Identity-based cybersecurity intrusions are now a major headache for organisations, many of which are turning to Zero Trust defences to protect infrastructure and data. There is no doubt the need is urgent, and because Zero Trust starts from identity management and access controls, it also offers a robust approach to the challenges of compliance as well as security.
The problem is that many organisations still lack these vital identity-related defences. Indeed, an IDSA study found that credential-based breaches are both ubiquitous (94% of survey respondents had experienced an identity-related attack) and highly preventable (99% of respondents judged such attacks preventable).
Hackers don’t hack anymore
At the heart of the matter is a sobering truth that – in many cases – hackers don’t actually ‘hack’ their way into networks anymore, at least not in the traditional sense. Instead, they walk in through the front door by using weak, default, stolen, or otherwise compromised credentials.
The problem is well understood, but it has been exacerbated by the impact of the COVID-19 pandemic. In particular, the acceleration in digital transformation seen over the past 12 months is putting identity and access management (IAM) practices under even further pressure, creating new challenges in managing access-related risks across traditional data centres, cloud, and DevOps environments.
And the problems do not end there. Companies usually prioritise human users, including customers, employees, IT administrators, consultants, and business partners. Yet identities are not tied only to people: workloads, microservices, and applications have identities too.
In reality, these ‘machine identities’ make up the majority of “users” in many organisations, and because they are commonly tied to privileged accounts their footprint is much larger than that of human privileged accounts. This is particularly the case in DevOps and cloud environments, where task automation plays a central role and every pipeline, container, and service account needs credentials of its own.
A Strategic Rethink
These widespread and urgent risks are encouraging organisations to focus on this major blind spot and, in the process, to rethink their IAM strategies. As pointed out in a 2020 Gartner report, there is “an uneasy feeling of not being in control” as companies struggle to deal with machine identities.
In addition, many organisations now understand that the traditional static password, which often requires manual and time-consuming configuration, is not fit for purpose in today’s fast-moving multi-cloud and hybrid environments, where access needs are often temporary and change is constant. As a result, the way organisations control access to their sensitive resources in general, and the future of passwords in particular, needs to change.
For instance, Gartner suggests going back to the drawing board to build an enterprise-wide identity, secrets, and key management strategy. In particular, organisations should define a common nomenclature for machine identities, distinguishing between how a machine identity is stored in central and local identity repositories (e.g., Active Directory or a database) and the credentials the machine actually uses to authenticate.
It is also important to develop a full understanding of the needs of different business units and the regulatory requirements the organisation has to fulfil, alongside an assessment of the different technologies that can assist in managing machine credentials. These include options such as hardware security modules (HSM), key management systems (KMS), secrets management systems, privileged access management (PAM), as well as the built-in capabilities and tools offered by IaaS/PaaS providers.
Eliminate the reliance on static passwords
Having dealt with these priorities, organisations can then focus on eliminating their reliance on a static password model and move instead to a dynamic, certificate-based approach. Certificate-based access credentials address the core weaknesses of static passwords (they are long-lived, shared, and easily stolen) without impacting usability and agility in highly digitised IT environments.
By implementing ephemeral certificate-based authentication and authorisation, systems can be accessed without any permanent access credentials, establishing a “zero standing privilege” stance based on Zero Trust principles. This means that all access to services must be authenticated, authorised, and encrypted, and for each session (human or machine) a short-lived certificate is issued by a Certificate Authority (CA), which acts as the trusted third party and uses standard formats such as a short-lived X.509 certificate. The certificate encodes the identity of the user or workload, and its short lifetime limits the window in which an intercepted or stolen credential can be replayed, which reduces the exposure to ‘man-in-the-middle’ and credential-theft attacks.
As a result, the CA controls access to the target system based on roles (including roles assigned to workloads, services, and machines). The rules for each role are derived from security policies and access requirements; the CA obtains them from the existing enterprise directory (e.g., Microsoft Active Directory) and uses them to decide whether to issue a certificate and which roles to encode in it. This removes the need to configure access for each individual user or machine and allows changes to be applied to whole groups of users or machines at once.
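The two paragraphs above describe a flow that is easier to reason about in code. The following is an added example, written for this article in Go using only the standard library; it is not code from the original page or from any product it describes. It models the three parties: a CA that mints a short-lived X.509 certificate per session, a role-to-target rule table standing in for what the CA would pull from the enterprise directory, and the check a target system runs when a session arrives (trusted issuer, validity window, and a role that covers the target). The CA name, the rule table, the session lifetimes, CA-side generation of the session key pair, and carrying roles in the OU field of the subject are all assumptions made for illustration; real deployments commonly carry roles as SSH certificate principals or X.509 SANs instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is the trusted third party that mints per-session certificates.
type CA struct {
	key  ed25519.PrivateKey
	cert *x509.Certificate
	Pool *x509.CertPool // trust store distributed to target systems
	next int64          // serial number counter
}

// roleRules stands in for the per-role rules the CA pulls from the enterprise
// directory (which roles may reach which target); constructed sample data.
var roleRules = map[string][]string{
	"dba":       {"db-01"},
	"ci-runner": {"build-01", "db-01"},
}

// signAndParse signs tmpl with the signer's key and returns the parsed certificate.
func signAndParse(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed issuing CA (its name and 24h lifetime are assumptions).
func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-access-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := signAndParse(tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{key: priv, cert: cert, Pool: pool, next: 1}, nil
}

// Issue mints a fresh key pair and certificate for one session: identity in the
// CN, roles in the OU field (an assumption; SSH principals or SANs are alternatives).
func (ca *CA) Issue(identity string, roles []string, ttl time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ca.next++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.next),
		Subject:      pkix.Name{CommonName: identity, OrganizationalUnit: roles},
		NotBefore:    time.Now().Add(-30 * time.Second), // clock-skew allowance
		NotAfter:     time.Now().Add(ttl),               // ephemeral: nothing standing remains
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := signAndParse(tmpl, ca.cert, pub, ca.key)
	return cert, priv, err
}

// Authorize is the target system's per-session check: chain to the trusted CA,
// validity window at time at, then a role that grants access to this target.
func Authorize(cert *x509.Certificate, trust *x509.CertPool, target string, at time.Time) error {
	opts := x509.VerifyOptions{
		Roots:       trust,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	for _, role := range cert.Subject.OrganizationalUnit {
		for _, allowed := range roleRules[role] {
			if allowed == target {
				return nil
			}
		}
	}
	return fmt.Errorf("no role in certificate grants access to %s", target)
}
```

Call `NewCA`, then `Issue` for a user such as "alice" with the "dba" role, and run `Authorize` against "db-01" now, against "build-01" now, and against "db-01" an hour later: the first succeeds, the second fails on role, and the third fails because the certificate has expired, even though nothing was revoked. Two things worth noting from the design: the target holds only the CA's public certificate (`Pool`), never the issuing key, and since the validity window is the only thing that retires a certificate, the target's clock is part of the control and must be kept synchronised.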
In general, building robust Zero Trust security infrastructure remains a work in progress, and many businesses have yet to fully implement key identity-related access controls. But the more organisations recognise the importance of an identity-centric approach that covers both humans and machines, the better placed they will be to meet the urgent need for preventative action and to defeat the risk of cybercriminals gaining access to networks with existing credentials.