The Identity Defined Security Alliance (IDSA) on Wednesday reported that 98% — the vast majority of companies surveyed — confirmed that the number of identities has increased in their organization, with 52% saying it’s because of the rapid adoption of cloud applications.
Other factors increasing identities at organizations are an increase in third-party relationships (46%) and in new machine identities (43%).
Given the growing number of identities in organizations as they migrate to the cloud, it makes sense that 84% of respondents report having had an identity-related attack in the past year.
The IDSA report said managing and monitoring permissions at such a high scale and in convoluted environments has become extremely difficult. Attackers are exploiting this challenge and continuously attempting to escalate their attack capabilities.
Identity breaches are by far one of the most common breaches, said Alon Nachmany, Field CISO at AppViewX, who said he dealt with two breaches of this kind when he was a CISO. Nachmany said the industry slowly evolved to privileged identities and ensured that privileged accounts were a separate identity, but when organizations moved to the cloud, the lines blurred.
“The days of managing your own systems with your own systems were gone,” Nachmany said. “As an example, with on-prem Microsoft Exchange Servers migrating to Microsoft O365 we no longer managed the authentication piece. Our local accounts were now accessible from everywhere. And a lot of security best practices were overlooked. Another issue is that as some companies blew up and more systems came onboard, they were quickly deployed with the thought that we will go back and clean it up later. With the cloud making these deployments incredibly easier and faster, the issues just evolved.”
Darryl MacLeod, vCISO at LARES Consulting, said while it’s effective to invest in IAM solutions, organizations need to go back to the basics and educate their employees about the importance of security. MacLeod said employees need to understand the dangers of phishing emails and other social engineering attacks. They should also know how to properly manage their passwords and other sensitive information, and in doing so, MacLeod said organizations can significantly reduce their identity-related risks.
“With the growth of cloud computing, organizations are now entrusting their data to third-party service providers without thinking of the implications,” MacLeod said. “This shift has led to a huge increase in the number of identities that organizations have to manage. As a result, it’s made them much more vulnerable to attack. If an attacker can gain access to one of these cloud-based services, they can potentially access all of an organization’s data. If an organization doesn’t have the right security controls in place, they could be left scrambling to contain the damage.”
Joseph Carson, chief security scientist and advisory CISO at Delinea, said the growth in mobility and the cloud greatly increases the complexity of securing identities. Carson pointed out that organizations still try to secure them with the existing security technologies they already have, which results in many security gaps and limitations.
“Some organizations even fall short by trying to checkbox security identities with simple password managers,” Carson said. “However, this still means relying on business users to make good security decisions. To secure identities, you must first have a good strategy and plan in place. This means understanding the types of privileged identities that exist in the business and using security technology designed to discover and protect them. The good news is that many organizations understand the importance of protecting identities.”