arthead - stock.adobe.com
How Amazon's decision to ditch Active Directory paid off
Amazon's decision to build its own identity and access management system was an expensive one, but an infamous supply chain attack validated the move.
When Amazon made the pivotal decision to build its own identity and access management system years ago, it was a costly and somewhat controversial move within the company -- but one that paid off enormously.
At the AWS re:Inforce security conference last week, AWS executives highlighted the company's strong security culture as the primary differentiator for the cloud giant. Executives continually emphasized that AWS' security culture was built up over many years, with consistent focus and steady investments. One such investment was Midway, the company's homegrown and somewhat obscure platform for authenticating Amazon employees.
Several years ago, Amazon made the decision to migrate from Microsoft's Active Directory and build its own identity and access management (IAM) system. It wasn't an easy one, according to C.J. Moses, vice president of security engineering and CISO at Amazon. "Everybody hated us because we spent a lot of money and did a lot of stuff that they thought was crazy," he said. "And later on, it turned out, we weren't crazy. We might have been paranoid, but [with] good reason."
The validation for the Midway investment came in December 2020 with the discovery of the SolarWinds supply chain attack. FireEye reported that a nation-state threat group had gained access to SolarWinds' network and placed backdoors in software updates for the company's Orion IT monitoring and management product. The threat group -- later revealed to be Russia's APT29, also known as Cozy Bear and Midnight Blizzard -- used the backdoors to breach more than 100 downstream customer organizations, including several U.S. federal government agencies.
At the time, Microsoft also issued a security advisory about the SolarWinds attacks that detailed how threat actors gained administrative access to Azure cloud environments by forging Security Assertion Markup Language (SAML) tokens using compromised signing certificates. The attacks were the first known exploitation of "Golden SAML," an attack technique that researchers at CyberArk discovered in 2017.
Golden SAML allows attackers with privileged network access to compromise any application or service that supports SAML authentication by forging authentication objects. Attackers can also use the technique to impersonate nearly any identity in the targeted organization and elevate privileges.
While it's not specific to Microsoft, Golden SAML posed significant threats to Active Directory. As CrowdStrike detailed at an RSA Conference 2021 session, Microsoft's Active Directory Federation Services (AD FS) uses a domain-joined model to authenticate SAML tokens. As a result, one compromised domain administrator account could be used to move laterally to AD FS and access other domains and cloud services such as Microsoft 365 and Azure.
Warning signs for Microsoft
After CyberArk published its research on Golden SAML in 2017, security researchers warned that the attack technique was a serious threat, particularly for environments with AD FS, and that additional steps were needed to protect customer networks.
CyberArk's research also caught the attention of some within Microsoft. According to a ProPublica report last week, former Microsoft employee Andrew Harris said the company dismissed his warnings about Golden SAML for years. He said while he believed the technique represented a major risk for customers that the Microsoft Security Response Center needed to address, the company repeatedly opted not to take any action on Golden SAML because it did not consider the issue to be a software vulnerability or a "security boundary."
Harris told ProPublica that his fears about Golden SAML were realized with the SolarWinds attacks. While Microsoft later implemented mitigations for the technique, Harris criticized his former employer for not acting before the attacks and failing to inform customers of the risks Golden SAML posed to AD FS.
Moses told TechTarget Editorial that the SolarWinds attacks were a pivotal event that showed Amazon had made the right decision to migrate from Active Directory. "By [moving to Midway] proactively ahead of time, and not trusting the industry standard software that was out there and Microsoft's authentication, that investment was a big win, a good news story," he said.
AWS officials said their concerns about Golden SAML were one of many reasons the company decided to create Midway and take greater ownership and control of its security infrastructure. Moses said Amazon's long-developed security culture not only drove the move to Midway, but also helped the cloud giant avoid many of the incidents and security issues that have plagued other cloud providers.
"All of that work has now, time after time, turned into situations where other cloud providers and other [technology] companies have run into security issues, and we obviously knock on wood every time we avoid them," he said. "You have to be careful as to how much you revel in the fact that you weren't hit, because it could be you any minute, now or tomorrow. But in our case, a lot of the reasons why we have such good luck is because of all the preparation that's been done over the years."
Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.