of the cloud, the cloud is supposed to be this blank slate for developers and engineers to go into and just build, you know, not worry about anything else. They can just build. They don't have to worry about resources. The cloud has it all. And so when we're talking about IAM, these environments can explode very rapidly, before security even gets involved.

You know, I have a good friend of mine. He's the director over IAM at a large company. And he said that the company had existed and moved into the cloud, you know, really before they had an official security team kind of formed because it's a younger company. And when he got involved, the cloud had over 400,000 accounts already in their environment. And that was over the course of maybe a year, you know, and in terms of cloud standards, yeah.

So, you know, he got in, he walked into this situation and, you know, when he interviewed the people, we even told him like, hey, we probably have about, you know, between 20 and 40,000 accounts. And he said, okay, that's large, you know, but we can deal with that. And he gets in and he actually does a real analysis. He actually reached out to me to instruct him on how to do a deep dive analysis into this. And he found 400,000 accounts. Like, okay, that's a little bit bigger than what you guys told me before.

Host: That is even more maddening than what it started with. Right. So if that's the case, since you advised your friend in that case, right, I'm curious, what was your advice? Like, how do organizations deal with these kinds of scenarios?

Joe: Yeah, you know, really the best way to go about it is hopefully you can identify the owner of these accounts, you know, in the cloud tagging is everything. Right.

And so any good security program in the cloud will enforce tags on every asset in the cloud, every account, role, everything, because it shows who owns it, who created it, that sort of thing. So that was the first thing I told him to keep in mind, and then we started looking at the accounts that, you know, weren't used, that were over-permissioned. All of those, you know, kind of outliers, I would say, right?

Anything that a regular account that is used shouldn't look like. So you know, maybe it hasn't been used in a year. Maybe it's, you know, got global admin permissions in the environment. Maybe there are 50 of these accounts, right? And you start weeding them out.

And as you get your list of viable accounts down, you get that actual list. Then you start reaching out to these teams and saying, Hey, what accounts do you actually need? You know, what accounts can we combine here? What roles can we combine here? And you start dialing it back, but that takes a very long time. You know, it took a year to create this problem. It's going to take them probably five years to unravel.

Host: Yeah. So that makes sense. I'm curious now. I would love to follow, like continue on the same use case that you had. So if we dig deeper, right into, let's say, the 40,000 accounts, there are several types of identities, right? Human identities, machine identities, there could be third party identities as well. So how should organizations prioritize their security configurations for IAM?

Let's say when you got into that situation and you looked at these three types of identities, what's the first thought that comes to your mind? How do you prioritize?

Joe: Yeah, that's a great question. You know, so first I'm going to look at the human identities for sure. You know, let's look at the accounts that are actually being used by people. And, you know, these accounts are doing different things in the environment. Let's look at their permissions, uh, make sure that, you know, we're, we don't have several different roles that are doing the exact same thing in the environment. You know, can we combine these roles here?

Um, because, you know, when you do that, I mentioned it before, but when you do that, you're lowering your attack surface, right? You're lowering the probability of someone reaching out to a random person in your environment and somehow getting access to, you know, let's say Azure, AWS, right? And now they have global admin because this random account has too many permissions when they shouldn't have had that.

Then I'm going to start looking at the different machine accounts. So in the cloud, this is really more of, I think it's typically called a service account within most clouds. I mean, this is the issue with cloud security, right? Every single cloud has a different term for every single thing, even though they're doing the same thing. And so you're learning different languages, essentially.

You know, but then I'm focusing on the service accounts because those are the accounts where, you know, you could have a service, like let's just say, you know, S3 communicating to CloudFront or EC2s. And if you don't have that role or permission locked down, you know, one S3 bucket that's made public is now a foothold in your environment to the rest of your EC2s or to the rest of your AWS environment overall. And so you really want to control, you know, what is talking to what and how many permissions it actually has.

And then finally, of course, I would take a look at third-party accounts, you know, who outside of our organization has accounts in our environment. Why do they have it? Do they need it? And kind of do an attestation of those accounts and verify what the vendor and the business unit are saying:

  • Hey, do we still have this contract?
  • Is it still active?
  • Are they using it?
  • Do we need to give them access still?

Answering all of those questions will really determine, you know, if you can shut off that access or not. And a lot of the times, you know, these accesses get forgotten about. You know, I used to work on the other side of IT, right? I used to work on help desk and I can't tell you the amount of times that, you know, we would no longer allegedly have access to a customer, but we would still have access. I could still get in there. I could still log into my machine. You know, people will just say that you don't have access, but then they won't do anything on the backend to actually ensure you don't have access.

Host: Yeah, I really like the last part, where you highlighted that for vendors you are not in contract with anymore, at least you should clean up, because that's a much bigger risk versus vendors who are active today, and it's often overlooked.

So if I change the scenario a little bit, instead of you going into an organization where there is chaos, let's say you're starting from scratch. What are the top three things that you will focus on, particularly in IAM?

Joe: Yeah, it's a great question. Um, you know, first I would start thinking about everything from a least privileged perspective. You know, when we were talking, when we were just on prem, you know, just in our, you know, fairly local data centers, you know, least privilege was kind of the notion of IAM, right? That's, that's all that it was. But in the cloud, you know, least privilege is literally everything, you know, because now we're talking about EC2s talking to...

you know, CloudFront or S3 or these other services, Amazon Kinesis, whatever it might be. And if you just open up that EC2 to everything, like I mentioned before, you know, you're in a really bad situation in your environment. So you have to think from a least privileged perspective and you should be, you know, every decision that you make in the cloud should be based on, do I need this? Do I need that? You know, what can I live without? Does it need this ability to do this? I think if you address it from that angle, the risk to your environment will be significantly decreased. But unfortunately, a lot of companies either have a cloud presence or they're going into the cloud right now. And they… They're not having security involved in the architecture and design of it. You know, they're just saying, okay, we'll plug in security like we did on prem and they'll be able to fix it. Well, the cloud is a much more massive environment to try and fix.

Host: Yeah, so I want to, I mean, it absolutely makes sense that to follow least privilege, and you highlighted a few other areas in your presentation also, like providing areas like excessive permissions or misconfigurations or privilege escalations. One of the challenges that we see often with either startups or growing organizations is they provide overly permissive access to avoid any business impact. Because it takes time to understand what is the right permission that should be provided to let's say developers so that they can do some work.

And because of that, some developers have overly permissive access. So how should security leaders navigate this, find a balance between implementing least privilege and at the same time not impacting the business, the speed of… deploying new capabilities?

Joe: Yeah. So really, you know, the whole point of the cloud is to enable your developers or your engineers to build whatever they want, whatever the business needs. The whole purpose of cloud security is to enable them to do all of that, but in a secure way.

And I think that that's really important. You know, security should not be, it shouldn't be the destination where people go and they just get no every single time they ask for something. Security should be the department of "Yes, but," because it has different caveats. It has different situations where it's like, do you want this S3 bucket public? Yeah, we can do that, but we're going to secure it a different way. There are definitely options to this. And so really, this starts from an organization or a business buy-in into security.

And so the security leaders at the organization, they need to get the buy-in from all of the business executives, you know, first and foremost, those business executives need to be able to agree that, Hey, yeah, we need to be able to deploy what we want to deploy in this environment, but we also need to do it in a secure way so we don't get breached and then we're paying all these fines and loss of reputation and whatnot.

And then once you get that buy-in, you want to create a policy. Policy actually outlines the guidelines of what's expected in this environment. And then, you know, once you complete those two feats, uh, now you have to really directly address these issues with the people that are creating the issues. You know, so you have to be working hands on with the developers and saying, Hey, you can use this service or you can create this way. Um, or you can create it, but I need you to do it this way. Right.

And it's, it's all a song and dance, you know, so to speak of trying to navigate this and making sure that, you know, everyone is enabled to do their job correctly, that they can, you know, do what they want to do in the environment, but that it's not putting the environment at risk.

Host: Uh, makes absolute sense. I was hoping there would be, like, a magic formula which organizations can just use, but it doesn't look like there is one. So a follow-up question to that is, like, often, as I was highlighting, if it's an early-stage company, they focus on business objectives more than security sometimes. What other patterns have you noticed where security is not paid enough attention? Is it the training, or is it the culture, like any other factors which play into it?

Joe: Yeah, I would say training and culture are definitely a huge thing. Um, you know, when you think of security training, right. Nine times out of 10, you're going to think about that yearly, you know, video that you have to watch and that's considered to be security training. You know, maybe 10, 15, 20 years ago, that was a good idea that worked, you know, for the most part, but now these attackers are getting so sophisticated that I mean, they're able to fool security professionals, right?

So this training has to be augmented. It has to be enhanced in some way within the environment. That means that your security team needs to get hands on with the rest of the organization to really ensure that they're up to speed and that they're trained the ways that they should be. You know, recently I actually, you know, had a phishing email come through just literally a couple of days ago.

And this phishing email was extremely convincing, extremely convincing. It didn't have a link in it. It came from an internal, you know, uh, email address, right? It looked correct, but what they were asking me to do, didn't make any sense for my role. Um, and, you know, they were asking for a payroll situation, right? And yeah.

Host: Aha! Interesting.

Joe: If it's a real person, I feel for you, right? Because I want to get paid too. But you're in the completely wrong section of the business. Like I don't know anyone even in that department. And they were trying to just get me on the phone to continue the conversation. And I was talking to an expert at an email security company. And he said, yeah, there's… you know, attackers out there that are getting smarter and realizing that people like you don't click on links anymore.

And so they just want the conversation to keep evolving, build the rapport with you. And then when they think that you're in a good place with your trust with them, then they will send over the link. Then they will give you a phone call and, you know, just give you a little bit, you know, like a little nugget more for you to do and just keep on building that rapport with you.

Which is actually, that's how government agents are compromised. You know, they ask for one small thing and then they get another small request, seemingly very insignificant. You know, like why would, why would anyone want to know the name of just any random person that works in this building? You know? Um, yeah, I'll give you a name for 10 grand. I'll give you a name. It doesn't matter. Well, these, these attackers are picking up on that mentality and they're playing that within the organization now.

Host: Well, I must say this is a very, very sophisticated attack, right? That there is no link. So that means you will not be suspicious, because now, with all of the attacks that we have heard about or read about, we often expect that there would be a link. And the moment we don't see a link, the suspicion in our mind goes down as well. So yeah, I love how these attackers are trying to sort of attack and get information.

And the keyword that you highlighted is that trust, right? Like they are using smaller chunks of information. They are trying to get smaller chunks of information from you and trying to build trust at the same time so that they can send you a link or something once that trust is built and then you are sort of compromised, right? Wow, that's next level.

Joe: Yeah, it's interesting. This is happening to everyday employees at everyone's company. Not everyone is going to be as paranoid as a security professional is, nor should they be. I'm in security because I'm paranoid like that. I don't click on links. If someone sends me a link, I'm calling them and saying, hey, did you just send me this? That's how I am. But now... it's like an unfair playing field.

Host: And particularly during this time of the year, these phishing attacks happen a lot, right? Because it's the holidays, a lot of folks are spending, buying. So you might receive a link and you just click on it, right? And you get compromised. It's funny how attackers are also evolving to use new psychological ways of attacking others.

Joe: Yeah, I mean, they're taking the mentality, and I don't mean to cut you off, but they're taking the mentality that the military has towards compromising someone and they're employing that in their own attacks.

Host: True, true. So I have one last question on IAM. So, as you highlighted, IAM has become the new perimeter; earlier it used to be the network. So we spoke about a few things which can be done, right. What would be the top five considerations that you would recommend to, let's say, a mature organization when dealing with IAM?

Joe: Top five. So I would say, you know, least privilege would be at the very top of that list, of course. Then I would start looking at overly permissive roles and then overly used roles. So those are two different, you know, categories of, I guess, vulnerabilities or attack surfaces in the cloud for sure.

And then we have privileged account management. You know, so when you log into your cloud environment, you shouldn't have, you know, full root access to your cloud environment. It should be a very low-level privilege account. And then you escalate that permission, you know, as you need it for just-in-time access. And then finally, I would focus on MFA, of course. If you don't have MFA in 2023, you're, you're like not even in the game, right?

Host: Yeah, I was waiting for MFA. Like, what's the priority in your list? But yeah, absolutely. Like, MFA has become a standard nowadays.

Joe: Right. Yeah. You know, I put MFA lower because it's almost expected that everyone has MFA now. You know, like it's 2023. We've known about MFA for a while. It should be something that's put in automatically. It's still, you know, not always put in automatically for organizations. But, you know, there's other things that increase your attack surface significantly, like the other four things that I mentioned that kind of trump, you know, MFA. Like if you don't have MFA, then you know, you're in a bad position.

Host: Yeah, absolutely. That's spot on!

Thanks, Joe, for the insightful conversation. Here are a few important points I gathered:

With this, we end part one of our discussion with Joe. Today, we focused on IAM security. We'll be back for part two, where we'll discuss primarily on cloud security. Make sure you don't miss it. See you in the next episode. Thank you!
