Meeting the challenges of the digital workspace [Q&A]
Remote and hybrid teams are increasingly adopting digital tools to get their jobs done. But while this strengthens productivity for workers, it risks compromising the business's security. In turn, this has increased the need for additional layers of supervision and oversight.
Ungoverned connections leave businesses open to supply chain attacks, data breaches and more. We spoke to Astrix Security CEO and co-founder Alon Jackson to discuss these challenges and how to safely and securely manage the new digital workplace.
BN: What would you say is the most overlooked security challenge of the new digital workspace?
AJ: Non-human connections are the sweet spot in this digital workspace environment. In the past 10 months, there has been an onslaught of attacks where third-party app connections, i.e., API keys and OAuth tokens, were stolen from the most trusted vendors like GitHub, Mailchimp, Slack, and more. As a result of these attacks, hackers are gaining access to thousands of organizations worldwide. So while there are multiple layers of security for human connections like MFA, SSO, etc., non-human connections have little to no protection. Most security teams have zero visibility into these entities, which leaves them ill-equipped against this threat vector.
BN: What's the biggest contributing factor to these attacks?
AJ: Product-led growth is here and it's here to stay. The proliferation of third-party applications is only expanding, meaning that the barriers to deployment and trial of new third-party applications have never been lower. In fact, SaaS leaders like Okta, Shopify, and Slack all have 2,000+ integrations. In fact, any company with at least 1,000 employees has around 10,000 access tokens, providing third-party app vendors straight access to the heart of organizations.
BN: Supply chain attacks seem to always be top of mind ever since the SolarWinds breach. Why do you think this area of risk is being overlooked?
AJ: A new generation of supply chain attacks has been on the rise. In these types of attacks, hackers abuse third-party app connections as a means of accessing core business systems. However, when supply chain security risks are discussed, the focus is usually on vulnerabilities in software application components themselves, or the human-to-app connections. The critical area of supply chain security risk they are overlooking is the third-party integrations or non-human entities.
BN: Do you think these kinds of attacks will get worse before they get better?
AJ: Yes, unfortunately, the magnitude of the problem is only expanding. Gartner even touched on it last year, saying that "only 23 percent of security and risk leaders monitor third parties in real time." Businesses aren't helping themselves, or don't realize it, as they don't have much oversight into how their app environments operate. For instance, the rise of low-code and no-code platforms has empowered citizen developers to connect apps with no oversight or security permissions. While the reliance on third-party applications helps fill productivity gaps, the price a business pays is an ever-expanding potential attack surface. Overall, the enterprise is focused on growth and productivity, so while hyper-automation is in overdrive, the security for this space should be escalated as well.
BN: Looking ahead, what's your number one piece of advice to organizations looking to reduce their attack surface?
AJ: The key is to organize. Businesses should create an inventory of all connections into their systems, across all environments, and assess their permission levels. This includes anything connected to the business's core systems via non-human identities, such as API keys, OAuth tokens, and service accounts. Every identity and connection should be evaluated for risk level and exposure (e.g., redundant access, excessive permissions, suspicious behavior) on an ongoing basis, and remediation strategies cannot be a one-size-fits-all affair. Security professionals need contextual mitigations that acknowledge the complex range of interconnected apps that comprise the attack surface. Overall, without managing the lifecycle of all non-human connections from creation to expiry, they won't be able to leverage these connections to their full capacity without compromising security.