AWS Identity and Access Management (IAM) represents a new paradigm not only in access control, but in providing identity and access management as a service. Gone are the days when we could rest on our laurels behind a perimeter defence; those with malicious intent have just as much access to the services we leverage to control our entire infrastructure as we do. We’ve also moved from disparate authentication systems in network switches, storage appliances, and hypervisors to one single control point for complete management of all infrastructure. If I haven’t got your attention yet, how about this?
Dome9 has been solving network security challenges for customers for years. On our journey we’ve listened to hundreds of customers tell us that they appreciate Dome9 solving the fundamental security challenges associated with leaving behind an infrastructure that you have complete visibility over for one that you don’t. Over time as a consequence of this we’ve built a culture around focusing on the fundamentals of public cloud security and bridging this gap.
It’s no wonder, then, that Dome9 is here today, at the intersection of network security and identity and access management. After all, what’s more fundamental than protecting the entire keys to your castle, so to speak? The cloud control plane, including IT management consoles and APIs, has become a new attack vector. Credential theft, key logging, man-in-the-browser type compromises, and API key leakage are all threats to centralized management consoles. In addition to malicious intent, unintentional privileged user error remains a serious threat. Consider the most privileged administrators in your organization making a small but disastrous oversight either at the console or in a script intended to control the lifecycle of infrastructure. In an instant your business could be impacted forever. The problem compounds when you consider the demand that concepts like continuous deployment and integration put on our access control systems. The result is many competing interests for access.
We are very excited to announce our response : Dome9 IAM Safety. Dome9 IAM Safety is an AWS IAM Dynamic Authorization solution, providing protection against malicious cloud control plane attacks and unintentional privileged user error.
Using IAM Safety, Dome9 customers are now able to define those IAM-enabled actions that they deem the most potentially catastrophic to their business. Using a policy builder type interface, users can begin from predefined templates or freely select from all possible IAM controls.
Once complete, Dome9 then restricts either individual IAM users & roles associated with your AWS account, or all of them at once. Once restricted, users (and roles, too) cannot perform the actions contained in the restriction template. IAM users that require access to those actions from time to time are issued the Dome9 IAM Safety mobile application whereby they have the ability to “elevate” their rights and perform actions contained in the restriction template for short periods of time. Like all solutions Dome9 develops, IAM Safety is built to work in concert with all existing AWS IAM functionality, not against it. IAM Safety honors all existing IAM rights assignments and only permits users to perform actions you place in the restriction template if their current rights model grants those actions to them in the first place. As you would expect, Dome9 administrators have full perspective over IAM users, roles, and who is protected vs who is not in a dashboard interface.
The result? An invisible protective layer providing ‘just in time’ multifactor authorization that prevents accidental and/or malicious invocation of risky actions. When these actions are required to be performed, rights are elevated in a measured and audited fashion for a short period of time while the action(s) can be performed, and then reduced back to the now de facto standard restricted state. Because Dome9 IAM Safety users work at a lesser privilege day-to-day, the results of stolen credentials & compromises are limited to non-catastrophic actions. Pre-authenticated sessions (even with MFA enabled) are no longer a root attack vector since the most riskiest of operations are protected by Dome9 IAM Safety.
We’d love for you to see what all the excitement is about as we’ve just scratched the surface! Please drop me a line for more information, and a personalized and focused demonstration of Dome9 IAM Safety!