
Dome9 Automates Permissions for Multiple AWS Accounts

Apr 28th, 2016 5:06am by

Dome9 Security, one of the newest Amazon Web Services security partners, has launched “IAM Safe,” a blanket identity and access management cloud service to help enterprises bring order to the chaos of managing access to multiple AWS accounts.

It can thwart “man-in-the-middle” and “man-in-the-browser” attacks, as well as damage created through lost or compromised credentials.

Dome9 CEO and co-founder Zohar Alon praises the robustness of AWS security offerings but says enterprises need help on their end.

“The dilemma is not when you have one or five enterprise AWS accounts, but when your enterprise has 100 AWS accounts,” he said, adding that Dome9’s SaaS offerings provide a way to automate security policies.


IAM Safe is the way you grant permissions and authorize any number of people and processes across your infrastructure.

“You have hundreds of developers who need access to the system, and every one of them can get numerous types of permissions across regions and Amazon accounts. Once you are authenticated, you can inherit so many capabilities across so many different realms and geographies. That’s a huge problem to solve.

“AWS gives you the granular ability to say what those permissions and processes can be, but you can get lost in that granularity,” he said. “IAM Safe tries to make order in the mess.”

In addition to attackers who use “man-in-the-middle” or “man-in-the-browser” attacks to commandeer companies’ whole infrastructure, he predicts it won’t be long before we see ransomware for cloud services.

He explained the service this way:

The customer builds a one-time trust with the AWS account; then Dome9 offers a policy builder that maps 1,600 activities to what is above the line and those below the line. Everything above the line requires an extra level of authorization. Then it sets policy for all the people, machines, and processes.

It includes a mobile app, available for Android and iOS, on which users must click, within two minutes, to complete above-the-line activities.

If an unauthorized person attempts an above-the-line activity, the service sends an alert that the user’s identity was just used for that activity without the mobile app. An authorized person can tap the app to proceed, but an unauthorized person would be denied.

You could allow only superusers who are authorized to perform above-the-line activities to have access to the mobile application to limit further access. Requiring the mobile app can help prevent one employee from sharing credentials with another unauthorized employee, he said.

You also can implement two-person authorization, in which both the department head and team member must authorize specific actions through the mobile application.
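The flow described above can be modelled in a few lines of Python. This is an added illustration, not Dome9's code or API: the policy entries, user names and function names are hypothetical, and only the above/below-the-line split, the two-minute window and the two-person rule come from the article.

```python
"""Toy model of "above the line" step-up authorization (illustrative only)."""
from dataclasses import dataclass, field

APPROVAL_WINDOW_S = 120  # the article's two-minute window for the mobile tap

# Constructed sample policy: actions listed here are "above the line".
# "single" = requester's own tap; "dual" = requester plus a department head.
POLICY = {"iam:CreateAccessKey": "single", "s3:DeleteBucket": "dual"}
ENROLLED = {"alice", "dana"}   # hypothetical users holding the mobile app
DEPARTMENT_HEADS = {"dana"}    # hypothetical second approvers


@dataclass
class Request:
    user: str
    action: str
    requested_at: float                       # seconds
    taps: dict = field(default_factory=dict)  # approver -> tap time (seconds)


def _tapped_in_window(req, approver):
    # A tap counts only if it comes from an enrolled device holder and
    # lands no later than two minutes after the request was made.
    t = req.taps.get(approver)
    return (approver in ENROLLED and t is not None
            and 0 <= t - req.requested_at <= APPROVAL_WINDOW_S)


def evaluate(req):
    """Return (decision, alert); alert is None unless the request is denied."""
    mode = POLICY.get(req.action)
    if mode is None:
        return "allow", None  # below the line: no extra authorization
    if not _tapped_in_window(req, req.user):
        # Covers stolen or shared credentials: valid login, no app confirmation.
        return "deny", f"{req.user}: {req.action} attempted without app confirmation"
    if mode == "dual" and not any(
        _tapped_in_window(req, head) for head in DEPARTMENT_HEADS - {req.user}
    ):
        # A department head cannot act as their own second approver.
        return "deny", f"{req.action} by {req.user} lacks department-head approval"
    return "allow", None
```

A denied request returns the alert text alongside the decision, so a caller can log or forward it.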

Unauthorized access remains a leading cause of cyber attacks, according to IBM’s latest report, with insiders carrying out those attacks in 60 percent of cases.

In a recent survey from security vendor Rapid7, 90 percent of security pros said they are worried about the rash of breaches related to compromised credentials, and 60 percent said they cannot detect these kinds of attacks.

Stolen credentials have been blamed for major breaches at Target, health insurer Anthem, the U.S. government’s Office of Personnel Management and even the Naughty America porn production house. A jury recently awarded health records vendor Epic Systems $940 million in damages in a trade secret lawsuit against Tata Consultancy Services (TCS) that involved fraudulent use of credentials.

DB Networks also recently added a new capability to its database security solutions to thwart the use of stolen account credentials. It’s an issue Microsoft has addressed as well.

Dome9 announced in February that it had achieved membership in the Amazon Web Services Security Competency program and ISO 27001 certification. Based in Menlo Park, Calif., it also has an R&D center in Israel. In October, it raised $8.3 million in Series B financing, raising total funding to $12.8 million.

Dome9 has more than 200 customers, including Apigee, Citrix, Cloud Technology Partners and Tradair. In addition to AWS, its offerings work on Microsoft Azure, IBM SoftLayer, Google Cloud Platform, Rackspace, and HP Cloud infrastructure.

Feature Image: “Requiring Authorization” by Helgi Halldórsson, licensed under CC BY-SA 2.0.
