There’s been considerable talk in cybersecurity over the years about “attack surface management.” But this talk often excludes one of the most fast-growing and vulnerable components of any organization’s attack surface: its identities. The importance of identity security has become painfully apparent for security professionals as threat actors focus on phishing and other identity-based attacks to penetrate networks and move laterally across the organization to access applications and compromise data sources. This is why it's not unusual for security thought leaders to trumpet “identity-first” strategies and treat identity as “the new perimeter.”
Recent statistics support a clear trend toward identity-based attacks:
- Verizon’s 2024 Data Breach Investigations Report found that 80% of web application attacks used stolen credentials.
- The same report found that 71% of web application attacks and 50% of social engineering attacks targeted credentials.
- The Identity Defined Security Alliance's (IDSA) Trends in Securing Digital Identities report showed that 90% of organizations experienced one or more identity-related breaches in the previous year, and 45% experienced a negative reputational impact from an identity incident.
- Expel, a leading managed security services provider, found that 64% of the incidents investigated by its SOC involved identities.
Another compelling statistic to layer on top of these data points, from CyberArk’s Identity Security Threat Landscape Report for 2024, is that the overall number of human and non-human identities used by our digital solutions has grown at least 240% in each of the last two years. In the simplest terms: when the attack surface grows that fast, governance, compliance enforcement, and plain consistent implementation of identity best practices will fall behind. It is practically a foregone conclusion, because fulfilling business needs will always outpace security hardening and the formulation and enforcement of policy.
In this article, we’ll explore some of the reasons identities are so difficult to protect and how new thinking and new tools can better defend this expanding attack surface.
Identities are Hard to Protect
Why are identities so hard to protect? There are four primary reasons:
- The credentials and accounts that serve as identity foundations are scattered—Depending on the applications in use, the quality and handling of user and machine credentials in unfederated applications is often unknown. They are largely established and managed by function-centric staff who are motivated to get an integration working or to set up team accounts in applications that cannot be federated, and these staff are not necessarily aware of security best practices such as least privilege, avoidance of phishable credentials, or rotation of weak credentials where weak credentials are the only option. These are not the 80% or so of applications that rely on a modern IdP with all its policy enforcement capabilities, but the 20% that represent weak links and often sit out of sight and decentralized. For these applications, there are many unknowns:
- Are your staff and contractors using passwords alone, or MFA? Worse, are the passwords weak or reused? Do they have poor password manager practices (or none at all)? How secure are the endpoints from which they log in to your systems?
- Who is tracking levels of privilege or account lifecycle?
- In addition, the accounts, associated entitlements, credentials and secrets that effectively represent physical people (the “real” identity) are also scattered across numerous sources. They are found in applications, identity management systems, secrets managers, etc. They are in devices ranging from workstations to servers, they’re in on-premises applications, in cloud platforms, and SaaS services. Because so many assets and resources are widely distributed and poorly tracked, most organizations have no way to assemble a complete picture of the identity information for any one entity, whether person or machine. Trying to build that picture for an entire enterprise is even harder.
- Command and control in silos—IT and security teams devote a lot of time and effort to finding and remediating vulnerabilities, fixing misconfigurations, and staying ahead of identity attack vectors such as interception (man-in-the-middle), brute force (password spraying), and automation (credential stuffing). Unfortunately, they perform most of these activities in organizational, architectural, and policy silos: identity teams don’t mingle with infrastructure teams; identity management systems don’t integrate with cloud operations systems; machine identities often aren't covered by IGA and PAM solutions at all. This makes it difficult or nearly impossible to obtain a picture complete enough to detect identity-centered risks. Risky combinations of status, credentials, and behavior belonging to a single staff member or system are invisible. IT staff trying to do the “right thing” see only their corner of the world, whether HR, Cloud Ops, or App Development, and business units lack the time, the access, or the remit to collaborate and address these risks. Case in point: if credentials for a user’s personal account are available on the dark web, and the user has reused the same or a similar password on their work account, the progression from risk to threat to vulnerability to compromise can happen before siloed teams are even aware of it, let alone able to respond.
- Ecosystems are increasingly complex—Applications and services are no longer monolithic and homogeneous. More often than not they are composed of collections of services and architectures running on multiple cloud platforms. Every component in that ecosystem may have its own authentication process for managing identity and access. Each also has its own management and administration accounts which, if protected by weak credentials, could give threat actors a way to bring business operations to a halt. Digital nomads, remote workers, contractors, and business partners add more identities to the ecosystem that need to be reconciled. Different tools have evolved to tackle new architectures, such as CASB, CSPM and CIEM, but they rarely share data with one another, let alone combine and enrich it to present a collective state. That is left to SIEMs and the enterprise’s in-house staff, who build rulesets only for what they can see and have already experienced, often resulting in projects known to be incomplete or, worse, a false sense of security based on an assumption of completeness.
- Machine identities are everywhere—There are generally two types of machine identities: software entities such as workloads, service accounts, and roles used for API access; and physical devices such as workstations, internet-of-things (IoT) devices, and industrial systems. Both types require consistent management of identity lifecycle, privileges, and credentials in order to securely access and interact with other systems and business resources. According to some estimates, machine identities outnumber human identities in our networks by 50:1 or more. These typically invisible, often overprivileged, intermittently managed or unmanaged non-human identities dramatically increase the complexity of identity management and security, and as they proliferate from decentralized sources, they are very likely to increase an organization’s attack surface appreciably.
Combined, these factors raise the need for identity security to a critical level. What’s needed is a new way to significantly improve identity security without incurring high costs or disrupting existing identity management and cybersecurity infrastructure investments and processes. What’s needed is a new “zoomed out” approach to identity that focuses on understanding and mitigating risk: identity risk management (IdRM).
A New Approach to Identity Security
IdRM is a synthesis of technology and processes that enables disparate security and identity management teams to collaborate and to discover and resolve identity risks quickly, accurately, and collectively, without the impediments of complexity and silos. By doing so, they can detect identity-related risks from across the entire enterprise that affect their scope, quantify the true scale of those risks, set priorities for remediation, and fortify identities against the now-known risks through effective, targeted remediations.
While these steps sound easy, they take considerable work. For example:
- Identifying risky identities requires a complete picture of identity information across widely distributed systems: for every human and machine user, discovering and collecting information about their identities, accounts, entitlements, credentials, and behavior from a wide variety of sources.
- Quantifying risks and setting priorities entails correlating identities, including reconciling multiple identities used for the same user or machine; assessing the risks they present, including those that are apparent only when the collection of identities is viewed together; and evaluating the potential for each risk to be realized as an attack, its severity, and its scale of impact.
- Fortifying identities against risk requires a knowledge base of remediation actions for each risk, and automated integrations to help coordinate the actions of people and processes. It should include guidance on hardening identities without breaking processes, plus sign-off and workflow management for adjacent systems.
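As an added illustration of the correlation and risk-scoring steps above, and of the siloed case in point earlier (a breached password reused on a work account), here is a small Python model of cross-silo identity risk assessment. It is not code from this article or from Axiad; every export, record, password, rule, and weight in it is constructed for the example, and the record shapes are assumptions rather than any real product's API.

```python
"""Cross-silo identity correlation and risk scoring (added illustration).

All inputs are constructed: an HR feed, a federated IdP export, a cloud IAM
listing, the local accounts of an app that cannot be federated, and a breach
corpus of SHA-1 password hashes. Record shapes are assumptions, not a real API.
"""
import hashlib
from dataclasses import dataclass, field

HR_FEED = [  # HR is the source of truth for employment status
    {"email": "Alice@Example.com", "employment": "active"},
    {"email": "bob@example.com", "employment": "terminated"},
]
IDP_USERS = [  # federated IdP; the only source that knows MFA enrollment here
    {"email": "alice@example.com", "status": "ACTIVE", "mfa_enrolled": True},
    {"email": "bob@example.com", "status": "DEPROVISIONED", "mfa_enrolled": False},
]
CLOUD_IAM = [  # cloud IAM users; an "owner" tag is the only link back to a person
    {"user": "bob", "owner": "bob@example.com", "policies": ["AdministratorAccess"],
     "access_key_age_days": 400, "mfa_enrolled": False},
    {"user": "svc-build", "owner": None, "policies": ["AdministratorAccess"],
     "access_key_age_days": 900, "mfa_enrolled": False},
]
SAAS_LOCAL = [  # unfederated app that stores its own password hashes
    {"username": "alice.smith", "email": "alice@example.com", "mfa_enrolled": False,
     "password_sha1": hashlib.sha1(b"Summer2023!").hexdigest()},
]
# constructed credential dump: SHA-1 of passwords already exposed elsewhere
BREACH_CORPUS = {hashlib.sha1(p).hexdigest() for p in (b"Summer2023!", b"Password1")}


@dataclass
class Identity:
    key: str            # normalized e-mail for people, "machine:<name>" otherwise
    human: bool
    accounts: list = field(default_factory=list)  # (source, record) pairs
    findings: list = field(default_factory=list)  # (rule description, weight)

    @property
    def score(self) -> int:
        return min(100, sum(w for _, w in self.findings))


def norm(email):
    """Normalize e-mail so HR's 'Alice@Example.com' joins the IdP's lowercase form."""
    return email.strip().lower() if email else None


def correlate() -> dict:
    """Join every source's records into one Identity per person or machine."""
    ids = {}

    def get(key, human):
        return ids.setdefault(key, Identity(key, human))

    for r in HR_FEED:
        get(norm(r["email"]), True).accounts.append(("hr", r))
    for r in IDP_USERS:
        get(norm(r["email"]), True).accounts.append(("idp", r))
    for r in SAAS_LOCAL:
        get(norm(r["email"]), True).accounts.append(("saas", r))
    for r in CLOUD_IAM:
        owner = norm(r["owner"])
        key = owner if owner else f"machine:{r['user']}"
        get(key, owner is not None).accounts.append(("cloud", r))
    return ids


def assess(identity: Identity) -> Identity:
    """Apply risk rules; several only fire when two silos are viewed together."""
    src = {s: r for s, r in identity.accounts}  # sample has one record per source
    hr, saas, cloud = src.get("hr"), src.get("saas"), src.get("cloud")
    # an account is "live" unless the source explicitly says it is deprovisioned
    live = [s for s, r in identity.accounts
            if s != "hr" and r.get("status", "ACTIVE") != "DEPROVISIONED"]
    if hr and hr["employment"] == "terminated" and live:
        identity.findings.append((f"terminated but still active in: {', '.join(live)}", 40))
    admin = bool(cloud) and "AdministratorAccess" in cloud["policies"]
    if admin and not cloud["mfa_enrolled"]:
        identity.findings.append(("admin policy without MFA", 30))
    if saas and saas["password_sha1"] in BREACH_CORPUS:
        identity.findings.append(("local SaaS password appears in breach corpus", 35))
    if saas and not saas["mfa_enrolled"]:
        identity.findings.append(("unfederated account without MFA", 10))
    if cloud and cloud["access_key_age_days"] > 365:
        identity.findings.append(("access key older than 365 days", 15))
    if not identity.human and admin:
        identity.findings.append(("unowned machine identity with admin policy", 25))
    return identity


def rank() -> list:
    """Return all identities, highest risk score first."""
    return sorted((assess(i) for i in correlate().values()),
                  key=lambda i: i.score, reverse=True)


if __name__ == "__main__":
    for ident in rank():
        print(f"{ident.score:3d}  {ident.key}")
        for rule, weight in ident.findings:
            print(f"      +{weight:2d}  {rule}")
```

Run as a script it prints the ranked list: bob first (85), the unowned build service account second (70), alice third (45). The point of the exercise is that no single silo would have ranked them that way. HR knows bob is terminated and the IdP has already deprovisioned him, so both look clean in isolation; the cloud account is only visible as a terminated user's live admin key once the owner tag is joined to HR. Likewise alice is fully compliant in the IdP, and her breached, MFA-less password exists only in the unfederated app's local store. The weights are arbitrary placeholders; a real scoring model would also account for blast radius and the entitlements behind each account.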
Fortunately, almost all of this work can be automated, with people needed only in a few supervisory roles. A new generation of IdRM solutions has begun to evolve with these characteristics:
- Integration with many other systems—An IdRM solution should not be a “rip and replace” proposition, nor a “definitive platform.” Rather, it should readily integrate with existing infrastructure elements to tap into their identity information and act as a force multiplier. To accomplish this, it should offer out-of-the-box integrations with popular identity and access management (IAM) and cybersecurity tools, cloud platforms, and SaaS applications.
- Enterprise-wide visibility—Many identity security issues and risks can be detected and assessed only by creating a comprehensive image of the identity landscape and relationships across the entire enterprise. This means that any effective IdRM solution should be able to discover and ingest identity information from a wide range of sources, and at the same time normalize, correlate, analyze, and enrich that information.
- Enterprise-wide scalability—To be effective, an IdRM solution needs to ingest and correlate large amounts of data from the start, and the quantities of data grow to massive proportions over time. In addition, analysis and remediation need to be performed quickly, so identity and security teams can stay ahead of risks before bad actors capitalize on them.
Beyond these elements, an IdRM solution should create risk assessments that are easy to interpret and act upon. They should reflect a wide range of meaningful risk factors that can be used to rank and compare the risk levels of both individual identities and areas of risk in the business. Additionally, they should be usable by many teams, such as IAM, SOC, DevOps, and IoT, not to mention senior executives. An IdRM solution should provide the professionals in these groups with tools that visualize identity risks over time, drill down into risk areas and individual identities and, where oversight is needed, enable better decision-making at scale by exposing structures, relationships, and contextual information at the scope each professional is responsible for.
With identity security continuing to lag fast-moving attack vectors, IdRM has room to evolve as threats do, while still providing a timely solution today for an industry in need.
By John Babbidge, Chief Technology Officer, Axiad