Risky Identities: Transfers & Terminations

March 3, 2022
by Paul Roberts
Zilla automates transfers and termination policie

Shadowy cyber criminal and ransomware gangs may be scary. But your biggest cloud risk likely comes from people you already know: current and former employees with access to sensitive systems and data.

When more than 450 virtual machines running Cisco’s WebEx Teams application unexpectedly crashed in late September of 2018, the impact was felt immediately. Around 16,000 WebEx Teams accounts went offline – some for up to two weeks. The company scrambled to fix the damage, incurring around $1.4 million in overtime costs as employees rushed to restore the WebEx Teams accounts. Cisco ultimately refunded another $1 million to affected customers for the loss of service.

Chaos In the Cloud

The cause of the outage? The usual suspects were quickly ruled out: ransomware- or cybercriminal gangs; a flawed software update or an inadvertent error by support staff. Rather, investigation by Cisco – and law enforcement – zeroed in on an unlikely source: a longtime employee who had resigned in April, 2018, five months before the attack.

That employee, Sudhish Kasaba Ramesh, eventually pleaded guilty in federal court to the crime of intentionally accessing a protected computer without authorization and causing damage. According to the plea agreement, Ramesh admitted to intentionally accessing Cisco Systems’ Amazon Web Services cloud infrastructure without the company’s permission and deploying code he developed that resulted in the deletion of 456 virtual machines running WebEx Teams.

We can only guess at Ramesh’s intentions in uploading destructive code to his former employer’s cloud infrastructure. But the bigger question for Cisco and companies like it is ‘how was a highly privileged former employee like Ramesh still able to access critical company cloud assets more than four months after he resigned his position?

When Termination Isn’t the End

The answer is that companies often fail to adequately manage the access permissions not just for former employees and contractors, but for their current employees. Former employees like Ramesh frequently retain permissions to access corporate IT resources long after they’ve parted ways with an employer. And active employees can easily end up accumulating broad access to sensitive systems and data as they take on new responsibilities during their tenure at a firm. This is especially true with the advent of hybrid IT environments that blend both physical and cloud based assets within enterprises.

The case of Ramesh and the Cisco WebEx Teams incident is just the latest example of an organization paying the price for poor oversight of employee access. In December, 2021, for example, a 36 year-old Oregon man, Nickolas Sharp, was charged with stealing and leaking gigabytes of confidential files from his employer, a “New York-based technology company” that was identified in news reports as Ubiquiti, a maker of high performance networking gear.  At the time, Sharp worked as a Cloud Lead at Ubiquiti and had formerly worked as a software development engineer at Amazon.

According to a statement published by the Department of Justice, “Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly $2 million ransom demand.” He was identified only after a temporary power outage during the incident briefly disabled the VPN service he was using to access Ubiquiti’s network and revealed the IP address of his home network.

Transfers and Terminations — Mover and Leaver risks

For the organizations that are victimized in such incidents, the moral of the story is clear. They need to do a better job managing user entitlements, with particular attention to issues like employee departures (terminations, resignations) and what might be termed “entitlement accretion” – the gradual accumulation of permissions as employees in good standing take on new roles and move vertically or laterally within the organization.

As with orphan accounts, the challenge here is easy to understand. Highly privileged users like IT administrators and senior developers may maintain credentials for scores of internal and cloud based applications during their tenure with an organization. However, without an accurate and up to date record of user entitlements, even as straight-forward a matter as de-provisioning an employee who has been fired or who resigned can become fiendishly complicated. That’s especially true with hybrid IT environments that add cloud-based infrastructure like Amazon Web Services (AWS) to the mix. Access to such infrastructure may be managed separately from access to an organization’s internal environment and applications, or by way of third party APIs that can be difficult to isolate from normal (authorized) activity. 

“Handling transfers and terminations requires comprehensive knowledge of both user entitlements and how applications are configured for access.”

Deepak Taneja, CEO and Co-founder Zilla Security

At Cisco: Cloud Access Lingered

That appears to be what happened in the case of Ramesh, the former Cisco employee. Court documents show that Ramesh was part of the WebEx platform team “focused on automation, access to data, and logging metrics” while at Cisco. “As a member of the platform team, he possessed the access key for Cisco’s WebEx Teams application that was maintained on servers hosted by Amazon Web Services.” While Ramesh parted ways with Cisco in April of 2018, however, he retained his AWS access key through a Google Cloud Platform account he controlled. That allowed him to issue commands that deleted approximately 456 servers, resulting in the complete shutdown of the WebEx Teams application in September of that year.

The Fix: Automation to the Rescue

Confronted with increasing complexity, organizations need new tools (and partners) to help them keep their environment and data secure. Simply: spreadsheets and manual tracking of users and entitlements can’t scale to accommodate the complexity of modern, hybrid IT environments. Furthermore, the costs of mistakes and oversights are rising – as the incidents at Cisco and Ubiquiti make clear.

The only way out is automation!  Let’s consider how automation can help when an employee transfer or termination occurs.  Most organizations today maintain HR applications like Workday, Paylocity or BambooHR, that serve as a source of truth for every user’s business profile. When a transfer occurs, organizations usually expect a user’s new supervisor to decide what permissions the user should carry forward. The new supervisor is the only person in the organization who has the business context to make these decisions.

What’s needed is a way to monitor these HR applications and detect user lifecycle events when they occur, and trigger policies that ensure user application accounts and permissions across the IT environment are deactivated, removed, or modified as needed. For example, organizations might schedule a weekly “transfer review” that sweeps permissions for all transfers detected during the week into a single access review in which supervisors review transferee permissions.

Layers of Complexity with Terminations

Of course, handling terminations can be complicated and relying on automation to deactivate a terminated user’s account in a centralized identity or single-sign-on (SSO) provider like Azure AD or Okta is never enough. That’s because:

  • Users may have access to applications that have not been onboarded for SSO
  • Applications may be configured to support both SSO as well as direct password-based access
  • An SSO provider may expect to use SCIM (System for Cross Domain Identity Management)  connectors to de-provision application accounts, but only a small fraction of SaaS applications have built-in SCIM support or the APIs to support a SCIM gateway.

In all these cases, automated de-provisioning of terminated users leaves these permissions untouched and open to account takeover attacks. Another issue for some applications is that shutting off SSO and removing accounts is not enough; the application owner or user’s supervisor may need to take specific actions to preserve a terminated user’s account data.

Without proper automation, the complexity of all these use cases invariably results in either a ton of manual work aided by spreadsheets and emails, or serious vulnerabilities.  Zilla’s technology handles all the use cases mentioned above through transfer policies or termination policies that trigger appropriate workflows.

Identity providers that claim to support identity lifecycle management but really, only provide centralized authentication and SSO, don’t have the context Zilla does. Zilla is fully aware of every single account, resource, and fine-grained permission every user has, as well as how every application is configured. Zilla truly has the context to support transfers and terminations.

Before they begin working with Zilla, organizations find that accounts linked to former employees turn up frequently in audits, as does evidence of current employees who have retained no longer needed permissions from a prior role. With Zilla, automated transfer and termination policies make regulatory compliance easy, and dramatically reduce mover and leaver risks.

Conclusion

Your organization benefits tremendously from the power and capabilities that cloud-based applications and infrastructure provides. But it needs to address the greater risk that comes with a reliance on cloud based platforms and applications. That includes new tools and capabilities to properly manage cloud access and entitlements.

Got Questions? Talk to Zilla! 

Interested in learning more about how Zilla helps companies achieve access security and compliance in a cloud-first world? Contact us today.