Organisations, industry observers and vendors have all talked a lot about the pace of change in recent months. We have seen how services provision has been transformed, how rapidly new apps are rolled out, how new workflows are developed, and new ways of serving our customers. Our sheer ability to adapt to changing conditions has been hugely impressive.
And yet this incredible advance comes at a price. In fact, it has already created one, in the shape of an identity-related security debt that is big, getting bigger, and must be repaid…or called in.
The pivot to digital has been beneficial in many ways, but it has forced us into a place where the nature of digital identity must be re-thought and re-imagined, and implemented within organisations as something much, much more than access: the cumbersome exercise whereby people and, latterly, Things (machines, apps, servers, devices) get the permissions needed to perform their roles or tasks.
To a degree, we’ve always recognised that certain of these people and things have access permissions that need special attention. The access rights of the CEO of a public company are such that they enable access to privileged information of all kinds. This privileged access is managed and secured in order to avoid, for instance, market-sensitive information becoming known prior to an earnings announcement.
But what if you can get this information by other means? What if, for instance, an attacker makes the logical leap of faith that an executive’s pay at certain points in the year would reflect – in the shape of no bonus being awarded – the fact that targets have not been achieved, and the stock is thus likely to tank when this information is announced?
And so, the payroll administrator’s identity and access also becomes a problem, in that it has to be secured and managed in such a way that they, and only they, can access this privileged data. This is a blind spot for many firms. They often look only at how to secure the obvious routes to critical assets, without considering the need to secure other things that can still be critical in the right circumstances.
Added to this, we have the issue of lifecycle mismanagement. In the on-premises world, the result is referred to as ‘orphaned’ permissions and, in the cloud, as ‘excessive’ permissions. These permissions are pervasive and are created, for instance, when people join one function and then move over to another: the permissions of the old function are not retired. The situation is replicated with services that are no longer used. In each case, they can be used by attackers to access potentially sensitive data and assets, like forgotten (but perfectly usable) forest trails. Unmanaged access associated with various human and non-human identities abounds.
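The lifecycle failure described above (a person or service moves on, the old grants stay) can be surfaced by reconciling what each identity currently holds against what its current role justifies, and against when each grant was last exercised. The following is an added example, not code from the original article or any vendor product; the role, grant and last-used data are constructed inline, and the 90-day idle window is an assumption that a real programme would tune.

```python
"""Orphaned / excessive permission reconciliation (added example, constructed data)."""
from datetime import date, timedelta

# Constructed inputs. In practice these come from the IAM / IGA system, the HR
# roster (or service inventory for non-human identities) and access logs.
ROLE_ENTITLEMENTS = {
    "payroll-admin": {"hr-db:read", "payroll-app:admin"},
    "sales": {"crm:read", "crm:write"},
    "ci-runner": {"artifact-store:write"},  # a non-human identity's role
}

CURRENT_ROLES = {
    "alice": {"sales"},              # moved from payroll-admin to sales
    "bob": {"payroll-admin"},
    "build-svc": {"ci-runner"},
}

GRANTED = {
    "alice": {"hr-db:read", "payroll-app:admin", "crm:read", "crm:write"},
    "bob": {"hr-db:read", "payroll-app:admin"},
    "build-svc": {"artifact-store:write", "legacy-ftp:write"},  # legacy-ftp retired
}

# (identity, permission) -> last date the grant was exercised; absent = never seen.
LAST_USED = {
    ("alice", "hr-db:read"): date(2021, 1, 4),
    ("alice", "payroll-app:admin"): date(2021, 6, 25),
    ("alice", "crm:read"): date(2021, 6, 28),
    ("alice", "crm:write"): date(2021, 6, 30),
    ("bob", "hr-db:read"): date(2021, 2, 1),
    ("bob", "payroll-app:admin"): date(2021, 6, 29),
    ("build-svc", "artifact-store:write"): date(2021, 6, 30),
}

TODAY = date(2021, 7, 1)  # fixed so the example is reproducible


def expected_permissions(identity, current_roles, role_entitlements):
    """Permissions that the identity's *current* roles justify."""
    perms = set()
    for role in current_roles.get(identity, set()):
        perms |= role_entitlements.get(role, set())
    return perms


def find_orphaned(granted, current_roles, role_entitlements):
    """Grants with no backing role: leftovers from a previous function or a retired service."""
    orphaned = {}
    for identity, perms in granted.items():
        extra = perms - expected_permissions(identity, current_roles, role_entitlements)
        if extra:
            orphaned[identity] = extra
    return orphaned


def find_unused(granted, last_used, today, max_idle_days=90):
    """Grants not exercised inside the idle window (never-used grants count as unused)."""
    cutoff = today - timedelta(days=max_idle_days)
    unused = {}
    for identity, perms in granted.items():
        stale = {
            p for p in perms
            if last_used.get((identity, p)) is None or last_used[(identity, p)] < cutoff
        }
        if stale:
            unused[identity] = stale
    return unused


def triage(granted, current_roles, role_entitlements, last_used, today, max_idle_days=90):
    """Combine both signals into an action per grant.

    orphaned + unused  -> revoke      (nothing justifies it, nobody relies on it)
    orphaned + in use  -> investigate (a right the role no longer justifies is still exercised)
    justified + unused -> review      (candidate for tightening toward least privilege)
    """
    orphaned = find_orphaned(granted, current_roles, role_entitlements)
    unused = find_unused(granted, last_used, today, max_idle_days)
    findings = []
    for identity, perms in granted.items():
        for perm in sorted(perms):
            is_orphan = perm in orphaned.get(identity, set())
            is_unused = perm in unused.get(identity, set())
            if is_orphan and is_unused:
                action = "revoke"
            elif is_orphan:
                action = "investigate"
            elif is_unused:
                action = "review"
            else:
                continue
            findings.append((identity, perm, action))
    return findings


if __name__ == "__main__":
    for identity, perm, action in triage(GRANTED, CURRENT_ROLES, ROLE_ENTITLEMENTS, LAST_USED, TODAY):
        print(f"{action:12s} {identity:10s} {perm}")
```

The three-way split matters in practice: an orphaned grant that is still being exercised (alice’s payroll-app admin right after her move to sales) is exactly the blind spot the article describes, and deserves a human look rather than a silent revoke, while a never-used grant on a retired service is safe to remove outright.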
Over the last 15 months or so, in the rush to reposition – and in some cases simply survive – organisations have exacerbated the problems described above. We have heard of many instances where employees were told to run into the office before it closed, grab their laptop and work via whatever connection they could find. Or they were thrown some money and told to buy their own equipment. Cloud services have been rolled out to perform the functions that on-premises infrastructure could no longer do.
All the above means new identities and new access rights have had to be created. Not just a few per company, either. For an average-sized organisation, each new cloud service, each new collaboration tool, and each new customer-facing application means hundreds if not thousands of new sets of credentials. An attacker thinks of these as ‘potential’. Consider this: the Verizon 2021 Data Breach Investigations Report says that phishing (the act of obtaining information – often credentials – through deception) and the use of stolen credentials were the top two actions taken by attackers in the 5,258 breaches studied. And privilege abuse featured in at least 60% of breaches. In practice, this means permissions, identities and access being used to progress an attack.
Speed has trumped security. CISOs planning for a hybrid future are probably aware of the identity-related risk that has been created. And what is going to happen is what we always see with access and security: they are going to try to add security, after the fact, to all the access that has been created. In doing so, CISOs will run into the problem of trying to effect behavioural change. People who have got used to full admin access to systems, secured over a VPN with little in the way of MFA, are going to push back. The act of imposing least privilege on remote endpoints will similarly create friction.
What has been incurred, then, over a very short period of time and at an unimaginable scale, is a vast identity-related security debt. How security professionals address this will define how vulnerable our data and assets will be, at least over the course of the rest of 2021 and into 2022.