Vincent Goh, Senior Vice President, Asia Pacific and Japan, CyberArk
Organisations, industry observers and vendors have discussed a lot about the pace of change in technology rollout and adoption in recent months. We have seen how services provisions have been transformed, how rapidly new apps were deployed, how new workflows are developed, and new ways of serving customers were launched. Our sheer ability to adapt to changing conditions has been hugely impressive. Yet, this incredible advancement and technological adoption will demand a payoff. In fact, it has already created a payoff in the shape of identity-related security debt that is getting bigger and requiring settlement sooner than later.
The pivot to digital has been beneficial in many ways. However, it has forced us into a place where the nature of digital identity must be revisited and re-imagined into something that is much, much more than access. Within organisations, access is beyond the cumbersome exercise of getting permissions for people and Things such as machines, apps, servers, devices, to perform their roles or tasks.
To a certain degree, it has been recognised that some of these people and connections may have access permissions that need special attention. For instance, the CEO of a public company is granted specific rights to enable access to privileged information of all kinds. This privileged access is managed and secured to avoid disclosure of market-sensitive information before an earnings announcement.
However, what if market-sensitive information can be accessed by other means? What if a cyberattack compromises employee information and gains access to an executive’s payroll? For instance, seeing that no bonus was awarded for the year, the attacker can make that logical leap of faith and conclude that the company’s targets have not been achieved. The stock is likely to tank when this information is announced. In this scenario, the payroll’s administrator’s identity and access also become a problem. It has to be secured and managed in such a way that only they can access this privileged data.
Based on Accenture’s survey of 4,644 executives covering 24 industries and 16 countries across North and South America, Europe and Asia Pacific, 40 percent of security breaches are now indirect. With cyber threat actors targeting the weak links in the supply chain or business ecosystem, companies should consider the need to secure other things that can still be critical in the right circumstances.
More often, firms only secure the obvious routes to critical assets and tend to forget the backdoors, which can undermine the company’s cybersecurity strategies. In addition, there is the pervasive issue of lifecycle mismanagement. Access is granted to a user but when the user moves to another function, the permissions of the old function are not retired. In the on-premises world, the result is referred to as ‘orphaned’ permissions and, in the cloud, as ‘excessive’ permissions. This situation is also applicable to services that are no longer used. Unmanaged access associated with various human and non-human identities can be used by attackers to access potentially sensitive data and assets, like forgotten forest trails.
Over the last 15 months, in the rush to reposition – and in some cases simply survive – many organisations have encountered several challenges. With limited resources, IT teams have been managing their company’s digital infrastructure amidst growing business complexities and diminishing perimeter security walls. With this, many companies have moved to the cloud to perform the functions that on-premises infrastructure could no longer do. The move to the cloud may require the creation of new identities and new access rights. For an average-sized organisation, each new cloud service, collaboration tool or customer-facing application could mean hundreds if not thousands of new sets of credentials. For an attacker, new identities and access rights are ‘potential’ entry points. In the recent Solar Winds cybersecurity breach, the attackers utilised Golden Security Assertion Markup Language (SAML) attacks, modified trusted domains, abused privileged roles, stuffed credentials and hijacked Azure AD applications, which bypassed endpoint and network-based security controls, thus emphasising how crucial privileged identity management is to implement.
To further underscore the value of a robust identity management strategy, consider this: The Verizon 2021 Data Breach Investigations Report states that social engineering such as email phishing, and the use of stolen credentials were the top two actions taken by attackers in the 5,258 breaches studied, with privilege abuse featured in at least 60% of the breaches. Undoubtedly, the use of permissions, identities and access to progress an attack is so prevalent and firms must take solid steps to secure and manage access rights and privileges.
IT leaders planning for a hybrid future need to act fast and must be acutely aware of the identity-related risk that businesses face nowadays. Security teams should be a step ahead by anticipating potential security issues that can stem from access rights and user privileges, and creating behavioural change by training employees to take security and authentication seriously.
Over a short period of time, the scale and impact of identity-related security debt on businesses have been vast and quite alarming. How security professionals will address this will define how vulnerable our data and assets will be, at least, over the course of the rest of 2021 and into 2022.