The numbers are stunning: over 60% of data breaches are the result of credential abuse. Another way of saying this is that by focusing on identity security, you can reduce your likelihood of a breach by up to 60%. No other stratum in a layered security architecture is more consequential to an organization than identity. And yet, inside organizations large and small, identity isn’t always on the roadmap of security priorities.
Let’s explore why identity security is still such a mess.
Credentials are a legacy security paradigm
When information systems were invented, their mere existence was a form of security. Rather than having paper documents or intellectual property floating around the natural world, one could secure them in an information system where they would be protected from things like windstorms, floods, or hungry grizzly bears.
As individual information stores became the systems of record of more and more stuff used by more and more people, the need to control or restrict access to certain information to certain people became a requirement. Thus, the system for securing information needed a security system itself, and credentials were born.
When we look at why identity is a mess inside many organizations today, one of the reasons is because credentials are security, and things that are perceived to be already secure don’t get the attention or funding that the less-secure layers do.
Identity is a hot potato between IT and security
The legacy baggage of identity actually carries over into the modern enterprise as well, most acutely in those with separate IT and security teams. Generally speaking, the IT department existed long before any cybersecurity specialization was needed, and this has created the acceptance that as a baseline for security controls, identity and access management (IAM) is the default domain of the IT department and not security.
Operational tasks at the identity level that we now accept as part of the security domain (access control, privileges, authentication, etc.) are still in many cases stuck in the IT department simply because that’s where they’ve always lived. The IT department thinks they’ve got an identity provider hooked up as a directory, they’re using it for multi-factor authentication, and therefore, identity security can be checked off the IT punch list.
If only it were that easy. Identity and access management is inherently a security operation, and in organizations that have separate security and IT functions, identity should live with security, full stop.
Identity suffers from inertia and low visibility
Identity suffers from low visibility into activity and overall hygiene. Detecting threats, investigating users, and remediating vulnerabilities are all hard to do when you don’t know and can’t see the data you need.
As the saying goes, “out of sight, out of mind,” and this is especially true when it comes to security in general. The high level effort required just to see what’s going on with their identities means that many organizations simply and subconsciously deprioritize this security layer.
Identity is also perceived to be relatively inert when compared to other areas of cybersecurity. While this is certainly possible at smaller organizations, large organizations face a revolving door of identities coming and going nearly 24 hours a day, seven days a week.
The dynamic onslaught of personnel changes means that identity is anything but slow-moving in large organizations, regardless of their lack of visibility into it. Just because they don’t see it happening, doesn’t mean it isn’t a fast-moving, enigmatic challenge.
Identity isn’t cool like EDR and NDR
So called “shiny object syndrome” runs rampant in cybersecurity. We’ve all been seduced by it: the latest dashboard with the colorful charts and the bits of data streaming edge to edge on the screen. Or, take the idea of stopping an attack mid-execution by locking up a device and subsequently spoiling the vacation plans of some distant and anonymous threat actor. Endpoint detection and response (EDR) and network detection and response (NDR) are Hollywood-level cool! But all of the cloak-and-dagger aside, identity threat detection and response (ITDR) is more important than EDR and NDR – here’s why.
Identity threats start with nothing happening. Dormant accounts, accounts with no MFA, or guest users in your Slack (hello, sensitive data!) all represent security threats. There is no bitstream monitoring or endpoint agent that’s going to clean up these risky accounts. You literally have to look for nothing happening to see these threats and then take action to remediate them.
It’s not sexy, but good security – not just identity security – starts with good identity hygiene.
Identity is complicated
On average, organizations with over 500 people use more than 25 systems of identity. That’s a lot of time and money wasted switching between browser tabs, native apps, and SaaS when investigating threats or just in trying to maintain good, consistent identity hygiene. In fact, we recently had a customer tell us that we saved her “like 3 hours” when investigating a user.
When you combine the sheer number of different identity systems with their overlap in security capabilities in terms of things like permissions, conditional access control, and authentication, identity chaos is a virtual certainty.
Importantly, when you consider the reality of having to secure identities inside organizations, you’re never starting from scratch. That would be relatively easy. Instead, you likely inherited legacy systems talking to the latest and greatest technology (and some of the not-so-new and not-so-great tech), and if the people who duct taped them together are still at the company and never get sick, they’ll probably still work. That’s a big ‘IF.”
One thing is for sure. Identity sprawl within and across systems will continue unabated until good technical solutions are implemented. There is simply no way for people alone to stay ahead of the mess.
The best identity security solution should add simplicity
Since the dawn of civilization, whether guarding a castle or a network, the prevailing ethos in security has been “more is better.” While that may certainly be true in some cases, in all cases, the question must be asked, “but at what cost?” Identity touches every person in an organization. The cost of more security in this case is complexity and inefficiency that is felt far and wide each and every day.
The best identity security solutions make simplicity a priority. Getting your arms around your identity population is hard enough; making sense of the data, capabilities, inheritances, and dependencies of your identity systems is an order of magnitude more complicated.
Oort makes securing your identity program easy, with Identity Security Checks run on-demand or on-schedule against your selected identity population and across all of your identity systems. Regardless of whether responsibility for identity sits with IT or security in your organization, IAM and security operations center (SOC) teams love Oort for its simplicity in detecting, investigating, and responding to identity threats at scale. If you want to see what simplicity looks like, get a no-nonsense, 15-minute demo or start a 30-day free trial at oort.io/demo
