Governing the ungovernable: Why cybersecurity must adapt to identity sprawl
You may remember the Colonial Pipeline ransomware attack. Launched in May of last year, DarkSide’s attack cost the Colonial Pipeline Company something on the order of $4.4 million (though the FBI was able to claw some of that money back). The attack set the stage for President Biden’s Executive Order on cybersecurity, shut down pipeline production, and caused panic buying across the Southeast.
That’s how the Colonial Pipeline attack ended. It began far more simply: with hackers breaching the company’s networks through a virtual private network (VPN) account that was no longer actively in use.
Colonial Pipeline was the biggest and highest-profile symptom of a much more widespread disease: ungoverned accounts (orphaned accounts, over-entitled accounts, inactive accounts and service accounts) and over-provisioned entitlements are far too available for threat actors to use. By one estimate, organizations have up to five times as many service accounts as they have employees, 70 percent of organizations fail to fully discover accounts, and 40 percent don’t even bother to try. In another survey, 80 percent of respondents reported that the identities they need to manage had more than doubled, and 25 percent reported a 10x increase since the pandemic began. The survey also found that 85 percent of organizations have employees with “more privileged access than necessary.”
The sad truth is that, because ungoverned accounts and unnecessary entitlements are in organizations’ blind spots, we don’t know what we don’t know. We just know that it’s already a big problem, it’s growing, and it can add up to significant costs. IBM’s Cost of a Data Breach 2021 report found that compromised credentials were the most frequent first step in the kill chain, used in 20 percent of breaches. Verizon found that 61 percent of breaches involved the misuse of credentials. Hackers return to credentials so frequently because they tend to be successful ways into a secure network and because credential abuse is difficult for organizations to identify and contain. IBM reported that, on average, "a breach caused by stolen credentials that occurred on January 1 would take until December 7 to be contained."
These stats are already bad -- and they’re poised to get worse. A record 4.4 million Americans left their jobs in September 2021 during the Great Resignation. As that trend continues, it means many more ungoverned accounts and entitlements. And that’s just human workers -- Deloitte’s Global Robotic Process Automation (RPA) Survey found that 53 percent of businesses have started on their RPA journey, and 72 percent expect to within the next five years. Gartner predicts that, by 2024, businesses using cloud resources can expect at least 2,300 least-privilege policy violations per account per year.
We’re already starting to see how security teams are struggling to adapt to identity sprawl, particularly for cloud solutions. While compromised credentials were the most frequently used initial attack vector in data breaches, IBM found that the third most frequent initial attack vector was cloud misconfiguration, which was exploited in 15 percent of all reported instances. Last year, a cloud misconfiguration resulted in Cognyte exposing 5 billion records. Sixty-one percent of organizations say their cloud environments change every minute or less -- and nearly a third say their cloud environments change at least once a second.
Adaptations move organizations closer to zero trust
The first step in solving a problem is admitting that there is one. As an industry, we’ve recognized that ungoverned accounts and over-provisioned entitlements represent significant vulnerabilities, and that -- in the cloud era -- older forms of performing attestation like role-based access control and exception-based security no longer adequately address the problem they were intended to solve. Noting that the "challenge of managing privileges in [Identity-as-a-Service] is worsening," Gartner recommended that "security and risk management leaders" combine identity and access management with Cloud Infrastructure Entitlement Management (CIEM) to inventory, track, manage and control users’ permissions.
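The inventory-and-control step above is, in practice, a recurring audit over the account inventory. The following is an added illustration (not code from this article, SecurID or Gartner) that flags the three account classes the piece names: orphaned accounts (owner no longer active, the Colonial Pipeline pattern), inactive accounts, and over-entitled accounts whose granted permissions exceed what they actually use. The inventory rows, permission names and the 90-day inactivity threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory (not real data): one row per account.
# `entitlements` is what is granted; `used_entitlements` is what the account
# has actually exercised in the review period.
ACCOUNTS = [
    {"id": "alice", "owner": "alice", "owner_active": True, "type": "user",
     "last_login": date(2021, 12, 1),
     "entitlements": {"read:repo", "deploy:prod"},
     "used_entitlements": {"read:repo", "deploy:prod"}},
    {"id": "bob", "owner": "bob", "owner_active": False, "type": "user",
     "last_login": date(2021, 9, 20),
     "entitlements": {"read:repo"}, "used_entitlements": {"read:repo"}},
    {"id": "vpn-legacy", "owner": "carol", "owner_active": True, "type": "user",
     "last_login": date(2021, 3, 2),
     "entitlements": {"vpn:connect"}, "used_entitlements": set()},
    {"id": "svc-backup", "owner": "ops-team", "owner_active": True, "type": "service",
     "last_login": date(2021, 12, 5),
     "entitlements": {"read:db", "write:db", "admin:db"},
     "used_entitlements": {"read:db"}},
]

AUDIT_DATE = date(2021, 12, 10)  # assumed date the review is run


def audit(accounts, today, inactive_days=90):
    """Return {account_id: [issues]} for every account needing attention."""
    findings = {}
    for a in accounts:
        issues = []
        # Orphaned: the human or team that owned it is gone, nobody reviews it.
        if not a["owner_active"]:
            issues.append("orphaned")
        # Inactive: unused long enough that it should be disabled, not left open.
        if (today - a["last_login"]).days > inactive_days:
            issues.append("inactive")
        # Over-entitled: granted permissions never exercised in the period.
        unused = a["entitlements"] - a["used_entitlements"]
        if unused:
            issues.append("over-entitled:" + ",".join(sorted(unused)))
        if issues:
            findings[a["id"]] = issues
    return findings


if __name__ == "__main__":
    for account_id, issues in audit(ACCOUNTS, AUDIT_DATE).items():
        print(f"{account_id}: {'; '.join(issues)}")
```

Each finding maps to a remediation: disable inactive accounts, reassign or remove orphaned ones, and trim unused entitlements down to what is exercised.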
Making that shift now can help businesses prepare for what’s taking shape. As Colonial Pipeline, Cognyte and the Cost of a Data Breach 2021 report make clear, businesses are already falling behind when it comes to managing users’ identities and their entitlements. That gap will only widen if we try to apply manual processes to automated systems. With businesses embracing RPA, bot accounts and elastic resources, we’ll need security systems that can make attestation decisions as quickly as our automated tools do. We need our machines to police our machines.
These trends also demand that cybersecurity do a better job of reacting to every access or entitlement request in real time. Integrating context can help security teams get to that point -- if I log on every day using the same device from the same IP address at the same time, then my security system should be able to authenticate me with a high degree of confidence. Integrating those signals can help validate my requests as frequently as I make them and help organizations move closer to zero trust.
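The device / IP address / time-of-day reasoning above is what a contextual authentication policy computes on every request. The following is an added example (not SecurID's product logic or code from this article): it compares a login attempt against a constructed baseline of the user's recent successful logins, counts how many context signals are unfamiliar, and returns a decision. The signal weights, the two-hour "usual time" window and the allow / step-up / block thresholds are assumptions chosen for illustration.

```python
# Constructed baseline of one user's recent successful logins (sample data,
# IP addresses from the IANA documentation ranges).
BASELINE = [
    {"device": "laptop-7f3a", "ip": "203.0.113.10", "hour": 8},
    {"device": "laptop-7f3a", "ip": "203.0.113.10", "hour": 9},
    {"device": "laptop-7f3a", "ip": "203.0.113.10", "hour": 8},
    {"device": "phone-c2e1", "ip": "198.51.100.25", "hour": 18},
]


def hour_distance(h1, h2):
    """Hours apart on a 24-hour clock, so 23:00 and 01:00 are 2 apart, not 22."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def risk_score(attempt, baseline, hour_window=2):
    """Count unfamiliar context signals: 0 = fully matches history, 3 = nothing matches."""
    known_devices = {b["device"] for b in baseline}
    known_ips = {b["ip"] for b in baseline}
    score = 0
    if attempt["device"] not in known_devices:
        score += 1
    if attempt["ip"] not in known_ips:
        score += 1
    # "Same time" means within hour_window of some previous login hour.
    if not any(hour_distance(attempt["hour"], b["hour"]) <= hour_window
               for b in baseline):
        score += 1
    return score


def decide(attempt, baseline):
    """Map the score to a policy outcome (thresholds are assumed, not prescriptive)."""
    score = risk_score(attempt, baseline)
    if score == 0:
        return "allow"        # every signal matches: authenticate with high confidence
    if score <= 2:
        return "step-up"      # partly familiar: require a second factor
    return "block"            # nothing familiar: refuse and alert


if __name__ == "__main__":
    for attempt in ({"device": "laptop-7f3a", "ip": "203.0.113.10", "hour": 9},
                    {"device": "laptop-7f3a", "ip": "192.0.2.77", "hour": 9},
                    {"device": "tablet-0000", "ip": "192.0.2.77", "hour": 3}):
        print(attempt, "->", decide(attempt, BASELINE))
```

A real deployment would draw the baseline from the authentication logs continuously rather than from a static list, so the policy re-evaluates as often as requests arrive.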
Cloud services, bot accounts, and changing labor markets are going to make it even harder for security teams to protect what matters most. Ultimately, we’ve built too many windows and doorways into our homes -- and we don’t have enough eyes to watch them all.
The best way to adapt to these trends is to recognize that identity is common across each of them. We must eliminate unmanaged accounts. We must understand who has access to what, why they need it and how they’re using it. We must prioritize identity as the foundation of a zero trust mindset -- or we’ll be exploited by it.
Jim Taylor is Chief Product Officer, SecurID. He is responsible for the organization’s overall product strategy, delivery and development. In this role, Jim will deliver the solutions and innovations that will ensure that SecurID achieves its vision to be the trusted identity platform for the world’s most security-sensitive organizations by supporting hybrid workers, deploying modern authentication and accelerating businesses’ cloud strategies. Jim brings more than two decades of identity product strategy, cloud security, SaaS and enterprise software development to the role.