News

Microsoft Suggests Tracking Cloud Permissions in 2023 Report

• By Kurt Mackie
• 04/03/2023

Microsoft last week announced the release of its "2023 State of the Cloud Permissions Risks Report" (PDF), which catalogs potential cloud services risks associated with access permissions.

The report was compiled by Microsoft after running data against more than "500 risk assessments." Microsoft Azure was one of the cloud services assessed, along with Amazon Web Services and Google Cloud Platform. Of the more than 40,000 permissions tracked across the cloud services, Microsoft found that more than half were "high risk," and were "capable of causing catastrophic damage if used improperly."

In general, for all three cloud services assessed, Microsoft found that just one percent of permissions were actively used. The report suggested that identities used with cloud services have been "overpermissioned." Least-privilege access controls should be used with them as a security best practice, the report suggested.

Moreover, less than five percent of so-called "workload identities," which are associated with software processes rather than human access, were being used. Microsoft found that more than 80 percent of workload identities were inactive, a figure that was twice what Microsoft's 2021 report had found. Workload identities should be tracked by organizations and their permissions to cloud resources should be "right sized," Microsoft indicated.

Such tracking is compounded by the growth of cloud services. Microsoft found that there was an "average of 200+ services across cloud providers."

The 2023 report included some chilling findings on super-administrator identity cloud privileges:

• More than 50 percent of identities used with cloud services had super-administrator privileges.
• More than 40 percent of identities with super-administrator privileges were workload identities (that is, non-human identities).
• Less than two percent of identities with super-administrator privileges actually got used.

Get a CIEM
The report suggested that organizations managing cloud services security should get a cloud infrastructure entitlement management (CIEM) solution. Of course, it touted Microsoft's own CIEM product for the job, namely the Microsoft Entra Permissions Management product, which works across Azure, AWS and Google Cloud Platform.

In general, organizations using cloud services should be able to "right-size permissions based on past activity." They should continuously monitor identities and access permissions, including getting alerts for anomalous identity behavior. They should remediate inactive and overpermissioned identities. Identity governance and reporting should be automated.

Microsoft also recommended removing "inbound SSH/RDP access in security groups to restrict inbound access to virtual machines." Multifactor authentication should be enabled "for all identities with console access." Keys should be rotated regularly, and so-called "permission creep" should be monitored.

Microsoft Secure Event
The announcement of the "2023 State of the Cloud Permissions Risks Report" was part of Tuesday's Microsoft Secure event, which featured top Microsoft luminaries. Microsoft had a lot to say during that six-hour event.

Notable summaries of Microsoft's security product improvements associated with the Microsoft Secure event can be found in this announcement by Vasu Jakkal, corporate vice president of security, compliance, identity and management. Details on Microsoft Entra identity security improvements were outlined by Joy Chik, president of identity and access management, in this post.

The unveiling of Microsoft Security Copilot, an OpenAI ChatGTP-4 security solution, was perhaps the highlight of the Microsoft Secure event. Microsoft Security Copilot, currently at preview, is integrated with various Microsoft solutions, including Azure Security Center and Microsoft Defender for Endpoint. Microsoft also suggested that it would add support for "third-party solutions" to Microsoft Security Copilot at some point.