SAN FRANCISCO — Identity may be the new perimeter in a cloud-centric world, but too many enterprises see their cloud identities stolen.
A Cloud Security Alliance Summit panel discussion, dubbed “Surviving the Identity Apocalypse,” during RSA Conference 2018 Monday tackled identity and access management (IAM) issues in the cloud, including how the theft and compromise of cloud credentials can lead to large-scale breaches. The panel, moderated by Phil Dunkelberger, president and CEO of Nok Nok Labs, discussed the problem and offered approaches on how to better protect and manage credentials in order to limit attack surfaces in corporate cloud environments.
“It’s a telltale sign for the industry at the moment that the biggest problem we’ve got is around compromised credentials, and identity management still isn’t working for us,” said Bill Mann, senior vice president of products and chief product officer at Centrify.
Sami Laine, director of technical marketing at Okta, said “identity used to be a boring IT problem,” but that’s no longer the case. “You’re still going to have all those [security] investments that you made, your moats and sharks with lasers,” he said, “but now everything outside of that really comes down to identity and authorization events.”
The problem, Laine said, is that companies had many “identity silos” in their on-premises networks, and those silos need to be consolidated so there is one control point for all accounts. That consolidation, he said, will make onboarding and de-provisioning people and giving them the right amount of access much easier.
The panelists largely agreed that current IAM approaches can be problematic for cloud environments. Ash Devata, vice president of products at Duo Security, said there’s “more working than not working” with identity and access management today, but many companies are still transitioning from “the old school to the new school.”
Mann said there are several reasons why identity management doesn’t currently work for enterprises. First, he said, the industry hasn’t really solved the problems of IAM in the on-premises world, and those problems are even more complicated in the cloud. In addition, too many applications don’t have proper IAM controls built in from the start.
“The depressing thing for me about identity management is that we all know it needs to be done,” Mann said. “But the legacy solutions out there are not going to resolve it. And there are modern solutions, but there’s a slowness in the market to understand that this is so much more important than everything else we’re doing.”
Sol Cates, vice president of technology strategy at Thales eSecurity, said the problems he sees enterprises face often are not technical in nature; instead, it’s the management aspect of IAM, such as handling privileged accounts, provisioning third-party access and governing different identity groups across an enterprise. “They struggle not so much with technical implementation — it’s the organization,” he said.
Root accounts and other problems
The panelists said that often, the compromised cloud credentials being abused by threat actors aren’t even tied to a specific employee.
Mann said he typically finds root accounts with weak passwords lingering within enterprises. Those accounts are usually provisioned for limited-time use by superusers within an organization, but they aren’t always de-provisioned. Therefore, when an attacker gains entry to a specific system, there may be old root accounts tied to that system that have been forgotten about but are still active.
“That root account can do everything,” Mann said. “What we find is really working is going into organizations and getting rid of those root accounts, and getting people to log in as themselves.”
Forcing users to consistently log in as themselves instead of using shared root or superuser accounts is better for security, Mann said, because enterprise security teams can then attribute actions to an individual, track each user’s activity and pinpoint problems.
“We’ve been living with this for 40-plus years. Root accounts are not new. DBA accounts are not new,” Cates said. “How we look at them as identity pieces — as service accounts instead of a human that acquires them — is where we struggle with the whole concept of identity management.”
In addition to tying all accounts to actual human users, Cates recommended strict segregation of duties for privileged accounts. That way, if someone’s cloud credentials are compromised in a malware or phishing attack, the threat actor will have a very limited scope of capabilities and it will be harder to move laterally and gain high privileges.
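The audit the panelists describe in the preceding paragraphs (lingering root accounts with no human owner, accounts never de-provisioned, privileged logins without a second factor, and one identity holding conflicting privileges) can be run over a credential inventory. The script below is an added example written for this page, not code from any panelist’s company or from a cloud provider; the CSV inventory is constructed sample data in an assumed layout, the column names and role names are hypothetical, and the conflicting role pair is an assumed policy.

```python
"""Audit a credential inventory for the problems the panel describes:
root/shared accounts not tied to a person, stale accounts that were never
de-provisioned, privileged logins without MFA, and privilege combinations
that violate segregation of duties."""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory: not real data and not any provider's report format.
SAMPLE_INVENTORY = """\
account,owner,privileged,password_enabled,mfa_active,last_used,roles
root,,true,true,false,2017-11-02,admin
jsmith,Jane Smith,false,true,true,2018-04-13,developer
dba_svc,,true,true,false,2018-04-10,db-admin
migration_root,,true,true,false,2017-09-30,admin
tlee,Tom Lee,true,true,true,2018-04-16,payments-submit;payments-approve
build_svc,Build Team,false,false,false,,ci
"""

# Role pairs one identity must never hold at once (assumed policy, hypothetical role names).
CONFLICTING_ROLES = [frozenset({"payments-submit", "payments-approve"})]


def parse_inventory(text):
    """Parse the CSV inventory into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": row["account"],
            "owner": row["owner"].strip(),
            "privileged": row["privileged"].lower() == "true",
            "password_enabled": row["password_enabled"].lower() == "true",
            "mfa_active": row["mfa_active"].lower() == "true",
            "last_used": date.fromisoformat(row["last_used"]) if row["last_used"] else None,
            "roles": frozenset(r for r in row["roles"].split(";") if r),
        })
    return rows


def audit(accounts, today, stale_days=90):
    """Return {account: [finding codes]} for every account with at least one finding."""
    cutoff = today - timedelta(days=stale_days)
    findings = {}
    for acct in accounts:
        issues = []
        # Shared root/service accounts with no human owner cannot be attributed in logs.
        if not acct["owner"]:
            issues.append("no-owner")
        # Never used, or unused longer than stale_days: should have been de-provisioned.
        if acct["last_used"] is None or acct["last_used"] < cutoff:
            issues.append("stale")
        # A privileged account that can log in with a password alone is a phishing target.
        if acct["privileged"] and acct["password_enabled"] and not acct["mfa_active"]:
            issues.append("no-mfa")
        # Segregation of duties: one identity holding both halves of a conflicting pair.
        for pair in CONFLICTING_ROLES:
            if pair <= acct["roles"]:
                issues.append("sod-violation")
        if issues:
            findings[acct["account"]] = issues
    return findings


def audit_sample(today=date(2018, 4, 16)):
    """Run the audit over the constructed inventory as of the conference date."""
    return audit(parse_inventory(SAMPLE_INVENTORY), today)


if __name__ == "__main__":
    for name, issues in sorted(audit_sample().items()):
        print(f"{name:16} {', '.join(issues)}")
```

Every account flagged `no-owner` is a candidate for the removal Mann describes, replaced by individual logins that can be attributed; `stale` accounts are de-provisioning misses; `sod-violation` is the segregation-of-duties gap Cates recommends closing, and the `CONFLICTING_ROLES` list is where an organization would encode its own pairs.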
Devata said one positive in the IAM space is the push toward standards such as SAML and FIDO. The technology to better manage cloud credentials and prevent compromises is available, he said, but customers have to have the right IAM strategies.
Laine agreed and said IAM standards make it easier for enterprises to quickly provision and de-provision access and manage privileges for those accounts.
“That’s attack surface reduction. As security practitioners, that’s gold,” he said.
But the panelists also warned of falling victim to too much technology hype in the IAM space. Devata joked that too many C-level executives “probably read a magazine on an airline and saw something on blockchain identity,” which won’t solve underlying IAM issues unless the company has the right strategy in place. “Don’t start a project saying ‘I want blockchain identity management.’ Please don’t,” he said.
Mann agreed and encouraged audience members to focus on developing the right strategies, processes and approaches for cloud IAM before investing in products or services to solve their problems. “We’re spending money on the wrong things,” he said. “We’re spending $18 billion a year on security, and it’s not working.”