Working Towards Least Privilege in the Cloud
ABSTRACT: In 2021 cloud breaches overtook on-premise breaches. Many cloud threats could be mitigated by getting to a position of least privilege in which employees are only authorized to access the systems that they need to do their job, but getting to this point is a very painful process. AWS contains upwards of 15,000 permissions. To enable organizations to quickly grant employees access to the permissions they might need, AWS groups these permissions into a hardly more manageable set of 1187 managed policies, with an average of 91 permissions per policy, and 14 popular policies that grant access to more than 1000 permissions. This adds up to a situation in which organizations tend to massively over-grant permissions to their workers. This talk presents strategies by which organizations can assess their risk posture and work towards a position of least privilege by understanding what permissions employees actually use on a regular basis and how to identify and mitigate the risk posed by the most dangerous permissions.
BIO: Kevin Alejandro Roundy received a Ph.D. from Wisconsin in 2012, upon which he joined Symantec/Norton Research. In 2023 he left to join Andromeda Security. His career has focused on applying Machine Learning to verbose log data, ranging from Windows event logs to network and firewall logs, AV logs, etc. He co-designed the flight recorder and log analyzer for an Endpoint Detection and Response product, and developed incident detection and prioritization algorithms for Security Operations Centers. The most widely cited of his 100+ approved/pending patents describes how to discover threats in log data by analyzing relationships in security events. He currently analyzes Cloud logs to measure and mitigate security risks by applying state-of-art Machine Learning and Large Language Models.