Mastering the Identity Management Lifecycle: The Essential Guide

Imagine this: Your company parts ways with an unhappy ex-employee who still has access to cloud resources and applications. Although you assume they won’t take sensitive data to a competitor, how can you be sure?

A shocking 83% of people say they still had access to their previous employer’s digital assets, including third-party integrations connected to their environment. This problem is not just about security – it’s also about preserving your company’s integrity, reputation, and competitive edge. That’s why it is essential to clearly understand the identity management lifecycle to safeguard your organization against such breaches.

What is Identity Lifecycle Management?

Identity Lifecycle Management (ILM) is a comprehensive process that involves the management of your organization’s digital identities (individuals, devices, or entities) throughout their entire lifecycle. ILM includes various stages like creation, modification, usage, and eventual de-provisioning or retirement of digital identities. The primary goal of ILM is to ensure that these identities are correctly and securely managed from their initial creation to their termination.

ILM helps you maintain security, prevent unauthorized access, and comply with regulatory requirements by ensuring digital identities are always aligned with your organization’s needs and policies.

What is the Identity Lifecycle Management Process?

ILM is crucial for managing your company’s access, security, and compliance. This process ensures that the right individuals have the appropriate level of access to resources, enhancing security and efficiency. ILM consists of several key phases:

  • Onboarding: Creating an identity when a new user joins involves provisioning access to relevant resources, setting permissions, and establishing initial configurations.
  • Ongoing Access Modifications: This phase involves modifying access permissions to ensure they align with the user’s current responsibilities.
  • Monitoring and Reporting: Consistent monitoring of access activities is crucial for identifying suspicious behavior or unauthorized access. 
  • Offboarding: The process of deactivating a user’s access to resources when they leave the organization. 

Why Do You Need Automated Identity Lifecycle Management?

When your organization scales, manual identity management processes can be complicated, error-prone, and time-consuming, which is why automated identity lifecycle management offers a range of benefits:

  • Efficiency: Streamlines the identity management process, reducing administrative overhead and ensuring that identity-related tasks are performed quickly and accurately.
  • Security: Enforces consistent security policies and access controls. It can automatically revoke or adjust user privileges when someone changes roles, leaves the organization, or when security threats are detected.
  • Compliance: Helps organizations demonstrate compliance with regulations like GDPR, HIPAA, and others by providing auditable access controls and data governance.
  • Risk reduction: Manual processes are prone to errors, oversights, and inconsistencies. Automated ILM can reduce the risk of security breaches, data leaks, and compliance violations by ensuring that user identities and access permissions are always up to date.
  • Scalability: Automated ILM solutions can scale with your organization, ensuring that identity management remains efficient and effective even as your business expands.
  • User experience: Enhances the user experience by providing self-service options for identity-related tasks. Users can reset passwords, request access, and manage their profiles more easily, reducing the burden on IT support.

Mastering Identity Lifecycle Management: The Essential Guide

Although automation provides multiple benefits to the identity management process, you might face some challenges when implementing it. So, let’s discuss the tips and best practices for overcoming the challenges associated with digital identity management.

1. Automate Onboarding and Offboarding

Effective identity management starts with automated onboarding and offboarding to streamline the provisioning of accounts for new hires and remove access for departing employees. This automation ensures that employees quickly access the necessary resources, which boosts productivity. Also, it simplifies the de-provisioning process when employees leave, enhancing overall security and operational efficiency by protecting your business against disgruntled ex-employees.

Actionable tips to follow: 

  • Use rule-based access control to assign access rights based on job roles and responsibilities.
  • Integrate identity management with HR systems to synchronize employee data.
  • Define access templates that outline the specific permissions and resources required for various job roles.

2. Contractor and Temporary Employee Management

Contractors and temporary employees require distinct identity management strategies to ensure that these individuals have access only to the resources necessary for their specific roles. This process involves creating separate user groups and access policies for these workforce segments, promoting a more tailored and secure approach.

Actionable tips to follow: 

  • Define specific access policies for contractors and temporary employees.
  • Implement automated solutions to provision and de-provision access based on contract durations.
  • Review and adjust access privileges periodically to ensure alignment with job responsibilities and contract terms.

3. Access Level Updates

As employees change roles or responsibilities, organizations must also modify their access. Automation through role-based access control (RBAC) systems ensures that employees always have the right resources for their current roles while following the ‘trust no one, always verify’ approach of the Zero Trust Maturity Model.

Actionable tips to follow: 

  • Align employee roles with their job descriptions.
  • Use automation to enforce access policies consistently.
  • Periodically review and update role definitions.
  • Create a straightforward process for employees to request role changes. 
  • Periodically certify access levels to verify that employees have only the necessary resources for their roles.

4. Secure Offboarding

Secure offboarding is essential for minimizing the risk of disgruntled ex-employees who maintain access to critical systems. It involves immediate revocation of access rights, asset retrieval (such as laptops and access cards), and thorough exit interviews. This comprehensive process ensures departing employees cannot access company systems, therefore safeguarding your organization.

Actionable tips to follow: 

  • Disable access rights instantly upon an employee’s departure to prevent unauthorized access.
  • Ensure the return of company assets, such as laptops and access cards, during offboarding.
  • Conduct thorough exit interviews to identify potential issues or risks.
  • Maintain an inventory of assets.

5. Attribute and Password Management

Managing user attributes and passwords is fundamental to identity management, including enforcing strong password policies, promoting multi-factor authentication (MFA), and automating attribute updates. Ultimately, it will enhance security by reducing the risk of data breaches and ensuring compliance with regulatory requirements.

Actionable tips to follow: 

  • Enforce strict password policies, including complexity requirements and regular changes.
  • Use MFA to enhance security.
  • Utilize identity management tools to automate attribute updates.
  • Provide a password manager tool to help users generate and securely store complex passwords.

6. Audit and Reporting

Regular audits and reporting are integral to effective identity lifecycle management. Audits involve the periodic review of user accounts, access rights, and system logs to detect anomalies and potential security breaches. Automated reporting generates insights into compliance adherence and potential threats, helping you keep in line with industry regulations and internal policies.

Actionable tips to follow: 

  • Conduct periodic audits of user accounts, access rights, and system logs to detect anomalies and potential security breaches.
  • Use identity management tools that generate automated reports and alerts based on predefined criteria.
  • Use reporting to demonstrate compliance with industry regulations and internal policies.
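
The offboarding, contractor, access-level and audit tips above all come down to reconciling an authoritative HR record against the accounts that actually exist. The following is an added example, not code from the original article or from any vendor product; the record layouts, role templates, user names and the 90-day staleness threshold are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical access templates: the entitlements each job role should hold.
ROLE_TEMPLATES = {
    "engineer": {"git", "ci", "vpn"},
    "finance": {"erp", "vpn"},
    "contractor-dev": {"git"},
}

@dataclass(frozen=True)
class HRRecord:
    user: str
    role: str
    status: str                          # "active" or "terminated"
    contract_end: Optional[date] = None  # set for contractors and temps

@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    entitlements: frozenset
    last_login: Optional[date]

@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str

def audit(hr_records, accounts, today, stale_after_days=90):
    """Compare the account inventory with the HR roster and return findings."""
    hr = {r.user: r for r in hr_records}
    findings = []
    for acct in sorted(accounts, key=lambda a: a.user):
        if not acct.enabled:
            continue  # already de-provisioned, nothing to revoke
        rec = hr.get(acct.user)
        if rec is None:
            findings.append(Finding(acct.user, "orphaned",
                                    "no HR record owns this account"))
            continue
        if rec.status == "terminated":
            findings.append(Finding(acct.user, "terminated_active",
                                    "user left but the account is still enabled"))
            continue
        if rec.contract_end is not None and rec.contract_end < today:
            findings.append(Finding(acct.user, "contract_expired",
                                    f"contract ended {rec.contract_end.isoformat()}"))
        # Entitlements beyond the role template usually survive a role change.
        excess = acct.entitlements - ROLE_TEMPLATES.get(rec.role, set())
        if excess:
            findings.append(Finding(acct.user, "excess_entitlement",
                                    ",".join(sorted(excess))))
        if acct.last_login is None or (today - acct.last_login).days > stale_after_days:
            findings.append(Finding(acct.user, "stale",
                                    f"no login within {stale_after_days} days"))
    return findings

# Constructed sample data (not taken from any real environment).
TODAY = date(2024, 1, 15)
SAMPLE_HR = [
    HRRecord("alice", "engineer", "active"),
    HRRecord("bob", "finance", "terminated"),
    HRRecord("carol", "contractor-dev", "active", contract_end=date(2023, 12, 31)),
    HRRecord("dave", "engineer", "active"),      # moved over from finance
    HRRecord("erin", "engineer", "active"),
    HRRecord("frank", "finance", "terminated"),  # offboarded correctly
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"git", "ci", "vpn"}), date(2024, 1, 10)),
    Account("bob", True, frozenset({"erp", "vpn"}), date(2023, 12, 1)),
    Account("carol", True, frozenset({"git"}), date(2024, 1, 12)),
    Account("dave", True, frozenset({"git", "ci", "vpn", "erp"}), date(2024, 1, 14)),
    Account("erin", True, frozenset({"git"}), date(2023, 9, 1)),
    Account("frank", False, frozenset(), date(2023, 11, 20)),
    Account("svc-old", True, frozenset({"ci"}), None),  # nobody owns it
]

if __name__ == "__main__":
    for f in audit(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY):
        print(f"{f.user:8} {f.issue:20} {f.detail}")
```

Run on a schedule against exports from the HR system and the identity provider, the findings list doubles as the audit report and as the work queue for revocation.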

7. Training and Awareness

Educating employees on security best practices is essential to increase their awareness of their responsibilities. Training programs help employees understand threats like phishing, the importance of strong password practices, and adherence to security policies.

Actionable tips to follow: 

  • Develop awareness programs covering different areas related to your organization’s security.
  • Conduct periodic training sessions.
  • Tailor training content to the specific roles of employees.
  • Use real-life examples and scenarios to illustrate security threats.

Your Automated Solution to Identity Lifecycle Management Challenges: Rezonate 

This article discussed the ins and outs of ILM, but following these best practices might not be enough to survive in the fast-changing world of digital security. New threats are always popping up, and you need a more active and straightforward way of managing identities. 

To protect your identities at speed and scale, choose an automated IAM solution like Rezonate. Rezonate simplifies privilege management, giving your IT team total visibility over all your identities and access behaviors immediately. Real-time risk scoring provides valuable insights for your teams to swiftly recognize and address security gaps, helping proactively enforce a least privileged access model and ensure users only have the access they need.

Rezonate automatically detects identities that are not active for customizable periods of time. Our solution identifies specific entitlements that are not being used by identities and allows for a smoother and more secure offboarding process.
Request a demo today to stay ahead in the digital security landscape.

More Articles
7 Tips to Make Sense of the Gartner IAM Magic Quadrant

The world of Identity and Access Management (IAM) is not just about selecting a vendor – it's about selecting the right vendor. In a rapidly evolving sector, making informed decisions is critical for your business to stay secure and efficient. With its long-standing reputation in tech research, Gartner has led the way in offering crucial insights into this domain. A telling projection is that by 2026, 90% of organizations will primarily rely on identity threat detection tools – a jump from less than 20% today. This shift underscores the criticality of understanding the IAM vendor landscape and making informed choices.

What is the Gartner IAM Magic Quadrant and What Does it Mean?

The Gartner IAM (Identity and Access Management) Magic Quadrant is a research methodology that presents a graphical representation of a market's direction, maturity, and participants. It offers an analysis of technology providers in the IAM domain, focusing on their ability to deliver and the completeness of their vision.

The IAM Magic Quadrant evaluates the strengths and weaknesses of the most significant providers in the marketplace. It offers custom category weighting, showcasing the evolution of the vendor space over time. Furthermore, it incorporates user reviews to provide a comprehensive understanding of each vendor, ensuring a cap of twenty vendors to maintain the quality and significance of its insights. Getting included in the Magic Quadrant means getting exclusive approval from Gartner, which proves to your customers that you are an exceptional vendor.

The Four Quadrants:

1. Challengers

Challenger providers have a good capability to execute but may not have a fully realized vision. They are solid and stable, often having a large market presence, but may lack innovative features or forward-looking strategies.

2. Leaders

Leader vendors excel in both their ability to execute and the completeness of their vision. They are often the dominant players, demonstrating a clear understanding of market needs and exhibiting robust performance through a comprehensive range of products.

Rezonate integrates with a Magic Quadrant Leader, Okta, to help detect risks and threats across your Okta infrastructure through least privilege best practices and auto-remediation. No matter how big a vendor’s reputation is, it’s always essential to consider solutions like Rezonate that continuously monitor your systems and offer real-time threat protection.

3. Niche Players

Niche players focus on a specific segment or have a limited innovation capability beyond their niche. They may excel in their specialized domain but not offer a broad suite of solutions or expansive growth strategies.

4. Visionaries

Visionaries are companies that showcase a strong ability to envision future market trends and plan accordingly, even if they might currently lack execution capability. They are innovative and forward-thinking, often introducing new features and capabilities ahead of the market.

What are the Goals of the Magic Quadrant?

The Gartner IAM Magic Quadrant is designed to help you navigate the often intricate landscape of IAM vendors. Its primary goals and benefits include:

Informed Decision Making

The Magic Quadrant serves as a guide for businesses to choose the right vendor, ensuring they evade the costly repercussions of a suboptimal decision. With a comprehensive analysis of each vendor's strengths and weaknesses, businesses can make choices that align with their specific needs and objectives.

Optimized Expenditure

The Magic Quadrant is pivotal in financial planning as it benchmarks vendor pricing against the market. This means businesses can show if they are getting value for money or if they can achieve the same or better outcomes at a more competitive price point.

Minimized Complexity and Risk

One of the unsung advantages of the Magic Quadrant is its analysis of contract terms and conditions. By doing so, Gartner helps shield businesses from unforeseen costs and potential pitfalls, ensuring a smoother engagement with vendors and a more predictable budgetary landscape.

In effect, the Magic Quadrant is a strategic compass, guiding businesses toward vendors that meet their immediate needs and align with their long-term goals while ensuring cost-effectiveness and reduced risks.

7 Tips to Make Sense of the Gartner IAM Magic Quadrant

Navigating the Gartner IAM Magic Quadrant can initially seem daunting, given its comprehensive analysis of vendors. However, understanding its methodology and nuances can help both IAM vendors aiming for a spot in the Quadrant and businesses seeking the best solution. Here's a breakdown of seven critical sections of the report:

1. Market Definition/Description

Understanding the IAM market as defined by Gartner is crucial:

“Gartner defines access management (AM) as tools that establish, enforce and manage journey-time access controls to cloud, modern standards-based web and legacy web applications.”

For example, Gartner-approved capabilities provided by AM tools could include:

  • API access control
  • User authentication (e.g. least privilege and zero trust principles)
  • Advanced lifecycle management capabilities
  • Journey-time orchestration in the context of access management
  • Internal access administration (e.g. user onboarding and provisioning)
  • Reporting for compliance purposes

Gartner's market definition ensures businesses are comparing vendors catering to the same market segment. When you align your vendor evaluations with Gartner's definition, you're better poised to select a solution that truly fits your needs. On the other hand, vendors should streamline their offerings to fit within this defined market. By doing so, they enhance their visibility and relevance in the Quadrant.

Caption: This graph shows where the top vendors lie in the four quadrants.

2. Inclusion Criteria

The inclusion criteria are akin to the gatekeepers of the Magic Quadrant. They stipulate the fundamental requirements a vendor must meet to be considered. For businesses like yours, this gives you confidence that every vendor in the Quadrant has already met a baseline of quality and capability. Vendors aiming for a spot should meticulously tailor their pitches and presentations to highlight how they meet or surpass these criteria.

3. Exclusion Criteria

While the inclusion criteria set the stage, the exclusion criteria provide a reality check. Knowing who didn't make the cut – and why – can offer you clarity on Gartner's stringent standards. In contrast, vendors should steer clear of pitfalls that lead to exclusion. Avoiding exclusionary factors is paramount, whether this means ensuring a significant market presence or ramping up core IAM capabilities.

4. Evaluation Criteria Part 1 | Ability to Execute

A vendor's operational prowess comes to the forefront with their ability to execute, encompassing everything from product quality to overall business health. For businesses, the Magic Quadrant offers a peek into a vendor's operational strengths and potential longevity in the market. Vendors can bolster their position by relentlessly improving product quality, fortifying their financial health, and refining their customer service approach.

Table 1: Ability to Execute Evaluation Criteria (Evaluation Criteria: Weighting)

  • Product or Service: High
  • Overall Viability: Medium
  • Sales Execution/Pricing: High
  • Market Responsiveness/Record: High
  • Marketing Execution: Medium
  • Customer Experience: High
  • Operations: Low

As of August 2022
Source: Gartner (November 2022)

5. Evaluation Criteria Part 2 | Completeness of Vision

A vendor's foresight is illuminated through their completeness of vision. Businesses can glean insights into whether a vendor is merely keeping pace or truly pioneering the future of IAM using the Magic Quadrant. This criterion serves as a testament to a vendor's innovation and adaptability. Vendors can impress Gartner by immersing themselves in continuous market research, aligning their strategies with emerging trends, and remaining receptive to user feedback.

Table 2: Completeness of Vision Evaluation Criteria (Evaluation Criteria: Weighting)

  • Market Understanding: High
  • Marketing Strategy: Medium
  • Sales Strategy: Low
  • Offering (Product) Strategy: High
  • Business Model: Medium
  • Vertical/Industry Strategy: Low
  • Innovation: High
  • Geographic Strategy: High

As of August 2022
Source: Gartner (November 2022)

6. Market Overview

The IAM market is in constant flux, marked by innovations, challenges, and shifts highlighted in the Magic Quadrant report. The market overview section gives businesses a panoramic view of IAM industry activity, helping you align with prevailing best practices and be attuned to upcoming changes. Vendors can carve out a competitive edge by staying in sync with market movements and preemptively addressing emerging needs in their product offerings.

7. User Reviews

In an age of information overload, authentic user reviews stand out. They offer businesses a raw, unfiltered view of a vendor's offerings, echoing the voice of real-world users. Gartner's rigorous process ensures these reviews are comprehensive and trustworthy. Vendors can enhance their Quadrant positioning by nurturing customer relationships, promptly addressing concerns, and cultivating an ecosystem where satisfied users are advocates.

Navigate the IAM Landscape With a Gartner-approved Vendor

The Gartner IAM Magic Quadrant provides you with a clear compass to navigate the IAM vendor space. By breaking down the market, evaluating vendors meticulously, and incorporating valuable user reviews, it offers companies like yours a robust tool to make strategic decisions in the realm of Identity and Access Management.

But there’s more to the IAM industry than the Magic Quadrant report. Recognized as a Cool Vendor in the 2023 Gartner Cool Vendors Report in Identity-First Security, Rezonate is making waves with our forward-thinking approach. Our commitment to identity-centric security tackles the pressing challenges of compromised identities and rising breach costs. Explore Rezonate’s platform or request a demo to see firsthand how identity-first security can redefine your protection strategy.
Breaking The Vicious Cycle of Compromised Identities

As we at Rezonate analyze the 2023 Verizon Data Breach Investigations Report, an unmistakable deja vu moment grips us: A staggering 74% of all breaches are still exploiting the human factor — be it through errors, misuse of privileges, stolen credentials, or social engineering. This recurring theme serves as a clear call for businesses to switch gears and move away from static security approaches towards a more dynamic, identity-centric model.

An Unyielding Threat Landscape

Year after year, our IT landscape and attack surface continue to expand. Cloud adoption has soared, hybrid work is becoming the norm, and our infrastructure continues to evolve. Yet, the threat statistics remain frustratingly consistent. This consistency points to a key issue: our security measures aren’t keeping up.

Traditional security approaches, designed for a static operational model and distributed across tools and teams, are only increasing complexity and not meeting the demands of an ever-changing, dynamic infrastructure. In turn, this provides ample opportunities for attackers. The prevalence of shadow access, an increased attack surface, and greater reliance on third parties all present identity access risks, making it harder to see, understand and secure the enterprise's critical data and systems.

How Are Attackers Winning?

Attackers are using simple yet effective methods to gain access to valuable data without the need for any complex malware attacks. These include a variety of account takeover tactics: bypassing stronger controls such as MFA, compromising identities, access, credentials and keys, brute forcing email accounts, and easily expanding laterally as access is permitted between SaaS applications and cloud infrastructure.

Stolen credentials continue to be the top access method for attackers as they account for 44.7% of breaches (up from ~41% in 2022). Threat actors will continue to mine where there’s gold: identity attacks across email, SaaS & IaaS, and directly across identity providers.

Where We Fall Short

Security teams are challenged by their lack of visibility and understanding of the entire access journey, both across human & machine identities, from when access is federated to every change to data and resource. We're also seeing gaps in real-time detection and response, whether it be limiting user privileges or accurately identifying compromised identities. These shortcomings are largely due to our reliance on threat detection and cloud security posture management technologies that fail to deliver the immediate, accurate response required to successfully contain and stop identity-based threats.

What Should You Do Different?

We’re observing that businesses adopting an identity-centric approach:

  • Gain a comprehensive understanding of their identity and access risks, further breaking data silos,
  • Are able to better prioritize their most critical risks and remediation strategies,
  • Can more rapidly adapt access and privileges in response to every infrastructure change,
  • Automatically mitigate posture risks before damage is inflicted, and
  • Confidently respond and stop active attacks.

Identities and access, across your cloud, SaaS, and IAM infrastructure, are constantly changing. Your security measures must evolve in tandem. The identity-centric operating model enables businesses to proactively harden potential attack paths and detect and stop identity threats in real-time.

Breaking the cycle in Verizon DBIR 2024

Now is the time to make a change. Let’s change our old set-and-forget habits and know that security needs to be as dynamic and adaptive as the infrastructure it is protecting.

For more information about how Rezonate can help you build or further mature your identity security, contact us and speak with an identity security professional today.

This post was written by Roy Akerman, CEO and Co-Founder at Rezonate, and former head of the Israeli Cyber Defense Operations.
From GitHub to Account Takeover: Misconfigured Actions Place GCP & AWS Accounts at Risk

In April 2023, Rezonate research team explored prevalent misconfigurations of GitHub integration with cloud native vendors. GitHub OIDC-based trust relations have been found with the critical misconfigurations that leave connected AWS/GCP accounts vulnerable to potential takeover attacks. Although this issue was discovered and reported in the past, we have found that dozens of GitHub Public Repositories, and potentially many private ones, have demonstrated this critical issue, leaving dozens of companies vulnerable. The team notified recognizable affected organizations, but there may be more private repositories and organizations at risk. In this article, we will introduce the misconfiguration research process,  explain the OIDC implementation process that GitHub uses to authenticate to the cloud, present the misconfigurations that we have identified across various organizations, provide a step-by-step guide for discovering and fixing the problem, and propose how to avoid the issue completely. Key Points Rezonate research team has explored an attack vector that exposed AWS & GCP accounts to unauthorized access through misconfigured OpenID (OIDC) GitHub Actions role. Based on our scans, these known misconfigurations exist in dozens of the GitHub public repositories that use Github OIDC provider to AWS or GCP. During the last few weeks, the Rezonate team has reached out to a few dozens of vulnerable organizations and personal accounts, providing them with information in order to remediate this misconfiguration. To check whether your GCP or AWS accounts have been affected by this misconfiguration, please refer to the “Remediation Guidelines” section. Background Cloud and SaaS technologies have made identity and access controls the connective tissue between operational tools and cloud-native environments. 
To ensure business operations flow as seamlessly and as fast as possible, IAM and Devops teams are required to share administrative access and create trust relations between 3rd-party tools and their core cloud environments. The key challenge is to limit privileges and conditions on these cases, and to protect and monitor this highly-privileged administrative access. One of the most common examples of trust relations can be found in a software CI/CD pipeline, where strong privileges and access to an organization’s Cloud infrastructure are provided. We’ve seen dozens of cases where this access path was exploited due to misconfigurations, lost credentials and access keys, and compromised supply chains such as the CircleCI incident, the NPM incident, and many others. Figure 1: Attacker scans for misconfigured trust relations in GitHub, and uses them to impersonate a CI/CD app, gaining full access to AWS or GCP accounts. Due to the highly-sensitive nature of these access paths, CI/CD vendors have added support for the OpenID Connect (OIDC) protocol to supply short-term credentials, which are considered more secure. The trend toward OIDC support is reflected through the announcements of GitHub, GitLab, and CircleCI within the last 2 years. OIDC is a modern, secure authentication method for creating trust relationships, but when not configured correctly, the method can become the root cause of a hidden, critical access risk. Even though these misconfigurations were reported in the past, in books, as well as in security blogs, the Rezonate research team has identified many organizations that remain vulnerable.  GitHub OpenID Provider Integration The GitHub OIDC deployment guide highlights many advantages to using OIDC over access keys. OIDC allows you to adopt good security practices, such as: No cloud secrets: Eliminating the need to store cloud credentials as long-lived secrets. 
Instead, workflows will request and use a short-lived access token from the cloud provider through OIDC. Authentication and Authorization management: Having granular control over how workflows can use credentials, using the cloud provider's authentication and authorization tools to control access to cloud resources. Rotating credentials: With OIDC, the cloud provider issues a short-lived access token that is only valid for a single job, and then automatically expires. The following diagram provides an overview of how GitHub's OIDC provider integrates with GitHub Actions and the cloud provider: Figure 2: Overview of GitHub OIDC provider integration In general, integration involves the following steps: Start by creating an Identity Provider in the target cloud environment. GitHub Actions will generate an OIDC temporary token containing execution context (such as the repository, organization, or branch). GitHub will send a request to the cloud provider, containing the GitHub OIDC token. The cloud provider will validate the token and the context, and exchange it with short-lived credentials that allow access to the cloud environment. GitHub OIDC Integration with GCP & AWS Integrating GitHub Actions through OIDC includes setting up trust between the cloud infrastructure and GitHub, which workflows can then use to access roles and service accounts. Configure Trust The process of configuring trust between the cloud provider and GitHub is similar between different cloud providers, and includes two main steps: Create an OIDC Identity Provider that points to: https://token.actions.githubusercontent.com. Create a Role or Service account and establish trust with the recently created Identity Provider. Let's examine the setup for GCP and AWS. Configure Trust with GCP Based on Google Cloud documentation, the following process creates a Workload Identity Federation, which provides the issuer ID and basic attribute mapping. 
Figure 3: Creating a Workload Identity Federation Optionally, after configuring the attribute mapping according to the Google Cloud documentation, add Attribute Conditions such as a GitHub organization, repository, or branch. Figure 5: Adding Attribute Conditions Now that we have the Identity Provider configured, we can bind it to service accounts and allow GitHub to use them as part of its workflow. In the picture below we can see the github-actions-integration service account connected to the Identity Provider recently created.  Figure 5: Bind service accounts to Identity Provider Configure Trust with AWS Similar to GCP, AWS starts with creating a new Identity Provider (OpenID Connect) with the GitHub Provider URL. Figure 6: Create an Identity Provider in AWS Next, we can create an IAM Role and reference the recently created Identity Provider, allowing users federated by the Identity Provider to assume roles in the account. Figure 7: Create an IAM Role Next, we name the role, add a description, and modify the access conditions of the role. By default the trust policy condition only includes audience filters. Figure 8: Modify access conditions using filters As mentioned in the GitHub integration documentation, it's highly recommended that you limit access to specific repositories by adding filters against the token subject. Note that by default the AWS process does not enforce adding additional conditions. To add conditions, click the “Edit Policy” button, which reveals the following warning: Figure 9: Missing additional conditions warning in AWS Configure GitHub Workflow Now that everything is configured from the cloud infrastructure side, the next step is to use the relevant GitHub actions as part of the workflow. First, add permissions to the workflow, allowing it to read an OIDC token. 
Add the following permissions to the beginning of the workflow YAML file:

Figure 10: Add permissions to GitHub workflow

Next, add the matching action to the authentication process, based on the cloud provider:

  • For AWS, use the configure-aws-credentials action:

Figure 11: Add matching action to authentication process - AWS

  • For GCP, use the google-github-actions/auth action:

Figure 12: Add matching action to authentication process - GCP

After performing the steps above, the integration process is completed and the workflow can perform operations in the cloud environment.

Potential Misconfiguration

Although the integration between the cloud and GitHub is relatively simple, potential misconfigurations could expose access to unauthorized parties. GitHub articles refer to conditional access as part of the integration process. However, the cloud infrastructure does not flag or alert when conditional access is not being used. The lack of notification from the cloud provider during the setup increases the chances that an organization will have misconfigured trust settings. Those misconfigurations may result in roles and service accounts that can be abused by threat actors, leading to unauthorized access.

As a result of our research, we have discovered two specific types of misconfigurations that can be exploited by attackers to gain unauthorized access to a trusted cloud account.

Misconfiguration - Lack of Subject Condition

This misconfiguration occurs when the user who integrated the role did not add conditional limitations to cloud access. This misconfiguration allows any GitHub organization to access the cloud account.

Misconfiguration - Poorly-Defined Condition Pattern

This misconfiguration occurs when the conditions defined limit the subject, but are not restrictive enough and thus can be bypassed.
For example, the subject condition may include a wildcard to allow all the repositories in the organization to use the same role or service account as part of the GitHub Actions workflow. If the wildcard is mistakenly placed in the organization name (and not in the repository name), the condition allows unauthorized access from any GitHub organization with a name that fits the pattern.

Identifying Vulnerable Organizations

To identify vulnerable organizations and understand how prevalent misconfigurations are, we used GitHub search, looking for Actions workflows that use OIDC with AWS or GCP. Using GitHub Code Search, we executed the following queries:

Figure 13: GitHub Code Query - AWS OIDC Workflows

Figure 14: GitHub Code Query - GCP OIDC Workflows

We split the query into subqueries to avoid reaching GitHub’s result limit, and eventually produced a list of roles and accounts that were potentially vulnerable. Having the list, the next step was to identify what was misconfigured. The GitHub Actions query returned thousands of results, and checking them through GitHub Actions would be time-consuming. As a workaround, the team developed a different approach to identify vulnerable organizations using self-hosted runners.

Self-Hosted Runners

GitHub self-hosted runners are a feature that allows organizations to execute parts of the GitHub Actions workflows in their own environment. The team discovered that by controlling the machine that authenticates against the cloud, we can extract the OIDC token, and perform batch tests on AWS roles and GCP service accounts outside of GitHub. The batch tests included the following steps:

  • Set up a self-hosted runner: Download and install the GitHub self-hosted runner.

Figure 15: Our self-hosted runner

  • Configure the runner to proxy all of the traffic through our local proxy: Use the http-proxy parameter within the GitHub action.

Figure 16: The GitHub workflow configured to trigger token generation.
  • Intercept a workflow request and extract the Web Identity Token: After everything was ready, we triggered the workflow by performing a commit to the repository. The commit started a GitHub workflow which performed a network request to assume the target role with the Web Identity token. Then, we extracted the token from the request sent by the runner to AWS.

Figure 17: Extract token from runner request - AWS

Decoding the JWT Token reveals our sub, along with other identifiers that are being sent and logged by the cloud provider as part of the authentication process.

Figure 18: Decoding JWT token

  • Copy the token to our multithreaded script, which will check the potentially vulnerable roles. Using a pre-developed script and leveraging Boto3 and Gcloud, we scanned a list of potentially vulnerable roles while having the JWT at hand.

Results

After reducing duplicate roles and service accounts, we scanned approximately 1500 roles and service accounts across GCP and AWS. As for the first misconfiguration, lack of subject condition, we determined that dozens of the roles were vulnerable, allowing anyone to use them to access the accounts. The second misconfiguration, poorly-defined condition, was harder to test and required setting up a dedicated GitHub organization per target. Thus, we performed a random test against 20 organizations, finding one of them to be vulnerable to this attack.

The vulnerable accounts included various organizations, including private companies, non-profit organizations, software development studios, and many personal accounts. During the last few weeks we have reached out to the relevant organizations and people, sending them information regarding the vulnerable roles and sharing remediation guidance.

Remediation Guidelines

Could My Environment Be Affected?

Based on our research, this type of misconfiguration is a risk for AWS and GCP users who use GitHub Actions with modern authentication (OIDC).
Identify Potential Misconfigurations: Lack of Subject Conditions

To identify this misconfiguration in AWS, check for roles that have no subject limitations in their trust policy.

Figure 19: Misconfigured Role with no Subject - Example - AWS

To identify this misconfiguration in GCP, check for service accounts connected to the Identity Provider that have access to the entire pool.

Figure 20: Misconfigured Role with no Subject - Example - GCP

Identify Potential Misconfigurations: Poorly-Defined Conditions

To identify this misconfiguration in AWS, locate the StringLike conditions for roles that are connected to the Identity Provider, and check for wildcards in the organization name.

Figure 21: Misconfigured Role with Poorly-Defined Condition Pattern - AWS

For example, in this case, we have a role that was originally intended to be used by different repositories within the Rezonate organization. Since the StringLike conditions included a wildcard in the organization name, every organization that starts with “rezonate” can assume this role. This means that an attacker can create a new GitHub organization with the name “rezonateX” and get access to the role. This misconfiguration option does not apply to GCP, as GCP does not support wildcards.

Identity Risks in the Rezonate UI

Rezonate customers should look for the security risk “GitHub Actions Role vulnerable to hijacking” in the Rezonate UI and follow the guided remediation steps attached to it.

Use a Script to Perform a Quick Scan

For the general public, we have released a script to our GitHub repository (link here), which performs a quick scan against the AWS account or GCP project and reveals possible vulnerable roles and service accounts.
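The two AWS checks described above (no subject condition, and a StringLike wildcard in the organization part of the subject) can be run offline against exported role trust policies. The following Python code is an added example, not the Rezonate scan script mentioned above; the finding labels, helper names, account ID and sample policies are constructed for illustration, and it covers AWS trust policies only.

```python
import re

GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_OIDC + ":sub"  # IAM condition key for the token's sub claim

def as_list(value):
    return value if isinstance(value, list) else [value]

def sub_patterns(stmt):  # (operator, pattern) pairs that allow-list the subject
    return [(op, pat) for op, keys in stmt.get("Condition", {}).items()
            if "not" not in op.lower()  # negated operators allow-list nothing
            for key, value in keys.items() if key.lower() == SUB_KEY
            for pat in as_list(value)]

def audit_trust_policy(policy):
    """Return findings for statements that trust the GitHub OIDC provider."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        fed = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(
                f.endswith("oidc-provider/" + GITHUB_OIDC) for f in fed):
            continue
        patterns = sub_patterns(stmt)
        if not patterns:
            findings.append("NO_SUBJECT_CONDITION")
        for op, pat in patterns:
            org = pat.removeprefix("repo:").split("/", 1)[0]  # repo:<org>/<repo>:<ctx>
            if "like" in op.lower() and re.search(r"[*?]", org):
                findings.append("WILDCARD_IN_ORG:" + pat)
    return findings

def string_like(pattern, value):  # IAM StringLike: * = any run, ? = one char
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.DOTALL) is not None

def trust(condition):  # wrap a Condition block in a constructed trust policy
    arn = "arn:aws:iam::111122223333:oidc-provider/" + GITHUB_OIDC
    return {"Statement": [{"Effect": "Allow", "Principal": {"Federated": arn},
            "Action": "sts:AssumeRoleWithWebIdentity", "Condition": condition}]}

AUD = {GITHUB_OIDC + ":aud": "sts.amazonaws.com"}
SAMPLES = {  # constructed policies, not taken from any real account
    "aud-only": trust({"StringEquals": AUD}),
    "org-wildcard": trust({"StringEquals": AUD, "StringLike": {SUB_KEY: "repo:rezonate*"}}),
    "repo-wildcard": trust({"StringEquals": AUD, "StringLike": {SUB_KEY: "repo:rezonate/*"}}),
}

if __name__ == "__main__":
    print({name: audit_trust_policy(p) or ["OK"] for name, p in SAMPLES.items()})
```

In a real account the input would be the AssumeRolePolicyDocument that IAM returns for each role. The string_like helper shows why the wildcard position matters: the repository-scoped pattern rejects a subject from a look-alike organization that the organization-scoped pattern accepts.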