We all recognize that trends such as cloud computing, the explosion of devices (i.e. IoT) and applications, and the emergence of software machines have propelled a substantive increase in the identities that enterprises must manage. The IDSA State of Identity Report released last month helps put this growth in perspective. According to the report, 52% of IT security decision-makers claim identities have increased more than five-fold in the past 10 years. The top technological drivers cited for this growth were, unsurprisingly, mobile devices (76%), enterprise-connected devices (60%), cloud applications (59%), automation (36%), and containers (25%).
The number of different accounts associated with the average business user has been on a steeply upward trajectory for years and has been estimated as high as 191, and that doesn’t even take into consideration privileged accounts, the highest-risk accounts in any environment. How are all those passwords getting onboarded, secured, and managed? Largely, they aren’t!
And the hallmarks of the aggressively burgeoning enterprise attack surface are unmistakable: a proliferation of unknown (or inadequately managed) identities, accounts, and assets, and the relentless rise of cyberattacks that draw blood. In this era of blurring network boundaries, edge computing, and mobility, IT risk management and security experts are coalescing around the premise that identity management should be the keystone of enterprise security today. Focusing security around an identity empowers enterprises to centrally manage roles, policies, access control, and privileges.
Need more convincing? Almost every successful (that means the threat actors win) cyberattack today exploits identity as an attack vector. In particular, privileged access management (PAM), a key component of identity governance and administration (IGA), plays a critical role in the attack chain. Forrester research estimates that privileged credentials are now implicated in over 80% of cyberattacks. By exploiting a privileged identity, a threat actor can fast-track access to an organization’s most sensitive assets. Threat actors commonly exploit vulnerabilities or use stolen credentials to gain a foothold, then leverage privilege to move laterally to procure new identities, access, and assets.
BeyondTrust thought leaders recently forewarned of the potential for a new wrinkle in identity-based attacks, coining the term “identity-theft royal flush”. These attacks aim to exploit and own every account an individual owns. Such attacks could involve attackers targeting all the accounts associated with an identity (human or non-human) and impersonating users, potentially even leveraging elements of AI or deepfake technology. The rise of identity-theft royal flush attacks poses a risk at both the corporate and personal-user levels. It also underscores the perils of credential re-use across multiple accounts for an identity.
While part of the identity management security challenge is technological, another part is organizational. At many enterprises, identity management and security run as parallel and separate entities, each with their own teams, budgets, and priorities. Throw in the variables of time and even modest scale, and invariably, this misalignment will not only create gaps that attackers all too willingly exploit, but also result in delayed detection of and response to breach events.
To ensure the most basic levels of security for corporate identities and assets, organizations must be able to clearly answer the following questions:
- Who is this user (Identity)?
- What do they have access to (Privilege)?
- What did they access (Asset)?
- Is that access secured (Privilege)?
- Is that asset secured (Asset)?
- Was the access in accordance with the user’s responsibilities (Identity)?
Yet, most IT teams struggle to consistently answer these questions across their enterprise.
New Identity Attack Vectors Book Arms IT & Security Pros with Modern Identity Management Know-How
The just-released book, Identity Attack Vectors: Implementing an Effective Identity and Access Management Solution, published by Apress, decodes the modern threat environment, putting the floodlights on identity. Co-authored by two of the world’s top thought leaders on IGA and PAM, Morey J. Haber, CTO/CISO at BeyondTrust, and Darran Rolls, CTO at SailPoint, the book covers identity management in breadth and depth, from basic definitions and concepts to attack methods to successful solution implementations, while managing to stay very approachable. For Haber, this marks the third in the trilogy of Attack Vector Books he has authored, including Privileged Attack Vectors and Asset Attack Vectors, providing the final segment of foundational material covering the three pillars of cybersecurity - Identity, Privilege, and Asset.
Readers will benefit from the authors’ refreshing candor, historical insights, and rich, educational anecdotes pulled from their decades of IT and security experience. Along a journey that touches on light-hearted subjects ranging from John Titor to Star Wars (R2D2’s over-provisioning of privileged access), readers will gain a firm understanding of:
- The concepts of identity, including how they differ from accounts.
- Techniques threat actors use to exploit gaps in IAM processes and compromise identities.
- How to successfully implement an identity governance program to manage both privileged and non-privileged identities and roles and provide certification for regulatory compliance.
- Where identity and privilege management controls play a critical part in the cyber kill chain, and how to leverage this understanding to create identity-based security best practices.
- How to successfully scope and implement an identity management program that prevents attack vectors, while meeting business objectives for an efficient and seamless operation.
The authors explore many other topics, helping you to answer questions such as:
- What has an identity, and what doesn’t?
- What are the implications of creating an account versus an identity first?
- While a single, human identity may be associated with multiple accounts, what about for machines, software robots, service accounts, Internet of things (IoT), and other technologies?
- What are the practical (realistic) use cases and limitations for zero trust, just-in-time privileged access, biometrics, and blockchain for mitigating threats?
Modern IAM solutions absolutely must communicate with the rest of the IT security environment to ensure consistent and comprehensive visibility and control over every identity—both human and machine. This necessitates integrating identity management technologies throughout the entire stack of cybersecurity technologies. Mature IAM processes, such as privilege management, can stop, or at least mitigate, an enormous range of threats, such as by enforcing least privilege and automating best practices for managing privileged credentials for human (including for vendors and remote users) and machine identities.
Want to be empowered and prepared to protect identities everywhere? Get the Identity Attack Vectors eBook on Amazon and learn how to protect your organization from identity-based attacks.
You can also hear from Haber and Rolls in this upcoming webinar: Deconstructing Identity as a Cyberattack Vector.
Matt Miller, Senior Content Marketing Manager, BeyondTrust
Matt Miller is a Senior Content Marketing Manager at BeyondTrust. Prior to BeyondTrust, he developed and executed marketing strategies on cyber security and cloud technologies in roles at Accelerite (a business unit of Persistent Systems), WatchGuard Technologies, and Microsoft. Earlier in his career Matt held various roles in IR, marketing, and corporate communications in the biotech / biopharmaceutical industry. His experience and interests traverse cyber security, cloud / virtualization, IoT, economics, information governance, and risk management. He is also an avid homebrewer (working toward his Black Belt in beer) and writer.