Identity compromise has become one of the greatest security threats organizations face. According to Google Cloud’s 2023 Threat Horizons Report, 86 percent of all data breaches involve credentials obtained from unwitting users. More broadly, credential issues play a role in more than 60 percent of security incidents.
In many cases, however, enterprise security strategies are not aligned with this risk. In an Identity Defined Security Alliance study, 90 percent of organizations reported an identity-related security incident in the preceding 12 months. However, just 49 percent invested in identity protection tools prior to suffering an incident.
Many IT teams struggle with a fragmented array of identity and access management (IAM) tools. To combat today’s security threats, organizations need a governance-based approach that provides a holistic view of users and the resources they can access. It should also provide granular, automated management based on centralized policies.
A Growing Array of Identities
Protecting privileged account credentials is especially critical because they provide hackers with virtually unfettered access to IT resources. However, all user credentials — including those of contractors, vendors, suppliers and customers, as well as employees — represent a potential vulnerability.
Organizations are now grappling with a new definition of “identity” — one that is not just contained within the enterprise IT environment. In a supply chain, for example, organizations must figure out how to integrate external user groups into their security controls to provide access to appropriate resources. Organizations must also manage user credentials scattered throughout the distributed enterprise and in the cloud.
Machine identities are another growing threat. The term “machine” refers not only to physical devices but to software, APIs, containers and services — any “thing” that needs access to network resources. According to the CyberArk 2024 Identity Security Threat Landscape Report, machine identities are seeing explosive growth and are considered the greatest risk. Up to half of machine identities have access to sensitive data.
A Fragmented Approach to IAM
A robust, well-architected IAM solution will provide for effective administration of users, roles and credentials, reducing the risk associated with orphaned accounts, excess privileges, and weak or shared passwords. However, the complexity of today’s IT environment has made IAM a daunting challenge for enterprise security teams. In a recent ConductorOne survey, 47 percent of IT security leaders cited the complexity of existing systems as their top IAM challenge.
A fragmented approach to IAM also creates significant security risks. Many IT teams must manage numerous IAM systems that don’t always work together. Without centralized policy management, there’s no real way to identify unauthorized access, compliance violations or excess privileges. Additionally, this fragmented approach makes it virtually impossible to propagate policy changes accurately across multiple systems.
Part of an Overarching Strategy
It’s true that human error plays a significant role in identity-related security incidents. The people who have access to systems and networks are the weakest links in the security chain.
Training can help boost cybersecurity by reminding users of the risks associated with phishing attacks and other social engineering techniques. Organizations should also develop and enforce strict policies related to user credentials and data loss prevention. That said, it is impossible to eliminate human error. IT teams must bolster education and policy enforcement with more effective IAM processes.
The key takeaway is that the network perimeter has become a porous boundary that exists wherever users access applications and data. All it takes is one compromised account to cause a security incident. However, a fragmented approach to IAM leaves gaps that weaken security. Contact us to discuss how end-to-end, policy-based IAM can help reduce the risks associated with credential theft and access exploitation.
August 2, 2024