Cloud computing technologies are broadly applicable in many technological fields. As a result, many organizations worldwide are using cloud technologies, such as AMAZON WEB SERVICES, MICROSOFT AZURE, and others. Reliance on a cloud computing implementation of an application architecture can reduce development times and development costs, while increasing the flexibility and scalability of applications. But cloud computing implementations add a new layer of security risks. A cloud-based infrastructure can be made up of many individual roles, users, services, machines, and other identities. Some privileged identities will be capable of making substantial changes to the cloud infrastructure, or of accessing sensitive protected data. These privileged entities must be secured, and the principle of least privilege is one potential way of doing so effectively.
Current approaches for assigning privileges in cloud environments are not user friendly and pose security risks. As a result, organizations often employ simple permission policies that give entities more permissions than they need, for example by granting the same permissions to every entity in a group. Such permission policies enable attackers to move laterally and escalate privileges within the environment with little effort. Further, in some organizations, once privileges are granted to an identity they are never revoked, even after the identity ceases using or needing them. This also poses security risks, since it leaves identities with more privileges than they need.
Consequently, systems and methods are required for automatically implementing a least-privilege model in an environment and for incentivizing organizations to maintain and implement a secure permissions policy. Such systems and methods can enable automatic determination of the most privileged identities in the network environment. These identities can then be targeted for additional management and protection.
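As an added illustration of the two problems described above (group-wide grants that exceed what each member uses, and grants that are never revoked) and of ranking the most privileged identities, the following is example code, not the patented system's own method. The identities, group grants, action weights and observed-use records are constructed sample data, not taken from any real environment.

```python
from fnmatch import fnmatch

# Constructed sample: two groups, three identities, and a window of observed actions.
GROUP_GRANTS = {
    "developers": {"s3:GetObject", "s3:PutObject", "ec2:StartInstances"},
    "admins": {"iam:CreateUser", "iam:AttachRolePolicy", "s3:*"},
}
IDENTITIES = {
    "alice": {"groups": ["developers"], "direct": set()},
    "bob": {"groups": ["developers", "admins"], "direct": {"kms:Decrypt"}},
    "ci-role": {"groups": [], "direct": {"s3:GetObject", "ec2:StartInstances"}},
}
OBSERVED_USE = [  # (identity, action actually performed) over the review window
    ("alice", "s3:GetObject"),
    ("bob", "s3:GetObject"),
    ("ci-role", "s3:GetObject"),
    ("ci-role", "ec2:StartInstances"),
]
# Hypothetical risk weights per service prefix; identity management ranks highest.
SERVICE_WEIGHTS = {"iam:": 10, "kms:": 5, "s3:": 2, "ec2:": 2}
WILDCARD_FACTOR = 5  # a wildcard grant ("s3:*") counts as several concrete actions


def effective_permissions(name):
    """Union of direct grants and every grant inherited through group membership."""
    ident = IDENTITIES[name]
    perms = set(ident["direct"])
    for group in ident["groups"]:
        perms |= GROUP_GRANTS[group]
    return perms


def permission_weight(perm):
    base = next((w for prefix, w in SERVICE_WEIGHTS.items() if perm.startswith(prefix)), 1)
    return base * WILDCARD_FACTOR if perm.endswith("*") else base


def unused_permissions(name, observed=OBSERVED_USE):
    """Grants that no observed action exercised; candidates for revocation."""
    used_actions = {action for who, action in observed if who == name}
    return {p for p in effective_permissions(name)
            if not any(fnmatch(action, p) for action in used_actions)}


def rank_identities():
    """Most privileged identities first: sum of weights over effective grants."""
    scores = {n: sum(permission_weight(p) for p in effective_permissions(n)) for n in IDENTITIES}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_identities():
        print(f"{name}: score={score} unused={sorted(unused_permissions(name))}")
```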