Why Is Cloud Security So Hard? (Hint: It’s Not)
Securing a new environment without knowing the rules of the road can be hard. Take the time to learn the rules and avoid speedbumps.
A couple of weeks ago, when I logged into a website provider’s admin panel, I found a strange user in my account with admin rights that I did not recognize! As you can imagine, this triggered all my alarms. I took a screenshot, removed their access, looked them up on LinkedIn, and contacted the provider’s support right away. They were a CEO of a boutique consultancy! Who was this person and why would they have access to my account? Very odd and disturbing at the same time. Could this be a bug with the SaaS provider’s IAM system?
Of course, first-tier support couldn’t get me the logs or answer my question, so I asked for the security team. They kindly forwarded my request and said they would get back to me in a few days. Frankly, I didn’t expect my request to be forwarded or to hear back at all… but lo and behold, they responded (actually a Product Manager, not security)! After verifying my identity, they provided me the details of what transpired.
It turns out, when I invited my developer to the account, they were signed in as someone else! When they clicked the link, access was given to the account they were logged in to, not their actual account. Those pesky cookies!
Two things went wrong here:
First, the developer was logged in as someone else. Tsk, tsk. #1 rule about identity management: no shared accounts! Every login ID should be tied to a human (if your dog or cat has their own email, please leave a comment below).
Second, the SaaS website provider does not tie the invitation to the invited user. Instead, they send a public link, which anyone can open, and it grants access to whatever account happens to be signed in at that moment. This is somewhat old school and they should know better. I have since filed a bug report. Let’s see what they say.
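One way to close that second gap, shown here as an added example that is not the provider's code (the account id, e-mail addresses and in-memory stores are constructed for illustration): bind each invite token to the invited address, and at acceptance compare it to the identity of the current browser session before granting anything, logging any mismatch.

```python
import secrets
import time

# Constructed in-memory stores for the example; a real service would use a database.
INVITES = {}
AUDIT_LOG = []


def create_invite(account_id, invitee_email, ttl_seconds=86400):
    """Issue a single-use invite bound to one account and one invitee address."""
    token = secrets.token_urlsafe(32)  # unguessable, but secrecy alone is not the control
    INVITES[token] = {
        "account_id": account_id,
        "invitee_email": invitee_email.strip().lower(),
        "expires_at": time.time() + ttl_seconds,
        "used": False,
    }
    return token


def accept_invite(token, session_user_email, session_email_verified):
    """Grant access only if the signed-in identity is the invited one.

    Returns (granted, reason) so the caller can log the outcome and show an error.
    """
    inv = INVITES.get(token)
    if inv is None:
        return False, "unknown token"
    if inv["used"]:
        return False, "token already used"
    if time.time() > inv["expires_at"]:
        return False, "token expired"
    if not session_email_verified:
        return False, "session e-mail address not verified"
    # The check the post describes as missing: the current session must belong
    # to the invitee, not to whoever happened to be logged in when the link was clicked.
    current = session_user_email.strip().lower()
    if current != inv["invitee_email"]:
        AUDIT_LOG.append(
            f"invite mismatch: session {current} used token issued to {inv['invitee_email']}"
        )
        return False, "signed-in user is not the invitee"
    inv["used"] = True
    AUDIT_LOG.append(f"granted {current} access to account {inv['account_id']}")
    return True, "ok"
```

The audit entries written on mismatch are the signal an account owner would want to see in the provider's logs, rather than discovering an unexpected admin by chance.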
*Shared accounts = high-risk accounts.
Ayman Elsawah – AWS Security Strategist
P.S. Need help trusting but verifying? Let’s chat! Email me at email@example.com we can set up a time to talk, I love a good cup of coffee. Have a story to share? Comment below.
This article first appeared on LinkedIn on May 22, 2018.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.
Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service).