Winter is Coming...
Venkat Thummisi
June 19, 2023

While privileged access is not a new cyber challenge, the rapid adoption of the cloud and the resulting infrastructure sprawl has led this to become the #1 threat vector faced by enterprises today. With this rapid evolution in the way organizations conduct business and the expansion of user access across different environments, this sprawl makes controlling who is granted access to which resources increasingly challenging. Security teams are faced with a whole new set of identity management challenges, including keeping the set of active user privileges current, gating malicious behavior, preventing the formation of ghost accounts, and, most importantly, the clean onboarding and decommissioning of users. This is likely to be exacerbated in the coming months as more organizations retrench their workforce in line with the emerging market downturn.


Risk-Prone User Commissioning and Decommissioning Process

Unlike traditional IT, where development environments were simple and user activities were tightly controlled, multi-cloud environments pose a much greater challenge to organizations, given that users play multiple roles and hold multiple privileges which are constantly changing.


Let's look at a quick example: When a new employee starts at a company, the user is provided access to the network and granted all requisite access to the infrastructure, including cloud environments, internal applications, and other SaaS applications which are managed separately. The user normally starts with minimum privileges, but over a period of time they accumulate privileges based on specific requirements, such as access to legacy apps and on-premises systems which may require elevated privileges. Repeated use of "Group" policies, persistent privileges without expiry, legacy users, legacy access, etc. results in the user ending up with more privileges than they need, and certainly more than the IT team would like.

While current IAM solutions enable identity systems administrators to decommission users in Active Directory or other LDAP systems, they fail to recognize the footprint left by exiting users, including services and activities across other cloud environments. The reason is that current solutions do not account for the overall lineage of users: their avatars, privileges, and access to resources, which may span multiple cloud environments.

Hence, decommissioning users in the Active Directory or LDAP systems leaves behind traces of the user accounts, their lurking privileges, and independent sets of activities such as periodic health checks, which are sitting ducks for account takeover by external hackers or malicious insiders. In addition, the fact that users may have access to numerous SaaS applications, internal applications, and custom directory systems makes the prospect of cleanly decommissioning users from all systems almost impossible with the current solutions.

Who Has Access to What, When, Where, and Why?

It is critical to analyze who has access to what applications and data, where they are accessing it from, what the context behind their activity is, and why they are doing what they are doing. CISOs need to manage proper access for teams while also having the capability to report to their boards on their employees' access profiles, activities, and privileges. Unfortunately, the current systems don't equip practitioners with compliance reports that span environments, systems, applications, and all user personas.
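The three problems described so far, privileges that accumulate and never expire, accounts and scheduled activities left behind in other environments after a directory deprovisioning, and the lack of a single "who has access to what, where, and when" view, all come down to reconciling one directory against many per-system account inventories. The following is an added example written for this post (it is not Inside-Out Defense's code or product logic). The directory export, the three environment names, the account and privilege fields, the 90-day "unused" threshold and the "as of" date are all constructed, and a real implementation would populate the same structures from the directory and from each cloud or SaaS admin API:

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data (no real accounts). DIRECTORY stands in for the
# AD/LDAP export that offboarding updates; ACCOUNTS stands in for what each
# environment's own inventory reports about its local accounts.
DIRECTORY = {
    "alice@example.test": {"status": "active",      "deactivated": None},
    "bob@example.test":   {"status": "deactivated", "deactivated": date(2023, 5, 2)},
    "carol@example.test": {"status": "active",      "deactivated": None},
}
AS_OF = date(2023, 6, 19)  # constructed "today" for the run


@dataclass
class Privilege:
    name: str
    expires: date | None = None    # None = standing privilege with no expiry
    last_used: date | None = None  # None = never exercised


@dataclass
class Account:
    system: str                    # environment holding the account (assumed names)
    principal: str                 # local account identifier in that system
    owner: str | None              # directory identity it maps to, None if unknown
    privileges: list[Privilege] = field(default_factory=list)
    scheduled_jobs: list[str] = field(default_factory=list)


ACCOUNTS = [
    Account("aws-prod", "alice", "alice@example.test",
            [Privilege("s3:ReadBucket", last_used=date(2023, 6, 15))]),
    Account("aws-prod", "bob", "bob@example.test",
            [Privilege("iam:AdministratorAccess", last_used=date(2023, 4, 28))],
            scheduled_jobs=["nightly-healthcheck"]),
    Account("saas-crm", "bob.smith", "bob@example.test",
            [Privilege("export-all-contacts", expires=date(2023, 3, 31))]),
    Account("gcp-analytics", "carol", "carol@example.test",
            [Privilege("bigquery.admin", expires=date(2023, 1, 31), last_used=date(2023, 2, 1)),
             Privilege("bigquery.viewer", last_used=date(2023, 6, 10))]),
    Account("gcp-analytics", "svc-legacy-etl", None,
            [Privilege("storage.admin", last_used=date(2022, 11, 3))]),
]


def find_orphaned_accounts(directory, accounts):
    """Accounts whose directory owner is deactivated, or that map to no directory
    user at all: the traces a directory-only decommissioning leaves behind."""
    findings = []
    for acct in accounts:
        entry = directory.get(acct.owner) if acct.owner else None
        if entry is None:
            reason = "no directory owner"
        elif entry["status"] == "deactivated":
            reason = f"owner deactivated on {entry['deactivated'].isoformat()}"
        else:
            continue
        findings.append({
            "system": acct.system, "principal": acct.principal, "reason": reason,
            "privileges": [p.name for p in acct.privileges],
            "scheduled_jobs": list(acct.scheduled_jobs),  # still running unattended
        })
    return findings


def find_stale_privileges(accounts, as_of, max_unused_days=90):
    """Privileges past their expiry, never used, or unused for longer than
    max_unused_days: the accumulation that outlives the original need."""
    findings = []
    for acct in accounts:
        for p in acct.privileges:
            if p.expires is not None and p.expires < as_of:
                why = f"expired {p.expires.isoformat()}"
            elif p.last_used is None:
                why = "never used"
            elif (as_of - p.last_used).days > max_unused_days:
                why = f"unused for {(as_of - p.last_used).days} days"
            else:
                continue
            findings.append((acct.system, acct.principal, p.name, why))
    return findings


def access_report(directory, accounts):
    """Who has access to what, in which system, and when it was last exercised,
    keyed by directory identity so every avatar of a user lands in one row."""
    report = {}
    for acct in accounts:
        key = acct.owner or f"<unmapped:{acct.system}/{acct.principal}>"
        status = directory.get(key, {}).get("status", "unknown")
        row = report.setdefault(key, {"status": status, "access": []})
        for p in acct.privileges:
            row["access"].append({
                "system": acct.system, "principal": acct.principal, "privilege": p.name,
                "last_used": p.last_used.isoformat() if p.last_used else None,
            })
    return report


if __name__ == "__main__":
    for f in find_orphaned_accounts(DIRECTORY, ACCOUNTS):
        print("ORPHANED", f)
    for f in find_stale_privileges(ACCOUNTS, AS_OF):
        print("STALE", f)
    for user, row in access_report(DIRECTORY, ACCOUNTS).items():
        print(user, row["status"], len(row["access"]), "entitlement(s)")
```

Note what each check catches on the constructed data: bob's AWS admin account and its nightly job survive his directory deactivation and are found by the ownership check, not by the staleness check (the privilege was used recently); carol's `bigquery.admin` was exercised after its stated expiry, which is exactly the standing privilege the post warns about; and the service account with no directory owner appears both as orphaned and as unused, and shows up in the report as an unmapped identity rather than silently disappearing.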


SaaS Applications Have a Mind of Their Own

The emergence of SaaS applications requires organizations to extend their infrastructure and user access. Each application has its own identity store with its own login URLs and access requirements. Organizations struggle to extend their security policies to SaaS applications, which have their own security controls, including identity management. Although SaaS products make it easier for users to access their applications, integrating an organization's security policies into these applications is not easy, and the complexity grows with the number of applications. The maturity of SaaS applications spans the whole spectrum, and not all of them provide native integration with centralized IAM solutions. Organizations currently have no option but to leverage their existing investments in the SaaS applications, rather than create a parallel directory and access management infrastructure just for those new SaaS applications.


Remote Workforce

The ongoing pandemic has renewed the need to support a remote workforce without compromising security, which is a challenging feat from a user access perspective. Remote access adds another layer of complexity, increasing the number of vulnerability points, and available software solutions are just not equipped to properly manage the lineage of users and remediate problems in real time.


Why Can’t the Current IAM/PAM and SIEM Solutions Address the Problem?

Organizational security has become more challenging than ever before, as IAM/PAM and SIEM solutions are being outpaced by smarter and faster threats. The current vendors mostly focus on single-user activities to determine potential red flags and aggregate them for further processing, without taking into account the overall context of the user and their activities across environments. Secondly, they usually integrate with a workflow system to establish a backlog of access requests, which cannot scale with increased user activity. Users' privileges are constantly changing; they usually don't, and shouldn't, persist. For example, a user entitled to a specific video download at a particular point in time may not have the same entitlement the next day. Elevated privileges aren't simple in nature (as in admin/ordinary user or Read/Write/Delete); there are several admin personas with entitlement inclusions and exclusions over resources, tools, logs, etc. This has an important consequence: real-time remediation is much more complex than simply removing a user account. This is a HERE and NOW problem and should be addressed as such. Stretch-fitting the current solutions to solve this dogged problem is like fitting a square peg in a round hole.


Why Should the Customers Care?

In our engagements spanning several industries, Inside-Out Defense has observed diverse consequences resulting from the above challenges. Though the use cases have varied, there are common patterns of privilege access abuse, including:

  • Users launching privilege escalation
  • Lateral movements
  • Privilege persistence established through 3rd party accounts or compromised zombie user accounts to orchestrate data exfiltration
  • IP counterfeiting
  • HIPAA compliance abuse and undue access to patient diagnostic data
  • PoS systems DDoS
  • Malicious 3rd party access
  • Unmanaged systems orchestrating attacks at scale
  • …and more


Despite increased customer investments to secure their organizations, enterprises continue to run the risk of errors and potential exposure. One only has to read the news every day to see a new hack, ransom, denial of service, or data breach to understand that challenges remain. Organizations not ready to adapt will find themselves in the crosshairs, and it's paramount that the market take on the #1 threat vector of privilege abuse creatively as well as technically. That means that organizations are in dire need of a solution that can continuously validate the trust behind every activity, irrespective of the privileges involved, and that can identify the connections behind malicious user behaviors. After all, one can't solve what they can't see.


Addressing These Challenges with Inside-Out Defense

Managing an organization's entitlements is messy and almost impossible. We address the biggest challenge of not only identifying the complicit and implicit user behaviors but also providing real-time remedial actions for organizations to deal with the threats. Inside-Out Defense is a privilege governance platform built for continuous Proof-Of-Trust. We make it POSSIBLE to govern access privileges in real time across your multi-cloud environments.


Please contact us at contact@insideoutdefense.com to discuss your organization's access governance challenges and see how our solution can address your challenges effectively.