Cyber Work: The dangers of Role-Based Access Control (RBAC)
Introduction
In this episode of Infosec’s Cyber Work podcast, host Chris Sienko chats with Balaji Parimi, founder and CEO of CloudKnox Security. They discuss current problems with Role-Based Access Control and how access control is moving toward a more secure future. For those looking for an explanation of both where RBAC has been and where it’s going, this podcast is for you.
When did you first get interested in computers and security?
When Balaji was earning his undergraduate degree in engineering in India in 1992, he fell in love with Fortran, a programming language. He carried that passion through two graduate degrees, in computer science at Bradley and in software engineering at San Jose State, and it led him to fall in love with computers and security.
What does CloudKnox offer its clients and what is its role in the cybersecurity landscape?
CloudKnox is a security platform focused on protecting the hypercloud. The biggest problem with cloud infrastructure today is that there are a thousand knobs in one place, and a human element is needed to control every part of the infrastructure.
We have been using 30-year-old RBAC concepts that create static rules based on assumptions, where admin privilege controls all. The risk is that you may need only 100 privileges while having access to 30,000 of them. The purpose of CloudKnox was to provide a platform that makes it easy to make data-driven decisions.
What is Role-Based Access Control? How does it work and how is it meant to be used to protect your network?
RBAC really just means a system of assigning privileges. With a network or any system you have to assign privileges to potentially thousands of users. RBAC is intended to be used with organizations that have different roles, each with different privileges.
What are the upsides of using RBAC? If done well, can RBAC still be an effective method of controlling access?
It has its advantages and applications; the whole concept of RBAC could work, but how do you define the set of privileges that make up the role? RBAC is based on assumptions: for example, one guy is the admin and another is read-only. Whether the admin uses all his privileges or not doesn't matter.
RBAC works for a limited number of privileges but as the number of privileges and users grows, it becomes more difficult to manage.
How do we start pulling back from the default setting of giving all employees all the privileges as a matter of convenience and begin customizing privileges according to the needs of the position?
The first thing is you need to understand who is using what. Once you have determined the need for certain privileges, you can determine who is assigned what role. To start pulling back from this default, let’s say there are 10,000 privileges and your admin only needs 100. Create a role for this admin with only these 100 privileges.
What are some of the issues involving high-risk privileges?
High-risk privileges are privileges that have the ability to cause severe disruption to the organization or data leakage. The issue here is that one simple mistake can have highly destructive consequences.
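The two steps described above (find out who is using what, then cut the role down to the privileges actually exercised, paying special attention to the high-risk ones that were never used) can be turned into a repeatable check. The following is an added example and is not CloudKnox's code or tooling. The policy shape follows AWS IAM's Effect/Action/Resource JSON and the events follow CloudTrail's eventSource/eventName fields, but every policy, event, action catalogue entry and high-risk classification below is constructed sample data, and the mapping from eventName to an IAM action is an approximation (some services log names that differ from the IAM action), so the output is a proposal for review rather than a list to deny automatically.

```python
"""Right-size a role from observed activity and flag the unused high-risk privileges.

Added example; it is not CloudKnox's code or tooling. The policy shape follows
AWS IAM's Effect/Action/Resource JSON and the events follow CloudTrail's
eventSource/eventName fields, but every policy, event and action below is
constructed sample data. Deriving 'service:Action' from eventName is an
approximation (some services log names that differ from the IAM action), so
treat the output as a proposal for review, not a list to deny automatically.
"""
import fnmatch
from collections import Counter

# Constructed: what the role is granted today (an admin-style policy).
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "iam:*"], "Resource": "*"}
    ],
}

# Constructed: a small subset of the provider's action catalogue that the
# wildcards above can expand to. A real run would load the full list.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket", "s3:PutBucketPolicy",
    "ec2:DescribeInstances", "ec2:DescribeVolumes",
    "iam:GetRole", "iam:CreateAccessKey", "iam:AttachRolePolicy", "iam:PutRolePolicy",
]

# Constructed: actions able to destroy data, leak it or escalate privilege.
# Which actions count as high-risk is an organisational decision.
HIGH_RISK_ACTIONS = {
    "s3:DeleteBucket", "s3:PutBucketPolicy",
    "iam:CreateAccessKey", "iam:AttachRolePolicy", "iam:PutRolePolicy",
}

# Constructed: what the role actually did over the observation window.
OBSERVED_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]


def expand_granted_actions(policy, catalogue):
    """Expand the Allow statements' action patterns against the catalogue.

    IAM action matching is case-insensitive and '*'/'?' are the only wildcards,
    which fnmatch handles once both sides are lower-cased.
    """
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return {
        action for action in catalogue
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    }


def observed_actions(events):
    """Count observed 'service:Action' pairs, e.g. s3.amazonaws.com/GetObject -> s3:GetObject."""
    counts = Counter()
    for event in events:
        service = event["eventSource"].split(".")[0]
        counts[f"{service}:{event['eventName']}"] += 1
    return counts


def right_size(policy, catalogue, events, high_risk):
    """Compare granted vs used privileges and propose a policy with only the used ones."""
    granted = expand_granted_actions(policy, catalogue)
    used = set(observed_actions(events))
    unused = granted - used
    proposed = {
        "Version": "2012-10-17",
        "Statement": [
            # Resource scope is left as in the source policy; narrowing resources
            # is a separate step that needs the resource ARNs from the events.
            {"Effect": "Allow", "Action": sorted(used), "Resource": "*"}
        ],
    }
    return {
        "granted": sorted(granted),
        "used": sorted(used),
        "unused": sorted(unused),
        # The real finding: privileges that could cause severe damage and were
        # never exercised, so removing them costs nothing operationally.
        "unused_high_risk": sorted(unused & high_risk),
        # Activity the current policy would not allow: points at a gap in the
        # catalogue or in the eventName->action mapping, not at a grant to add blindly.
        "used_not_granted": sorted(used - granted),
        "proposed_policy": proposed,
    }


if __name__ == "__main__":
    report = right_size(GRANTED_POLICY, ACTION_CATALOGUE, OBSERVED_EVENTS, HIGH_RISK_ACTIONS)
    print(f"granted {len(report['granted'])}, used {len(report['used'])}, unused {len(report['unused'])}")
    print("unused high-risk:", report["unused_high_risk"])
```

With the constructed data the role is granted 11 actions, used 3, and has 8 it never touched, 5 of which are high-risk (bucket deletion, bucket policy changes and three IAM actions that amount to privilege escalation). Those 5 are the ones to remove first: nothing observed depends on them. In a real run the observation window matters (privileges used monthly or quarterly will look unused over a week), which is why the unused list is a proposal and why rarely needed privileges are a better fit for the on-demand model discussed later in the interview.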
What is the role of non-human identities? Do things like service accounts that connect to modular coding components, microservices, software containers and APIs feed into this issue?
All of these come into play — we are currently in the middle of unprecedented levels of automation. Automated things are associated with some form of identity (like machine identity). These are provided with certain roles.
Guess what? These roles are also created based on static assumptions. We have seen people accidentally publish access keys for AWS, and trolls grab them and begin cryptomining. We have also seen instances of hackers getting in, shutting others out and wiping out all of the data.
What is the actual time and resource commitment that a company would need to undertake to reform its privilege levels?
It’s not something that can be done in an afternoon, to be sure. It’s kind of a journey and a mindset.
This also depends on the organization’s CISO. There are some that are proactive and want to prevent these things, but it depends on their mindset. More and more CISOs are doing this. It should be noted that it is a matter of will and effort.
Does there need to be outreach to organizations to let them know that over-privileging users is a problem?
Most are aware of this problem and want to fix it. The problem is that most just do not have the resources, talent or knowledge of whether there are tools out there to help them with this.
There are not many tools to help with this. Doing it manually can be a huge effort!
If these issues of over-provisioning aren’t solved, what’s a safer alternative? Is there one on the horizon?
Balaji predicts that cloud, IoT, automation and activity-based authorization will take over in time. Organizations should move towards giving just enough privileges for the roles to operate within the space of the role.
Under a new, safer system, would privileges be requested and gained in the moment as the task requires them?
You can start off with the set of privileges you need to perform your job. If you need more, you can use privilege-on-demand or just-in-time. If you need a privilege only once a week or so, this is the way to go.
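The privilege-on-demand model just described, as an added example that is not CloudKnox's product or any cloud provider's API: a role keeps a small standing set of privileges, and anything rarer is granted for a bounded window with a recorded justification and approver, then expires on its own. Every role name, identity, action and timestamp below is constructed.

```python
"""Just-in-time (privilege-on-demand) authorization check.

Added example, not CloudKnox's product or any cloud provider's API. Every role,
identity, action and timestamp here is constructed. Standing permissions are the
small set an identity uses day to day; anything rarer is granted for a bounded
window, with a justification and approver on record, and expires automatically.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed: standing (always-on) permissions per role, kept deliberately small.
BASELINE = {
    "backup-operator": {"s3:GetObject", "s3:ListBucket"},
}


@dataclass(frozen=True)
class Grant:
    identity: str
    action: str
    expires_at: datetime
    justification: str
    approved_by: str


@dataclass
class JitAuthorizer:
    max_window: timedelta = timedelta(hours=1)
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request(self, identity, action, justification, approved_by, now, window=None):
        """Create a time-bound grant. The window is capped at max_window, and a
        grant without a justification or approver is refused: the point of the
        model is that every elevation is a recorded decision."""
        if not justification or not approved_by:
            raise ValueError("JIT grants require a justification and an approver")
        window = min(window or self.max_window, self.max_window)
        grant = Grant(identity, action, now + window, justification, approved_by)
        self.grants.append(grant)
        self.audit.append(("grant", identity, action, grant.expires_at.isoformat()))
        return grant

    def authorize(self, identity, role, action, now):
        """Allow if the action is in the role's baseline or covered by an unexpired grant."""
        if action in BASELINE.get(role, set()):
            self.audit.append(("allow-baseline", identity, action))
            return True
        for grant in self.grants:
            if grant.identity == identity and grant.action == action and now < grant.expires_at:
                self.audit.append(("allow-jit", identity, action, grant.approved_by))
                return True
        self.audit.append(("deny", identity, action))
        return False

    def purge_expired(self, now):
        """Drop expired grants so they cannot be revived or misread later; returns the count removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if now < g.expires_at]
        return before - len(self.grants)


def demo():
    """Walk one identity through baseline use, a JIT grant, and that grant's expiry."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    auth = JitAuthorizer()
    outcome = {}
    outcome["baseline_read"] = auth.authorize("alice", "backup-operator", "s3:GetObject", t0)
    outcome["delete_before_grant"] = auth.authorize("alice", "backup-operator", "s3:DeleteBucket", t0)
    # A six-hour request is capped to the one-hour maximum.
    grant = auth.request("alice", "s3:DeleteBucket", "CHG-0042: remove decommissioned bucket",
                         "bob", t0, window=timedelta(hours=6))
    outcome["window_minutes"] = int((grant.expires_at - t0).total_seconds() // 60)
    outcome["delete_during_grant"] = auth.authorize("alice", "backup-operator", "s3:DeleteBucket",
                                                    t0 + timedelta(minutes=30))
    outcome["delete_after_expiry"] = auth.authorize("alice", "backup-operator", "s3:DeleteBucket",
                                                    t0 + timedelta(hours=2))
    outcome["purged"] = auth.purge_expired(t0 + timedelta(hours=2))
    try:
        auth.request("alice", "iam:CreateAccessKey", "", "bob", t0)
        outcome["unjustified_refused"] = False
    except ValueError:
        outcome["unjustified_refused"] = True
    outcome["audit_events"] = len(auth.audit)
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is deliberately fail-closed: a privilege outside the baseline is denied unless a matching grant exists and has not expired at the time of the request, and the decision is evaluated against the caller's clock on every call rather than cached. In a real deployment the grant store and audit trail would live outside the process, and the baseline would come from the kind of activity analysis discussed earlier, not from a hand-written dictionary.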
What types of hands-on experience, education and certs would you recommend for people looking to work in access control and provisioning?
Access controls, identity and access management, and privilege management all depend on the system you are using, as they are all different. Focus on your organization and get an idea of what kinds of authorization, automation, risks and so on you can learn about.
At the end of the day, you are trying to mitigate risk and having a solid understanding of everything can help a lot in working in access control and provisioning.
Are there hands-on exercises that can help?
There are tons of these! One example is working with the cloud: you can sign up for anything you want to learn and play around with it. There are open-source flavors of a lot of interesting tools out there but as with learning anything, you need to have the passion and drive to fully understand them. Those who are experts in this area will be seen as gods by their organization.
Where do you see this trend of over-privileging identities going in the years to come for identity and access control?
Compared to ten years ago, there are now lots of non-human identities in the system and this number is expected to grow over the coming years. The industry will move towards providing just enough privileges to get the job done but not enough to potentially cause severe harm to the organization if there is an accident or malicious activity. You cannot just depend on authentication and access control.
If listeners want to learn more about you or CloudKnox, where can they go online?
You can check out cloudknox.io and the RSA Innovation Sandbox, where CloudKnox was one of the finalists for 2019.
Conclusion
In this episode of Infosec's Cyber Work podcast, Chris Sienko interviewed Balaji Parimi, founder and CEO of CloudKnox Security. They spoke about the current state of RBAC, where access control is going in the future and how organizations can start cutting identities back to the privileges they actually use.
You can see the full episode on our YouTube page.
Sources
- The Dangers of RBAC, Infosec (YouTube)