The Cloud has no perimeter! Really?
A friend of mine called me up suddenly and asked me what appeared to be a trivial question: “How can we detect fraud even if the credentials are correct?” My initial reaction was, “Of course you cannot. That is the whole point of credentials.” However, that question got me thinking about how important identity is in today’s cloud-dependent world.
One key consequence of moving everything to the cloud is that all physical limitations and boundaries are removed. Everything is available and accessible to you at all times, from everywhere. “The cloud has no perimeter,” says every cloud pundit ever, and everyone, including the said pundit, accepts it as a major benefit of moving to the cloud.
Yes. It is true. Only as long as you can prove you are you.
Today your identity determines whether you have access, what you have access to, your privileges and your authorities. Think about it:
You log in to your work email account by providing your credentials. The same email account, via Single Sign-On (SSO), lets you log in to your leave management system. It lets you query your payroll. It also gives you access to the workflow you earn your living from, be it the items you decide on, your code repository or your ticket management system. A similar logic applies to your personal transactions as well.
Now imagine what happens if your identity (your credentials) is no longer accessible to you. Perhaps someone stole it, and there is no way for you to retrieve your credentials.
What will you be able to do?
Chances are, if you lose your access or if your identity is breached or stolen, you will be completely stymied. You will not be able to access anything anymore, and quite conceivably every means of establishing that you are indeed you also depends on your having access to something on a cloud somewhere.
Take the worst-case example: assume your Aadhaar records are breached, stolen, deleted or lost. How are you going to establish that you are indeed the person you claim to be? Even the vaunted “who you are” factors would not establish that you are you, as they no longer identify you. (I am sure that UIDAI has thought of this exact scenario and has a procedure for addressing it. However, I could not find it.)
Doesn’t your ability to prove your identity bind and constrain you as clearly as any physical boundary?
Hence, my claim that identity is the new perimeter. Once that is breached, all hell breaks loose.
Non-Human Identities
On the cloud, the problem is compounded by non-human identities. In a connected, automated world, services are often initiated without human intervention. Applications interconnect across organizational boundaries using tokens, keys and certificates. This also extends to devices, bots and so on. The authentication of such non-human identities is highly automated. Often, the certificate or key is the identity.
It is not hard to imagine a scenario where such identity proofs are compromised. Developers are so famous for embedding access credentials in code that there are multiple automated GitHub bots that look for exactly such keys in checked-in code. Check out this story of what happened to an unfortunate developer who left access keys in checked-in code for only five minutes.
Couple this with the weak security checking on IoT networks and devices, and it is quite clear that this is an issue that needs a well-thought-out response.
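An added example, not from the original post, of the kind of check those GitHub bots perform, turned around and used on the defender's side as a pre-commit gate. The pattern set is a hypothetical subset, and the sample key is a constructed placeholder that only has the right shape.

```python
import re
from typing import List, Tuple

# A small set of credential shapes to look for. This is a hypothetical subset;
# the GitHub-scanning bots mentioned above match many more formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(secret|password|api[_-]?key|token)[a-z_]*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, redacted_match) for every suspicious string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                # Never echo the full secret into logs or CI output.
                redacted = token[:6] + "..." if len(token) > 10 else token
                hits.append((lineno, name, redacted))
    return hits

def added_lines(diff_text: str) -> str:
    """Keep only the '+' lines of a unified diff (what a commit would introduce)."""
    return "\n".join(l[1:] for l in diff_text.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))

def is_commit_clean(diff_text: str) -> bool:
    """Pre-commit gate: True when the added lines contain nothing secret-looking."""
    return not scan_text(added_lines(diff_text))

# Constructed sample: the mistake described above, a long-lived key pasted into source.
# The key value is a made-up placeholder that only has the right shape.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
aws_secret_access_key = "constructed-placeholder-not-a-real-secret"
client = boto3.client("s3")
"""

if __name__ == "__main__":
    for lineno, name, redacted in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} -> {redacted}")
```

Wiring `is_commit_clean` into a pre-commit hook or CI job catches the key before it ever reaches a remote, which is the window the bots race for.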
Conclusion
I am not trying to establish a case that SSO or non-human identity access is bad or that they should be stopped. The benefits of anywhere, anytime, anyhow access are obvious to all.
My intent is primarily to highlight that this is a risk that one needs to evaluate explicitly and mitigate appropriately. Today, most IAM systems have extensive mechanisms to implement zero trust security. Invest the time to understand them and use them extensively. I will talk about this in a forthcoming article.
And perhaps, in the meantime, we should pay attention to the simple question that started this train of thought: is it possible to detect fraud when the credentials are validated?
Maybe.
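An added illustration of that question, not part of the original post: a risk-based check that runs after the credentials have already been accepted and compares the login with the user's own history, asking for a second factor or blocking when the pattern does not fit. The user, locations, thresholds and scoring weights are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

@dataclass
class Login:
    user: str
    ts: datetime
    country: str
    device_id: str
    lat: float
    lon: float

def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def risk_score(history: List[Login], current: Login) -> Dict[str, int]:
    """Score a login whose credentials were correct against the user's prior logins."""
    reasons: Dict[str, int] = {}
    if current.device_id not in {l.device_id for l in history}:
        reasons["new_device"] = 30
    if current.country not in {l.country for l in history}:
        reasons["new_country"] = 30
    if history:
        last = max(history, key=lambda l: l.ts)
        hours = (current.ts - last.ts).total_seconds() / 3600
        # Impossible travel: faster than any airliner since the previous login.
        if hours > 0 and distance_km(last, current) / hours > 1000:
            reasons["impossible_travel"] = 50
    return reasons

def decide(history: List[Login], current: Login, step_up_at: int = 30, block_at: int = 80) -> str:
    """Policy: allow, ask for a second factor (step_up), or block and alert."""
    total = sum(risk_score(history, current).values())
    return "block" if total >= block_at else "step_up" if total >= step_up_at else "allow"

# Constructed sample data: a user who normally works from Bengaluru on one laptop.
BLR = dict(country="IN", device_id="laptop-1", lat=12.97, lon=77.59)
HISTORY = [Login("asha", datetime(2024, 1, 10, 9, 0), **BLR),
           Login("asha", datetime(2024, 1, 11, 9, 0), **BLR)]
ROUTINE = Login("asha", datetime(2024, 1, 12, 9, 0), **BLR)
NEW_DEVICE = Login("asha", datetime(2024, 1, 12, 9, 0), "IN", "phone-2", 12.97, 77.59)
# Same correct password, but from New York one hour after the Bengaluru login.
FOREIGN = Login("asha", datetime(2024, 1, 11, 10, 0), "US", "unknown-7", 40.71, -74.01)
```

The routine login passes silently, the new phone triggers a one-time code much like the prompt a consumer account sends on a new device, and the New York login an hour after Bengaluru is blocked even though the password was right.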
(Learn more about Sridhar Parthasarathy at the Purple Team website)
Senior Software Quality Assurance Leader / Solutions Architect / Senior Software Project Manager (5y)
Hello Sridhar, nice to read this post from you. Identifying fraudulent access with correct credentials is becoming a big concern now. I sometimes get annoyed with Google when I log on from a different device or a new location and it wants to send me an OTP to confirm it is me. I thought the Indian government, by incorporating biometrics such as retina scans and fingerprints, had very effectively addressed the issue of a lost Aadhaar card. If your phone is lost, getting a new SIM card is as easy as scanning your fingerprint at a cell-phone provider store, unlike here in the USA, where you have to come up with a government-issued picture ID.
Director driving global cloud-based telecom system transformation | MITx Pro PG | long distance endurance cyclist | marathoner (5y)
Glad
Technology Leader, Cyber Security & Healthcare IT Evangelist, Serial Entrepreneur, Mentor & Strategist (5y)
Nice train of thought, Sridhar!
Designing software for billions (5y)
You can look at usage patterns of any service, then flag fraud and request additional levels of authentication before authorising anything.