96% Could Have Prevented Their Identity Breach – IDSA
Identity-related breaches are on the rise but security and IAM pros are not idle. Learn from this survey how they are staving off the next attack.
Cloudification and digital transformation – two important business trends accelerated by the pandemic – led to a major increase in the sheer number of digital identities that organizations need to manage and secure. Organizations are feeling the effects of this new cloud security reality. Increasing identity-related attacks with noticeable business impacts have caused security and identity professionals to sit up and include identity-related strategies in their plans.
In its recent report, 2022 Trends in Securing Digital Identities, the independent Identity Defined Security Alliance (IDSA) analyzed the impact of identity-related cybersecurity trends on the security, technology and business plans of large organizations. The IDSA study is based on an online survey, conducted by Dimensional Research, of more than 500 security, IAM and identity professionals at U.S. organizations with more than 1,000 employees across diverse industries.
This post looks at the IDSA report’s key findings, including the impact of digitization and public cloud use on the organizations’ identity security plans.
Cloud's Impact on Digital Identity Growth
Cloud infrastructure has introduced important new business capabilities like agility, scalability, powerful compute and use of SaaS applications. Yet cloud complexity - in large part due to the thousands of services, configurations, identities and policies required to manage cloud permissions - is creating new challenges for IT, DevOps and DevSecOps teams.
According to the IDSA report, nearly all (98%) of the security and identity professionals surveyed confirm that the number of identities in their organization is increasing. According to 52% of respondents, this increase is mainly due to the adoption of cloud applications. Other leading reasons include an increase in third-party relationships (46%) and in new machine identities (43%).
The growing number of cloud identities and multilayered way in which entitlements are configured and determined obscures visibility into access risk in an organization's cloud environment, and hampers effective and secure governance of cloud infrastructure.
Growth in Identity-Related Cyber Attacks
Given the growing number of identities in organizations, it is probably no surprise that 84% of respondents report an identity-related attack in the past year. Managing and monitoring permissions at this scale, in convoluted environments, is extremely difficult, and attackers are exploiting that difficulty. The trend is upward: the previous survey found 79% reporting an attack over the prior two years, whereas a larger share is now being hit within a single year.
How do attackers exploit identities? The main type of breach, cited by 59% of respondents, involved phishing. Other causes include inadequately managed privileges (36%), stolen credentials (33%) and social engineering (27%).
Vulnerabilities such as inadequately managed and excessive privileges are a direct result of being unable to “see” into the cloud infrastructure and mitigate the related risk. IT, DevOps, DevSecOps and security teams have blind spots regarding which identities can access which resources. As a result, identities may hold excessive permissions, or toxic permission combinations, that go undetected in the cloud environment. Once inside, an attacker can follow these permission trails to reach critical applications and resources.
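The two problems described above, wildcard grants and toxic permission combinations, are mechanical to detect once you can see an identity's effective permissions. The following script is an added illustration, not code from the IDSA report or from any CIEM product: it reviews a set of IAM-style policy documents attached to a hypothetical role, "ci-deployer", flags Allow statements that pair a service-wide action wildcard with `Resource: "*"`, and flags pairs of actions that together let the identity run code under another role. The policy documents are constructed, and the toxic-pair table is an assumption covering a few publicly documented escalation combinations.

```python
"""Review an identity's attached policies for excessive permissions and
toxic permission combinations.

Added illustration; not code from the IDSA report or any CIEM product.
The policies and the "ci-deployer" identity are constructed; TOXIC_PAIRS is
an assumed table of a few publicly documented escalation combinations.
"""
import fnmatch
from typing import Dict, List, Tuple

# Constructed policies attached to a hypothetical role "ci-deployer".
POLICIES: Dict[str, dict] = {
    "deploy-base": {"Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-*"},
    ]},
    "legacy-admin": {"Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ]},
}

# Assumed toxic pairs: each lets the identity execute code as another role.
TOXIC_PAIRS: List[Tuple[str, str]] = [
    ("iam:PassRole", "ec2:RunInstances"),
    ("iam:PassRole", "lambda:CreateFunction"),
    ("iam:PassRole", "glue:CreateDevEndpoint"),
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(action: str, patterns) -> bool:
    # IAM action names match case-insensitively and allow '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))


def grants(policies: Dict[str, dict], action: str) -> bool:
    """True if some Allow statement covers `action` and no Deny statement does.

    Resource and Condition elements are deliberately ignored, so the check
    over-reports rather than under-reports: the right bias for a review tool.
    """
    allowed = denied = False
    for doc in policies.values():
        for st in doc["Statement"]:
            if _matches(action, st["Action"]):
                if st["Effect"] == "Allow":
                    allowed = True
                elif st["Effect"] == "Deny":
                    denied = True
    return allowed and not denied


def excessive_statements(policies: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Allow statements combining a global or service-wide action wildcard
    ('*' or 'svc:*') with Resource '*'."""
    findings = []
    for name, doc in policies.items():
        for st in doc["Statement"]:
            if st["Effect"] != "Allow":
                continue
            wild = [a for a in _as_list(st["Action"])
                    if a == "*" or a.endswith(":*")]
            if wild and "*" in _as_list(st["Resource"]):
                findings.append((name, wild[0], "*"))
    return findings


def toxic_combinations(policies: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Pairs from TOXIC_PAIRS where both actions are effectively granted."""
    return [pair for pair in TOXIC_PAIRS
            if all(grants(policies, a) for a in pair)]


def review(policies: Dict[str, dict]) -> Dict[str, list]:
    return {"excessive": excessive_statements(policies),
            "toxic": toxic_combinations(policies)}


if __name__ == "__main__":
    for kind, items in review(POLICIES).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Run against the constructed policies, the review reports `legacy-admin`'s `s3:*` on `*` as excessive and `iam:PassRole` plus `ec2:RunInstances` as a toxic combination; the explicit Deny on `s3:DeleteBucket` is honored, so that action is not reported as granted. A real implementation would enumerate every attached, inline and group policy per identity and evaluate resource scoping and conditions as well.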
Employee Identities Seen as Most Breachable
While all identity types need to be securely managed to minimize the attack surface, some are perceived as being at greater risk than others. Not surprisingly, employee identities were viewed by 70% of respondents as the most likely to be breached; the study’s authors note that this may be due to the “potentially higher access levels” of employees compared to non-employees. Third-party vendors (35%) and B2B customers (25%) came second and third. According to 58% of respondents, employee identities were also the most likely to have the largest direct business impact.
Are organizations overlooking the potential business impact of misconfigured permissions among service, or machine, identities? In the cloud, applications are architected from microservices, and each microservice has an identity that is granted entitlements to access data or communicate with other microservices. These machine identities, which in the cloud can number in the tens of thousands, are part of an organization’s attack surface and need securing against data breaches and lateral movement. A warning to identity and security professionals: do not disregard machine identities.
Cost of a Cyber Attack
Sadly, the pain of a cyber attack isn’t over once the attack is identified and the attacker is removed from the system. Of the organizations that experienced an identity-related breach, 78% reported a direct business impact, one that continued to manifest over time.
In identifying the associated costs of a cyber attack, 44% described the operational and financial cost of recovery, 42% described the cost of distraction from the business’s focus, 35% noted the negative impact on the business’s reputation and 29% talked about the loss of revenue. Additional reasons included lawsuits, customer attrition, needing to purchase additional equipment and more.
Preventing Identity-Related Attacks
Given the IDSA data, preventing identity-related attacks should be a key component of any organization’s security plan. Security controls that raise the barrier to entry for attackers, help quickly identify an identity-based breach and limit access to sensitive resources allow security and identity teams to prevent breaches or, failing that, contain them and their impact.
According to the respondents, many solutions and strategies could have helped, including:
- MFA (Multi-factor authentication) for all or, at least, for privileged users
- Timely reviews of privileged access
- Revoking access when detecting high risk events
- Implementing the principle of least privilege
- Continuous discovery of user access rights and evaluating expected user behavior for authentication (i.e., anomaly detection)
- Continuous discovery of privileged access rights
- Timely reviews of access to sensitive data
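Two of the controls in the list above, evaluating expected user behavior for authentication and revoking access when a high-risk event is detected, fit together naturally: a per-user baseline learned from past successful logins, a risk score for each new login, and an automatic revocation when the score crosses a threshold. The script below is an added example, not the IDSA report's or any vendor's code. The key=value log format, the users `alice` and `bob`, the risk weights and the revocation threshold are all constructed assumptions; a real deployment would feed its own IdP or CloudTrail events and call its own session-revocation API where this script records an `action` of `revoke`.

```python
"""Score login events against a per-user baseline and decide when to revoke.

Added example; not the IDSA report's or any vendor's code.  The log format,
users, weights and REVOKE_THRESHOLD are constructed assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format: one authentication event per line, key=value fields.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<country>\S+) asn=(?P<asn>\S+) result=(?P<result>\S+)$"
)

# Constructed history from which each user's "normal" is learned.
HISTORY = """\
2022-06-01T09:12:03Z user=alice ip=203.0.113.10 country=US asn=AS64500 result=success
2022-06-02T14:03:44Z user=alice ip=203.0.113.11 country=US asn=AS64500 result=success
2022-06-03T10:30:00Z user=alice ip=203.0.113.12 country=US asn=AS64500 result=success
2022-06-01T08:45:10Z user=bob ip=198.51.100.7 country=DE asn=AS64501 result=success
2022-06-02T16:20:00Z user=bob ip=198.51.100.8 country=DE asn=AS64501 result=success
""".splitlines()

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = """\
2022-06-10T09:05:00Z user=alice ip=203.0.113.10 country=US asn=AS64500 result=success
2022-06-10T09:40:00Z user=alice ip=192.0.2.77 country=RO asn=AS64999 result=success
2022-06-10T03:00:00Z user=bob ip=192.0.2.9 country=DE asn=AS64777 result=failure
2022-06-10T03:01:00Z user=bob ip=192.0.2.9 country=DE asn=AS64777 result=failure
2022-06-10T03:02:00Z user=bob ip=192.0.2.9 country=DE asn=AS64777 result=failure
2022-06-10T03:03:00Z user=bob ip=192.0.2.9 country=DE asn=AS64777 result=success
""".splitlines()

REVOKE_THRESHOLD = 5            # assumed: scores at or above this revoke access
TRAVEL_WINDOW = timedelta(hours=1)  # assumed: country change faster than this is suspect


def parse(line: str) -> dict:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def _new_profile() -> dict:
    return {"countries": set(), "asns": set(), "hours": set(),
            "last": None, "failures": 0}


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per-user profile of countries, ASNs and hours seen on successful logins."""
    profiles: Dict[str, dict] = {}
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue
        p = profiles.setdefault(ev["user"], _new_profile())
        p["countries"].add(ev["country"])
        p["asns"].add(ev["asn"])
        p["hours"].add(ev["ts"].hour)
    return profiles


def risk(ev: dict, p: dict) -> Tuple[int, List[str]]:
    """Additive risk score with reasons; the weights are assumptions."""
    score, reasons = 0, []
    if ev["country"] not in p["countries"]:
        score += 3; reasons.append(f"new country {ev['country']}")
    if ev["asn"] not in p["asns"]:
        score += 2; reasons.append(f"new ASN {ev['asn']}")
    if ev["ts"].hour not in p["hours"]:
        score += 1; reasons.append(f"unusual hour {ev['ts'].hour:02d}")
    last = p["last"]
    if last and last[1] != ev["country"] and ev["ts"] - last[0] < TRAVEL_WINDOW:
        score += 4; reasons.append(f"country changed from {last[1]} within {TRAVEL_WINDOW}")
    if p["failures"] >= 3:
        score += 3; reasons.append(f"success after {p['failures']} failures")
    return score, reasons


def process(lines: List[str], baseline: Dict[str, dict],
            threshold: int = REVOKE_THRESHOLD) -> List[dict]:
    """Score each successful login; failures only feed the per-user counter.
    An unknown user gets an empty profile, so everything about them is 'new'."""
    decisions = []
    for ev in map(parse, lines):
        p = baseline.setdefault(ev["user"], _new_profile())
        if ev["result"] != "success":
            p["failures"] += 1
            continue
        score, reasons = risk(ev, p)
        decisions.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                          "score": score, "reasons": reasons,
                          "action": "revoke" if score >= threshold else "allow"})
        p["last"] = (ev["ts"], ev["country"])   # remembered for travel check
        p["failures"] = 0
    return decisions


if __name__ == "__main__":
    for d in process(NEW_EVENTS, build_baseline(HISTORY)):
        print(d["action"].upper(), d["user"], d["score"], d["reasons"])
```

On the constructed input, alice's first login looks normal and is allowed; her second, from a new country and ASN only 35 minutes later, scores 9 and is revoked; bob's success after three failures from a new ASN at 03:00 scores 6 and is also revoked. The scoring is intentionally transparent (each reason is recorded) so that an analyst reviewing a revocation can see why it fired and tune the weights rather than treat the detector as a black box.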
Securing Identities - Its Seat at the Table
Identity and security professionals aren’t just highly aware (96%) that identity-related security solutions and strategies can be effective – 64% of them place identity security and management in their top three priorities. Notably, this awareness is up from 2021, when 93% reported that their identity breaches could have been prevented. Everyone is on board.
As a result, IT leaders are taking both security and business goals into account in their IAM investments. IAM manages identities and enforces verification policies. Pairing IAM with a CIEM (cloud infrastructure entitlement management) solution also gives IT leaders visibility into their cloud identities, lets them continuously monitor risk and enforce least privilege, including just-in-time privileged access.
According to the IDSA study, organizations are investing substantially in identity, and identity security is part of their strategic cloud (62%) and zero trust (51%) initiatives. These planning choices can help organizations control cloud access privileges effectively and enforce least privilege.
Let’s shine a light for a moment on zero trust and the importance of identity. This approach enhances organizational security by eliminating implicit trust and continuously authenticating, authorizing and validating users before granting access to applications and data, or allowing it to continue. The first step toward zero trust is gaining visibility into all identities and their access relationships across the cloud environment’s data, compute and network resources. In short, you cannot achieve zero trust without managing identity visibility and security.
Identity-Related Security Controls
The good news is that organizations are already implementing a broad range of identity-related security controls. Which ones are the most prevalent? Among organizations that have implemented such controls, whether in the past year or earlier, 74% have continuous discovery of all user access rights, 76% have the ability to revoke access upon detection of high-risk events, and 83% have more timely reviews of privileged access and of access to sensitive data.
The survey found a significant increase over the last two years in the adoption of these practices. Continuous discovery of all user access rights, anomaly detection (i.e., evaluating expected user behavior for authentication) and revoking access upon detection of high-risk events all gained traction in this period, with between 55% and 63% of organizations undertaking each of them.
It is interesting that revoking access upon detection of a high-risk event associated with an identity is the least adopted of these, implemented or planned by 55% of organizations. Perhaps this reflects a reluctance to rescind access rights for fear of disrupting development, or simply the difficulty of putting least privilege into practice.
Many organizations are still in the process of implementing these controls. For example, for 63% of respondents the implementation of more timely reviews of privileged access is in progress or planned (and 4% have no plans to implement them at all). For 61% of respondents, behavioral anomaly detection (“evaluating expected user behavior for authentication”) is in progress or planned.
The IDSA finding that a large majority of organizations have not yet implemented timely reviews of privileged access aligns with the State of Cloud Security Maturity 2022 findings by Osterman Research (commissioned by Ermetic). According to that report, some 60% of organizations do not perform an access review of their cloud infrastructure even at the minimum cadence of once a quarter.
How can organizations improve their success in implementing cloud security controls? According to the same Osterman study, organizations investing more than 50 hours per week in cloud security achieved the highest levels of cloud security maturity. Maturity also rises with spending on cloud infrastructure. Both factors have diminishing returns, though: cloud security maturity is ultimately not about investing more, but about prioritizing and investing wisely in tools, training and processes.
The trend toward identity-focused security will continue: 97% of organizations plan to invest in identity-focused security outcomes in the coming year. The top three focus areas for cloud security investment are implementing MFA, continuously discovering user rights and more timely reviews of sensitive data access.
Next Steps for Identity and Security Professionals
According to the Osterman study, 81% of organizations lack full visibility into all resources directly accessible from the Internet and 52% of organizations lack full visibility into which resources an identity can access and the permission level granted. Identity-related security controls and strategies like those trending in the IDSA report can help overcome these visibility and mitigation gaps. Controls for timely reviews of privileged access, continuous discovery of user access rights and revoking access when detecting high risk events can further help with more effective and secure permissions management.
Such controls are also part of an organization’s broader cloud security strategy, which needs to include tools, people and security best practice processes like least privilege and JIT access. To understand where your organization stands we recommend reading the Cloud Security Maturity Model white paper and taking the online cloud security maturity self-assessment, which can help you understand your current maturity level with regard to securing your cloud identities and cloud infrastructure overall, and assist you in prioritizing your next steps.