It is sobering to consider that the greatest digital outage of our age was absolutely authorized. As far as we know, so far, there were no failures of AuthN, nor AuthZ, when CrowdStrike happened to push an update that ran with “most privilege,” rather than least.
Technically, the Falcon incident wasn’t even an escalation of privilege that executed code remotely, nor an exploit of some 0-day dreamed up by some Hollywood script kiddie. It was caused by a “file that contains configuration data. It is not code or a kernel driver.” On the other hand, that supposedly-inert bag-o’-bits led directly to an “out-of-bounds memory read triggering an exception.” The good news is that unauthorized access to memory was blocked, but the bad news is that “This unexpected exception could not be gracefully handled.” (an understatement!)
Data can be as dangerous as Code
Such hubris has its roots in the von Neumann architecture’s distinction between code and data. That’s an insight I found from Professor Mary Shaw at CMU, who noted that “We've grown up with the notion that CODE RULES and data is the redheaded stepchild” (with a tip o’ the hat to Dave Farber’s Interesting People list).
IAM systems also tend to treat policies as “just data,” whether modeling RBAC, ABAC, ReBAC or any other -AC. While AuthZ pros realize “Security policies are software, too”, Cloud service providers often make it impossible to roll out changes to users, groups, permissions, tags, or resource hierarchies incrementally into production.
You wouldn’t ship code without testing it first, so we need to be able to test our AuthZ changes the same way to prevent planet-scale incidents like this. Let’s get to work — and on to “all the links authorized to click!”
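An added example of what “testing AuthZ changes like code” can look like in practice (this is illustrative code written for this post, not CrowdStrike’s or any cloud provider’s tooling): an RBAC policy kept as plain data, a lint pass, a decision diff replayed over a fixed request corpus, and an invariant that must hold for every version. All roles, users and resource paths are constructed sample values.

```python
import copy

# Added example, not from the newsletter: an RBAC policy kept as plain data, plus the
# checks a rollout pipeline would run on it before it reaches production. Every role,
# user and resource path below is a constructed sample value.
OLD_POLICY = {
    "roles": {
        "viewer":   [("read", "/prod/"), ("read", "/dev/")],
        "deployer": [("read", "/prod/"), ("write", "/prod/")],
        "admin":    [("delete", "/")],
    },
    "bindings": {"ana": ["viewer"], "bo": ["deployer"], "cy": ["admin"]},
}

# The proposed change: the author meant to let viewers write under /dev/ and to
# bind bo to a new on-call role, but typed the prefix wrong and forgot the role.
NEW_POLICY = copy.deepcopy(OLD_POLICY)
NEW_POLICY["roles"]["viewer"].append(("write", "/"))
NEW_POLICY["bindings"]["bo"].append("oncall")

# Fixed set of representative requests, replayed against every policy version.
CORPUS = [
    ("ana", "read", "/prod/db"), ("ana", "write", "/prod/db"),
    ("ana", "write", "/dev/db"), ("bo", "delete", "/prod/db"),
    ("cy", "delete", "/prod/db"),
]
PROD_WRITERS = {"deployer", "admin"}  # the only roles allowed to change /prod/

def is_allowed(policy, user, action, resource):
    """Pure decision over the data: any (action, prefix) on any held role grants."""
    for role in policy["bindings"].get(user, []):
        for allowed_action, prefix in policy["roles"].get(role, []):
            if allowed_action == action and resource.startswith(prefix):
                return True
    return False

def validate(policy):
    """Lint step: a binding to a role that does not exist is a typo, not a permission."""
    return [f"{user} bound to undefined role {role!r}"
            for user, roles in policy["bindings"].items()
            for role in roles if role not in policy["roles"]]

def decision_diff(old, new, corpus):
    """Every request whose answer flips; reviewed like a code diff before merge."""
    return [(req, is_allowed(old, *req), is_allowed(new, *req))
            for req in corpus if is_allowed(old, *req) != is_allowed(new, *req)]

def check_invariants(policy, corpus):
    """Regression test that must pass for every version: only PROD_WRITERS may write
    or delete under /prod/, however the role definitions are edited."""
    return [req for req in corpus
            if req[1] in ("write", "delete") and req[2].startswith("/prod/")
            and not PROD_WRITERS & set(policy["bindings"].get(req[0], []))
            and is_allowed(policy, *req)]
```

Run against the proposed change, the lint reports the undefined role, the diff shows viewer ana newly allowed to write under /prod/, and the invariant fails, so the rollout stops before any production decision changes.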
Standard Events
Standards are a significant step in the right direction, and there were so many to choose from at the 120th IETF meeting in Vancouver last week — along with our own 3rd happy hour for subscribers to sample Jean-Francois Lombardo’s new board game Aliens vs. Permissions!
ALFA 2.0: David Brossard presented a lightning talk on the latest Abbreviated Language for Authorization draft to bring XACML into the 21st century [RFC, slides and video]
AuthZEN @ OAuth: Discussion of the AuthZEN Profile of OAuth Rich Authorization Requests [RFC and video]
WIMSE: Advancing convergence of human and non-human identities, the working group for Workload Identity in Multi System Environments debated how Transaction Tokens could bridge the gaps by carrying additional context across a call chain [latest RFC, prior slides, and a recap blogpost from SGNL]
Upcoming Events
CAEP: Beyond the IETF, the OpenID Foundation is also inviting implementors of Continuous Access Evaluation Protocol solutions to participate in an interoperability event at Gartner IAM Summit in December.
IIW (Internet Identity Workshop) from October 29-31, 2024: Early Bird registration until August 9. Time to start planning for our next meetup — any volunteers?
Black Hat (and DEF CON) from August 3-8, 2024: Expect briefings about breaching AWS (Shadow Resources), GCP (CloudImposer), Azure AD (Un0Authorized), more Cloud Providers, more SaaS Attacks, and, of course, LLMs [1] (Nvidia, with a tip o’ the hat to Dark Reading)
Recent Risks
ConfusedFunction: A Privilege Escalation Vulnerability | Tenable explains how GCP Cloud Functions’ “default Cloud Build service account gives the user excessive permissions,” a disclosure that led to recent Cloud Build Service Account Changes | Google. (tip o’ the hat to CloudSecList #248)
Anyone can Access Deleted and Private Repository Data on GitHub | Truffle Security. Although a massive HN thread claims it’s been a known issue since at least 2018, the AuthZ aspect is less about “private vs. unlisted” access than the relationships between objects when GitHub’s internal construct of a “repository network” doesn’t align with Git users’ mental models.
AuthN needs AuthZ, too…
All the AuthZ policies in the world won’t help if your AuthN has no AuthZ controls of its own. Manipulating a numeric identifier or a string label should not magically grant privileges through collisions, but:
Changing a user ID should not be possible nor powerful, yet here’s SAP falling to a “1337” hax0r…! SAPwned: SAP AI vulnerabilities | Wiz July 17, 2024
Changing a group ID shouldn’t be, either, yet here’s VMware falling to “ESX Admins”! Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption | Microsoft
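An added illustration of the design point behind both items (written for this post, not code from SAP, VMware or the advisories linked above): an admin check keyed on a mutable display label behaves very differently from one keyed on an immutable identifier plus the directory that issued it. All group names, ids and directory domains are constructed sample values.

```python
from dataclasses import dataclass

# Added example, not from the newsletter or the advisories it links: the difference
# between an AuthZ check keyed on a mutable display label and one keyed on an
# immutable identifier plus the directory that issued it. All names, ids and
# directory domains below are constructed sample values.
@dataclass(frozen=True)
class Group:
    name: str    # display label; whoever can create or rename groups controls it
    gid: str     # immutable identifier assigned once, at creation
    issuer: str  # directory that vouches for (gid, name)

@dataclass(frozen=True)
class Principal:
    uid: str
    groups: tuple  # Group memberships presented at login

# The admin group the host was joined to at install time.
TRUSTED_ADMINS = Group(name="hypervisor-admins", gid="G-1001", issuer="corp.example")

def is_admin_by_name(principal):
    """Fragile: any group carrying the right label passes, whoever minted it."""
    return any(g.name == TRUSTED_ADMINS.name for g in principal.groups)

def is_admin_by_identity(principal):
    """Robust: the label is ignored; only the immutable id from the expected issuer counts."""
    return any(g.gid == TRUSTED_ADMINS.gid and g.issuer == TRUSTED_ADMINS.issuer
               for g in principal.groups)

# Three principals that a test suite for this check should cover.
REAL_ADMIN = Principal("alice", (TRUSTED_ADMINS,))
# Same label, but a different group created in a directory the host never trusted.
LOOKALIKE = Principal("carol", (Group("hypervisor-admins", "G-7777", "other.example"),))
# The trusted group after an admin renamed it; id and issuer are unchanged.
RENAMED_ADMIN = Principal("alice", (Group("platform-admins", "G-1001", "corp.example"),))

def audit(principals):
    """Report every principal on which the two checks disagree: each one is a finding."""
    return [p.uid for p in principals if is_admin_by_name(p) != is_admin_by_identity(p)]
```

The name-based check both admits the lookalike group and locks out the real admin after a rename; the identity-based check gets both cases right, which is why the audit flags exactly those two principals.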
Startup Sightings
Wiz wasn’t only disclosing risks to SAP, they were also in the thick of talks with GCP — which appear to have halted on hopes of an IPO on the horizon according to an alleged internal email to Wiz-ards.
Linx emerges from stealth with $33M to lock down the new security perimeter: Identity | TechCrunch. Earliest Wiz backer CyberStarts also seeded this new garbage collection effort to “link (hence the name) all identities together and to actual, active employees.”
Cybersecurity startup Chainguard raises $140M at $1.1B valuation | GeekWire. Started soon after seeding SLSA at Google to speed up adoption of authorized application binaries (I see you, Kim!)
Vanta raises $150M Series C, now valued at $2.45B | TechCrunch. Started to automate audits and answer vendor security screening to accelerate revenue, Vanta has hit $100M in ARR and is extending its offering to users of SaaS, not just developers.
AI trust startup Vijil raises $6M to prevent AI agents saying the wrong things | SiliconANGLE. Chatbot compliance challenges require an AuthZ alternative to “simply surrender to ‘vibe checks’” (tip o’ the hat to ReturnOnSecurity #154)
IAM for MSPs Provider Evo Security Raises $6 Million | SecurityWeek for a platform specifically designed for outsourcing PAM to “prevent internal threats and misconfiguration by creating security groups accompanied by extensive granular permissions”
New Articles
How People.ai Has Future-Proofed Data Security with Zero Standing Privilege | SGNL “Even if an access code is good for only 10 minutes, that’s typically ample time for a threat actor to access a system”
Enhancing Authorization: Harnessing the Power of Partial Evaluation | CyberArk is a thorough introduction to the advantages of “pre-computing parts of an authorization policy based on known information and producing a simplified policy that includes only the conditions”
Security Data Fabric | StrategyOfSecurity. Cole Grolmus defines a market for “pre-built connectors for the hundreds of potential sources” that can help access investigations, policy simulation, and reducing access over time
Security Challenges of Intent-Based Networking | CACM. Here’s a thought-provoking analogy to consider: what if intent-driven authorization could translate policies from plain language to access control the way networking admins leverage software-defined networking? How many of the risks enumerated in this paper would also apply to ACLs?
New Media
Building Permissions into Data Modeling | USENIX, from Facebook researchers, presented at Privacy Engineering Practice and Respect (PEPR) on June 3-4, 2024
Authorization with AuthZEN | KuppingerCole an interview with Axiomatics’ CTO
New Tools
VPC Service Controls with private IPs | GCP, an additional perimeter to prevent data exfiltration
Permit Share-If - Embeddable access sharing components | Product Hunt for one-stop shopping
Black Hole Sun
This time, the impact of a strike that took out a crowd of 8.5M systems around the planet cost over $5B (and cost shareholders almost a whole Wiz, $23B)… but what if next time, the real Death Star was no Moon at all — but rather our own Sun?
USA TODAY’s article recapped how “the ‘Victorian internet,’ went on the fritz” during the Carrington Event of 1859, when “telegraph offices even caught fire.” SDSU astronomy professor Douglas Leonard underscored how “infrastructure is held together by duct tape and chewing gum at the end of the day.” If you want to contemplate what a “great disturbance in the Force” could do, check out What a Major Solar Storm Could Do to Our Planet, a profile of America’s Space Weather Jedis from the New Yorker.
Remember, only you can submit next week’s AuthZ NewZ!
The “Authorize” clipping service and meetups are powered by volunteer authorization nerds who want more people to know about all the cool stuff that’s going on in the authorization world!
Want to help write this newsletter and organize authorization conference activities? Find Rohit Khare on LinkedIn and ask for an invite. If you’re an IDPro member, join the #authorization Slack channel.
[1] Speaking of Generative AI hype: Survey finds payoff from AI projects “dismal” | El Reg, and the front-page headline on Sunday was Silicon Valley's artificial intelligence frenzy: a bubble full of problems, and bound to burst | San Jose Mercury News