A Morning with Balaji Parimi
You’re probably thinking to yourself: who is Balaji Parimi anyway, and why should I read on? Until my meeting with him last week, I would have thought the same thing.
Having spent the last 20 years living in the US, he has carved out an impressive CV, working his way up through the ranks from VMware engineer to VP of Engineering and Operations at CloudPhysics. Over that time he lived through the aggressive growth of cloud computing.
Cloud infrastructure gave businesses new ways to scale up efficiently, but it also introduced a new set of cyber threats, and Balaji (like others) ran into one problem in particular: he could not easily identify all the privileged users in his environment or what they had access to. Management of identity privilege had started to spiral out of control.
Not knowing who could get into the systems, what was visible to them, what they were entitled to do and what those privileges in turn reached presented a huge risk for his organisation and for others. The rise of non-human identities (service accounts, automation and workloads acting under roles) made these questions more crucial and harder to answer. Wanting to address this problem, in 2016 he quit his job and began developing a solution.
Balaji found that organisations were relying predominantly on role-based access control (RBAC) to solve their growing identity privilege challenge. The problem is that RBAC was created over 30 years ago, in the pre-cloud era, and is fundamentally flawed when applied to today’s dynamic cloud environments. The first challenge is visibility into the cloud environment: in most cases organisations have no idea which identities are doing what to their infrastructure. The second challenge is what to do with that information once they have it: on discovering that their identities hold excessive privileges, they need to take action to mitigate the risk before something happens.
This is where Balaji’s CloudKnox comes in…
“The idea behind RBAC was to assign identities to specific roles based on their job function (e.g. admins), and privileges were granted to each role based on what was considered a necessity for an identity to be able to perform their day-to-day job. Once these roles were created, they were rarely reviewed again, and once an identity was assigned a role they were never removed from that role even if they moved to another team and were no longer performing the original job function associated with that role,” said Balaji.
Take Bob and Fred as an example. From a security perspective we want to do the right thing: grant each of them exactly the privileges they need to perform their respective jobs and nothing else. Note that although they are both “system admins”, they each perform very different tasks.
That is NOT an easy thing to do. We all have an inherent fear of revoking a privilege that someone like Bob or Fred might need down the road to do their job, so the excess is left in place.
NOW that over-provisioning of identities is happening in the cloud, it introduces a whole new set of risks, and the implications are very different: a cloud identity with excess privilege can typically reach every resource in the account through the provider’s API, not just the box it was granted on.
CloudKnox takes a different approach from the rest of the market: it enables businesses to define roles based on historical activity data. For example, if Bob has used 5 privileges and Fred has used 3 entirely different privileges over, say, a 90-day period, then instead of assigning both of them a “system admin” role with excessive privileges, the business can create a custom role for each based on that identity’s observed activity. The length of the window is a judgement call: an action used only for a quarterly task will not appear in 90 days of history, so the proposed role should be reviewed before the old one is revoked.
The same activity-based approach applies to the authorisation data the cloud provider itself records, which means non-human identities (service roles, CI pipelines, workloads) are covered alongside people. CloudKnox can then produce a full audit of every permission together with the actions actually taken under it, and use that to assign privilege and manage those identities.
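The following is an added example, not CloudKnox’s code, of the right-sizing logic described above for Bob, Fred and a non-human identity: it replays a constructed set of audit events against a hypothetical “system admin” grant and produces, per identity, the actions to keep, the actions to revoke, and anything used that the grant did not cover. The action names, identities, timestamps and the 90-day window are all assumptions made for the example.

```python
"""Right-size roles from observed activity (added example, not CloudKnox code).

A "system admin" role grants a fixed set of actions; audit events show which
of those each identity has actually used in the last 90 days. Actions used
become a custom least-privilege role; granted-but-unused actions are revoked.
Action names are AWS IAM style, but the logic is provider-neutral.
"""
from datetime import datetime, timedelta
import json

# Hypothetical "system admin" role: the over-broad grant Bob and Fred both hold.
SYSTEM_ADMIN_ACTIONS = frozenset({
    "ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances",
    "ec2:TerminateInstances", "s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
})

# Constructed audit events (identity, action, timestamp), standing in for what
# a CloudTrail export would contain. The "as of" date is fixed so the example
# is deterministic: the 90-day window therefore starts on 2020-01-01.
AS_OF = datetime(2020, 3, 31)
EVENTS = [
    ("bob", "ec2:DescribeInstances", "2020-03-30T09:12:00"),
    ("bob", "ec2:StartInstances", "2020-03-30T09:15:00"),
    ("bob", "ec2:StopInstances", "2020-02-14T18:40:00"),
    ("bob", "s3:GetObject", "2020-01-20T11:05:00"),
    ("bob", "iam:PassRole", "2020-03-02T08:00:00"),
    ("bob", "iam:CreateUser", "2019-11-01T10:00:00"),      # 151 days ago: outside the window
    ("fred", "s3:PutObject", "2020-03-29T16:22:00"),
    ("fred", "s3:DeleteBucket", "2020-03-10T12:00:00"),
    ("fred", "iam:AttachUserPolicy", "2020-01-15T09:30:00"),
    ("ci-deployer", "s3:PutObject", "2020-03-31T01:00:00"),             # non-human identity
    ("ci-deployer", "lambda:UpdateFunctionCode", "2020-03-31T01:01:00"),  # not in the grant
]


def used_actions(events, identity, as_of=AS_OF, window_days=90):
    """Distinct actions `identity` performed inside the lookback window."""
    cutoff = as_of - timedelta(days=window_days)
    return {
        action for who, action, ts in events
        if who == identity and datetime.fromisoformat(ts) >= cutoff
    }


def right_size(granted, used):
    """Split a grant into what to keep, what to revoke, and what was used but
    not in the grant (reached via some other attached policy: investigate)."""
    return {
        "keep": granted & used,
        "revoke": granted - used,
        "unexpected": used - granted,
    }


def custom_role_policy(identity, actions):
    """Render the kept actions as an IAM-style policy document. Resource is
    left as '*' here; in practice scope it to the ARNs the activity touched."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ActivityBased" + identity.title().replace("-", ""),
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": "*",
        }],
    }


def review(events, identities, granted=SYSTEM_ADMIN_ACTIONS):
    """Per-identity right-sizing report: how much of the grant is dead weight."""
    report = {}
    for who in identities:
        plan = right_size(granted, used_actions(events, who))
        plan["unused_pct"] = round(100 * len(plan["revoke"]) / len(granted))
        plan["policy"] = custom_role_policy(who, plan["keep"])
        report[who] = plan
    return report


if __name__ == "__main__":
    for who, plan in review(EVENTS, ["bob", "fred", "ci-deployer"]).items():
        print(f"{who}: keep {len(plan['keep'])}, revoke {len(plan['revoke'])} "
              f"({plan['unused_pct']}% of the grant unused), "
              f"unexpected {sorted(plan['unexpected'])}")
        print(json.dumps(plan["policy"], indent=2))
```

Two things to check before cutting over: the window is the tuning knob (Bob’s iam:CreateUser from November falls outside 90 days and is revoked, which is the “fear” above made measurable), and a non-empty “unexpected” set means the identity reached an action through a path other than the role being replaced, so revoking that role alone will not remove it.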
Analysts seem to agree that cloud security and management are among the top five challenges facing CISOs. CloudKnox has been designed and written specifically for the cloud and directly addresses the issues organisations face, rather than being an on-premises solution re-imagined for it.
To find out whether Balaji has identified something you could benefit from, request a free risk assessment.
CloudKnox also integrates with AWS IAM Access Analyzer, a newer AWS function that analyses resource-based policies (on S3 buckets, IAM roles, KMS keys and the like) and flags resources that principals outside the account can reach, helping administrators and security teams protect those resources from unintended access.
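As an added example (not AWS’s Access Analyzer and not CloudKnox code) of the kind of check that sentence describes, the following scans a constructed S3 bucket policy for Allow statements whose principal lies outside a hypothetical account 111122223333, unless a condition pins the caller back to that account. The account ID, bucket name, partner role ARN, and the fact that only two condition keys are modelled are all assumptions made for the example.

```python
"""Spot resource policies reachable from outside the account (added example,
modelled on the kind of check AWS IAM Access Analyzer performs; not AWS code).

A statement is flagged when it allows a principal that is not in this account
(or is "*") and no condition pins the caller back to this account.
"""
ACCOUNT_ID = "111122223333"          # hypothetical zone of trust

# Constructed bucket policy mixing safe and unsafe statements.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CrossAccountWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999988887777:role/partner-uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/inbound/*"},
        {"Sid": "SameAccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "OrgWideButPinned", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalAccount": ACCOUNT_ID}}},
        {"Sid": "CloudTrailDelivery", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Normalise the Principal element to (kind, id) pairs."""
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, p) for kind, val in principal.items() for p in _as_list(val)]


def _account_of(kind, pid):
    """Account ID a principal belongs to, '*' if anyone, None if not an account."""
    if kind != "AWS":
        return None                        # Service / Federated principals
    if pid == "*":
        return "*"
    if pid.startswith("arn:aws:iam::"):
        return pid.split(":")[4] or "*"    # arn:aws:iam::<acct>:...; wildcard ARNs have '*'
    return pid                             # bare 12-digit account ID


def _pinned_to_account(stmt, account_id):
    """True if a StringEquals condition restricts the caller to this account.
    Only two common keys are modelled here (an assumption for the example);
    a real analyser evaluates the full condition language."""
    equals = stmt.get("Condition", {}).get("StringEquals", {})
    for key in ("aws:PrincipalAccount", "aws:SourceAccount"):
        if key in equals and set(_as_list(equals[key])) == {account_id}:
            return True
    return False


def find_external_access(policy, account_id=ACCOUNT_ID):
    """Return Allow statements reachable from outside `account_id`."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        external = [pid for kind, pid in _principals(stmt["Principal"])
                    if _account_of(kind, pid) not in (None, account_id)]
        if external and not _pinned_to_account(stmt, account_id):
            findings.append({
                "sid": stmt.get("Sid"),
                "public": "*" in external,
                "principals": external,
                "actions": _as_list(stmt["Action"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_external_access(SAMPLE_BUCKET_POLICY):
        level = "PUBLIC" if f["public"] else "cross-account"
        print(f"{level}: {f['sid']} lets {f['principals']} do {f['actions']}")
```

On the constructed policy this reports PublicRead as public and CrossAccountWrite as cross-account, while the same-account statement, the “*” statement pinned by aws:PrincipalAccount, and the CloudTrail service principal are left alone; a cross-account finding is not necessarily a bug, it is the thing someone has to sign off on.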
A recent BBC report highlights the importance of defending mobile devices that can access corporate data, not just from obviously rogue apps (for example by blocking sideloading) but also from seemingly ‘good’ apps that may contain recycled code.