Where identity and cybersecurity fall apart

By David Mahdi, Chief Identity Officer at Transmit Security.

  • 1 year ago Posted in

Identity - it is often said - is the new perimeter. While that might be true in many ways, that is only part of the picture. Identity is fundamentally linked to security but that statement elides a more fundamental truth that, unless recognised, can lead to frustration and failure: That identity and security are distinct disciplines with their own separate skills, cultures and objectives. Mistaking one for the other will lead to serious problems down the line.

At its base, the difference between security and identity is often set by traditional views of general IT and access. Identity specialists are concerned with providing access to users, devices and digital assets. Often, their focus is on enabling productivity and access within the enterprise environment.

Cybersecurity practitioners on the other hand have a very different job and a different mindset: That everyone is a potential threat. Their job is to understand and mitigate cyber-risks. This means that they are often concerned with protecting the environment from threats and right-sizing or even shutting down access, except where it's actually needed. From that starting point, the skills and technologies that each use can vary wildly.

How they get confused

In recent years, identity management has become one of the most important methods of permitting access to corporate data and assets.

When Covid hit, identity became the new perimeter. Previously, the physical network was considered the main layer of security and access control. But when lockdowns forced companies to stay operational with quick roll-outs of mass remote work for their workforces, they had to rely on identity as the new control plane. As a result, identity platforms became crucial survival tools for enterprises.

Since then, remote work has become a fundamental plank of modern business, and as it has grown we’ve all started to rely on identities in order to authenticate the users and technologies we use remotely. They serve a crucial security function here but are still only a part of the full cyber and identity security picture.

The rise of the machine identity has played a big role too. The fact that digital assets, devices, endpoints and all manner of “machines” require their own identity has also emphasised the crucial role that identity plays for security. However, just because traditional identity technologies are complementary to security - doesn’t mean they can take its place.

If identity is the new perimeter, it's the new attack surface too

Identity-based attacks are now a leading vector and identities need their own security. In addition, the identity platforms themselves require vigilant monitoring as their role in digital business is paramount.

As identity has now become the new perimeter, the old ways of defaulting to “wide open access” to avoid business disruptions needs to change. This is a relic of the pure productivity focus and identity leaders must now understand that identities and their infrastructure are far too critical to be treated that way.

Complicating these matters, many enterprises often use multiple identity platforms to address different locations or different parts of their environment. This leads to inconsistent access policies, and challenges with centralised visibility, which can be exploited by attackers. Those identity platforms don’t integrate with each other making it supremely difficult to get visibility and control access.

Many identity platforms don't come with comprehensive risk detection and trust assessment and while they might be able to provide and authenticate user identities - but have a hard time fending off threats to identity infrastructure. Attackers know these weaknesses, and they weaponise them against organisations today. One all-too-common attack pattern is to call into a help desk, leverage social engineering, reset an account via a compromised email, and they are in. Without a comprehensive view of identity combined with risk and trust assessment, detecting and responding to these common and growing threats will continue to be problematic and damaging.

Identity infrastructure is a target

Gartner is now warning that advanced threat actors are increasingly targeting identity infrastructure. The goal, a compromised, trusted identity, for which provides attackers with access to critical corporate resources.

We’re already seeing this with identity-giants like Okta. In fact, hackers recently hit two historic Las Vegas Casinos by exploiting Okta user identities and their infrastructure. From there the attackers hit MGM and Caesar’s with ransomware and, according to the Wall Street Journal, managed to extract $15 million from Caesar’s.

Okta announced in a blogpost that they’d seen these attacks against a number of US customers, showing a “consistent pattern of social engineering attacks” against IT service desks. The attacker would convince the service desk to reset MFA for Okta super administrator accounts, thus allowing them to exploit those highly privileged identities.

This example speaks not only to the ways in which attackers exploit identity infrastructure, but the ways in which identity technologies - such as Multi Factor Authentication (MFA) or Single Sign On (SSO) - don’t fulfil a security role, but one of access.

This is not particularly surprising - attackers will go where there are targets to hit. Just as mobile malware authors write malware to target Windows - the most popular operating system in the world, they’ll do the same for identity infrastructure. Okta just happens to be a prevalent platform, and so it comes as no surprise that attackers would be looking at this ever-expanding attack surface.

How they work together

The fact that they are distinct disciplines and technology categories doesn’t mean they aren’t both necessary and complementary categories. However, identity technologies can’t be considered security on their own. Given the rise of credential theft and looming attacks on identity infrastructure, identity technologies need security of their own.

That is where traditional IAM solutions need to evolve. They need to evolve to become identity security platforms. Identity security platforms focus on balancing productivity with comprehensive identity-security.

But security cannot exist without visibility. As such, while there are a number of critical capabilities, one such aspect of identity security platforms is identity orchestration. Identity security platforms with orchestration at the core enables identity and security leaders to design, create, test, deploy, maintain and monitor their identity security posture enterprise-wide. From there, identities - and all the policies and configurations that go with them - can be managed centrally, even with disparate systems.

By gaining this real-time top down, strategic view of identity. An individual identity system might tell you that someone is logging into an application, but it won’t be able to flag concurrent logins, across disparate systems, to multiple applications as a potential threat. From there, a defender will have to hop between multiple different security and identity products to understand the true picture - thus dragging out the time to discovery and remediation of the threat.

Identity and cybersecurity are evolving, and so should you

The tooling is changing, rapidly. With the rise of identity threats, identity-security platforms must include identity threat detection and response (ITDR). In addition to this, organisations must also determine how they deal with identity and access management from a people and process perspective. Simply put, identity and access management teams now need to lean into cybersecurity; and cybersecurity teams need to lean into IAM.

Nadir Izrael, Co-Founder and CTO at Armis discusses the importance of critical infrastructure...
By Darren Thomson, Field CTO EMEAI at Commvault.
By Asher Benbenisty, Director of Product Marketing at AlgoSec.
By Steve Purser, former Head of Core Operations at the EU Agency for Cybersecurity, and Zivver’s...
By Graham Jarvis, Freelance Business and Technology Journalist, Lead Journalist, Business and...
By Graham Jarvis, Freelance Business and Technology Journalist, Lead Journalist, Business and...
By Graham Jarvis, Freelance Business and Technology Journalist, Lead Journalist – Business and...