Achieve least privilege with less effort using IAM Recommender

As cloud adoption grows, we’re seeing exponential growth in cloud resources. With this we’re also seeing growth in permissions, granted to humans and workloads, to access and change those resources. This introduces potential risks, including the misuse of privileges, that can compromise your organization’s security.

To mitigate these risks, ideally every human or workload should only be granted the permissions they need, at the time they need them. This is the security best practice known as “least privilege access.” 

Unfortunately, we don’t implement this practice enough: In fact, internal Google research shows that most permissions granted by admins aren’t used in a 90-day observation period. To achieve least privilege you need to identify high-risk permissions that aren’t needed and are therefore safe to remove. In this post, we’ll look at some of the challenges of establishing least privilege at scale, outline some best practices for how you can get started, and see how IAM Recommender can help.

Least privilege basics

The first step in establishing least privilege is understanding which permissions a user has today and which have been used recently. Then, you need to understand which permissions this user is likely to need in the future, so you avoid getting into a manually intensive trial-and-error loop of assigning incremental permissions. Once you have that, you need to decide how to construct your identity and access management (IAM) policies so that you can reuse roles across several members and projects. Finally, you should aim to change your policies to remove these excessive permissions or monitor their use closely.

This is easier said than done.

Establishing least privilege at scale

A key challenge in solving this problem is understanding how to achieve least privilege efficiently at scale. At Google Cloud, our mission is to accelerate every organization’s ability to reimagine their business through data-powered transformation. We aim to deliver a type of transformation that uplifts your security experience in the cloud, where your developers can innovate at speed while data-backed intelligence helps keep your resources safe.

Since we first introduced IAM Recommender at Next ‘19, we have been working with many large organizations—including Uber and Veolia Group—that have been able to use IAM recommendations to help make their environments more secure, while reducing the number of permissions that were granted. IAM Recommender is now generally available, as part of our new Active Assist portfolio, to provide safe, in-context, and actionable changes to your IAM policies that move your project towards least privilege and don’t require lots of manual effort on your part.

Veolia Group, a French resource management company, has 171,000 employees around the world and manages about 87,000 projects in Google Cloud. Veolia initiated a one-time cleanup exercise of its production projects, using the data from IAM Recommender to get a better understanding of risk and to facilitate decision making with project owners.

“IAM Recommender helped us confidently reduce 1.2 million permissions across production in an initial cleanup exercise that secured over 1,000 user and service accounts—all of which reduces the likelihood of a successful attack.” -Veolia Group

You can hear more about Veolia’s journey at our Google Cloud Next ‘20: OnAir Breakout Session, Using Policy Intelligence to Achieve Least Privilege Access.

Customers like Uber have developed innovative solutions on top of IAM Recommender to automate their security apparatus. Uber uses IAM Recommender to remove Editor roles on a daily basis using a risk engine that determines which role removals can be automated and which need a human check. For all changes, a JIRA ticket is opened for auditability and tracking purposes.

“IAM Recommender helped us identify a significant number of over-assigned permissions in our GCP infrastructure and was instrumental in getting us closer to our goal of achieving least privilege.” -Uber

You can hear more about Uber’s architecture at our Minimizing Permissions Using IAM Recommender Breakout Session.

Best practices for getting started

Through our work with Uber, Veolia, and others, we’ve discovered some best practices that can help ease the process of achieving least privilege.

#1 Mitigate lateral movement threats
If you have several projects, a good place to start is to develop a prioritization framework to identify the severity or ranking for the recommendations to help you understand which ones to apply first. We suggest beginning with looking at role bindings that give the iam.serviceAccounts.actAs permission on projects and Service Accounts. This permission allows a principal to execute code as a service account, and potentially leverage it to access resources that the principal shouldn’t have access to. Doing this helps protect against the threat of lateral movement through service account impersonation.

#2 Migrate from legacy roles
We don't recommend using legacy Owner (roles/owner) and Editor (roles/editor) roles. Use IAM Recommender to scope down access to finer-grained roles. IAM Recommender provides a migration path from these legacy roles to multiple smaller roles, which is especially important for service accounts that get the Editor role by default.

#3 Analyze recommendations using big data analytics
We now support out-of-the box integration with BigQuery. This allows you to export all your recommendations to a BigQuery table for further analysis with Google tools like Data Studio. You can use this technique to create org-wide custom reports. For example, if you want a view of over-provisioning across your production workloads, or if you want to analyze permission usage for a given service account, you can easily do that now.

#4 Establish a governance process for review
Export these recommendations to an identity governance and administration or access certification tool. This will help you speed up your quarterly resource owner or user manager attestations. 

#5 Identify candidate use cases for automation
Once you’ve performed an initial cleanup, identify candidate use cases for automation. Examples of these can be members with Owner/Editor roles or orphaned users. This lets you empower engineers and project owners; they no longer need to worry about asking for too much or making a mistake. You should be able to take away excess permissions automatically because the data was compelling the first time around. You can then strive to bring in an increased awareness of risk and drive for cultural change towards a more equitable balance of speed and security.

Check out our IAM Recommender best practices page for more information.

Learn more

Before the cloud, if you wanted to minimize your permissions towards least privilege, you would have probably plugged your data into a role mining tool or spreadsheet, and a team would have then spent weeks in analysis. We have cut all that time and effort—these recommendations are ML generated and can be immediately applied—and done all the heavy lifting collecting and correlating data in the back end. 

Here’s a video about how it works:

For a behind-the-scenes look into how we did it, continue to our second blog, Under the hood: The security analytics that drive IAM recommendations on Google Cloud, and check out Exploring the machine learning models behind Cloud IAM Recommender for a deeper dive.

Click the following links to learn more about IAM Recommender and Active Assist. If you want to see first-hand how our customers solved for least privilege, be sure to attend one of our Google Cloud Next ‘20: OnAir sessions:

• Uber: Minimizing Permissions Using IAM Recommender

• Veolia: Using Policy Intelligence to Achieve Least Privilege Access

• Active Assist: Cloud is Complex. Managing It Shouldn’t Be