Permissive Access by Asset

Overview

The permissive access report lists assets that have one or more sources of permissive access.

What is Permissive Access?

Permissive access in SecureCloud refers to ingress access to an asset that is overly permissive; it is reported in the Dashboard and Asset Security Access. The criteria defining permissive access can vary from one situation to another, even in the same organization. In SecureCloud you can define permissive access in Risk Configuration and further refine the scope of reporting in Exceptions.

You can set one or both of two independent parameters to define permissive access - source subnet and services. If the actual access specified in the vendor's security controls is equal to or more permissive than any of these settings, it will be considered a violation of best practices.

Possible values for source subnet:

  • Any - the access is considered too permissive only when the cloud account's definition allows access from Any source IP
  • Larger than class A (default) - the access is considered too permissive only when the cloud account's definition allows access from a source subnet larger than a class A network
  • Larger than class B - the access is considered too permissive only when the source subnet is larger than a class B network
  • None - the source subnet is not taken into account when determining whether permitted access is too permissive

Possible values for services:

  • Any (default) - the access is considered too permissive only when Any is specified
  • Any and TCP/UDP:0-65535 - the access is considered too permissive only when Any, TCP:0-65535 or UDP:0-65535 is specified
  • None - the service is not taken into account when determining whether permitted access is too permissive
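The two settings above are independent thresholds applied to each ingress rule the cloud vendor's security controls expose. The following is an added example (not SecureCloud code) that evaluates a set of constructed security-group rules against those thresholds and derives the two report columns, the most permissive source and the most permissive service. It follows the page's wording that a rule violates when it is at least as permissive as any of the configured settings; where the boundary lies ("larger than class A" taken as strictly shorter than a /8, "larger than class B" as strictly shorter than a /16) and the IPv4-only scope are assumptions, as are the `IngressRule` and `Finding` names.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Source-subnet settings from Risk Configuration, mapped to the longest prefix
# length that still counts as too permissive. Assumption (the page does not say
# where the boundary lies): "larger than class A" means strictly larger than a
# /8, and "larger than class B" strictly larger than a /16. IPv4 only.
SOURCE_MAX_PREFIX = {
    "any": 0,                   # only 0.0.0.0/0 is flagged
    "larger_than_class_a": 7,   # /7 or shorter (the default setting)
    "larger_than_class_b": 15,  # /15 or shorter
    "none": None,               # source is not evaluated
}


@dataclass(frozen=True)
class IngressRule:
    """One ingress rule as a cloud vendor's security control would express it (hypothetical type)."""
    source: str          # CIDR, e.g. "0.0.0.0/0"
    protocol: str        # "any", "tcp", "udp", "icmp", ...
    port_from: int = 0
    port_to: int = 65535


@dataclass(frozen=True)
class Finding:
    rule: IngressRule
    permissive_source: bool
    permissive_service: bool


def source_is_permissive(rule: IngressRule, setting: str) -> bool:
    """True when the rule's source subnet is at least as large as the configured threshold."""
    max_prefix = SOURCE_MAX_PREFIX[setting]
    if max_prefix is None:
        return False
    return ip_network(rule.source, strict=False).prefixlen <= max_prefix


def service_is_permissive(rule: IngressRule, setting: str) -> bool:
    """True when the rule's service matches the configured service threshold."""
    if setting == "none":
        return False
    proto = rule.protocol.lower()
    if proto == "any":                      # flagged under both "any" and "any_and_full_range"
        return True
    if setting == "any_and_full_range":     # the page's "Any and TCP/UDP:0-65535"
        return proto in ("tcp", "udp") and rule.port_from == 0 and rule.port_to == 65535
    return False


def evaluate(rules, source_setting="larger_than_class_a", service_setting="any") -> List[Finding]:
    """Return a Finding for every rule that violates either threshold."""
    findings = []
    for rule in rules:
        src = source_is_permissive(rule, source_setting)
        svc = service_is_permissive(rule, service_setting)
        if src or svc:
            findings.append(Finding(rule, src, svc))
    return findings


def summarize(findings) -> Tuple[Optional[str], Optional[str]]:
    """Mirror the report's two columns: the most permissive source and service found."""
    sources = [f.rule.source for f in findings if f.permissive_source]
    most_source = min(sources, key=lambda s: ip_network(s, strict=False).prefixlen, default=None)
    services = []
    for f in findings:
        if f.permissive_service:
            p = f.rule.protocol.lower()
            services.append("Any" if p == "any" else f"{p.upper()}:{f.rule.port_from}-{f.rule.port_to}")
    # "Any" outranks a single protocol's full port range
    most_service = "Any" if "Any" in services else (services[0] if services else None)
    return most_source, most_service


# Constructed sample: one asset's security-group rules (not from the page)
SAMPLE_RULES = [
    IngressRule("0.0.0.0/0", "tcp", 22, 22),          # SSH from the whole internet
    IngressRule("10.0.0.0/8", "any"),                 # every service from a /8
    IngressRule("192.168.1.0/24", "tcp", 443, 443),   # tight rule, never flagged
    IngressRule("0.0.0.0/4", "udp", 0, 65535),        # every UDP port from a /4
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_RULES):
        print(finding)
    print(summarize(evaluate(SAMPLE_RULES)))
```

With the default settings the SSH rule is flagged for its source, the 10.0.0.0/8 rule for its service, and the /4 UDP rule for its source only; switching the service setting to the "Any and TCP/UDP:0-65535" variant additionally flags the UDP rule's service, and setting both parameters to None produces no findings at all.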

What Can I See Here?

The main screen section is a list of the assets showing the following information:

  • Asset: The asset's name

  • Account: The name of the cloud account with the vendor's icon - Amazon AWS, Microsoft Azure, Google Cloud

  • Internet access:

    Exists: The asset has access to the internet

    None: The asset doesn't have access to the internet

  • Permissive sources: The most permissive source of access allowed for the asset that matches the definitions in Risk Configuration and Exceptions

  • Permissive services: The most permissive service allowed for the asset that matches the definitions in Risk Configuration and Exceptions

What Can I Do Here?

Add an Exception

In SecureCloud, an exception is a user-defined condition that causes SecureCloud to ignore certain policy violations. The existence of an exception can change the statistical data displayed on the Dashboard and also suppress warnings from appearing elsewhere in the product, such as screen elements appearing in red and warning icons on assets. In other cases, properties that would have constituted a violation are displayed in a strike-through font to indicate they are currently not considered violations of policy. The change in behavior caused by the exception is canceled if the exception is deleted. A single exception can define only a simple set of criteria. However, you can create as many exceptions as you like.

A permissive access exception defines a more specific case of a definition made in risk configuration to be excluded from being considered a violation.

To add an exception:

  1. Hover over the desired asset and click on Add exception. The Add Exception window appears.

  2. Complete the exception details.

    Exception Name: A name of your choice.

    Violation Type: Risky port. This cannot be changed.

    Violation Details: All ports identified as violations are shown and selected by default. If there is more than one port, you can unselect any ports you don't want to include in the exception. If only one port is shown, it cannot be unselected. Press Escape to continue.

    Asset Scope: The assets to be included in the exception. Select one:

    • Asset tags - all assets having the exact same tags as this asset
    • Cloud account - all assets in the cloud account in which this asset is located
    • All cloud accounts - all cloud accounts monitored by SecureCloud

    You can click View all assets in scope to view all assets that will be affected by this exception.

    Description: Optional text of your choice.

  3. Click Add to save.

Once added, exceptions can be viewed in Exceptions, where they can be deleted if desired.

How Do I Get Here?

Main Menu > Dashboard > Permissive Access widget