1. Field of Art
The present invention generally relates to the field of computer security and in particular to monitoring permissions to resources in cloud-based computing environments to ensure consistency with enterprise policies.
2. Background of the Invention
An enterprise typically stores a large number of resources, including data and applications. Some of these resources are stored locally at data centers on the premises of the enterprise, while others are stored remotely by cloud-based service providers. Users at the enterprise access the cloud-based resources via the Internet or another network.
Administrators at the enterprise manage permissions of the users with respect to the resources. For locally-stored resources, the administrators can directly manage permissions by assigning users to roles and separately mapping roles to permissions on the local resources. The permissions can include read, write, and modify permissions.
Managing permissions of users with respect to cloud-based resources is more difficult. The cloud service providers may provide tools allowing administrators to configure permissions of users with respect to resources stored in the cloud. However, often the relationships between the cloud resources and roles of the enterprise users are not apparent. As a result, it is difficult for administrators to verify whether cloud-based permissions for the enterprise users are consistent with their assigned roles.
In addition, the administrators might not detect if the cloud-based permissions of a user deviate from the permissions granted by the user's roles in the enterprise. For example, the administrators might not detect if an administrator's account in the cloud is compromised and used to maliciously modify permissions of other users. Additionally, a legitimate administrator might not notice if a malicious administrator improperly escalates the permissions of a user.
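As an added illustration of the consistency check described above (example code written for this page, not taken from the patent), the following Python derives each user's expected permissions from the enterprise role model, compares them with a snapshot of effective cloud permissions, and reports deviations in both directions, including permissions no enterprise role grants. The role model, user assignments and cloud snapshot are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the patent): enterprise role-to-permission
# mapping, user-to-role assignments, and a snapshot of effective permissions
# as reported by a cloud provider's permission tooling.
ROLE_PERMISSIONS = {
    "analyst":  {("reports-bucket", "read")},
    "engineer": {("reports-bucket", "read"), ("build-repo", "read"), ("build-repo", "write")},
    "admin":    {("reports-bucket", "read"), ("reports-bucket", "write"),
                 ("reports-bucket", "modify"), ("iam-config", "modify")},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"engineer"}, "carol": {"admin"}}

CLOUD_SNAPSHOT = {
    "alice": {("reports-bucket", "read"), ("iam-config", "modify")},  # escalated beyond role
    "bob":   {("reports-bucket", "read"), ("build-repo", "read")},     # missing a role permission
    "carol": {("reports-bucket", "read"), ("reports-bucket", "write"),
              ("reports-bucket", "modify"), ("iam-config", "modify")},
    "dave":  {("build-repo", "read")},  # cloud principal with no enterprise role
}

@dataclass
class Deviation:
    user: str
    excess: set = field(default_factory=set)   # granted in cloud, not by any role
    missing: set = field(default_factory=set)  # granted by a role, absent in cloud

def expected_permissions(user, user_roles, role_permissions):
    """Union of the permissions implied by every role assigned to the user."""
    expected = set()
    for role in user_roles.get(user, set()):
        expected |= role_permissions.get(role, set())
    return expected

def find_deviations(cloud_snapshot, user_roles, role_permissions):
    """Compare each principal's effective cloud permissions with its role-derived set."""
    deviations = []
    for user in sorted(set(cloud_snapshot) | set(user_roles)):
        expected = expected_permissions(user, user_roles, role_permissions)
        actual = cloud_snapshot.get(user, set())
        excess, missing = actual - expected, expected - actual
        if excess or missing:
            deviations.append(Deviation(user, excess, missing))
    return deviations

def escalations(deviations):
    """Users holding cloud permissions that no enterprise role grants them."""
    return {d.user: d.excess for d in deviations if d.excess}

if __name__ == "__main__":
    for d in find_deviations(CLOUD_SNAPSHOT, USER_ROLES, ROLE_PERMISSIONS):
        print(d)
```

Run against a real snapshot, the `excess` sets are the ones worth alerting on first, since they are exactly the escalations the background says administrators tend to miss.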