Identity – INDIA NEWS (http://www.indiavpn.org)

Code Keepers: Mastering Non-Human Identity Management
http://www.indiavpn.org/2024/04/12/code-keepers-mastering-non-human-identity-management/
Fri, 12 Apr 2024 12:23:13 +0000

Apr 12, 2024 | The Hacker News | DevSecOps / Identity Management


Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems?

Let’s break it down.

The challenge

Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function like diligent worker bees, each performing its designated task, be it processing data, verifying credentials, or retrieving information from databases. Communicating through APIs, they keep services running smoothly for us users. However, to call these APIs, microservices must authenticate themselves using non-human identities and secrets, which act as programmatic access keys.

Now, consider the ramifications if a malicious actor were to obtain one of these non-human identities or secrets. The potential for chaos is immense—secrets could be stolen, data tampered with, or even the entire system brought to a standstill.

Without strong security measures, a system is wide open to these kinds of attacks. Companies need to lock things down tight to keep data safe and systems running smoothly.

The solution

Managing non-human identities calls for a comprehensive suite of features.

Comprehensive secrets visibility

To manage non-human identities and secrets at scale you need a bird’s-eye view of all machine identities in your systems. From ownership details to permissions and risk levels, all this critical information needs to be centralized, empowering your security teams to understand the secrets landscape thoroughly. No more guessing games—just clear insights into non-human identities and their potential vulnerabilities.

Real-time monitoring & protection

To effectively oversee non-human identities, it’s crucial to employ real-time monitoring, enabling constant vigilance over your sensitive information. Any signs of dubious behavior should be promptly detected and flagged without delay. Whether it involves an unauthorized access attempt or an unforeseen alteration in permissions, ongoing scrutiny of secrets guarantees proactive defense against potential risks. Mere alerting isn’t sufficient; a comprehensive solution providing actionable steps for immediate resolution is imperative when suspicious activities arise.

Centralized governance

Centralized governance simplifies secrets management for non-human identities. By consolidating all security controls into one streamlined platform, it becomes easy for you to oversee access to non-human identities. From identification to prioritization and remediation, you need seamless collaboration between security and development teams, ensuring everyone is on the same page when it comes to protecting your digital assets.

Vulnerability detection & false positive elimination

Not all alerts warrant immediate alarm. Hence, vulnerability detection must extend beyond merely highlighting potential risks; it should differentiate between genuine threats and false alarms. By eliminating false positives and honing in on actual vulnerabilities, your security teams can efficiently address issues without being sidetracked by unnecessary distractions.

This is what it takes to manage secret security for non-human identities. It’s what we obsess about here at Entro.

Why Entro

With Entro’s non-human identity management solution, organizations can:

  • Gain complete visibility of secrets that protect code, APIs, containers, and serverless functions scattered across various systems and environments.
  • Identify and prioritize security risks, remediate vulnerabilities, and prevent unauthorized access to critical financial systems and data.
  • Automate the remediation of identified security risks, saving time and resources for the security and development teams.
  • Ensure compliance with regulatory requirements such as SOC2, GDPR, and others by maintaining robust access controls and security measures.

Get in touch with us to learn more about Entro’s machine identities and secrets management solution.

This article is a contributed piece from one of our valued partners.



Learn How to Stop Hackers from Exploiting Hidden Identity Weaknesses
http://www.indiavpn.org/2024/04/10/learn-how-to-stop-hackers-from-exploiting-hidden-identity-weaknesses/
Wed, 10 Apr 2024 10:12:32 +0000

Apr 10, 2024 | The Hacker News | Webinar / Identity Security


We all know passwords and firewalls are important, but what about the invisible threats lurking beneath the surface of your systems?

Identity Threat Exposures (ITEs) are like secret tunnels for hackers – they make your security way more vulnerable than you think.

Think of it like this: misconfigurations, forgotten accounts, and old settings are like cracks in your digital fortress walls. Hackers exploit these weaknesses to steal login information, gain sneaky access, and move around your systems unnoticed, whether they’re in the cloud or on-site.

This upcoming webinar, “Today’s Top 4 Identity Security Threat Exposures: Are You Vulnerable?”, isn’t just for tech experts—it’s about protecting your business.

We’ll use real-world examples and insights from Silverfort’s latest report to show you the hidden dangers of ITEs. You’ll learn about:

  • The Top 4 Identity Threats You Might Be Overlooking: We’ll name them and explain why they’re so dangerous.
  • Shadow Admins: The Secret Superusers in Your SaaS: How these hidden accounts can put your data at risk.
  • Service Accounts: Your Biggest Weakness? Why they’re so easy to exploit, and how to fix it.
  • Actionable Steps To Find and Fix Your Weak Spots: Practical, easy-to-follow advice you can start using right away.

Don’t Let Hackers Win. Register for our free webinar and take control of your identity security.

This webinar is a wake-up call. We’ll help you uncover the unseen risks lurking in the shadows and give you the tools to fight back. Think of it as an X-ray vision for your digital security!

Your digital identity is your most important asset. Protect it with the knowledge you’ll gain in this webinar.

This article is a contributed piece from one of our valued partners.



Revolutionizing Privileged Access Management with One Identity Cloud PAM Essentials
http://www.indiavpn.org/2024/04/09/revolutionizing-privileged-access-management-with-one-identity-cloud-pam-essentials/
Tue, 09 Apr 2024 07:16:55 +0000

Apr 09, 2024 | The Hacker News | Privileged Access Management

As cyber threats loom around every corner and privileged accounts become prime targets, the significance of implementing a robust Privileged Access Management (PAM) solution can’t be overstated. With organizations increasingly migrating to cloud environments, the PAM Solution Market is experiencing a transformative shift toward cloud-based offerings. One Identity PAM Essentials stands out among these as a SaaS-based PAM solution that prioritizes security, manageability, and compliance.

Security-first, user-centric design

PAM Essentials boasts a user-centric and security-first design – not only prioritizing the protection of critical assets, but also ensuring a seamless user experience. By providing privileged sessions and access controls, PAM Essentials mitigates the heightened risks associated with unauthorized users, safeguarding critical data against potential breaches. Designed for ease of use, it ensures that robust security does not come at the expense of usability.

Simplified PAM approach with full visibility

One of the standout features of PAM Essentials is its simplified PAM approach, coupled with full visibility. Unlike traditional on-premises PAM solutions, PAM Essentials eliminates unnecessary complexities and the need for additional infrastructure investments. This streamlined approach not only reduces operational overhead but also provides organizations with comprehensive visibility into privileged access activities, facilitating proactive threat detection and mitigation.

Cost-effective and compliant

In today’s regulatory landscape, compliance is non-negotiable. PAM Essentials aids organizations in meeting compliance and industry-specific standards, ensuring adherence to regulatory requirements and enabling them to fulfill cyber insurance requirements. Its cost-effectiveness creates significant savings for businesses, eliminating the need for costly infrastructure and resource allocations associated with traditional PAM solutions.

Cloud-native architecture for scalability and flexibility

Built on a cloud-native architecture, PAM Essentials offers unparalleled scalability, flexibility and accessibility. This ensures seamless integration with cloud services, allowing organizations to adapt and scale their privileged identity management strategies in response to evolving business needs. PAM Essentials also provides a seamless experience for remote teams, enabling secure access to critical systems and resources from anywhere at any time.

Native integration and seamless experience

PAM Essentials’ native integration with OneLogin access management solutions enhances its capabilities. By leveraging OneLogin’s robust identity and access management platform, PAM Essentials delivers a seamless privileged access management experience. This integration not only enhances security but also streamlines administrative tasks, improving overall operational efficiency.

Conclusion

As organizations navigate the complexities of modern cybersecurity threats and the constantly evolving digital landscape, the importance of effective Privileged Access Management cannot be overstated. PAM Essentials represents a shift in PAM tools, offering a comprehensive, cloud-native approach to security, manageability and compliance. With its user-centric design, simplified approach and seamless integration capabilities, PAM Essentials is set to redefine the future of Privileged Access Management, empowering organizations to safeguard their most critical assets.

This article is a contributed piece from one of our valued partners.



Human vs. Non-Human Identity in SaaS
http://www.indiavpn.org/2024/03/07/human-vs-non-human-identity-in-saas/
Thu, 07 Mar 2024 12:12:04 +0000


In today’s rapidly evolving SaaS environment, the focus is on human users. This is one of the most compromised areas in SaaS security management and requires strict governance of user roles and permissions, monitoring of privileged users, their level of activity (dormant, active, hyperactive), their type (internal/external), whether they are joiners, movers, or leavers, and more.

Not surprisingly, security efforts have mainly been human-centric. Configuration options include tools like MFA and SSO for human authentication. Role-based access control (RBAC) limits the level of access; password complexity guidelines block unauthorized humans from accessing the application.

Yet, in the world of SaaS, there is no shortage of access granted to non-human actors, or in other words, third-party connected apps.

Service accounts, OAuth authorizations, and API keys are just a few of the non-human identities that require SaaS access. When viewed through the lens of the application, non-human accounts are similar to human accounts. They must be authenticated, granted a set of permissions, and monitored. However, because they are non-human, considerably less thought is given to ensuring security.

Non-human Access Examples

Integrations are probably the easiest way to understand non-human access to a SaaS app. Calendly is an app that eliminates the back-and-forth emails of appointment-making by displaying a user’s availability. It integrates with a user’s calendar, reads the calendar to determine availability, and automatically adds appointments. When integrating with Google Workspace through an OAuth authorization, it requests scopes that enable it to see, edit, share, and delete Google Calendars, among other scopes. The integration is initiated by a human, but Calendly is non-human.

Figure 1: Calendly’s required permission scopes

Other non-human accounts involve data sharing between two or more applications. SwiftPOS is a point-of-sale (POS) application and device for bars, restaurants, and retail outlets. Data captured by the POS is transferred to a business intelligence platform, like Microsoft Power BI, where it is processed and analyzed. The data is transferred from SwiftPOS to Power BI through a non-human account.

The Challenge of Securing Non-human Accounts

Managing and securing non-human accounts is not as simple as it sounds. For starters, every app has its own approach to managing these types of user accounts. Some applications, for example, disconnect an OAuth integration when the user who authorized it is deprovisioned from the app, while others maintain the connection.

SaaS applications also take different approaches to managing these accounts. Some include non-human accounts in their user inventory, while others store and display the data in a different section of the application, making them easy to overlook.

Human accounts can be authenticated via MFA or SSO. Non-human accounts, in contrast, are authenticated once and forgotten about unless there is an issue with the integration. Humans also have typical behavior patterns, such as logging on to applications during working hours. Non-human accounts often access apps during off-peak times to reduce network traffic and load. When a human logs into their SaaS at 3 AM, it may trigger an investigation; when a non-human hits the network at 3 AM, it’s merely business as usual.

In an effort to simplify non-human account management, many organizations use the same API key for all integrations. To facilitate this, they grant broad permission sets to the API key to cover all the potential needs of the organization. Other times, a developer will use their own high-permission API key to grant access to the non-human account, enabling it to access anything within the application. These API keys function as all-access passes used by multiple integrations, making them incredibly difficult to control.

Figure 2: A Malicious OAuth Application detected through Adaptive Shield’s SSPM

Sign up for THN’s upcoming Webinar: Reality Check: Identity Security for Human and Non-Human Identities

The Risk Non-human Accounts Add to SaaS Stack

Non-human accounts are largely unmonitored and have wide-ranging permission scopes. This makes them an attractive target for threat actors. By compromising any of these accounts, threat actors can enter the application undetected, leading to breaches, unauthorized modifications, or disruptions in service.

Taking Steps to Secure Non-human Accounts

Using a SaaS Security Posture Management (SSPM) platform in concert with Identity Threat Detection & Response (ITDR) solutions, organizations can effectively manage their non-human accounts and detect when they behave anomalously.

Non-human accounts require the same visibility by security teams as human accounts and should be managed in the same user inventory as their human counterparts. By unifying identity management, it is far easier to view access and permissions and update accounts regardless of who the owner is. It also ensures a unified approach to account management. Organizational policies, such as prohibiting account sharing, should be applied across the board. Non-human accounts should be limited to specific IP addresses that are pre-approved on an allow list, and should not be granted access through the standard login screens (UI login). Furthermore, permissions should be tailored to meet their specific needs as apps, and not be wide-ranging or matching their human counterparts.

ITDR plays an important role as well. Non-human accounts may access SaaS apps at all hours of the night, but they are usually fairly consistent in their interactions. ITDR can detect anomalies in behavior, whether it’s changes in schedule, the type of data being added to the application, or the activities being performed by the non-human account.
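The two preceding paragraphs list controls for non-human accounts (a source-IP allow list, no UI login, permissions tailored to the integration) and the kind of behavioral anomaly ITDR looks for (a change in schedule or in the actions performed). The following is an added example, not code from the original article or from Adaptive Shield; it runs a constructed per-account policy over a few constructed access log lines and reports which lines violate it. The log format, the policy fields, and the account and action names are all assumptions made for the example.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy per non-human account (assumed shape, not any vendor's schema):
# allow-listed source networks, whether interactive UI login is permitted, the UTC hours
# in which the integration normally runs, and the API actions it is expected to perform.
POLICY = {
    "svc-swiftpos-sync": {
        "allow": ["203.0.113.0/24"],
        "ui_login": False,
        "hours": range(1, 5),
        "actions": {"export_sales"},
    },
    "svc-calendar-bot": {
        "allow": ["198.51.100.10/32"],
        "ui_login": False,
        "hours": range(0, 24),
        "actions": {"read_calendar", "write_calendar"},
    },
}

# Constructed access log: timestamp account source_ip channel action
SAMPLE_LOG = """\
2024-03-01T02:15:00Z svc-swiftpos-sync 203.0.113.7 api export_sales
2024-03-01T02:16:00Z svc-swiftpos-sync 203.0.113.7 api export_sales
2024-03-01T14:40:00Z svc-swiftpos-sync 203.0.113.7 api export_sales
2024-03-01T03:00:00Z svc-swiftpos-sync 192.0.2.55 api export_sales
2024-03-01T03:05:00Z svc-calendar-bot 198.51.100.10 ui login
2024-03-01T03:06:00Z svc-calendar-bot 198.51.100.10 api read_calendar
2024-03-01T03:07:00Z svc-calendar-bot 198.51.100.10 api delete_calendar
"""


def parse_line(line):
    """Split one constructed log line into a record with typed fields."""
    ts, account, ip, channel, action = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "ip": ip_address(ip),
        "channel": channel,
        "action": action,
    }


def evaluate(rec, policy):
    """Return the list of policy violations for one record (empty list means clean)."""
    p = policy.get(rec["account"])
    if p is None:
        # An account missing from the inventory is exactly the overlooked account the article warns about.
        return ["unknown_account"]
    tags = []
    if not any(rec["ip"] in ip_network(net) for net in p["allow"]):
        tags.append("source_not_allowlisted")
    if rec["channel"] == "ui" and not p["ui_login"]:
        tags.append("ui_login")
    elif rec["channel"] == "api" and rec["action"] not in p["actions"]:
        tags.append("unexpected_action")
    if rec["time"].hour not in p["hours"]:
        tags.append("off_schedule")
    return tags


def audit(log_text, policy=POLICY):
    """Run every non-empty log line through the policy and collect the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        tags = evaluate(rec, policy)
        if tags:
            findings.append({"time": line.split()[0], "account": rec["account"], "tags": tags})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['time']} {f['account']}: {', '.join(f['tags'])}")
```

The schedule check is deliberately coarse (a set of expected hours per account) because, as the article notes, a 3 AM call is normal for a batch integration and only a departure from that account's own pattern is worth an alert; a real deployment would learn the hours and action set from history rather than hard-coding them.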

The visibility provided by SSPM into accounts and ITDR into non-human identity behavior is essential in managing risks and identifying threats. This is an essential activity for maintaining secure SaaS applications.

Read more about protecting against non-human identities


This article is a contributed piece from one of our valued partners.



New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems
http://www.indiavpn.org/2024/02/29/new-silver-saml-attack-evades-golden-saml-defenses-in-identity-systems/
Thu, 29 Feb 2024 17:05:15 +0000

Feb 29, 2024 | Newsroom | Threat Intelligence / Cyber Threat


Cybersecurity researchers have disclosed a new attack technique called Silver SAML that can be successful even in cases where mitigations have been applied against Golden SAML attacks.

Silver SAML “enables the exploitation of SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce,” Semperis researchers Tomer Nahum and Eric Woodruff said in a report shared with The Hacker News.

Golden SAML (short for Security Assertion Markup Language) was first documented by CyberArk in 2017. The attack vector, in a nutshell, entails the abuse of the interoperable authentication standard to impersonate almost any identity in an organization.

It’s also similar to the Golden Ticket attack in that it grants attackers the ability to gain unauthorized access to any service in a federation with any privileges and to stay persistent in this environment in a stealthy manner.


“Golden SAML introduces to a federation the advantages that golden ticket offers in a Kerberos environment – from gaining any type of access to stealthily maintaining persistency,” security researcher Shaked Reiner noted at the time.

Real-world attacks leveraging the method have been rare, the first recorded use being the compromise of SolarWinds infrastructure to gain administrative access by forging SAML tokens using compromised SAML token signing certificates.

Golden SAML has also been weaponized by an Iranian threat actor codenamed Peach Sandstorm in a March 2023 intrusion to access an unnamed target’s cloud resources sans requiring any password, Microsoft revealed in September 2023.


The latest approach is a spin on Golden SAML that works with an identity provider (IdP) like Microsoft Entra ID (formerly Azure Active Directory) and doesn’t require access to the Active Directory Federation Services (AD FS). It has been assessed as a moderate-severity threat to organizations.

“Within Entra ID, Microsoft provides a self-signed certificate for SAML response signing,” the researchers said. “Alternatively, organizations can choose to use an externally generated certificate such as those from Okta. However, that option introduces a security risk.”

“Any attacker that obtains the private key of an externally generated certificate can forge any SAML response they want and sign that response with the same private key that Entra ID holds. With this type of forged SAML response, the attacker can then access the application — as any user.”

Following responsible disclosure to Microsoft on January 2, 2024, the company said the issue does not meet its bar for immediate servicing, but noted it will take appropriate action as needed to safeguard customers.


While there is no evidence that Silver SAML has been exploited in the wild, organizations are required to use only Entra ID self-signed certificates for SAML signing purposes. Semperis has also made available a proof-of-concept (PoC) dubbed SilverSAMLForger to create custom SAML responses.

“Organizations can monitor Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint under ApplicationManagement,” the researchers said.

“You will need to correlate those events to Add service principal credential events that relate to the service principal. The rotation of expired certificates is a common process, so you will need to determine whether the audit events are legitimate. Implementing change control processes to document the rotation can help to minimize confusion during rotation events.”
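The monitoring advice above has three parts: watch for changes to PreferredTokenSigningKeyThumbprint under ApplicationManagement, correlate them with the Add service principal credential events for the same service principal, and check each pair against change-control records so that routine rotations are not mistaken for an attack. The block below is an added example that is not code from Semperis, Microsoft, or the original article. It uses a small constructed set of audit events in a simplified shape (the field names `time`, `category`, `activity`, `target`, `initiatedBy`, `modifiedProperties` and the activity strings are assumptions for the example, not the exact Entra ID audit log schema), plus a constructed change-control table with a placeholder ticket id.

```python
from datetime import datetime, timedelta, timezone

KEY_PROPERTY = "PreferredTokenSigningKeyThumbprint"
CREDENTIAL_ACTIVITY = "Add service principal credentials"  # assumed activity string

# Constructed sample audit events in a simplified, assumed shape.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T02:05:00Z", "category": "ApplicationManagement",
     "activity": CREDENTIAL_ACTIVITY, "target": "Salesforce SAML App",
     "initiatedBy": "unknown-admin@example.test", "modifiedProperties": []},
    {"time": "2024-01-15T02:10:00Z", "category": "ApplicationManagement",
     "activity": "Update application", "target": "Salesforce SAML App",
     "initiatedBy": "unknown-admin@example.test",
     "modifiedProperties": [{"name": KEY_PROPERTY, "old": "THUMB-OLD-1111", "new": "THUMB-NEW-2222"}]},
    {"time": "2024-02-01T09:00:00Z", "category": "ApplicationManagement",
     "activity": CREDENTIAL_ACTIVITY, "target": "HR Portal SAML App",
     "initiatedBy": "iam-team@example.test", "modifiedProperties": []},
    {"time": "2024-02-01T09:03:00Z", "category": "ApplicationManagement",
     "activity": "Update application", "target": "HR Portal SAML App",
     "initiatedBy": "iam-team@example.test",
     "modifiedProperties": [{"name": KEY_PROPERTY, "old": "THUMB-OLD-3333", "new": "THUMB-NEW-4444"}]},
    {"time": "2024-02-01T09:05:00Z", "category": "ApplicationManagement",
     "activity": "Update application", "target": "HR Portal SAML App",
     "initiatedBy": "iam-team@example.test",
     "modifiedProperties": [{"name": "DisplayName", "old": "HR", "new": "HR Portal"}]},
]

# Constructed change-control records: (target app, approved rotation date) -> ticket id (placeholder).
APPROVED_ROTATIONS = {("HR Portal SAML App", "2024-02-01"): "CHG-PLACEHOLDER-001"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def signing_key_changes(events):
    """Return the events that changed the SAML signing key thumbprint, with old and new values."""
    out = []
    for ev in events:
        if ev.get("category") != "ApplicationManagement":
            continue
        for prop in ev.get("modifiedProperties", []):
            if prop.get("name") == KEY_PROPERTY:
                out.append({"event": ev, "old": prop["old"], "new": prop["new"]})
    return out


def correlate(events, window_minutes=60):
    """Pair each key change with credential additions on the same target within the time window."""
    findings = []
    for change in signing_key_changes(events):
        ev = change["event"]
        t = _parse(ev["time"])
        window = timedelta(minutes=window_minutes)
        creds = [e for e in events
                 if e.get("activity") == CREDENTIAL_ACTIVITY
                 and e.get("target") == ev["target"]
                 and abs(_parse(e["time"]) - t) <= window]
        findings.append({"target": ev["target"], "time": ev["time"],
                         "initiatedBy": ev.get("initiatedBy"),
                         "new_thumbprint": change["new"],
                         "credential_events": len(creds)})
    return findings


def triage(findings, approved=APPROVED_ROTATIONS):
    """Mark each finding as a documented rotation or as needing review, by change-control lookup."""
    for f in findings:
        ticket = approved.get((f["target"], f["time"][:10]))
        f["ticket"] = ticket
        f["status"] = "documented rotation" if ticket else "needs review"
    return findings


def run(events=SAMPLE_EVENTS):
    return triage(correlate(events))


if __name__ == "__main__":
    for f in run():
        print(f"{f['time']} {f['target']}: new key {f['new_thumbprint']} "
              f"({f['credential_events']} credential event(s) nearby) -> {f['status']}")
```

The correlation window and the date-level change-control match are simplifications; the point is that a thumbprint change with no matching ticket is the case that deserves a human look, while the documented one is the routine rotation the researchers describe.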




How to Bridge Privileged Access Management and Identity Management
http://www.indiavpn.org/2024/02/28/how-to-bridge-privileged-access-management-and-identity-management/
Wed, 28 Feb 2024 18:07:41 +0000

Feb 28, 2024 | The Hacker News | Zero Trust / Cyber Threat


Traditional perimeter-based security has become costly and ineffective. As a result, communications security between people, systems, and networks is more important than blocking access with firewalls. On top of that, most cybersecurity risks are caused by just a few superusers – typically one out of 200 users. There’s a company aiming to fix the gap between traditional PAM and IdM solutions and secure your one out of 200 users – SSH Communications Security.

Your Privileged Access Management (PAM) and Identity Management (IdM) should work hand in hand to secure your users’ access and identities – regular users and privileged users alike. But traditional solutions struggle to achieve that.

Figure: Microsoft Entra manages all identities and basic-level access. As the criticality of targets and data increases, the session duration decreases and additional protection is necessary. That’s where SSH Communications Security helps.

Let’s look at what organizations need to understand about PAM and IdM and how you can bridge and future-proof your PAM and IdM.

PIM, PAM, IAM – you need all three of them

Privileged Identity Management (PIM), Privileged Access Management (PAM), and Identity and Access Management (IAM) – all three are closely connected, and you need all three of them to effectively manage and secure your digital identities, users and access.

Let’s quickly review what PIM, PAM, and IAM focus on:

Not all digital identities are created equal – superusers need super protection

Think about this: Your typical user probably needs access to regular office tools, like your CRM or M365. They don’t need access to any of your critical assets.

The identity verification process should correspond to this. A regular user needs to be verified with strong authentication methods, e.g. Microsoft Entra ID, but there’s usually no need to go beyond that.

These typical users form the majority of your users, up to 99.5% of them.

On the other hand, you have your privileged high-impact users – there’s only a small number of them (typically around one in 200 users), but the power and risks they carry are huge because they can access your critical data, databases, infrastructures, and networks.

Similarly, appropriate identity verification procedures should apply. In the case of your high-impact users, you need access controls that go beyond strong identity-based authentication.

Enter the Zero Trust – Borderless, Passwordless, Keyless and Biometric Future

Traditional solutions are not enough to bridge your PAM and IdM. They just can’t handle the security that you need to protect your critical assets. Nor can they offer effective and future-proof security controls for access and identities of your typical users as well as high-impact users.

The future of cybersecurity is borderless, passwordless, keyless, biometric, and Zero Trust.

This means that you need a future-proof cybersecurity model with no implicitly trusted users, connections, applications, servers, or devices. On top of that, you need an additional layer of security with passwordless, keyless, and biometric authentication.

Learn the importance of implementing the passwordless and keyless approach into your cybersecurity from the whitepaper provided by SSH Communications Security. Download the whitepaper here ➜

This article is a contributed piece from one of our valued partners.



6 Ways to Simplify SaaS Identity Governance
http://www.indiavpn.org/2024/02/21/6-ways-to-simplify-saas-identity-governance/
Wed, 21 Feb 2024 15:00:59 +0000


With SaaS applications now making up the vast majority of technology used by employees in most organizations, tasks related to identity governance need to happen across a myriad of individual SaaS apps. This presents a huge challenge for centralized IT teams who are ultimately held responsible for managing and securing app access, but can’t possibly become experts in the nuances of the native security settings and access controls for hundreds (or thousands) of apps. And, even if they could, the sheer volume of tasks would easily bury them.

Modern IT teams need a way to orchestrate and govern SaaS identity governance by engaging the application owners in the business who are most familiar with how the tool is used, and who needs what type of access.

Nudge Security is a SaaS security and governance solution that can help you do just that, with automated workflows to save time and make the process manageable at scale. Read on to learn how it works.

1. Discover all SaaS apps used by anyone in the org

As the old saying goes, you can’t secure what you can’t see, so the first step in SaaS identity governance is to get a full inventory of what technology is actually being used, and by whom.

Nudge Security discovers and categorizes all SaaS apps ever introduced by anyone in the organization and provides a vendor security profile for each app to give IT and security teams the context they need to vet new SaaS providers. And after they’ve reviewed an app, they can assign a status like “Approved,” “Acceptable,” or “Unacceptable” to indicate if usage should be permitted. For any apps that are deemed “Unacceptable”, automated nudges can be triggered in response to new accounts to redirect the user towards a similar, approved app or ask for context on why they need to use that particular app.

2. Share a directory of approved apps with employees

In an ideal world, IT teams want to empower employees to adopt technologies that will both enhance productivity and keep the business secure and compliant. Unfortunately, employees often have no way of knowing which tools fit the business’s requirements as well as their own.

Nudge Security makes it easy to create and share an app directory with employees, so everyone in the org can view a comprehensive list of approved applications that meet appropriate security and compliance standards. Employees can peruse the list by category and submit access requests that are routed directly to each application’s technical owner, whether or not that person sits within central IT. This removes the need for IT to be the “event forwarder” between users and app owners, while still retaining visibility and centralized governance.


3. Keep app owners up to date

Ever feel like you’re on the world’s worst scavenger hunt when tracking down the right people in your organization to get context on a SaaS application or user account? You’re not alone. This knowledge is often siloed and changes frequently. Nudge Security uses various methods to deduce the likely “technical contact” (like the first user) for every SaaS application discovered in your environment and gives you the ability to automate nudges to confirm app ownership periodically.

With this technical contact discovery process, Nudge Security automates emails or Slack messages to assumed technical contacts with a simple nudge that asks them to either validate that they are the correct technical contact or update this information. No more strings of emails and Slack threads to figure it out. With Nudge Security, you can automate the process of keeping this information up to date as administrative responsibilities change.


4. Automate user access reviews

For companies subject to any of a number of compliance standards like SOC 2, HIPAA, PCI DSS, and others, it is typically required to do periodic user access reviews of in-scope systems to ensure that only those who need access actually have access. And, for anyone who’s had the pleasure of conducting user access reviews, you know it usually involves an assortment of spreadsheets with inconsistent and incomplete information and a lot of manual effort to track down who’s using what.

Instead of this spreadsheet puzzle, with Nudge Security you can automate the process. First, you can group your in-scope assets together and automate nudges to app users to verify if they still need access. Then, Nudge Security collects the responses for you and routes the consolidated list of accounts to be removed to the app owners. Finally, it collects responses from the app owners to confirm they’ve completed the removals and documents all the actions taken in a .pdf report you can share with auditors.


5. Identify and clean up unused accounts

Meeting compliance requirements is one good reason to regularly review who needs access to what, but cost savings is another. Gartner’s research shows that 25% of SaaS is underutilized or over-deployed. No matter what the size of your organization, that can add up quickly.

Nudge Security monitors cloud and SaaS account status across your entire organization, so you can easily find and prune inactive and abandoned SaaS accounts. And, you’ll have up-to-date information at your fingertips in some very good-looking charts, so you can monitor SaaS account statuses right next to SaaS adoption trends.


While you can always discover unused accounts one app at a time from each application’s overview page, Nudge Security’s playbook for removing unused accounts enables you to audit multiple applications at once so you reduce SaaS sprawl at scale.

6. Ensure complete offboarding

Here’s a dirty little secret: most employees have signed up for apps outside the purview of IT, or even their department managers. With Nudge Security, you can see every account ever signed up for by anyone using an email associated with your organization. This includes domain registrations, social media accounts, developer accounts, and other assets that are often overlooked. You can also see if those apps are connected to other apps via OAuth grants, so you can minimize the chance of something breaking when an employee leaves the organization.

And, better yet, with Nudge Security, you can automate key steps of IT offboarding like suspending accounts, resetting passwords, revoking OAuth grants and more. And you’ll start with a full inventory of every account ever created for the departing employee so you can ensure all access is revoked.
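The workflows in the three sections above (routing stale accounts to their owners for an access review, pruning unused accounts, and offboarding a leaver including their OAuth grants) reduce to a few pieces of reconciliation logic. The following Python is an added example of that logic written against a constructed account inventory; it is not Nudge Security’s code, and the app names, owner addresses, dates and the 90-day idle threshold are assumptions chosen for illustration.

```python
"""Added example: vendor-neutral SaaS account hygiene over a constructed inventory.

Not Nudge Security's code. App names, owners, dates and the idle threshold
are assumptions for illustration; a real tool would pull the inventory and
grant list from each app's admin API or from the identity provider's logs.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    app: str
    user: str                # login email associated with the organization
    owner: str               # assumed technical contact for the app
    last_activity: date
    status: str = "active"   # "active" or "suspended"


@dataclass(frozen=True)
class OAuthGrant:
    user: str
    source_app: str          # app or IdP that issued the token
    client_app: str          # third-party app holding the grant
    scopes: tuple[str, ...]


# Constructed sample data; the review date matches the article's publication date.
TODAY = date(2024, 2, 21)
INVENTORY = [
    Account("github", "dev1@example.com", "cto@example.com", date(2024, 2, 19)),
    Account("github", "alice@example.com", "cto@example.com", date(2023, 9, 1)),
    Account("figma", "alice@example.com", "design-lead@example.com", date(2024, 1, 30)),
    Account("figma", "bob@example.com", "design-lead@example.com", date(2023, 10, 15)),
    Account("zoom", "bob@example.com", "it@example.com", date(2023, 6, 1), status="suspended"),
    Account("notion", "carol@example.com", "ops@example.com", date(2024, 2, 20)),
]
GRANTS = [
    OAuthGrant("alice@example.com", "google-workspace", "calendly", ("calendar.readonly",)),
    OAuthGrant("bob@example.com", "google-workspace", "zapier", ("drive", "gmail.send")),
]


def stale_accounts(accounts, today=TODAY, max_idle_days=90):
    """Active accounts with no activity for more than max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    return [a for a in accounts if a.status == "active" and a.last_activity < cutoff]


def review_queue_by_owner(accounts, today=TODAY, max_idle_days=90):
    """Group stale accounts by technical owner, the person an access review is routed to."""
    queue = {}
    for a in stale_accounts(accounts, today, max_idle_days):
        queue.setdefault(a.owner, []).append((a.app, a.user))
    return {owner: sorted(items) for owner, items in queue.items()}


def offboarding_plan(accounts, grants, user):
    """Ordered (action, target, user) steps to cut a leaver's access.

    OAuth grants are revoked first: a refresh token held by a third-party app
    is independent of the user's password in many providers, so a reset alone
    may leave it working. Then suspend every still-active account, and reset
    passwords everywhere (including already-suspended accounts) so a reused
    credential cannot be replayed against another service.
    """
    plan = [("revoke_oauth_grant", f"{g.source_app}:{g.client_app}", g.user)
            for g in grants if g.user == user]
    for a in accounts:
        if a.user != user:
            continue
        if a.status == "active":
            plan.append(("suspend_account", a.app, a.user))
        plan.append(("reset_password", a.app, a.user))
    return plan


def apply_plan(accounts, grants, plan):
    """Simulate executing the plan against the inventory (a real tool would call admin APIs)."""
    revoked = {(t, u) for act, t, u in plan if act == "revoke_oauth_grant"}
    suspended = {(t, u) for act, t, u in plan if act == "suspend_account"}
    new_grants = [g for g in grants
                  if (f"{g.source_app}:{g.client_app}", g.user) not in revoked]
    new_accounts = [replace(a, status="suspended") if (a.app, a.user) in suspended else a
                    for a in accounts]
    return new_accounts, new_grants


def verify_offboarding(accounts, grants, user):
    """True only when no active account and no OAuth grant remains for the user."""
    live_accounts = any(a.user == user and a.status == "active" for a in accounts)
    live_grants = any(g.user == user for g in grants)
    return not live_accounts and not live_grants


if __name__ == "__main__":
    for owner, items in review_queue_by_owner(INVENTORY).items():
        print(f"review for {owner}: {items}")
    plan = offboarding_plan(INVENTORY, GRANTS, "bob@example.com")
    accounts, grants = apply_plan(INVENTORY, GRANTS, plan)
    print("bob fully offboarded:", verify_offboarding(accounts, grants, "bob@example.com"))
```

The design choice worth noting is that `verify_offboarding` is a separate check run after the plan executes, rather than trusting that the plan was applied: the "confirm they’ve completed the removals" step in the access review above is the same idea, and an audit report should be built from the post-execution inventory, not from the list of intended actions.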


Try Nudge Security for free

Our mission at Nudge Security is to help IT and security professionals everywhere regain control over SaaS security and governance while minimizing manual work for themselves and friction for end users. Start a free 14-day trial now to see what it can do for you.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.



Unified Identity – look for the meaning behind the hype! http://www.indiavpn.org/2024/02/08/unified-identity-look-for-the-meaning-behind-the-hype/ Thu, 08 Feb 2024 11:21:56 +0000

Feb 08, 2024 · The Hacker News · Unified Identity / Cyber Security


If you’ve listened to software vendors in the identity space lately, you will have noticed that “unified” has quickly become the buzzword that everyone is adopting to describe their portfolio. And this is great! Unified identity has some amazing benefits!

However (there is always a however, right?) not every “unified” “identity” “security” “platform” is made equal. Some vendors call the combination of workforce IDaaS and customer IDaaS a unified identity solution, while others offer a glorified 2FA service – unified only in the mind of their marketers.

Your landscape matters!

So forget for a moment what the vendors claim, and think back to your organization and your identity security landscape. Consider this definition instead: “unified” means a single, complete identity solution that can consolidate your identity challenges, rather than a bundle of products that happen to share a logo.

Here’s an example: you’re responsible for the identity infrastructure of a large hospital. Frontline workers, administrative employees, audit/compliance needs and a large number of external users. You are using Active Directory, and your LOB application doesn’t do identity. For this hospital, unified identity means strong access management for customers and frontline workers, strong joiner-mover-leaver handling, AD hardening and enterprise-grade reporting. Anything less fails the unified promise and means the hospital’s internal identity landscape stays fractured.

Another example: a small software dev studio. They need extra strong controls on Privileged Access Management (PAM) to protect the development pipeline and make sure they won’t become the initial attack vector in a supply chain attack. But they also need Identity Governance and Administration (IGA) for machine entities and their owners, working on the many automated tasks they are running. A solution which covers PAM and IGA independently from each other is not unified.

What is the value of unified identity anyways?

So why has “unified identity ” become such a hot buzzword? Well, there are some really good arguments for it. Traditionally, the identity space was very fractured, with many experts not even considering it a singular market until fairly recently. Identity Governance and Administration (IGA), Access Management (AM), and Privileged Access Management (PAM) were the key sub-markets, with a wide array of adjacent spaces such as AD bridging and endpoint privilege management.

The key driver for unified identity is this extreme fragmentation: a large organization has on average 45 different security tools. Add to this the identity sprawl, a trend where organizations keep getting more and more identity silos in-house – a One Identity survey shows half the organizations are using more than 25 different systems to manage access rights. This is simply not sustainable, and adding a new tool each time a new threat approaches is completely unworkable. So organizations are looking to consolidate vendors, reduce complexity and slim down the number of suppliers they work with. The benefits of a Unified Identity Platform are a better cybersecurity posture and greater resilience in the face of security threats, whilst increasing simplicity and enabling agility.

Another reason is top line cost: bundles, volume discounts and ELAs are a simple way to reduce costs. Vendor consolidation also brings some less obvious savings: a single tech stack narrows the skills gap, easing the stress on hiring and training, which in turn means significant savings on headcount and may lessen the need for highly trained senior staff. That creates more value from security with fewer resources, or put another way, working smarter not harder.

Integration is a key aspect of the identity landscape – and one of the largest headaches. Security tools need to work together smoothly, but that’s rarely a given. The industry is not keen on common standards, which makes interoperability very hard to achieve. With some effort (meaning customization, support hours and overhead) identity solutions can work together pairwise, but creating a complete ecosystem of identity tools that work flawlessly together is a rare achievement. It’s easy to see the value a unified identity platform brings here. The tools are pre-tested and pre-validated to work together, usually without any customization required, and the platform components are supported as one by the vendor.

This brings us to the final benefit: faster time to value, an expression worthy of any MBA graduate. Identity and access management (IAM) projects are famous for taking a long time to implement, as specialists meticulously formalize business processes and implement them in code or configuration. In large organizations, this is an incredibly complex task, as the IAM setup needs to mirror every aspect (and quirk) the business has built up – sometimes over decades. Implementations become so complex that they just fail – the cost and time overruns exceeding the patience of business leaders. In a nutshell: time to value matters in IAM. And a unified identity solution removes the complexity of the multi-vendor approach, eliminating at least one factor.

After these benefits, let’s talk about a downside: vendor lock-in. Unified identity sounds wonderful, but betting the house on a single vendor is a high ask. And what if you already have some solutions in place that you’re happy with? It’s important to remember that not all unified identity vendors are the same; some vendors offer modular identity platforms which allow you to keep what you want and unify what you need. This approach enables customers to start the unification at any point (for example with PAM) without the need to embrace and implement all areas in one giant leap. When picking vendors, look for this flexible approach.

Getting off the Attack Surface Hamster Wheel: Identity Can Help http://www.indiavpn.org/2024/01/10/getting-off-the-attack-surface-hamster-wheel-identity-can-help/ Wed, 10 Jan 2024 13:16:45 +0000


IT professionals have developed a sophisticated understanding of the enterprise attack surface – what it is, how to quantify it and how to manage it.

The process is simple: begin by thoroughly assessing the attack surface, encompassing the entire IT environment. Identify all potential entry and exit points where unauthorized access could occur. Strengthen these vulnerable points using available market tools and expertise to achieve the desired cybersecurity posture.

While conceptually straightforward, this is an incredibly tedious task that consumes the working hours of CISOs and their organizations. Both the enumeration and the fortification pose challenges: large organizations use a vast array of technologies, such as server and endpoint platforms, network devices, and business apps. Reinforcing each of these components becomes a frustrating exercise in integration with access control, logging, patching, monitoring, and more, creating a seemingly endless list of tasks.

However, what makes the enterprise attack surface management unsustainable is its constant expansion. As businesses increasingly digitize, each new device, app, infrastructure component, and network extension creates a new attack surface. The struggle to continuously adapt, incorporating new security tools, becomes increasingly unsustainable over time.

This issue doesn’t stem from a lack of tools. With each generation of attacks and the emergence of new attack surfaces, a plethora of specialized startups pop up, offering new tools to combat these challenges. Whether it’s addressing business email compromise or other threats, there’s always a new tool tailored just for the job. It’s exhausting, it’s expensive and it’s just not sustainable. Large organizations are drowning in security technology, missing critical breach indicators because the security tools get in the way with a flood of false positives that need human work hours to investigate and categorize as such.

It’s time to break the cycle of acquiring another tool for another surface and get off the hamster wheel.

Let’s explore what’s driving this explosion in attack surface:

1. Increased use of cloud services

More businesses are transitioning to cloud-based services and storage. While these services offer significant benefits, they also increase the potential for cyber attacks if not properly secured. The cloud is here to stay – and on-prem is not going anywhere either. This means that the typical organization needs to account for duplication of attack surface across the environment – embracing a hybrid model as the new norm.

Cloud service providers excel in securing the layers of the stack they oversee: the hypervisor, server and storage. However, safeguarding the data and apps within the cloud is the responsibility of the customer. Exactly where that line falls shifts with the service model (IaaS, PaaS or SaaS), but your data, your identities and your access configuration always sit on your side of it. That’s all on you.

2. Remote working

More people working from home and companies adopting more flexible work policies inevitably heightens security risks. And we still haven’t gotten it right. We still don’t have the same managed and secure infrastructure in the home as we had in the office.

3. The Internet of Things

The number of IoT devices in use is skyrocketing, and many of these devices lack adequate security measures. This vulnerability provides a potential entry point for cybercriminals seeking unauthorized access.

4. Supply chains

Cyber attackers can exploit weak links in an organization’s supply chain, such as a vendor or software dependency with weaker controls, to gain unauthorized access to sensitive data or critical systems.

5. AI and machine learning

While these technologies have many benefits, they also introduce new vulnerabilities. Who are the privileged users at AI companies? Are their accounts secured? Are robotic workers (RPAs) using secure digital identities when accessing sensitive corporate data?

6. Social networking

The rise of social networks and their ubiquitous use across personal and business interactions brings new opportunities for criminals, particularly in the area of social engineering. With the recent wave of business email compromise, we can see how vulnerable organizations are to these kinds of attacks.

What’s the solution?

The reality is that the traditional perimeter has been eroding for a long time. Security measures such as the physical keycard, firewall and VPN, when used as standalone defenses, became obsolete a decade ago. Identity has emerged as the new forefront in security.

So, what can you do? There isn’t a one-size-fits-all remedy, obviously. However, there are approaches that alleviate some of the strain on CISO organizations. Across all the emerging threats and trends fueling the attack surface expansion, the common thread is digital identities. By prioritizing the security of identities through identity and access management (IAM), hardening the directory, and privileged access management (PAM), you can roll out robust access control, enable a sound zero trust approach, and keep an eye on privileged accounts.

Cyber insurance has emerged as a vital component in the cybersecurity arsenal, acting as a financial safety net in the event of a breach. Investing in cyber insurance can alleviate financial burdens and aid in the recovery process, making it a key piece of any security strategy.

Make no mistake, you still need to patch your systems, and you still need to make sure your configurations are secure. You still need a balanced approach to cybersecurity and to make any kind of attack expensive enough to deter attacks. However, when attackers are lured by vulnerable identities, you need to react.

Conclusion

Identities are vulnerable. As someone put it a while back: the typical attacker doesn’t hack into systems. They just log in, using compromised credentials, and rampage through the systems (including Active Directory) if left unchecked. Data supports this claim: the latest CISA analysis shows that using “valid accounts was the most prominent technique used across multiple tactics.” These credentials were used not only for initial access but also to move laterally through networks and escalate privileges. Valid credentials were identified as the most prevalent successful attack technique, appearing in over 54% of analyzed attacks. This emphasizes the importance of safeguarding digital identities as a fundamental defense strategy.
