
Security


GOING NOWHERE FAST. HOW TO STOP THREAT ACTORS AFTER A BREACH

vov
September 28, 2021


by: VMware Engineer, Cloud Security (VGS) Casey Lems

Sad to say, it’s not a matter of if a threat actor is going to target your
environment and put your security posture to the test, but when. Once an
attacker gains that access, they immediately attempt to mimic and exploit admin
credentials to expand their footprint in your network. That’s why the greatest
secondary defense is to immediately wall them off—ensure the virtual ‘room’ they
entered has absolutely no doors.

Accomplishing that feat involves establishing the right permission strategy
via least privilege, which in turn can be combined with threat mapping software
like CloudHealth® Secure State™ to present a formidable defense.

The key is automation. In general, there is an enterprise cyberattack every 11
seconds, and that means non-human intervention is required. Once all the
permission parameters (guardrails) have been established, it’s straightforward
to automate least privilege. Of course, teams need to identify what they are
looking for based on the enterprise’s rules, regulations, and other factors.
Otherwise, security teams risk garbage in, garbage out scenarios that benefit no
one except threat actors. This is similar to a doctor requesting blood work from
a lab—the lab needs to know what it is looking for in order to generate the best
results. 


SEARCHING FOR A NEW IDENTITY

The first step in least privilege is to establish identity parameters and
profiles based on three major buckets (see Figure 1). 



Figure 1. Three major buckets to consider prior to establishing permissions.

Static inputs are those things which generally stay the same—what compliance
framework an environment must adhere to, or the classification of data which
dictates who or what should have access to it.

These are the easiest to tag and oversee due to their consistent ‘boring’
nature. Different assets (apps, technologies, etc.) have different security
requirements and unique exposure rates, thus the need for threat models. And,
naturally, there are dynamic inputs in the enterprise ecosystem that will
change a lot, and therefore require ‘fluid’ permissions.


PUTTING YOUR CARDS ON THE TABLE

Let’s take the example of AWS s3:GetObject, used to download files from S3.
Applying our three buckets, we can conduct an identity profile analysis (see
Figure 2) that enables developers and administrators to understand every
potential access point a threat actor might try.

Figure 2. Identity profile analysis of AWS s3:GetObject scenario.

Now, let’s examine an even more serious potential breach—creating a new user via
AWS iam:CreateUser. The identity profile analysis (see Figure 3) demonstrates
that even with a ‘For Official Use Only’ classification, allowing new users to
be created can be a road to ruin.

Figure 3. Identity profile analysis of AWS iam:CreateUser scenario.


SOLVING THE PUZZLE, EACH AND EVERY TIME

At VMware, we employ Secure State to put the puzzle pieces together to create an
interconnected cloud security model (see Figure 4). The solution comes with 300+
rules right out of the box, and offers infinite customization to meet specific
needs. 

Once criteria are entered, Secure State delivers all the relationships between
various components in the cloud. This can radically alter the way least
privilege is implemented versus traditional siloed approaches that can
inadvertently miss an open door. There is no longer a need to manually go
through each potential scenario, piece together relationships, or perform other
labor-intensive tasks. This frees up cloud security teams to focus on more
mission-critical issues, and ensures the enterprise is safer regardless
of the threat at hand.

Figure 4. Identity profile analysis of AWS iam:CreateUser scenario.


HELPFUL HINTS (THAT WORKED WELL FOR US)

While there are no set rules for least privilege, there are some general
guidelines our teams have been following for protecting apps and data, including
deploying Zero Trust strategies.

Start by asking internally if there are any permissions that should be uniformly
denied or flagged from use by service users. Establish identity profiles for
your service organization and find ways to detect non-conforming resources.
Engage with cloud developer teams to help them understand the value of least
privilege—getting everyone psychologically on board with a new paradigm is more
than half the battle.

Be careful using provider-managed IAM policies (ReadOnly, PowerUser, etc.),
especially when it comes to service accounts, and avoid using wildcards when
possible. Infrastructure as code can definitely help!

Finally, use ephemeral credentials whenever possible, and don’t forget to employ
resource policies to further your least privilege strategy.
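The hints above (uniformly deny certain permissions for service users, avoid wildcards, lean on resource policies) can be turned into a check that runs before a policy ships. The following is an added example written for this page, not code from VMware or from Secure State; the two policy documents are constructed samples, and the set of actions to flag for service users is an assumption seeded with the post’s own iam:CreateUser example. It lints an IAM policy document for wildcard actions and resources, and detects when a broad action pattern such as `iam:*` silently grants a flagged permission, which a plain string comparison would miss. It also shows the resource-policy side of the same guideline: an S3 bucket policy Deny that closes s3:GetObject to every principal except one named role.

```python
"""Least-privilege lint for AWS IAM policy documents (added example).

Checks an identity policy against three of the post's guidelines:
  1. flag wildcard actions ("*" or "service:*") and wildcard resources ("*");
  2. flag Allow statements that grant permissions the organisation has
     decided service users should never hold (iam:CreateUser here);
  3. build a resource policy Deny so the door stays shut even if an
     identity policy is later loosened by mistake.
"""
import fnmatch
import json

# Assumption: the organisation's "uniformly denied for service users" list.
# The post names iam:CreateUser; anything further is a local policy decision.
DENIED_FOR_SERVICE_USERS = {"iam:CreateUser"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_pattern_grants(pattern, action):
    """True if an IAM action pattern (case-insensitive, '*' and '?' globs)
    covers the given action, e.g. 'iam:*' covers 'iam:CreateUser'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_policy(policy, sensitive_actions=DENIED_FOR_SERVICE_USERS):
    """Return a list of (statement_index, finding_kind, detail) tuples.

    Only Allow statements are inspected; a Deny can never widen access.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction grants everything except the listed actions: treat as wildcard.
        if "NotAction" in stmt:
            findings.append((idx, "wildcard-action", "NotAction"))
        for pattern in _as_list(stmt.get("Action")):
            if pattern == "*" or pattern.endswith(":*"):
                findings.append((idx, "wildcard-action", pattern))
            for sensitive in sensitive_actions:
                if action_pattern_grants(pattern, sensitive):
                    findings.append((idx, "sensitive-action",
                                     f"{pattern} grants {sensitive}"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "wildcard-resource", resource))
    return findings


def bucket_deny_except_role(bucket, role_arn):
    """Resource-policy statement: deny s3:GetObject on the bucket's objects to
    every principal whose ARN is not role_arn. aws:PrincipalArn is a real AWS
    global condition key; the bucket and role values are constructed samples."""
    return {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringNotEquals": {"aws:PrincipalArn": role_arn}},
    }


# Constructed sample: the kind of service-role policy the post warns about.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
}

# Constructed sample: scoped download permission plus an explicit Deny.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports-bucket/reports/*"},
        {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("loose", LOOSE_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {name} ==")
        for idx, kind, detail in lint_policy(pol):
            print(f"  statement[{idx}] {kind}: {detail}")
    print(json.dumps(bucket_deny_except_role(
        "example-reports-bucket",
        "arn:aws:iam::123456789012:role/report-reader"), indent=2))
```

Run as a pre-merge check on the policy JSON your infrastructure-as-code emits; the loose sample produces four findings (a wildcard resource on the S3 statement, and a wildcard action, a sensitive-action hit and a wildcard resource on the `iam:*` statement), while the hardened sample produces none. The glob expansion is the part worth keeping: most policy review failures come from broad patterns that nobody thought of as "granting iam:CreateUser".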

Check back for more updates on this ever-changing topic.

VMware on VMware blogs are written by IT subject matter experts sharing stories
about our digital transformation using VMware products and services in a global
production environment. Contact your sales rep or vmwonvmw@vmware.com to
schedule a briefing on this topic. Visit the VMware on VMware microsite and
follow us on Twitter.
