Okta Inc.

12/16/2024 | News release | Distributed by Public on 12/16/2024 15:58

Identity Security Posture Management: A new sheriff in town

An open door for attacks

Identity-based attacks are a rising threat, and every organization is responsible for protecting itself.

What do we mean? Just as your home has a door and a lock, Identity security protects your cloud and SaaS assets: it is the outer perimeter of your organization's assets. Identity security means controlling who can access what, and verifying that every environment actually satisfies the organization's policies.

Reducing Identity security risk should be a core strategy for protecting your organization's online crown jewels. Research shows that 80% of enterprise attacks last year involved some kind of compromised credential. Identity is therefore the new perimeter of your organization, and a focal point for its cybersecurity threats.

Tall tales? Or potential threats?

Identity-based attacks can be internal or external. To help you understand them, we'll present two stories that show why preventing Identity-based risks matters.

External attack: Authentication with a leaked password

Let's assume an external attacker holds a leaked password for an account in your cloud Identity provider (IdP) that has access to your organization. The account is stale: a few years ago it was mistakenly synced from your on-prem Active Directory to the IdP, and no one has ever used it there. You were diligent: last year you enforced a multi-factor authentication (MFA) policy that requires every account to authenticate with MFA.

But the attacker uses the leaked credentials and passes the first authentication step. Because the account has no factor enrolled, the IdP then prompts them to register one, and they register an SMS factor tied to a virtual phone number they control. The MFA policy is satisfied, and they now have the account and every privilege assigned to it. The insider story below shows what that access can be used for.

What a mess. In this story, a combination of Identity security weaknesses led to the breach of one of your accounts.

  • Account sprawl: Managing accounts across multiple IdPs and SaaS apps without reconciling them against a single source of truth increases the risk of unwanted stale accounts, old passwords, and unneeded cloud spend. The more scattered your identities, the larger your exposure.
  • Stale accounts: Unused accounts are like abandoned doors to a store. Don't need that door? Replace it with a wall.
  • Password hygiene: Rotate leaked passwords ASAP. You should know all your accounts and their exposure, and be able to request credential rotation when a breach happens.
  • Factor enrollment policies: Use strong authentication factors, and make it hard for an unauthorized person to enroll a factor. An "MFA required" policy does not protect an account that has no factor enrolled yet; whoever holds the password gets to choose it.

Use Identity Security Posture Management tools to prevent and reduce these risks. Later in this blog, we'll help you understand how to take control of your Identity jungle.
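The four weaknesses above can be checked mechanically against an account inventory. The following is an added example written for this post, not Okta's code and not any product's schema: it runs over a small constructed inventory (the `Account` fields, the factor names and the 90-day staleness threshold are assumptions) and flags the exact combination from the story, an active account synced from AD, never used in the cloud, with a leaked password and no factor enrolled.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed sample inventory for this example; the field names are assumptions,
# not the schema of Okta or any other IdP.
@dataclass
class Account:
    login: str
    source: str                        # "idp" (created in the cloud IdP) or "ad-sync"
    status: str                        # "active" or "deprovisioned"
    factors: list = field(default_factory=list)  # enrolled factors, e.g. ["password", "sms"]
    last_login: Optional[date] = None  # None means never authenticated to the cloud IdP
    password_in_breach: bool = False   # e.g. from a credential-exposure feed

STRONG_FACTORS = {"webauthn", "totp", "push"}  # assumed ranking for the example


def audit_account(acct: Account, today: date, stale_after: timedelta = timedelta(days=90)) -> list:
    """Return the posture issues for one account (empty list if none)."""
    issues = []
    if acct.status != "active":
        return issues                  # deprovisioned accounts cannot authenticate
    mfa = {f for f in acct.factors if f != "password"}
    if not mfa:
        # "MFA required" is only checked at login. With no factor enrolled, the IdP
        # asks whoever presents the password to enroll one, so the policy is
        # satisfied by the attacker's own SMS number.
        issues.append("no-enrolled-factor")
    elif not mfa & STRONG_FACTORS:
        issues.append("weak-factors-only")
    if acct.last_login is None:
        issues.append("never-used" + ("-synced-from-ad" if acct.source == "ad-sync" else ""))
    elif today - acct.last_login > stale_after:
        issues.append("stale")
    if acct.password_in_breach:
        issues.append("leaked-password")
    return issues


def audit(accounts, today: date) -> dict:
    """Map login -> issues for accounts that have any, worst first (most issues, then name)."""
    report = {a.login: audit_account(a, today) for a in accounts}
    report = {login: issues for login, issues in report.items() if issues}
    return dict(sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0])))


SAMPLE = [  # constructed records, not real accounts
    Account("alice", "idp", "active", ["password", "webauthn"], date(2024, 12, 10)),
    Account("svc-legacy", "ad-sync", "active", ["password"], None, password_in_breach=True),
    Account("bob", "idp", "active", ["password", "sms"], date(2024, 6, 1)),
    Account("carol", "ad-sync", "deprovisioned", ["password"], None),
]

if __name__ == "__main__":
    for login, issues in audit(SAMPLE, date(2024, 12, 16)).items():
        print(f"{login:12} {', '.join(issues)}")
```

The ordering matters more than any single finding: `svc-legacy` combines an open enrollment slot with a known-leaked password, which is the story's breach waiting to happen, while `bob` is merely weak. Rotating the password and either enrolling a strong factor or deprovisioning the account closes the door.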

Internal attack: Terminated employee

Now imagine an internal threat: someone within your organization who attacks it, for example a terminated employee who wants to damage the company, or someone paid for corporate espionage. It's essential to tackle this threat: various reports estimate that 60-80% of organizations encounter at least one insider attack.

Assume a malicious actor has access to an account in your organization. What can they do with it? Everything the account is assigned to be able to do:

  • Authenticate to other accounts with SSO
  • Read from your organization's repositories
  • Corrupt data in production S3 buckets
  • Leak customers' PII

Insider threats, like external attackers, can leak your most sensitive data and damage your production environments.

To minimize that risk, enforce least-privilege access policies: employees should access resources only on a need-to-know basis, which reduces the blast radius of a breach. Your finance team shouldn't have access to GitHub, and your R&D team probably doesn't need Salesforce. Grant access through group memberships, and track whether groups actually use their access (unused access is a hint that it is stale and can be revoked). Deactivating all accounts of terminated employees, in every system and not just the primary IdP, is another critical step against insider threats.
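Two of the checks just described, "is this person still active somewhere after termination?" and "is this group access actually used?", only work once accounts from different systems are linked to a person. The following is an added example for this post, not Okta's code: it links constructed HR and account records by normalised e-mail (a deliberate simplification; the record layout, the `okta` primary-IdP name and the 90-day window are assumptions) and reports partially off-boarded people and unexercised group memberships.

```python
from datetime import date, timedelta

# Constructed records (assumption: one tuple per account per system). In practice the
# HR rows come from the HRIS and the account rows from each IdP's or SaaS app's user API.
HR_STATUS = {"alice@corp.example": "active", "dave@corp.example": "terminated"}

ACCOUNTS = [
    # system,      login,      email on record,      status,          groups,          last used
    ("okta",       "alice",    "Alice@Corp.example", "active",        ["engineering"], date(2024, 12, 12)),
    ("okta",       "dave",     "dave@corp.example",  "deprovisioned", [],              date(2024, 9, 1)),
    ("github",     "dave-dev", "dave@corp.example",  "active",        ["engineering"], date(2024, 11, 30)),
    ("aws-iam",    "dave.iam", "dave@corp.example",  "active",        ["admins"],      date(2024, 3, 2)),
    ("salesforce", "alice.s",  "alice@corp.example", "active",        ["finance"],     date(2024, 5, 20)),
]


def link_persons(accounts) -> dict:
    """Cluster accounts into persons. The key here is the normalised e-mail; real
    person linking also uses employee IDs, display names and manager fields."""
    persons = {}
    for acct in accounts:
        key = acct[2].strip().lower()
        persons.setdefault(key, []).append(acct)
    return persons


def partially_offboarded(hr_status, accounts, primary="okta") -> list:
    """People terminated in HR, or deprovisioned in the primary IdP, who still hold an
    active account in some other system. Returns (email, system, login) tuples."""
    findings = []
    for email, accts in link_persons(accounts).items():
        gone_in_primary = any(a[0] == primary and a[3] == "deprovisioned" for a in accts)
        if not (hr_status.get(email) == "terminated" or gone_in_primary):
            continue
        for system, login, _, status, _, _ in accts:
            if system != primary and status == "active":
                findings.append((email, system, login))
    return sorted(findings)


def unused_access(accounts, today: date, unused_after=timedelta(days=90)) -> list:
    """Active group memberships whose holder has not used the system recently:
    candidates for revocation under least privilege. Returns (system, login, group)."""
    return sorted(
        (system, login, group)
        for system, login, _, status, groups, last_used in accounts
        if status == "active" and today - last_used > unused_after
        for group in groups
    )


if __name__ == "__main__":
    print("partially off-boarded:", partially_offboarded(HR_STATUS, ACCOUNTS))
    print("unused access:", unused_access(ACCOUNTS, date(2024, 12, 16)))
```

Dave is correctly deprovisioned in the primary IdP, which is why a report based only on that IdP looks clean; the cross-system view is what exposes his live GitHub and AWS IAM accounts. Note the mixed-case e-mail on Alice's primary account: without normalisation she would split into two "persons" and the stale Salesforce access would be attributed to nobody.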

Identity security: The new Wild West?

Identity security relies on the adage "trust but verify." You may think you've got everything under control, but no security control is airtight, and attackers will find the loophole. Some applications or accounts may not comply with your Identity security strategy without you even knowing it.

Identity security posture management highlights the surprising situations in which the actual state differs from the intended one. We classify these off-policy cases into three categories: the good, the bad, and the ugly.

The good

Let's first look at the bright side: some accounts legitimately shouldn't fall under the standard policy. Break-the-glass accounts are used only when admins are locked out of the tenant, for example by a misconfigured policy. They don't need to comply with the policy; they should be accessible only with long, unique passwords and recovery codes, and every use of them should be reviewed. Service accounts may likewise require a slightly different policy.

The bad

On the flip side, you may find applications where you missed some configuration. It happens because every application has its own Identity and Access Management (IAM) caveats, and because employees are human and take shortcuts. Sometimes engineers or admins will "trick" the system, for example by keeping long-lived AWS IAM users with static access keys instead of federating through SSO, to reduce friction for themselves. These are the known bads: known situations where people break the rules.

The ugly

Then there's the ugly, the worst-case scenarios: applications that keep a particular URL, a side door, that lets users authenticate directly to the app with a local password even when SSO is enforced. These SSO bypasses skip your IdP's policy and MFA and raise the risk of an Identity attack. Another case is an "office IPs" network zone whose range is far too large, so that the trusted zone effectively covers servers all over North America.

You want to track all these cases, be aware of them, and decide how to remediate the most critical risks.
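Both "ugly" cases are configuration facts that can be tested rather than discovered after an incident. The following is an added example for this post, not Okta's code and not any product's configuration schema: over constructed app and network-zone settings (the `sso_enforced` and `local_login_enabled` flags and the 4096-address threshold are assumptions), it lists apps that accept a local login beside SSO, apps not federated at all, and zone entries too large to be an office.

```python
import ipaddress

# Constructed application and network-zone configurations; the field names are
# assumptions for this example, not any product's schema.
APPS = [
    {"name": "wiki",        "sso_enforced": True,  "local_login_enabled": True},
    {"name": "crm",         "sso_enforced": True,  "local_login_enabled": False},
    {"name": "legacy-tool", "sso_enforced": False, "local_login_enabled": True},
]
OFFICE_ZONE = ["203.0.113.0/24", "198.51.100.128/25", "64.0.0.0/3", "10.0.0.0/8"]


def sso_bypasses(apps) -> list:
    """Apps that enforce SSO but still accept a local username/password: the IdP's
    policy and MFA can be skipped by going straight to the app's own login form."""
    return sorted(a["name"] for a in apps if a["sso_enforced"] and a["local_login_enabled"])


def unfederated(apps) -> list:
    """Apps not behind SSO at all; their accounts are invisible to IdP policy."""
    return sorted(a["name"] for a in apps if not a["sso_enforced"])


def oversized_ranges(cidrs, max_addresses=4096):
    """Zone entries larger than an office plausibly needs, split into public and
    private (RFC 1918) space. Private space may be legitimate behind a VPN, but it
    is also what an attacker sits in after landing on any internal host."""
    public, private = [], []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.num_addresses <= max_addresses:
            continue
        (private if net.is_private else public).append((cidr, net.num_addresses))
    return public, private


if __name__ == "__main__":
    print("SSO bypass:", sso_bypasses(APPS))
    print("not federated:", unfederated(APPS))
    pub, priv = oversized_ranges(OFFICE_ZONE)
    print("oversized public:", pub, "oversized private:", priv)
```

The `64.0.0.0/3` entry is the North America case from the text in miniature: a single fat-fingered prefix turns a "trusted office" zone into half a billion addresses, and any policy that relaxes MFA for that zone now relaxes it for most of the internet.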

Between your IdPs and your crown-jewel applications, the amount of data you need to track and manage is overwhelming. Not every app is accessible or readable to the security team, and some organizational friction is natural. Each application also has its own caveats to identify, whether a default authentication policy that puts you at risk or surprising privileges that are not explicitly visible to you.

The better: Okta Identity Security Posture Management

Okta Identity Security Posture Management identifies your biggest Identity risks, delivers unmatched visibility, prioritized remediations, and continuous validation of your Identity security posture.

Okta Identity Security Posture Management can help you:

  • Learn the actual MFA status: See where existing MFA policies don't have the effect you intended, and track the usage of strong vs. weak authentication factors.
  • Detect terminated employees with active access: Avoid the insider threat with our "partially off-boarded" detection.
  • Classify your accounts: Our AI-based classifier helps you track your non-human identities (NHI) in one place and manage your service accounts' posture with the appropriate handling.
  • Observe your identities in a single place: Use the inventory to see accounts, groups, access, and applications together. Filter them with your own queries and find answers across applications in a single console.

Okta Identity Security Posture Management is architected to deliver a deep, Identity-focused posture analysis that connects to your infrastructure and focuses on actionable outcomes.

The key capabilities of the solution are:

  • Simple integrations: Okta Identity Security Posture Management collects data from your cloud providers. It's a secure, read-only, agentless integration that takes minutes to connect to each one. We transform the unique terminology and caveats into a common-language set of tables accessible to you in the unified inventory view.
  • Account classification: Classifying each account (human, service, break-glass, and so on) lets the detections apply the policy that fits it and avoid false positives.
  • Person linking: We find correlations between accounts and cluster them as the same person. This helps us find partial employment terminations when they happen.
  • Automatic SSO paths and actual MFA evaluation: Our SSO correlations find off-path authentications (SSO bypasses). The same data lets us show the actual MFA status of each account.
  • Issues engine: All of the data in the Identity inventory goes into our security detection engine, which finds the most critical Identity security issues.

Identity is security. You can take action today to prevent the next Identity-based attack. Learn more about Okta ISPM here.