The complexity of information security grows at a rapid pace, in lockstep with the increasing sophistication of threat actors and malicious attacks. Organizations deploy an ever-increasing number of security tools to address the problem, and these new tools rarely provide the promised increase in security. The root problem is the foundation of information security: identity.
Security systems are a series of walls, roofs, and finishes in the form of detection and enforcement systems built on a foundation of authentication and authorization. That authentication and authorization foundation has cracks large enough to affect the structural integrity of the rest of the InfoSec structure. This is evident in current events like the Okta compromise, as outlined by Cloudflare in their write-up.
Okta itself is a leading identity provider, along with Azure Active Directory and others. Okta’s service layers a single identity over the natively distributed model of cloud identity, in which each site or service by default requires its own independent identity and verification. A breach of an identity provider like this creates the potential for authenticated and authorized access by malicious actors. Some of the risk exposed here can be mitigated with properly implemented Multi-Factor Authentication (MFA), but in this case, administrative accounts with access to reset or remove MFA were breached. This compromise highlights the cracks in the foundation of identity and access (i.e., authentication and authorization).
In today’s world identity is a fragmented architecture. Even modern tools like Okta leave gaps in unsupported systems, especially on-premises resources. Matching identities across these systems ranges from difficult to impossible. Users exist with multiple identities on the network, on-premises, and in the cloud. Complexity and risk increase when a single tool is used as an identity repository without correlation across platforms, as seen in this attack. If a compromised Okta account attempts to access a system like Office 365, Office 365 has no way of knowing there is a potential issue. With a high-resolution identity, correlated across users, devices, and services, this kind of compromise propagation becomes visible.
Using Cloudflare’s description of this breach as an example, customers were forced to review logs for specific activity (password resets and MFA changes) to identify at-risk identities. This is time consuming and error prone. It also leads to heavy-handed decisions for the sake of security. As described, Cloudflare made the difficult decision to assume any identity with those transactions was compromised, forced a password reset, and required a human verification step before enabling the identity again. This is a cumbersome, but correct, decision.
There is an easier way.
Mitigating the compromise is only the first step. With today’s identity systems the second step of evaluating exposure and forensics is far more challenging. How does an organization go about evaluating what has been breached? Identifying which actions were authorized versus malicious? Which customers were affected? What they need to report? The post-mitigation analysis is more cumbersome and costly than stopping the threat itself.
What’s missing in the current identity and access foundation is a globally correlated identity capable of creating a single user view from disparate on- and off-premises identity providers. Effective access authorization requires verifying who or what (the identity) is attempting access and checking that against defined policy. An individual identity should not have different copies based on the device being used, the resource being accessed, or other factors. Simply put: an identity actor is the same regardless of what they’re accessing or where they’re accessing a resource from.
A global identity correlated in this fashion provides major security advantages. It is possible to see all actions across systems a given actor is taking (i.e., person, device, service). In the Okta breach example, you would be able to immediately determine what systems a potentially compromised identity was accessing. You could also easily ascertain which access events occurred after a potential breach event.
The way to fix identity is to rely on a correlated identity comprised of multiple, independent, and distributed identities.
Another major advantage is the ability to rely on multiple points of identity like actor, device, and application as filters for access. Okta is simply a user identity. If a breached Okta user attempts access from an unknown asset, the Security Operations Center (SOC) can be alerted, and the connection refused. With a proper integration and correlation, this is done without additional complexity or operational overhead.
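The triage described above, as an added example that is not part of the original post: Okta, Office 365 and VPN events (constructed sample records, not real log formats) are mapped to one global identity through an assumed correlation table, identities with a password reset or MFA change are marked, and every access they made on any system after that point is listed, flagged when it comes from a device missing from an assumed asset inventory.

```python
from datetime import datetime

# Constructed sample events (not real Okta/O365 log formats):
# (timestamp, source system, system-local identity, event type, device id)
EVENTS = [
    ("2022-03-22T09:50:00", "o365", "bob", "SignIn", "laptop-0220"),
    ("2022-03-22T10:00:00", "okta", "alice@corp.example", "user.session.start", "laptop-0143"),
    ("2022-03-22T10:05:00", "okta", "alice@corp.example", "user.account.reset_password", "-"),
    ("2022-03-22T10:06:00", "okta", "alice@corp.example", "user.mfa.factor.deactivate", "-"),
    ("2022-03-22T10:09:00", "o365", "alice", "SignIn", "vm-ext-77"),
    ("2022-03-22T10:12:00", "vpn", "CORP\\alice", "Connect", "vm-ext-77"),
    ("2022-03-22T10:20:00", "okta", "bob@corp.example", "user.session.start", "laptop-0220"),
]

# Assumed correlation table: (system, local identity) -> one global identity.
GLOBAL_ID = {
    ("okta", "alice@corp.example"): "alice", ("o365", "alice"): "alice",
    ("vpn", "CORP\\alice"): "alice",
    ("okta", "bob@corp.example"): "bob", ("o365", "bob"): "bob",
}
KNOWN_DEVICES = {"laptop-0143", "laptop-0220"}  # assumed asset inventory
# The event types the log review keyed on: password resets and MFA changes.
SUSPECT = {"user.account.reset_password", "user.mfa.factor.deactivate"}


def triage(events, global_id=GLOBAL_ID, known_devices=KNOWN_DEVICES):
    """Return {global identity: [(ts, system, event, device, unknown_device)]}
    listing every access made after the identity's first reset/MFA change."""
    rows = sorted(events)  # ISO-8601 timestamps sort chronologically as strings
    first_suspect = {}
    for ts, system, local, event, _ in rows:
        gid = global_id[(system, local)]
        if event in SUSPECT and gid not in first_suspect:
            first_suspect[gid] = datetime.fromisoformat(ts)
    report = {}
    for ts, system, local, event, device in rows:
        gid = global_id[(system, local)]
        if gid in first_suspect and event not in SUSPECT \
                and datetime.fromisoformat(ts) > first_suspect[gid]:
            report.setdefault(gid, []).append(
                (ts, system, event, device, device not in known_devices))
    return report


if __name__ == "__main__":
    for gid, accesses in triage(EVENTS).items():
        print(f"{gid}: reset/MFA change seen; access after that point:")
        for ts, system, event, device, unknown in accesses:
            print(f"  {ts} {system} {event} from {device}{' (UNKNOWN ASSET)' if unknown else ''}")
```

Without the correlation table, the Office 365 and VPN rows for alice would be reviewed as three unrelated identities and the post-reset access from the unknown asset would not stand out.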
Information security can be thought of as granting trust for an actor to perform an action. Our identity systems become more antiquated as the industry focuses more and more on enforcement and detection systems. This leaves gaps between the authentication and the authorization portions of an actor performing an action. These identity gaps are the cracks in information security’s foundation.
Transformation Continuum works with a select group of industry-leading emerging technologies across data center, cloud, and information security. To find out how our client partners are solving today’s big technology problems, please reach out to us.