There’s almost universal consensus that perimeter-centric security is insufficient for today’s distributed IT environments. But where debate amongst IT pros and vendors now rages is whether the optimal enterprise security approach today is application-centric, data-centric, or identity-centric. Data-centric and application-centric approaches have merit, but each can be undermined simply by the wrong identity accessing data, applications, or other resources. This blog will analyze 10 diverse data points that help make the case for an identity-centric approach.
Keep in mind, an identity-centric, or identity-based/identity-defined, security approach is not meant to promote an identity-only security approach. Without question, data security, application security, and many other security strategies and technologies outside identity governance are all essential to manage risk and achieve compliance. The identity-centric security approach is, arguably, the model with the most momentum. In simple terms, identity management is about enabling the 5 A’s—Authentication, Authorization, Access to data, Auditing, Accountability—but of course, “simple” is not an apt descriptor for almost any modern enterprise IT environment. Identity-centric entails centrally managing roles, policies, access control, and privileges across the disparate, far-flung pieces of today’s enterprises, and, importantly integrating the IAM infrastructure across the enterprise cybersecurity estate. This requires knocking down organizational silos and barriers to streamline identity management throughout the IT environment. Identity-defined security emphasizes that, only with the integration of disparate directory services, applications, databases, networks, and resources can organizations understand and enforce who a user is, what they are allowed to do, where and with what they can do it, and whether their actions are appropriate or not given the context. And integration of the identity management tools/data (i.e. privileged session analytics) with other enterprise tools, such as SIEMs, CASBs, etc. is essential to getting the context part right.
For those who want to really sink their teeth into understanding everything they need to know about protecting against identity-based attacks and centralizing security around identity, there’s perhaps no greater resource than the new book: Identity Attack Vectors: Implementing an Effective Identity and Access Management Solution. Co-authored by Morey J. Haber (CTO/CISO at BeyondTrust) and Darran Rolls (CTO at SailPoint), who have many decades of combined IT experience across identity-related disciplines (IAM, PAM, etc.), the book covers identity management in breadth and depth—from fundamentals to attack methods to successful solution implementations, while managing to stay very approachable..
What Data Points from 10 Different Vendor Sources Tell Us About the Identity Challenge
Let’s explore what insights can be obtained from recent research, organized across four different aspects of enterprise identities: Identities, Access/Privileges/Privileged Identities, Vendor/Third-party Identities, and Insiders. While I selected 10 different respected research sources for this analysis, there are many others I could have picked from. What’s interesting in reviewing the various research is that there is a convergence of data on identity and sub-topics, with similar data and recurrent themes surfacing.
Identities
- 52% of IT security decision-makers claim identities have increased more than five-fold in the past 10 years. [IDSA State of Identity Report]
According to the IDSA (Identity-Defined Security Alliance) research, more than half of organizations have experienced a 5-fold growth in identities in the last decade. This is what people mean when they talk about the “explosion in identities.” It’s not hyperbole. Part of this increase is driven by growing headcounts and the long-underway trend toward a more digital workforce, but it’s mostly driven by mobile devices, IoT, machines, software robots, cloud platforms/applications, and services.
Organizations are struggling not only in finding, onboarding, and securing identities, but also with fundamental questions such as: What has an identity, what doesn’t? How many accounts can a single identity have? Does it make a difference depending on the type of identity (human versus AI chatbot, software robot, etc.)?
- 65% of companies have over 1,000 stale user accounts [2018 Global Data Risk Report, Varonis]
As the Varonis data point highlights, stale user accounts proliferate. Many other studies confirm this. These could be orphaned accounts created when an employee changes roles or leaves the company, or from a temporary employee or vendor. Or, it could be a disused, but not de-provisioned, machine identity. It’s likely no one is watching these stale and/or orphaned accounts, though cyber threat actors are certainly looking for them. Of course, if these stale accounts are privileged, they can fast-track an attacker’s access to sensitive resources.
- The number of different accounts associated with the average business user has been estimated as high as 191 [Password Expose Report, LastPass]
Note that the 191 number reported by LastPass does not even include privileged accounts. With so many passwords and accounts, you can bet that password reuse, simple passwords, and other risky password practices are rampant. Are those passwords getting onboarded, secured, and managed? Most likely, only a small percentage of those passwords are under adequate, centralized control.
- More than 99 percent of threats observed required human interaction to infect user devices [2019 Human Factor Report, Proofpoint]
Any way you slice it, humans and human identities are central to IT risk, and to securing organizations against attacks. Properly controlling identities, especially with regard to privileged access (more on that below), can prevent, or at least mitigate, most human and identity-based risks—phishing attacks included.
Access, Privileges, Privileged Identities
- Over 80% of cyberattacks involve privileged credentials [The Forrester Wave™: Privileged Identity Management, Q4 2018]
This Forrester stat has been around for several years now and was reiterated in their most recent PIM Wave report. Still, it’s powerful and part of a diverse body of research validating that exploitation of privileged credentials/privileged access plays a role in almost every cybersecurity breach incident today. Privileges are exploited, or stolen credentials are used, to gain initial access to an environment. Once inside the IT environment, other privileges may be used to move around (lateral movement) and gain more access/privilege, compromise additional identities, and control assets. Basic PAM technologies and best practices such as privileged credential management (i.e. rotation, eliminating default/re-used credentials, etc.), and enforcing least privilege and just-in-time privileged access, could drastically slash the number and impact of breaches here.
- Privilege misuse is one of the top-3 threat patterns most often associated with breaches [2019 Data Breach Investigations Report, Verizon]
The most recent Verizon DBIR published a number of findings related to privilege exploitation. Keep in mind, attackers typically make use of multiple threat patterns across various stages of a cyberattack. With the right identity management controls, such as PAM, organizations can break the cyberattack chain at multiple links, helping to at least limit the attack’s damage, if not outright preventing it.
- 70 percent of all attacks involve attempts to laterally move across the network [Global Incidence Response Threat Report, Carbon Black, July 2019]
Many other studies validate Carbon Black’s data point about lateral movement being a key part of the cyberattack chain. With that said, it’s curious to me that lateral movement rarely makes the headlines or even the body of cyberbreach news articles. It should. Again, identity-based security controls around access management and least privilege can minimize lateral movement, slowing an intruder and limiting their damage. Frequent password rotation can also help ensure that, if an attacker has gained initial access through stolen credentials, their access is time-limited.
Vendor Access & Third-Party Identities
- Organizations have, on average, 182 vendors logging into their systems every week [Privileged Access Threat Report 2019, BeyondTrust]
- On average, companies share confidential and sensitive information with approximately 583 third parties [2018 Third-Party Data Risk Study, Opus & Ponemon Institute]
Let’s lump together the two data points above from BeyondTrust and from Opus & Ponemon Institute. One area that has long remained a struggle for most companies is ensuring secure remote access—whether for remote workers or vendors. VPNs and many other commonly used technologies simply don’t offer the granular security controls needed. Ideally, an organization wants to extend the best practices they uphold within their perimeter beyond their perimeter as well. Where identities are concerned, this means ensuring only the right identity has access to the right resources, and within the right context.
Again, with vendor access and remote access, the best data and application security technologies can only protect you so far. To ensure the right identity is doing the right things with the vendor account, you need to apply basic identity management and privileged identity controls such as enforcing least privilege, rotating passwords or one-time passwords to limit damage of stolen credentials. Session management and monitoring should also be layered on to audit and control every vendor/remote access-initiated session activity.
Interestingly, the Opus/Ponemon report found that 59% of companies incurred a breach due to a vendor, while the BeyondTrust report put that number at 58%. The closeness of these two numbers from two totally different sources gives me high confidence in them. Hopefully, others too are starting to look beyond VPNs to better secure and manage vendor identities.
Insiders
- 60% of companies experienced insider attacks in the last year [Insider Threat Report 2019, Nucleus Cyber & Cybersecurity Insiders]
Finally, the threat no one likes to directly confront – insiders. Most security defenses are focused on keeping outsiders (malware, external attackers, etc.) out. Their value is null or limited in the face of an insider, who may be especially dangerous because they have the know-how to move around the environment, no one (usually) is suspicious of them, and they know where the value lies inside the organization. When the insider is over-provisioned with privileges, which is often the case, the potential for damage is high. Identity-based security controls are the best defense for protecting against, or at least mitigating, insider threats—both intentional and inadvertent. Access management, removing admin rights and layering on least privilege, enforcing separation of privilege and separation of duties in roles, and managing/monitoring privileged sessions are just a few of the identity-centric controls that can help protect against insider threats. These same controls also protect against external threats that breach the perimeter defense to establish an internal foothold that essentially make them an “insider.”
Identity-based Security for the Masses
Identity is almost invariably a factor in every cyber breach event today. Regardless of whether an organization chooses to centralize security around identities or something else, to endure as a digital enterprise in the modern era—from both a security and compliance standpoint—modern identity governance strategies and controls are a must. A key part of this involves ensuring security and identity leadership and budgets are aligned, and that identity-based technology talks to other security and analytics technologies across the enterprise.
Get started with identity-centric security: https://www.idsalliance.org/get-started/
About the Author: Matt Miller is Senior Content Marketing Manager at BeyondTrust. Prior to BeyondTrust, he developed and executed marketing strategies on cybersecurity and cloud technologies in roles at Accelerite (a business unit of Persistent Systems), WatchGuard Technologies, and Microsoft. Earlier in his career Matt held various roles in IR, marketing, and corporate communications in the biotech / biopharmaceutical industry. His experience and interests traverse cyber security, cloud / virtualization, IoT, economics, information governance, and risk management. He is also an avid homebrewer (working toward his Black Belt in beer) and writer.