top | item 38516992

(no title)

Do you think humans are doing a better job? Research shows that 95% of the permissions granted to users aren't used which creates huge problems and is a reason for spending millions in security tools. Why not use Slauth and other checks such as policy simulators to get tightened policies pre-deployed

discuss

verdverm|2 years ago

I'm not your target user, I don't feel the priority on this problem even though our permissions are more permissive than we'd like. Thing is, to rein them in typically requires application changes. You cannot just sprinkle magic LLM dust on IAM and make things better.

My concern is for those who blindly trust LLMs. Security posturing is not the place to be an early adopter of AI tools. You have to understand both IAM and system architecture to know if what the LLM is saying is correct, so where does that leave us?

I think they can be an extra pair of eyes, but not the driver. Still, there is a signal to noise problem that remains, due to the inherent hallucinations.

wg0|2 years ago

Absolutely not. Anywhere where accuracy, precision and safety matters, throwing LLMs in the mix is irresponsible IMHO or being too optimistic or possibly not understanding how these giant arrays of floating point numbers work or just hoping for the best.

Similarly, LLMs used for SQL generation meant for business analytics is also a critical area where if numbers are wrong, it might lead to a business going bankrupt.

For Prototype, fun exercise, sure go all in.

DanielSlauth|2 years ago

First of all its pretty awesome your permissions are very tight. You are definitely on the other side of the spectrum compared to the rest. I get it that there is a lot of skepticism because of people hyping LLM's so indeed for now we use it as Copilot and not the driver. Hopefully you can agree though its pretty random that we are still manually creating IAM policies and need to get accustomed with the thousands of different permissions :)

thehucklecat|2 years ago

what kind of application changes are you thinking it would equire?

my policies are definitely too broad, but feels like I should be able to tighten them up without changing code. (just potentially breaking things if I get it wrong and go too tight).

lijok|2 years ago

> Research shows that 95% of the permissions granted to users aren't used

These would be the "s3:*" and "Resources: *" scoped permissions I assume? I can't imagine users are explicitly typing out permissions, 95% of which are not relevant for the task.

> which creates huge problems

Such as? What is the material impact of a workflow or a user having too many permissions?

> and is a reason for spending millions in security tools

Are you claiming that overscoped IAM permissions alone are responsible for 1M+ security tooling bills in companies? Would you be willing to share information on which tools these are?

kkapelon|2 years ago

> Such as? What is the material impact of a workflow or a user having too many permissions?

Security obviously https://en.wikipedia.org/wiki/Principle_of_least_privilege

rtkwe|2 years ago

It's the constant tug of war between the idealized security status where users have just enough access to do their jobs and the fact that it's hard to know the precise access you need until you get the task at which point the idealized process of review to grant access takes too long and really drags down your development pace.

At my job for example we don't have a separate support team for the ETL work we do so I have a lot of access I don't use unless things are breaking and then I can't wait for the access approval process to get added to database XXX or bucket YYY to diagnose what data has broken our processes.

jsploit|2 years ago

> Research shows that 95% of the permissions granted to users aren't used which creates huge problems and is a reason for spending millions in security tools.

It'd potentially cost millions more to recover from a GPT-4 disaster.

milkshakes|2 years ago

that's a false dichotomy. there are approaches to this problem that are powered by neither humans nor LLMs -- see https://github.com/Netflix/Repokid as an example

jmathai|2 years ago

One challenge will be similar to self driving cars. The error / fatality rates need to be several orders of magnitude lower than for human operators for it to be acceptable.

candiddevmike|2 years ago

AWS and GCP already provide tools to show excess permissions...

verdverm|2 years ago

The pain there is often a pre-configured role with a slew of permissions was used and you actually need to craft a new role with the right permissions.

I wrote some code once to fetch all those preconfigured role permissions and then present them in a more digestible way