In May, the Biden Administration issued a new Executive Order calling to modernize the nation’s defenses against the steady escalation of cyber attacks that have hit the United States over the past year.
In the EO, the administration explicitly calls for the Federal Government to adopt best practices that will, “Advance toward Zero Trust Architecture and accelerate movement to secure cloud services.”
With attacks like SolarWinds, Colonial Pipeline, and Microsoft Exchange putting everyone from consumers to corporations to the government at risk, this order is recognition that the legacy approach to security with its focus on the network perimeter is no longer relevant in the era of cloud computing.
In its place, Gartner has called for organizations to adopt an Identity-First Security approach (read the report) that can adequately protect them from the risks of operating in the cloud where identity is the key to accessing our most valuable assets.
Source: Gartner Identity-first security Cool Vendor report
Defining Identity-First Security
How we think about accessing our valuable assets has shifted significantly in recent years as work has moved out of the network and into the cloud.
Organizations now depend on Software as a Service (SaaS), Infrastructure as a Service (IaaS), and other cloud services for larger portions of their operations.
Research for 2019 shows that enterprises are already using 288 SaaS apps like O 365, Salesforce, and Google Workspaces. Mid-sized companies are following the trend with their average of 137 SaaS apps. Workloads are increasingly run on AWS, Azure, and GCP, while data has also migrated upwards.
Accessing these services depends not on connecting through your organization’s network. They are not a part of your network. Instead, we access them with our identities.
With the right credentials, a user can gain access to your organization’s most valuable assets like customer PII, financial data, IP, and other “Crown Jewels” that could have a sizable negative impact if exposed.
Recognizing that identities are the “keys to the kingdom”, organizations are shifting their focus to how to better protect them. This means adopting a Zero Trust approach that better fits the needs of the cloud environment.
The Perimeter isn’t Dead –– It’s Just Been Flipped
In the previous mode of security where work was mostly confined to the network back at the office, the thinking was that if we put up high walls around our assets with a strong perimeter, then we had a reasonable chance of keeping our data safe.
This approach assumes that whoever was inside the perimeter can freely access assets, having “proved” that they should be there by right of being on the network. Everyone else out on the open web was persona non grata.
Think about network perimeter security like a walnut (paraphrasing boxing legend Muhammad Ali) that is hard on the outside but soft on the inside. Once you are past the outer shell, the delicious insides are there for the taking.
This model has proved to be less than effective –– to put it mildly. Attackers have shown that they can easily penetrate past the high walls and gain access to the valuable assets inside. Instead of a walnut, we have more of a grape situation with a soft outside and inside.
In response to the reality in the field, the cybersecurity industry has moved towards adopting Zero Trust principles that take the approach of “never trust, and always verify.” We assume that a breach has already happened and establish a strategy that will allow us to defend our assets that are held within our various cloud services.
Since we do not have a network to put a tall perimeter around, we now have to put perimeters around our assets. What we want is a pomegranate –– hard on the outside and hard on the inside with each berry segmented off from the other.
So how do we accomplish this and reduce the risk of attackers accessing our assets?
3 Practical Steps for Implementing an Identity-First Security Strategy
Identity is at the center of how we approach protecting our cloud assets, making it essential to confirm that each identity looking to access our assets can prove that they are who they say they are and that they have the right permissions for those assets.
Here are a few of the best places to start your Identity-First Security implementation.
MFA Everywhere, Every Time
The most basic of the basic, multi-factor authentication (MFA) provides an additional layer of security beyond the password. These tools look to verify that the user not only knows the username and password, but has another legitimate connection to the account.
This is a very important security measure because credentials are constantly being compromised. Phishing is one of the most common methods for attackers to acquire a user’s identity. In other cases, hacked lists of credentials are posted or sold on the deep or dark web for hackers to spray at different services –– often to great effect.
MFA goes the extra step after the credentials are entered and will send a code or push notification to the user. In the best case scenario this is done through a security app on the user’s mobile device. Alternatively (read unfortunately), many MFA codes are sent via SMS that is far less secure.
Using MFA is incredibly effective at blocking illegitimate access. Research from Microsoft has shown that MFA can help block 99% of attacks. But it only works if it is enabled, so despite the little extra bit of friction, make sure to use MFA whenever the opportunity arises.
Microsegment Your Assets with Authorization Controls
While important, the question of authentication is relatively straightforward. Are you who you say you are?
What comes next is a bit trickier to pin down.
The next step in Identity-First Security looks at authorizations, asking questions like:
- Which assets should a given identity have access to?
- What level of access?
- How long should that access remain open?
Mitigating risk with authorizations means adhering to the Principle of Least Privilege that states that each identity should only have the exact level of access that they need to do their job. Anything more and the organization is raising its level of risk by widening its threat surface.
Taking on this challenge means continuously assessing each identity’s authorizations, right-sizing them and eliminating authorizations that they no longer need or have rights/reason to have.
This is important because it helps mitigate against the damages from both malicious insider attacks as well as a hacker that has compromised an employee’s credentials. By restricting the scope of what they are allowed to access, you can significantly limit the damage from an incident.
Understand the Identities and Assets in Your Environments
The number of identities and assets has been rising exponentially, making it harder for organizations to keep track of what they have.
To give you a sense of the scale that we are talking about here, one of Authomize’s mid-size (~4.3k employees) customers has:
- 46.5k Identities
- 7.5M Assets (not including files)
- 6.75M Identity/Asset Security Policies
- 65M Access actions taken per month
Adding to the challenge is that each cloud environment and service is siloed off from one another, making it hard to map who has access to what.
And yet, gaining this observability is essential to securely managing your authorizations.
One of the first steps that should be taken is to identify your Crown Jewels and understand who can access them.
Make sure that the good folks from Marketing do not have access to your production environments and that your devs cannot flip through customer financial information in Salesforce.
Manage Your Identities Securely
Looking back at many of the attacks that have caught the headlines during the past year, we see that identity has been at the center of most of these incidents.
Whether it is the creation of a new admin account with a Golden SAML attack or compromising a legacy VPN, attackers understand that the weak identity security is their best bet for success.
“Cloud-based user entitlements cannot be managed effectively by traditional identity tooling, such as identity governance and administration (IGA) and privileged access management (PAM) solutions.”Gartner
The challenge for organizations is in figuring out ways to strengthen their identity security posture to meet the risks in the cloud. In their report, Gartner analysts have concluded that, “Cloud-based user entitlements cannot be managed effectively by traditional identity tooling, such as identity governance and administration (IGA) and privileged access management (PAM) solutions.”
Moving forward, organizations will need to adopt the right tools to handle the scale of their identities and assets. This requires both AuthN and AuthZ solutions.
But most of all, it means moving on from the outdated approaches that were passable in the network era and embracing Identity-First Security as the right way forward for working securely in the cloud-native future.