The dangers of role-based access control (RBAC)

Chris Sienko: Hello and welcome to another episode of the Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader to discuss the latest cybersecurity trends and how those trends are affecting the work of Infosec professionals as well as tips for those trying to break in or move up the ladder of the cybersecurity industry.

Today on the show, we're going to talk to Balaji Parimi at CloudKnox about the dangers to be found in role-based access control, or RBAC. Balaji Parimi is the founder and CEO of CloudKnox Security. He founded CloudKnox Security based on his vision for a different approach to managing identity privileges at the infrastructure level with an approach built upon his belief that the solution to mitigating insider threats should not be about restricting privileges, but about creating a much less intrusive path to managing high-risk privileges without impacting productivity and trust. Prior to starting CloudKnox, Balaji ran engineering and operations at CloudPhysics. Balaji, thank you for joining me today.

Balaji Parimi: Thank you, Chris.

Chris: I like to start the show off by giving a little background on each guest. Clearly, you're pretty high up in the security and tech world. How and when did you first get started in computers and security? That's something that's always been interesting to you or did that come on later in life?

Balaji: I went to school in India in engineering. My civil engineering was my undergrad major. For one of the projects that I needed to start writing some stuff in my Fortran, that was my first interaction. This was way back in '92. That's when-

Chris: Okay. So, they had you writing in Fortran in '92, huh?

Balaji: Yes. And I fell in love with that.

Chris: Yeah. Yeah, yeah, yeah.

Balaji: Then I came here for grad school. I went to grad school in Bradley University in Peoria, Illinois, with computer science major. And then I went to another grad school, San Jose State University, and got the software engineering graduate degree again. Ever since that Fortran program, I knew this was my passion.

Chris: This was your thing. Absolutely.

Balaji: Right.

Chris: Tell me about your company, CloudKnox. What does your company offer to its clients and what is its role in the cybersecurity landscape?

Balaji: Yeah. We are a hybrid cloud security platform focused on protecting hybrid clouds, both on-prem, VMware, or any of the public clouds. The biggest problem today is, with the cloud infrastructure, the automation is at a completely different level. There are literally tens and thousands of knobs to control every nook and cranny of compute storage and networking. So, with cloud infrastructure, it's like everything in one place, which means, at the crux of it, all these knobs are turned by some identity, some human, and non-humans like service accounts, bots, access keys, or machines, things like that, which means, there is always that human element that has the ability to control every aspect of the infrastructure.

We've been using 30-year-old RBAC that creates static rules, and the privileges for the static rules are based on assumptions. Basically, think of it as you're an administrator. In Windows machine, if you're an administrator, yeah, you've get hundred privileges or something like that, but at the most that you can do is you can reformat the disk or you can reformat the OS, so you are limited to just that one box.

You look at a virtualized data center or your AWS account, your administrative privilege means everything. You can destroy everything, you can create everything, and you can import everything, you can clone everything. That 30-year-old methodology, RBAC, that was created, was created for a completely different data in a completely different day, and we're using the same thing in a completely dynamic and a cloud infrastructure role.

See, the danger here is, the risk here is, there are hundred privileges in a Windows box versus about 30,000 privileges when you are looking at your cloud. Out of the 30,000, all these identities ... The reason why I'm using the term identities is that there are so many machine identities these days, almost one is to five ratio, they use only a fraction of what they are given, literally about 1% of the privileges for the day-to-day operations. Yet, we are over-provisioning the privileges for all these identities because we are using the old methodology and we don't know better, and there are not enough tools to do that stuff.

What I wanted to do, as a company, our mission is to provide a platform to make it easy for you to make data-driven decisions. The way that you do it is, okay, instead of giving 30,000 privileges, which gives the ability for somebody to make an accident or with bad intent [inaudible 00:04:58] some things, give them just enough privileges so that they can continue to do whatever they want, whatever that they've been doing in the company, whatever that they need, and at the same time, provide some guardrails for them to prevent themselves from doing all kinds of accidents or certain bad things in case of a bad actor gets into the company.

That means, how do you figure out what are those just enough privileges for every identity, which means you need to keep track of what each and every identity is doing. You need to do proper accounting and attribution. Identities can come in from multiple directions these days. They can be local, they can come from enterprise directory, they can be coming from a federated system like Okta, or Ping, or something of that sort. No matter how the identity gets in, you need to figure out a way to do the proper accounting and attribution, establish their profile. Now you know, okay, John Doe uses these 50 functions out of the 20,000 for his day-to-day operations. Doing that at cloud scale is almost impossible if you have to do that manually.

That's where our system comes in, automates this whole thing, and once you created these profiles, you can use our activity-based authorization. What do you mean by activity-based authorization? It is the process of automating the creation of these profiles for every identity so that just enough privileges for each and every identity is this set. Once you have it, now the second set is, one, you got the visibility into which identities can touch your infra. What operations can they do? Now, these are the just enough privileges that I needed to give to each and every one of those.

Now, if you have a single platform that gives you the ability to do this across clouds, it's easier because the models, the permission models and the privilege management models, across these clouds are completely different. You look at VMware, AWS, they're worlds apart. You look at AWS and Azure. Again, there is a vast difference between them. It's almost impossible for somebody to ... for an organization to find somebody who is an expert in all these, in at least one, if not, I mean, let alone two.

That's because these are specialized areas, and there are not a whole lot of people that spend a lot of time and energy in understanding these kinds of things, right?

Chris: Right.

Balaji: So that's ... Sorry.

Chris: Oh, no, it's okay. Go ahead.

Balaji: Yeah. That's where our platform automates all this, and then, with the click of a button, will give you the ability to provide those just enough privileges for every identity across any cloud platform.

Chris: Okay. You've answered a lot of questions that I was going to ask later, but we'll sort of break them apart piece by piece. But we're here to talk today specifically to talk about role-based access control, or RBAC. The purpose of role-based access control is to control the levels of access, like you say, that employees have to the network. Before we even get into the sort of issues or the loopholes or whatever, for those new to the concept, can you explain role-based access control? How does it work, and how was it designed as it was meant to be, to control your network?

Balaji: Yeah. Basically, with a network or any system, you have a bunch of things that you can do automatically within software. It is very difficult for somebody to assign, okay, John Doe ... Let's say you have 500 of those. And if you have thousand users within the organization, how can you assign a specific set of actions for each and every one of those instead of enumerating, okay, this guy can do these 20 things, this guy can do these 50 things? The roles came into picture. Create a role, and that role has all these 50 things. And then give this role to anybody who is in this group within the organization. Like for example-

Chris: So, designers would have one set of roles and executive people would have another set of roles. Is that sort of the idea or ...

Balaji: Yes. Role is a proxy for a set of privileges. It's as simple as that.

Chris: Okay. Before we dissect the dangers and the difficulties, do you think there are still some upsides of using role-based access control if done well and if used properly, or is this just a bad system?

Balaji: It has its advantages, and it has its applications. But the whole concept of role-based access control system could work even for this, but how do you determine the set of privileges that constitute a role? That is what that needs to be focused on. Like for example, today, RBAC, the set of privileges that a role should have is completely based on assumptions, like this is an administrator. Oh, administrator means everything, so give him everything under the sun. Another guy is read-only. Read-only means he can only read, so give him just that read and be done with it. Whether the administrator is using all that or not, it doesn't matter. On RBAC, if you have a limited set of privileges, RBAC works perfectly, even with the assumptions-based role creation. But as the number grows, it becomes a lot more difficult.

Chris: Right. Okay. Now, I guess going from that, we're seeing this is kind of a sin of convenience, where you're basically saying, "Well, it's an administrator. Let's just give him all of the privileges rather than customizing what the actual person is going to need in their day-to-day work." How do we start sort of pulling back from this? What is your approach to cutting down the ... I think you noted there's 15,000-plus privileges across VMware, Amazon Web Services, and Azure cloud environments, and 50% of them are high-risk and so forth. So, what is the process in your mind of sort of pulling back from all of this unnecessary privilege granting?

Balaji: Well, first thing is you need to understand who is using what, and once you have it, you can figure it out who has what kind of roles? Let's say John, Craig, Daniel, those three are marked as ... they have those three as administrator roles. That's for the sake of [inaudible 00:11:27]. If those three are administrator roles means they have all those 15,000 privileges, look at what they used. Let's say, if they've used let's say a couple of hundred privileges over last 90 days, or 180 days, or one year, or the entirety of their lifetime at the company. Now, figure out a way to create a role with just those 180 privileges. Then, you are making the RBAC work, but you have created a role dynamically based on the usage, not based on static assumptions.

Chris: Okay. Yeah. Can you tell me a little bit about the sort of high-risk privileges? What are the risks involved here? When you have all this extra ... these privileges, give me kind of a worst-case scenario. You have all these extra privileges, and therefore, what? What's a thing that could happen to your network and to your company?

Balaji: Yeah. Yeah. High-risk privileges are the privileges that have the capability to cause severe disruption or data leakage. Let's say, for example, somebody has the ability to destroy all the compute instances. They needed to destroy, let's say, compute instance eight. In their scripting, where scripting compute instance eight, but eight and star on a keyboard are on a key, separated by a shift. Accidentally, instead of eight, they inputted star, which is a wildcard for everything.

Chris: Right. Oh, Okay.

Balaji: When they run it, everything is gone. Or if a bad actor gets in, this we have seen in the companies many, many times, they intentionally, "Okay. You know what? I want to wipe out the data here. I want to fill in." A couple of months ago, there was a company called VFEmail. A bad actor formatted the disks of all their production instances, destroying 18 years' worth of their customers' emails.

Chris: Wow.

Balaji: And the guy never needed that kind of privilege. That privilege was required only for troubleshooting for a DR and backup ecosystem. This guy never needed it, never used it in his entire life. That was the first time, and with the kind of power, he was able to do that kind of stuff. Those are the example.

There are so many other examples where I've seen ... A CISO, he was telling me that an engineer, a contractor engineer, took a snapshot of a compute instance with very sensitive data and shared it with an offshore contractor for some performance testing.

Chris: Wow.

Balaji: Soon it ended up in the public domain, and the CISO did not know about this because nobody copied any files. They copied an entire computer disk, where no DLP system was able to ... And that was merely meant for backup systems. Backup systems are the ones that gave a backup and stored it in, not meant for an engineer.

Chris: Not useful. Yeah.

Balaji: Yeah, not useful for ... And since because they were using static RBAC, well, he was an admin, and he got everything, including that. So, those are the kinds of dangers.

Chris: Okay. Now, what are the roles, if any, of non-human identities in all of this? I'm thinking of things like service accounts that connect modular coding components or things like microservices, or software containers, or APIs. Does that play into this issue at all or is that something else?

Balaji: Yes. Yes, because the automation is ... We are in the middle of unprecedented levels of automation, so with the click of a button, we want code to build, and deploy, and start into production, and all these kinds of things. But all these automation things are also associated with some identity, and these are machine identities, non-human identities. Even these identities are given certain roles because they need to perform some things. And guess what? Those roles are also created based on static assumptions.

What happens when these machine identities gets into the wrong hands or if somebody injects or somebody accidentally puts something into the code that the mission identity is running, now, it could cause a lot of problem. We have seen so many times that people accidentally publishing their access keys for their AWS into public get out, and the trolls on the internet catch hold of that, and get onto their AWS account, and start cryptomining. Basically, cryptomining is not as severe. It's only costs the company money. There was instances where the hacker got in, he shut out everybody else, demanded ransom. By the time company could act on it, he wiped out their entire infrastructure clean.

Chris: Wow. Geez. Okay, a couple of questions following up on that. One just occurred to me. What is the actual time and resource commitment that it would take for a company to reform its privilege levels? I mean, you mentioned CloudKnox, that you're helping in sort of like turning the switches off and making a more right-sized privilege level. But what does this actually realistically mean if you're trying to completely readjust how your entire privilege structure works in your company? Is this a big project or is it something that can be done in an afternoon?

Balaji: No, it's definitely not something that can be done in an afternoon.

Chris: Right. I didn't think so, but it's a better story that way, obviously.

Balaji: Yeah. It's kind of a journey and a mindset. It depends on the CISO. There are some CISOs where it's not an issue. Nothing has happened until now, so nothing is going to happen, so I'm fine with this. That's kind of ... I mean, it took me 15 years to subscribe to ADT until a burglary happened at my house.

Chris: Right. There you go.

Balaji: But there are people who are proactive and say, "Hey, I wanted to prevent these kinds of things because ..." It definitely depends on the mindset. But this is a huge problem that is out there, and lots and lots of CISOs are realizing that. Even Gartner at their conference, that had a risk conference last week, they said, "Identity and access management in the cloud is the number one priority." This is the second time in a row.

Chris: Mm-hmm (affirmative). Okay. So, it's clearly, it's a matter kind of will, and it is going to take some work, but do you think that there needs to be outreach in terms of letting organizations know that this is a problem? Do you think most people most places know that it's a problem but don't want to sort of take the time or resources to deal with it? Or is it really true, like people will be able to wait until after the disaster hits and then say, "I've never even heard of it"?

Balaji: See, the thing is, most people are aware of this problem, and most people want to fix it too. It's not like they don't want. Most people to want to fix it too. But the traditional tools have been a lot more ... I mean, quite frankly, for cloud infrastructure, there are not many tools out there that can help them fix this. Quite a few customers that we have seen, they started doing manually to do these kinds of things. And then they were like ... it was drowning them because it's that humongous and it's a monumental effort.

If the market realizes, okay, there are some platforms or tools that are available that can help me with this, I'm pretty sure everybody wants to, at least the majority of the people want. Every CISO that I talked to is like, "Hey, I don't have ..." They have two problems. One is, their security admins and the infrastructure admins are doing a lot more than what they were doing 10 years ago. They just don't have time to catch up with the advancements to gain that knowledge. And second, even if they gain the knowledge, they just don't have the time to go and implement it at the times, and CISO is finding it hard to hire more people to come in and handle all these kinds of things.

So, what they're looking for is, okay, A, their current resources don't have the ability and the resources; B, even when they're ready to hire, they don't have enough talent over there; and C, they don't know if there are enough tools that can help them make it easy, rather than a five-month project or five-year project.

Chris: I see.

Balaji: So, basically, if they realize, "Hey, there is this platform out there that can make it easy for me to implement these things," they take this product in a jiffy. We talked to many, many, many customers, or usually we go in and we say, "Hey, here is ... with the platform, with the click of a button, you'll be able to do this." And the guys were like, "Is this real?" I'm like, "Yeah."

And then we do the demo, and we say, "Hey, we can do a free risk assessment with half-an-hour deployment from your side. Once you do the risk assessment, you can see it for yourself, and you can play around with it." Pretty much every customer that we talked to, every customer did a risk assessment. And once they see that, okay, there is something out there that can help me, that can help my team to address the security issue, everybody would jump right on it. It's just a matter of the market knowing that there is something out there that can help them, unlike the traditional ones, or unlike the traditional privilege access management projects, which will take years and years.

Chris: Yeah. This is very eye-opening to me because role-based access control was sold to us as the new panacea and nothing could go wrong. Is there an alternative on the horizon or are we really going to have to just sort of reform what we have now and go ahead with that?

Balaji: My prediction is, with the cloud, and IoT, and the level of automation that is happening out there, activity-based authorization is going to take over. It's just a matter of time. What do I mean by activity-based authorization? It is giving just enough privileges to every identity that needs to operate in the space because then you are dealing with tens of thousands of privileges. There's no point in giving those tens of thousands of privileges with every identity, thinking that they may use it sometime in the future.

Chris: Would these privileges be requested and gained in the moment kind of thing? Is that how that works, like as you're working on a thing and then you ask for the access at that moment? Or how ...

Balaji: You can start off with a basic set that you need in order to perform your day-to-day job. If you need something that you needed to do, you can go through privilege on-demand or just-in-time type of privilege, where ... Let's imagine that every Saturday night I do something that is specific to some backup job. I don't need it every time until Saturday night, 10:00 PM, when I start, when I'm about to do that stuff. This is going to evolve into, here are a set of things that you do on a day-to-day basis. You'll have them. Here is a set of things that you need on demand at certain point in time.

It's just like bill pay. You can write check whenever you want. You have the checkbook with you. But at the same time, you can set it up in bill pay to pay a bill at a certain point in time in the future, or you can set up a recurring thing. It's exactly similar to that. You have your own set checkbook, and you have your own bill pay. So that's how-

Chris: It’s automatic. Yeah.

Balaji: Yeah.

Chris: Okay. As mentioned up at the top of the show, the name of the show is Cyber Work, and one of the big focus of the show is people who are interested in cybersecurity as a career. So, for listeners who are interested in this topic and would like to work in the fields of access control and provisioning and so forth, what types of hands-on experience, education, certs, and so forth would you recommend that they seek out to enter the field? What types of things do you think would make you want to hire someone in this area?

Balaji: Yeah. Again, the access controls, and identity and access management, privilege management, and all these things, it really depends on the target system that you're ... Let's say, for example, if you are looking at a mobile device management system, it's a bit different. If you are looking at laptops, desktops, it's a bit different. If you are looking at cloud infrastructure, virtual infra, it's a bit different.

My suggestion would be, which area that you want to focus on, go gain a complete understanding of how the authorization models ... what kind of automation exists in there. What are the risky things there? What kind of risks exist in there? What kind of security policies that I can set up across these things? At the end of the day, you are going there to mitigate the risk from any of these things from causing damage due to access or privileges for any of these things, which means, if you get a good understanding of that aspect of it, it's a lot more easier.

There is no one size. One size doesn't fit all. So, you can't think, okay, I have an admin read-only of storage at the network admin, because admin and MDM has the ability to wipe out all mobile devices that are part of that MDM system, whereas admin and AWS can wipe out the entire company, so two different things. My advice would be, depending on where you want to apply, or it could be one or more, understand what those risky models are, what the capabilities are. Then you will be a lot more educated in terms of the value that you can bring to the organization.

Chris: Are there hands-on exercises that you could try to understand how privileging works without actually ruining your company? You're doing things in real life.

Balaji: Yeah, yeah, yeah. There are a ton of those. Basically, you can ... I mean, one simple example. Right now with cloud, you can spin up anything. For personal accounts, they provide some micro-instances for free. You can go, you can spin up within your own environment, you can play around with that, and if you needed to deploy a Linux or something, pretty much all of them are free. I'm sure that there are some open source flavors of whatever that you wanted to do. They can deploy and they can play around with it.

And a lot of the times, you have ton of videos and you can figure out ... A lot of this knowledge, especially related to access controls and all, you can figure these things out as you go through, but it's a matter of, you need to have the passion and drive to understand those completely. A lot of the people don't pay attention to this, but the people who are experts in this area, they are treated as gods in any organization.

Chris: Yeah. Yeah. Yeah. If you want to learn, if you want to be the person that's defending security on the front line, that's as a good place as any to start.

Balaji: Yeah.

Chris: Based on your examination of this trend of overprivileging identities, looking into the future, where do you see this all going in years to come? Do you see a new model? Do you see things getting worse, things getting better?

Balaji: Compared to 10 years ago, now, there are lots and lots of a non-human identities are in the system, and that number is projected to grow even more. It's like today, it is one is to five, and that is projected to go up to one is to 20 or something like that in the next couple of years.

Chris: Wow.

Balaji: Which means for all these non-human identities, the usage patterns are pretty much set. There are machines. They're scheduled and they are set to do certain things there pretty much. The industry is going to move towards providing those just enough privileges to all these non-human identities to mitigate the risk because, in the wake of this level of automation, one simple mistake could wipe out a company or cause severe damage. So, one way to put in proper guardrails is providing them just enough privileges so that they cannot do any mistake either intentionally or unintentionally. I believe the industry will move forward in that direction.

With IoT, there are millions and millions of devices that are going to be in place. Every device is not going to ... I mean, it's probably impractical for every device to authenticate itself before doing certain things, so most of it is going to be based on authorization, which is, again, what kind of privileges that you are authorized to do. As we evolve more and more with all these ecosystems, with the emergence of IoT ecosystem as well, it kind of forces us into, yes, now, you can't just depend on authentication and access control all the time. You need to figure out a way to bring the authorization into picture, and this is-

Chris: It's where it's going to be.

Balaji: Yeah.

Chris: Okay. If listeners want to learn more about you or CloudKnox, where can they go online?

Balaji:

CloudKnox.io is our website, and then-

Chris: Okay. It's Cloud K-N-O-X dot io.

Balaji: Yeah.

Chris: Yep. Yep.

Balaji: We are one of the finalists at RSA Innovation Sandbox this year. We have that three-minute pitch out there, so if you go to RSA Innovation Sandbox, they can hear about at a high level what we do and our pitch.

Chris: Cool. All right. Balaji, thank you very much for joining me today.

Balaji: Thank you, Chris.

Chris: And thank you all today for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher of choice.

To see current promotional offers available for podcast listeners and to learn more about our Infosec Pro live boot camps, Infosec Skills on-demand training library, and Infosec IQ security awareness and training platform, go to infosecinstitute.com/podcast or click the link in the description.

Thanks once again to Balaji Parimi, and thank you all again for watching and listening. We'll speak to you next week.