In years past, identity and security fell under two different domains. Identity was usually owned somewhere between IT and HR, while security was, well, under security.
However, as more organizations have made the shift to the cloud and access to resources has become a question more of your credentials than where you are, the distinction between the folks wearing the identity and security hats during the past couple of years has begun to blur.
Now at the end of 2022, you have to squint pretty hard to tell them apart.
Simply put, security professionals understand now that identity has become an integral part of securing our valuable assets, and organizations are making the necessary shifts internally to meet these challenges.
The question is what has led us to this point of convergence and what does it mean for how organizations need to approach identity and access security in the year to come?
An Evolving Threat Landscape
The short answer to why we have seen such a significant change in recent years is that as we have shifted how we access our work environments, moving from on-prem to the cloud where identity is the key to accessing our data, attackers are showing themselves to be adept at targeting us there too.
This is a fact that “Identity at the Center” podcast host Jim McDonald says has become clearer. He told me, “We call our podcast ‘Identity at the Center’ because this trend has grown over time where identity is the last and primary control plane for securing IT assets.”
What McDonald explains is that the perimeter as we knew it is long gone because attackers are already inside.
And chances are they already have credentials to access your data. According to the Verizon Data Breach Investigations Report, 48% of breaches involved the illegitimate use of credentials.
With the right credentials and privileged access, an attacker — either an insider or a hacker who has taken control of the credentials — can access sensitive information and systems, causing harm to the organization, its products, and customers.
Given these risks, we see that along with its usefulness, the identity is also a liability whose risk has to be mitigated.
Identity and Access as Risk
Over-privileged identities, stale access, and privilege escalation: these terms are not new, but they have landed in the common lexicon like a ton of bricks in the past couple of years as identity has become a more significant security concern.
You only have to look at attacks like Colonial Pipeline, where privileged credentials for an unused account gave the attackers the access they needed to shut down oil supply for the East Coast, to see why security teams are making identity a priority up there with supply chain and ransomware.
A litany of incidents involving identities, including the recent Uber breach, have only added to the pressure for security teams to harden their identity security posture.
In practical terms, the first steps for hardening your posture mean looking at your apps and services to:
- Gain visibility across all their environments, including IaaS (AWS, Azure, GCP) and SaaS (GitHub, Salesforce, O365, G Suite, etc.)
- Identify access privileges that are excessive or gone stale and privilege escalation paths
- Reduce those privileges with the goal of achieving Least Privilege and narrowing their threat surface
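One way to carry out the second of these steps over an access inventory, as an added example that is not the author's or Authomize's code: it flags grants that were never used or have sat idle past a threshold, and searches "can assume" relationships between principals for paths that end at an admin role. The inventory, identity and role names, and the 90-day idle threshold are constructed assumptions for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample inventory (not real data): one entry per access grant, with the
# environment it lives in and the last time the grant was actually exercised.
NOW = datetime(2022, 12, 15)
GRANTS = [
    {"identity": "alice",      "env": "aws",    "perm": "s3:GetObject",      "last_used": "2022-12-10"},
    {"identity": "alice",      "env": "aws",    "perm": "iam:PutRolePolicy", "last_used": None},
    {"identity": "svc-backup", "env": "aws",    "perm": "s3:*",              "last_used": "2022-03-01"},
    {"identity": "bob",        "env": "github", "perm": "repo:admin",        "last_used": "2022-12-01"},
    {"identity": "bob",        "env": "aws",    "perm": "sts:AssumeRole",    "last_used": "2022-12-12"},
]
# Constructed "can act as" edges: a principal that is allowed to assume another principal.
ASSUME = {"bob": ["ci-role"], "ci-role": ["admin-role"], "alice": [], "svc-backup": []}

def stale_grants(grants, now=NOW, max_idle_days=90):
    """Grants never used, or not used within max_idle_days, are candidates for removal."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for g in grants:
        if g["last_used"] is None or datetime.fromisoformat(g["last_used"]) < cutoff:
            stale.append((g["identity"], g["env"], g["perm"]))
    return stale

def escalation_paths(assume, start, target):
    """Breadth-first search over assume edges; returns every simple path start -> target."""
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for nxt in assume.get(path[-1], []):
            if nxt not in path:  # skip cycles so the search terminates
                queue.append(path + [nxt])
    return paths

def review(grants, assume, target="admin-role", now=NOW):
    """Combine both checks into one per-identity report a reviewer can act on."""
    report = {}
    for identity in {g["identity"] for g in grants}:
        report[identity] = {
            "stale": [p for (i, e, p) in stale_grants(grants, now) if i == identity],
            "escalation_paths": escalation_paths(assume, identity, target),
        }
    return report

if __name__ == "__main__":
    for identity, findings in sorted(review(GRANTS, ASSUME).items()):
        print(identity, findings)
```

Each finding maps to the third step: a stale grant is removed, and an escalation path is broken by removing the assume permission at its weakest link.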
These goals may have previously fallen mostly under the identity category, though they do include elements of interest to the security crew.
But this will only get you so far.
The next step is to secure the Identity and Access Management (IAM) systems that you use for managing your access.
These IAM tools, including Identity Providers (IdPs), Privileged Access Management (PAM), and Identity Governance and Administration (IGA), play a critical role in enabling us to manage our identities and access. They have traditionally been the purview of the Identity team.
However, as we have seen over the course of attacks from the past year, IAM solutions are decidedly not security tools. They are themselves in need of securing, as they have become the focus of innovative adversaries looking to break open the box with the keys to the target’s kingdom.
Once an attacker gains privileged access to an IdP or PAM, they can grant or change privileges, create new identities, or perform one of a thousand other actions that can negatively impact the organization.
If the Golden SAML attack on SolarWinds was the first major wake-up call that IAM tools need their own layer of security, then Okta and Uber were the one-two punches showing a lot of security folks the damage that can happen when an adversary takes control of the very systems that we depend on to manage our identities.
This has led to a new category of security discipline called Identity Threat Detection and Response (ITDR) to secure identities, access, and IAM infrastructure.
Identity is the New Security Perimeter
Security teams now understand that they need to secure their identity and access layer just like they would any other surface, such as their endpoints, network, and cloud.
ITDR, which you can read about in one of our many fine blogs on the topic, seeks to help security teams fill their identity security obligations by enabling them to:
- Harden their Identity Security Posture with Just Enough Access Everywhere
- Detect Active Threats Across Clouds (IaaS & SaaS) and IAM Infrastructure
- Respond Effectively and In-line with Security Operations
- Accelerate Investigation and Prioritize By Context
These are all definitionally security goals, focused on identity as the perimeter that needs to be continuously and proactively defended, and responded to.
Speaking to CISOs who now see identity as falling under their responsibility, they understand that they need to also find better ways to investigate identity and access after an incident occurs, looking to see what that identity had access to and using that context for more effective incident response. Automating the flow of this identity and access data into their existing security response workflows is a key part of this process that far too many are currently doing manually.
If they do not take identity into account as one of their data inputs, then security teams know that they are only seeing part of the picture.
There are of course a couple of caveats and clarifications. First, security people are not about to take over identity’s functions, and vice versa, despite the cross-pollination of knowledge. Additionally, the larger the organization, the more individuals will have the opportunity to also specialize in their particular field of expertise.
But the clear shift that this past year has shown us is that identity is the newest pillar of security, and it needs to be a clear part of every organization’s security outlook as they move into 2023.
To learn more about Authomize’s approach to enabling security with our ITDR, please visit us and request a FREE Assessment of your organization’s IAM infrastructure.