"Winter is Coming..."

With a potential recession looming, the upcoming downturn will challenge organizations’ security more than ever before


While privilege access is not a new cyber challenge, the rapid adoption of the cloud and the resulting infrastructure sprawl has made it the #1 threat vector faced by enterprises today. With this rapid evolution in the way organizations conduct business and the expansion of user access across different environments, controlling who is granted access to which resources becomes increasingly challenging. Security teams face a whole new set of identity management challenges, including maintaining an accurate set of active user privileges, gating malicious behavior, preventing the formation of ghost accounts, and, most importantly, cleanly onboarding and decommissioning users. This is likely to be exacerbated in the coming months as more organizations retrench their workforce in line with the emerging market downturn.


Risk-Prone User Commissioning and Decommissioning Process

Unlike traditional IT, where development environments were simple and user activities were tightly controlled, multi-cloud environments pose a much greater challenge to organizations given that users play multiple roles and have multiple privileges which are constantly changing.


Let's look at a quick example. When a new employee starts at a company, the user is given access to the network and granted all requisite access to the infrastructure, including cloud environments, internal applications, and other SaaS applications that are managed separately. The user normally starts with minimum privileges, but over time they accumulate privileges based on specific requirements, such as access to legacy apps and on-premise systems that may require elevated rights. Repeated use of group policies, persistent privileges without expiry, legacy users, legacy access, and so on result in the user holding more privileges than they need, and certainly more than the IT team would like.


While current IAM solutions let identity systems administrators decommission users in Active Directory or other LDAP systems, they fail to recognize the footprint left by exiting users, including services and activities across other cloud environments. The reason is that current solutions do not account for the overall lineage of users: their avatars, privileges, and access to resources, which may span multiple cloud environments.

Hence decommissioning users in Active Directory or LDAP systems leaves behind traces of their accounts, their lurking privileges, and independent activities such as periodic health checks that keep running under them; these are sitting ducks for account takeover by external attackers or malicious insiders. In addition, because users may have access to numerous SaaS applications, internal applications, and custom directory systems, cleanly decommissioning users from all of these systems is almost impossible with current solutions.
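The footprint described above, as an added illustration that is not part of this post or of the Inside-Out Defense product: a reconciliation of a central directory against per-environment account inventories that flags accounts and scheduled jobs whose principal has been decommissioned, and privileges that never expire (the accumulation from the example earlier). All users, environments, roles and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the post): the central directory, and the
# footprint the same people leave in each environment ("avatars" of one user).
DIRECTORY = {"alice": "active", "bob": "disabled"}  # bob was decommissioned in AD/LDAP

ENVIRONMENTS = {  # per-environment accounts: who holds which privilege, with expiry
    "aws-prod": [
        {"user": "alice", "role": "ReadOnly",     "expires": "2026-06-30"},
        {"user": "alice", "role": "LegacyDeploy", "expires": "2023-01-01"},  # expired, never revoked
        {"user": "bob",   "role": "AdminRole",    "expires": None},
    ],
    "saas-crm": [
        {"user": "alice", "role": "Admin",    "expires": None},  # accumulated over time
        {"user": "bob",   "role": "Exporter", "expires": None},
        {"user": "carol", "role": "Viewer",   "expires": None},  # no directory entry at all
    ],
}

SCHEDULED_JOBS = [  # periodic activities that keep running under a principal
    {"env": "aws-prod", "owner": "bob",   "name": "nightly-db-healthcheck"},
    {"env": "aws-prod", "owner": "alice", "name": "log-rotation"},
]

def orphaned_accounts(directory, environments):
    """Accounts whose directory principal is disabled or has no directory entry."""
    findings = []
    for env, accounts in environments.items():
        for acct in accounts:
            status = directory.get(acct["user"], "missing")
            if status != "active":
                findings.append((env, acct["user"], acct["role"], status))
    return findings

def stale_privileges(environments, today):
    """Privileges that never expire, or whose expiry date has already passed."""
    findings = []
    for env, accounts in environments.items():
        for acct in accounts:
            if acct["expires"] is None:
                findings.append((env, acct["user"], acct["role"], "no-expiry"))
            elif date.fromisoformat(acct["expires"]) < today:
                findings.append((env, acct["user"], acct["role"], "expired"))
    return findings

def orphaned_jobs(directory, jobs):
    """Scheduled jobs still running under a disabled or unknown principal."""
    return [(j["env"], j["owner"], j["name"]) for j in jobs
            if directory.get(j["owner"], "missing") != "active"]
```

Feeding real inventories (directory export, cloud IAM listing, SaaS user export, scheduler configuration) into the same three checks turns the offboarding gap into a concrete list of accounts, grants and jobs to revoke.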

Who Has Access to What, When, Where, and Why?

It is critical to analyze who has access to which applications and data, where they are accessing it from, what the context behind their activity is, and why they are doing what they are doing. CISOs need to manage proper access for teams while also being able to report to their boards on employee access profiles, activities, and privileges. Unfortunately, current systems do not equip practitioners with compliance reports that span environments, systems, applications, and all user personas.


SaaS Applications Have a Mind of Their Own

The emergence of SaaS applications requires organizations to extend their infrastructure and user access. Each application has its own identity store, with its own login URLs and access requirements. Organizations struggle to extend their security policies to SaaS applications, which have their own security controls, including identity management. Although SaaS products make it easier for users to access applications, integrating the organization's security policies into each of them is not easy, and the complexity multiplies with the number of applications. The maturity of SaaS applications spans the whole spectrum, and not all of them provide native integration with centralized IAM solutions. Organizations currently have no option but to build on their existing investments in these SaaS applications rather than create a parallel directory and access management infrastructure just for them.


Remote Workforce

The ongoing pandemic has refocused the need to support a remote workforce without compromising security, which is a challenging feat from a user access perspective. Remote access adds another layer of complexity and increases the number of vulnerability points, and available software solutions are simply not equipped to properly manage the lineage of users and remediate problems in real time.


Why Can’t the Current IAM/PAM and SIEM Solutions Address the Problem?

Organizational security has become more challenging than ever before, as IAM/PAM and SIEM solutions are being outpaced by smarter and faster threats. Current vendors mostly focus on single-user activities to determine potential red flags and aggregate them for further processing, without taking into account the overall context of the user and their activities across environments. Secondly, they usually integrate with a workflow system to establish a backlog of access requests, which cannot scale with increased user activity. Users' privileges are constantly changing; they usually don't and shouldn't persist. For example, a user entitled to a specific video download at a particular point in time may not have the same entitlement the next day. Elevated privileges are not simple in nature (as in admin vs. ordinary user, or Read/Write/Delete); there are several admin personas with entitlement inclusions and exclusions over resources, tools, logs, etc. This has an important consequence: real-time remediation is much more complex than simply removing a user account. This is a HERE and NOW problem and should be addressed as such. Stretch-fitting current solutions to solve this dogged problem is like fitting a square peg in a round hole.


Why Should the Customers Care?

In our engagements spanning several industries, Inside-Out Defense has observed diverse consequences resulting from the above challenges. Though the use cases have varied, there are common patterns of privilege access abuse including:

  • Users launching privilege escalation

  • Lateral movements

  • Privilege persisting launched through 3rd party accounts over compromised zombie user accounts to orchestrate data exfiltration

  • IP counterfeiting

  • HIPAA compliance abuse and undue access to patient diagnostic data

  • PoS systems DDoS

  • Malicious 3rd party access

  • Unmanaged systems orchestrating attacks at scale

  • …and more


Despite increased customer investments in securing their organizations, enterprises continue to run the risk of errors and potential exposure. One only has to read the news every day to see a new hack, ransom, denial of service, or data breach to understand that challenges remain. Organizations not ready to adapt will find themselves in the crosshairs, and it's paramount that the market take on the #1 threat vector of privilege abuse creatively as well as technically. That means organizations are in dire need of a solution that can continuously validate the trust behind every activity, irrespective of privileges, and identify the synaptic connections behind malicious user behaviors. After all, one can't solve what one can't see.


Addressing These Challenges with Inside-Out Defense

Managing an organization’s entitlements is messy and almost impossible. We address the biggest challenge: not only identifying complicit and implicit user behaviors but also providing real-time remedial actions so organizations can deal with the threats. Inside-Out Defense is a privilege governance platform built for continuous Proof-of-Trust. We make it POSSIBLE to govern access privileges in real time across your multi-cloud environments.


Please contact us at contact@insideoutdefense.com to discuss your organization’s access governance challenges and see how our solution can address your challenges effectively.

