Why identity security could be the Achilles heel of your business [Q&A]
Most successful cyberattacks rely on compromised identity or social engineering. Yet this can be a major blindspot for enterprises with basic awareness of the problem lacking and a growing number of personal devices used for work.
We spoke to Jim Taylor, chief product officer of identity platform RSA -- which recently published a report on the issue -- to learn more about the problem and how it can be addressed.
BN: Why is identity security such a problem for enterprises?
JT: In some ways, identity security isn't a new problem. The Verizon 2023 Data Breach Investigations Report found that the "Use of stolen credentials became the most popular entry point for breaches" over the past five years. Look in any previous year's DBIR and I'm sure you'd see credential theft and poor password practices at the top of the list of initial attack vectors then, too. It's almost always going to be easier for threat actors to try brute force, rainbow tables, or even shoulder surfing to imitate a user than it is for them to attack a technology like multi-factor authentication.
But the scope of the problem has grown exponentially since COVID, and that growth is creating major problems. There are too many users, devices, entitlements, and environments for security teams to manage at any given moment -- and threat actors are taking notice. Whether it's the push fatigue or prompt bombing attacks that struck organizations last fall, using an orphaned account to launch a ransomware attack on Colonial Pipeline, exploiting default MFA controls to evade authentication, or any number of other examples, identity is making the attack surface too large and complex for security teams to defend.
BN: Has this been made worse by the shift to more remote and hybrid working?
JT: The shift to more remote and hybrid working has absolutely made things worse. Look at BYOD policies and personal mobile devices: we had to use them when we all headed home during the pandemic out of necessity. They obviously don't have the same security oversight or capabilities as managed devices, yet we've continued using those devices to access professional resources: the Verizon Mobile Security Index 2022 found that 60 percent of businesses allowed users to access email on their own phones and tablets. Not coincidentally, the same report found that mobile-related compromise doubled from 2021 to 2022. It's no wonder that 97 percent of cybersecurity experts agreed that mobile devices are prime targets for identity compromise, per a recent RSA report.
BN: Why are existing identity solutions failing businesses?
JT: Existing identity solutions are failing businesses because change generates risks -- and over the last few years, we've seen an incredible amount of change. In reacting to the pandemic and catering to flexibility, many organizations have set significant security traps for themselves. The main accelerants have been the growth of devices used to access professional resources (in 2022, mobile devices accounted for 60 percent of the endpoints accessing enterprise assets), the fact that users are working outside of the traditional security environment, and that users are largely employing unmanaged devices.
Don't get me wrong: there are good reasons to cater to flexibility, and security should enable change rather than try to stand in the way. But organizations have changed so much and so quickly that those transformations have left major vulnerabilities or gaps between identity capabilities. It's got to the point that threat actors are finding ways to side-step MFA by attacking other points in the identity lifecycle.
BN: What are the first steps to take to address the issue?
JT: As an industry, we typically refer to these functions as components of identity and access management (IAM). While IAM still has value and is still essential for any enterprise, I don't think 'IAM' as a term is sufficient any longer. We need to bring identity security to every part of the identity lifecycle, including when a user is onboarded, when they receive their initial entitlements, when they make access requests, when their entitlements change, when the user is terminated, and so on.
It's not enough to drop MFA into a stack and walk away: organizations need to look at identity as an integrated whole. The most secure solutions will combine authentication, access, governance, and lifecycle in one platform. They'll also need intelligence capabilities that help security teams identify high-priority risks and automate responses. Identity tends to be an organization's defense -- and that makes it an attacker's target. It's not enough for identity to be good at defense anymore: instead, it also needs to be good at self-defense. Organizations need identity threat detection and response (ITDR) as a core component of their security program, not a 'nice-to-have' that they can do without.
BN: How much of a role do new technologies like AI have in improving identity security?
JT: AI has a significant role in improving identity security. The amount of information that's changing from moment to moment is overwhelming human security personnel. They can't keep up -- but AI can. Humans tend to be the weak link in a security system, and many of the vulnerabilities that wind up hurting organizations result from someone forgetting something simple, like eliminating an orphaned account or over-provisioning a user with more entitlements than they need.
AI won't make those mistakes: it doesn't tire, sleep, or forget. In fact, unlike humans, AI can improve as you feed it more information. I think we're nearing a point where AI can handle business-as-usual authentication and access requests. When it encounters an exceptional or high-risk event, it can alert human security teams to investigate and respond. Using AI is the only way that I think we can get to zero trust and authenticate every request in real time.
Moreover, many of the events that AI security solutions can monitor are structured data; that type of information lends itself to deterministic AI models, which means there's no black box obscuring how a given algorithm makes its decisions. Deterministic AI can ensure that security and compliance teams can maintain compliance.
Image credit: vchalup2/depositphotos.com