With high-profile data breaches and hacks becoming all too common in recent years, the need to protect user identities and secure digital assets has never been more crucial. In this blog post, we will explore the challenges surrounding identity management in the cloud era and how the cloud has changed the fundamentals of identity management.
As we dive deeper into the subject, we will examine the shared responsibility in cloud security, the governance aspect of cloud security, and the interconnectedness of identity in the cloud. We will also discuss the role of supervisors and management in addressing security concerns and walk through the Okta breach case study to better understand the importance of third-party trust.
The shift in responsibility for cloud security
One of the key challenges organizations face in the cloud era is the shift in responsibility for cloud security. The shared responsibility model in the cloud dictates that identity and access management is mostly the enterprise’s responsibility rather than the cloud service provider’s. In practice, this has produced an organizational divide between the traditional Identity and Access Management (IAM) teams that handle tasks such as provisioning and de-provisioning and the “newer” cloud security teams that have emerged over the last five to six years.
As identity becomes the new security perimeter, these teams must work closely together under a unified IAM fabric. However, many organizations still deal with identity in silos, leading to potential vulnerabilities and inefficiencies. At the C-suite level, there needs to be a realization that collaboration between IAM and cloud security teams is crucial for maintaining a robust security posture.
Furthermore, the governance aspect of cloud security has become more complex as organizations increasingly rely on third-party vendors and federated identity systems. This complexity is compounded by the fact that many control teams assume they have a strongly authenticated user when, in reality, the authentication process may not be as secure as they believe. Unfortunately, the cloud has not made this issue easier – it may have even exacerbated it by encouraging siloed roles and responsibilities in the IAM and cloud security domains.
To navigate the challenges of third-party trust, organizations must be vigilant about the risks associated with supply chain attacks and other potential vulnerabilities that arise from relying on external partners. By fostering a culture of collaboration and adopting a holistic approach to identity and access management, organizations can better protect their digital assets and maintain a secure environment in the cloud era.
Understanding the governance model in cloud security
Governance plays a critical role in ensuring the security of cloud-based systems. Many control teams working on cloud security controls assume they are dealing with a strongly authenticated user, i.e. that authentication has already been performed correctly. However, this assumption can be problematic, as it may overlook the crucial governance aspect in maintaining a robust security posture.
In the cloud era, the governance aspect of security has become more complicated due to the fragmentation of responsibilities and the reliance on federation, third-party vendors, and interconnected systems. This complexity is further exacerbated by the fact that people no longer see identity management as a continuum; instead, they view it as a set of siloed roles and capabilities. This siloed approach makes maintaining a strong and unified security framework challenging.
Third-party trust has emerged as a significant concern in cloud security governance. With supply chain attacks and other vulnerabilities resulting from reliance on external partners, organizations must diligently manage and monitor their relationships with third parties. This includes understanding the risks of granting access to their systems and ensuring appropriate security measures are in place.
To improve governance in cloud security, organizations should:
- Foster a culture of collaboration between IAM and cloud security teams, breaking down silos and promoting a unified approach to identity management.
- Continuously assess and validate the strength of their authentication processes, ensuring they maintain a high level of security.
- Implement robust governance frameworks to manage and monitor third-party relationships, mitigating the risks associated with external partnerships.
By addressing these challenges and adopting a holistic approach to cloud security governance, organizations can create a more secure environment and protect their digital assets more effectively.
Case study: The Okta breach and its implications
The Okta breach in 2022 is a prime example of the identity governance challenges organizations face today. The breach had two incidents, highlighting the need for a comprehensive and diligent approach to identity governance.
Incident #1: Compromised third-party credentials
The first incident involved a contractor from a third party setting a password for an account that was ultimately used to breach Okta. Although the damage was limited and contained, this incident underscores the importance of end-to-end identity governance, even for organizations whose core business is identity.
Incident #2: Source code exposure
In December, untrusted users gained access to Okta’s GitHub, resulting in the exposure of source code. This incident raises significant concerns, as many organizations trust companies like Okta to manage their identity and federated authentication. If the compromised source code reveals a way to access user data or enables an attacker to impersonate users, the integrity of a widely used identity and authentication service could be at risk.
These incidents demonstrate the criticality of governance in the context of interconnected systems. A piecemeal approach to identity governance is clearly not enough; organizations must adopt a systemic perspective to address the challenges posed by interconnectedness.
Key takeaways from the Okta breach
- The importance of end-to-end identity governance: Organizations must diligently manage their entire identity lifecycle, from onboarding to offboarding, including third-party relationships.
- The need for a systemic approach: Identity governance cannot be thought of in isolated pieces or parts; it must be considered holistically across the entire enterprise.
- The risks of interconnected systems: The interconnectedness of identity and access management systems increases the importance of governance, as vulnerabilities in one area can have far-reaching implications.
- The role of third-party relationships: Organizations must establish robust governance frameworks to manage third-party relationships and reduce the risk of security breaches resulting from external partnerships.
By learning from the Okta breach and addressing the identity governance challenges highlighted by the incidents, organizations can improve their overall security posture and better protect their digital assets.
The sprawl of machine identities
There is also a significant growth of machine identities in the cloud, which include service identities, pipeline identities, and other identities representing non-human entities. This growth has led to a more complex identity landscape that extends beyond human users to a broad array of machines and endpoints. Furthermore, as organizations increasingly engage in app development and digital transformation, the number of machine identities on infrastructure platforms such as AWS, GCP, and Azure surpasses the number of human identities, making identity governance even more challenging than before.
In addition to traditional users like employees and consultants, organizations must now manage servers, serverless functions, and storage nodes with their own roles, privileges, access keys, and credentials for authentication. Furthermore, unlike human users, these machine identities may not be stored in a central directory, further complicating their management. To navigate this growing complexity, companies need upfront planning and automation to maintain a clear understanding of their environment and to ensure its security.
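The kind of automated inventory review the two paragraphs above call for, as an added example that is not Zilla’s code or part of the original post: a point-in-time audit over a constructed list of platform principals that mixes human and machine identities. The record fields, the sample identities, the internal e-mail domain `corp.example`, the privileged role name `admin`, and the staleness and key-age thresholds are all assumptions chosen for illustration; the findings it raises (machine identities with no directory record, long-lived access keys, unused identities, third-party accounts holding privileged roles, users offboarded in the directory but still present on the platform) are the governance gaps the post describes.

```python
# Added example (not Zilla's code): a point-in-time posture audit over a
# constructed identity inventory. Fields, thresholds and sample data are
# assumptions chosen for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2024, 1, 15)            # fixed "now" so results are deterministic
INTERNAL_DOMAINS = {"corp.example"}  # constructed internal e-mail domain
PRIVILEGED_ROLES = {"admin"}         # roles treated as privileged
STALE_DAYS = 90                      # unused this long -> candidate for removal
MAX_KEY_AGE_DAYS = 180               # long-lived access keys older than this -> rotate


@dataclass
class Identity:
    name: str
    kind: str                    # "human" or "machine"
    in_directory: bool           # has a record in the central directory / IdP
    mfa: bool                    # MFA enforced (only checked for humans)
    email_domain: Optional[str]  # None for machine identities
    directory_status: str        # "active" or "offboarded" in the directory
    roles: list                  # roles/privileges granted on the platform
    last_used: Optional[date]    # last authentication or API call
    key_created: Optional[date]  # creation date of a long-lived access key


# Constructed inventory, shaped like an export of a platform's principals.
INVENTORY = [
    Identity("alice", "human", True, True, "corp.example", "active", ["reader"], date(2024, 1, 14), None),
    Identity("bob-contractor", "human", True, False, "contractor.example", "active", ["admin"], date(2024, 1, 10), None),
    Identity("carol", "human", True, True, "corp.example", "offboarded", ["reader"], date(2024, 1, 12), None),
    Identity("ci-deploy", "machine", False, False, None, "active", ["deploy"], date(2024, 1, 14), date(2023, 6, 1)),
    Identity("legacy-etl", "machine", False, False, None, "active", ["admin"], date(2023, 7, 1), date(2022, 1, 1)),
    Identity("svc-backup", "machine", True, False, None, "active", ["backup"], date(2024, 1, 1), date(2023, 12, 20)),
]


def audit_identity(ident, today=TODAY):
    """Return the list of governance findings for one identity (empty if clean)."""
    issues = []
    if ident.kind == "machine" and not ident.in_directory:
        issues.append("machine identity has no central directory record")
    if ident.kind == "human" and not ident.mfa:
        issues.append("MFA not enforced")
    if ident.directory_status == "offboarded":
        issues.append("offboarded in directory but platform account still exists")
    if (ident.email_domain and ident.email_domain not in INTERNAL_DOMAINS
            and PRIVILEGED_ROLES & set(ident.roles)):
        issues.append("third-party account holds a privileged role")
    if ident.last_used is not None:
        idle = (today - ident.last_used).days
        if idle > STALE_DAYS:
            issues.append(f"unused for {idle} days")
    if ident.key_created is not None:
        age = (today - ident.key_created).days
        if age > MAX_KEY_AGE_DAYS:
            issues.append(f"access key is {age} days old")
    return issues


def audit(inventory, today=TODAY):
    """Map each identity name to its findings, omitting identities with none."""
    report = {}
    for ident in inventory:
        issues = audit_identity(ident, today)
        if issues:
            report[ident.name] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(f"{name}:")
        for issue in issues:
            print(f"  - {issue}")
```

Run against the constructed inventory, the audit is clean for `alice` and `svc-backup` and flags the other four: the contractor with a privileged role and no MFA, the offboarded user whose platform account survived, and the two machine identities that exist nowhere in the directory and carry keys older than the rotation threshold. The same loop would run over a real export once the record fields are mapped onto the platform’s own attributes.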
Third-party trust: Challenges and best practices
As the Okta breach example demonstrates, managing third-party trust is critical to maintaining a secure posture in modern organizations. Many enterprises have a Governance, Risk, and Compliance (GRC) team for evaluating third-party software and applications. However, once these tools are deployed, there is often a lack of ongoing monitoring and evaluation of their usage, the number of accounts, and the assigned permissions. This can leave organizations vulnerable to security breaches.
One common challenge faced by organizations undergoing digital transformation is ensuring that they can trust the code and how it is updated. While many organizations focus on checking software licenses to avoid legal issues, too little emphasis is placed on evaluating the code itself and the authentication practices of its contributors.
To address these challenges and create a more holistic approach to third-party identity and access management, organizations must consider the following best practices:
- Continuously monitor and assess the usage of third-party software, ensuring that only trusted and authorized accounts have access to sensitive information.
- Develop and implement strong authentication practices for contributors and developers working with third-party code.
- Conduct regular audits of third-party software to verify its security and compliance with organizational policies.
- Invest in automation and tools that can help keep track of machine identities, roles, and privileges, enabling better oversight of both human and non-human entities within the organization’s environment.
By implementing these strategies, organizations can create a more secure environment, minimizing the risks associated with third-party trust and the ever-evolving landscape of identity governance.
Opportunity: Automation and collaboration for enhanced security
As the challenge of securing software and managing digital transformations grows, companies often focus on scanning software to determine its open-source license type, aiming to avoid inadvertently deploying open-source software that could pose licensing concerns. However, far less attention goes to the code itself: whether it can be trusted, how its updates are controlled, and whether its contributors use strong authentication.
Identity and access vulnerabilities are now the leading cause of data breaches. With the multitude of identities, permissions, access keys, and certificates, tracking them all without automation is impossible. In addition, excessive permissions granted to users, unused service accounts, and third-party privileged access contribute to the complexity of the security landscape.
Recognizing the need for an automated solution that works with multiple stakeholders in an organization is crucial. Collaboration between security, IT, compliance, DevOps teams, application owners, and supervisors is necessary to address this challenge. Governance and policies play a significant role, but there’s also a human element that can sometimes fail us. Thus, there’s a need for tooling that considers the situation systemically, removing some of the human involvement to maintain consistency and ensure the systems work as intended.
AI and machine learning are expected to play a more significant role in the future, automating more manual tasks while still relying on the context provided by human expertise. In the meantime, organizations should start with the basics: implementing multi-factor authentication (MFA) everywhere, flawless offboarding, securing third-party supply chains, and focusing on critical vulnerabilities in the infrastructure platform and identity management.
By taking a holistic view of identity and breaking down silos, organizations can implement automation to secure their identity posture and track changes. Maintaining a strong security posture is not just about achieving it but also about managing changes effectively. By actively monitoring recently changed controls, organizations can better safeguard their cloud environments and ensure a more secure future with a comprehensive, end-to-end governance model and as much automation as possible.
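The change-monitoring idea in the paragraph above, as an added example that is not Zilla’s code or part of the original post: two posture snapshots are compared and each recently changed control is rated for review priority. The snapshot shape (`roles`, `mfa`, `email_domain` per identity), the sample identities, the internal domain `corp.example`, the privileged role `admin`, and the severity rules are assumptions chosen for illustration. It goes slightly beyond the text by also rating new third-party accounts, role grants, role removals and removed identities, not only privilege escalations.

```python
# Added example (not Zilla's code): detect recently changed identity controls
# by diffing two posture snapshots. Snapshot shape, sample data and severity
# rules are assumptions chosen for illustration.
from dataclasses import dataclass

INTERNAL_DOMAINS = {"corp.example"}  # constructed internal e-mail domain
PRIVILEGED_ROLES = {"admin"}         # roles treated as privileged


@dataclass(frozen=True)
class Change:
    identity: str
    kind: str      # "created", "removed", "role_added", "role_removed", "mfa_disabled"
    detail: str
    severity: str  # "high", "medium" or "info"


# Constructed snapshots: {name: {"roles": set, "mfa": bool, "email_domain": str|None}}
SNAPSHOT_BEFORE = {
    "alice": {"roles": {"reader"}, "mfa": True, "email_domain": "corp.example"},
    "bob": {"roles": {"reader"}, "mfa": True, "email_domain": "corp.example"},
    "ci-deploy": {"roles": {"deploy"}, "mfa": False, "email_domain": None},
    "old-svc": {"roles": {"reader"}, "mfa": False, "email_domain": None},
}
SNAPSHOT_AFTER = {
    "alice": {"roles": {"reader"}, "mfa": True, "email_domain": "corp.example"},
    "bob": {"roles": {"reader", "admin"}, "mfa": False, "email_domain": "corp.example"},
    "ci-deploy": {"roles": {"deploy", "logs"}, "mfa": False, "email_domain": None},
    "vendor-support": {"roles": {"admin"}, "mfa": False, "email_domain": "vendor.example"},
}


def _is_third_party(record):
    """True for human accounts whose e-mail domain is not one of ours."""
    domain = record.get("email_domain")
    return domain is not None and domain not in INTERNAL_DOMAINS


def diff_snapshots(before, after):
    """Return every control change between two snapshots, rated for review."""
    changes = []
    # New identities: a third-party or privileged newcomer is reviewed first.
    for name in sorted(after.keys() - before.keys()):
        rec = after[name]
        privileged = bool(PRIVILEGED_ROLES & rec["roles"])
        severity = "high" if (_is_third_party(rec) or privileged) else "medium"
        changes.append(Change(name, "created",
                              f"new identity with roles {sorted(rec['roles'])}", severity))
    # Removed identities are informational (expected after offboarding).
    for name in sorted(before.keys() - after.keys()):
        changes.append(Change(name, "removed", "identity no longer present", "info"))
    # Identities present in both: look for grants, revocations and MFA changes.
    for name in sorted(before.keys() & after.keys()):
        old, new = before[name], after[name]
        for role in sorted(new["roles"] - old["roles"]):
            sev = "high" if role in PRIVILEGED_ROLES else "medium"
            changes.append(Change(name, "role_added", f"gained role {role}", sev))
        for role in sorted(old["roles"] - new["roles"]):
            changes.append(Change(name, "role_removed", f"lost role {role}", "info"))
        if old["mfa"] and not new["mfa"]:
            changes.append(Change(name, "mfa_disabled", "MFA no longer enforced", "high"))
    return changes


def needs_review(changes):
    """The subset a reviewer should look at first: everything rated high."""
    return [c for c in changes if c.severity == "high"]


if __name__ == "__main__":
    for c in diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"[{c.severity:6}] {c.identity}: {c.kind} - {c.detail}")
```

On the constructed snapshots the diff produces five changes, three of which are rated high and land on the review list: a new third-party account created directly with a privileged role, an existing user gaining that role, and the same user’s MFA being switched off. The removed service account and the extra `logs` role on the pipeline identity are recorded but do not compete for the reviewer’s attention. Taking a snapshot on a schedule and diffing consecutive ones is the minimal form of the "monitor recently changed controls" practice the post recommends.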
How can Zilla Security help?
Zilla Security can help organizations navigate the complex challenges of identity security. Zilla continuously monitors and assesses SaaS, cloud identity, and access settings, including machine identities and accounts linked to third-party emails. As a result, organizations can create a more secure environment and ensure a more secure future by focusing on automation and collaboration. Contact us to learn more about Identity Governance and Administration in the cloud era.