Today, we are excited to announce a new capability for all Wiz customers - Azure Least Privilege. This new capability enables Microsoft Azure customers to enforce least privilege access by identifying and removing excessive privileges. Eliminate the manual steps to understand effective permissions, analyze who has access to what, and leverage Wiz’s recommendations to reduce the risk of stolen credentials and lateral movement.
Permissions are the new attack surface
The dynamic nature of the cloud makes it easy to spin up resources and grant entitlements without much thought of the practical gap between granted and used entitlements. Teams often copy existing role-based access control (RBAC) profile entitlements to new accounts without much analysis. The net result is many users and accounts have excessive permissions that are unlikely to be used but represent security risks. Attackers often exploit these unnecessary permissions to escalate privileges or discover lateral movement paths to gain access to your crown jewels. Gartner states by 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020.
Additionally, compliance regulations like PCI, SOC2, and FedRAMP have Identity and Access Management (IAM) requirements that limit users and service accounts with excessive permissions. Organizations that use Azure need to be able to audit, report and remediate excessive entitlements.
Native tooling in Azure suffers from significant gaps in usability that make it hard for organizations to analyze effective entitlements. Analyzing effective permissions using Azure Access review requires extensive manual effort by administrators to audit permissions without any guidance or automation to remediate excessive entitlements. It is, at best, a guided walkthrough of permissions management.
Introducing Azure Least Privilege – Right sizing permissions to enable least privilege access
Wiz’s new capability - Azure least privilege enables administrators that need to reduce risk and meet compliance mandates to enforce least privilege access accounts. Wiz now lets you enforce least privilege access in your environment by finding, auditing and recommending removal of excess permissions.
These excessive permissions could be unused permissions and services determined for each role assignment, services that have never been used according to Azure cloud events, or inactive accounts. Azure least privilege compares the permissions that each account has used with the total permissions the account has enabled and flags unused permissions and services. Wiz also flags inactive accounts for remediation steps. All these findings are conveniently visualized on the Wiz Security Graph. Organizations can use this feature to reduce risk and prevent the likelihood of an attacker gaining access to an over privileged compromised account and performing lateral movement. This feature can also help admins be more efficient, reduce manual reviews by enabling easy entitlement auditing and navigate the shortfalls of native tooling for compliance requirements.
AWS re:Invent is the largest conference of the year for Amazon Web Services (AWS) with hundreds of talks. We picked our favorite cloud security talks that are available online.