
Posts tagged ‘ZeroTrust’

Forrester’s top ten trends defining identity and access management in 2024

Stolen identity and privileged access credentials now account for 61% of all data breaches. This figure continues to increase as nation-state attackers, cybercrime groups, and rogue attackers integrate AI into their attack tradecraft.

Adversarial AI is taking aim at identities

80% or more of breach attempts aim first at identities and the systems that manage them. CrowdStrike’s 2024 Global Threat Report found that identity-based and social engineering attacks are reaching a new level of intensity. CrowdStrike found that attackers are using AI to launch advanced phishing attacks to impersonate legitimate users and infiltrate secure accounts. Attackers have long sought account credentials, but in 2023, their goals centered on authentication tools and systems, including API keys and OTPs.

“What we’re seeing is that the threat actors have really been focused on identity, taking a legitimate identity. Logging in as a legitimate user. And then laying low, staying under the radar by living off the land by using legitimate tools,” Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told VentureBeat in an interview early this year. Two of the most infamous Russian nation-state attackers, Fancy Bear and Cozy Bear, led these efforts, with the former exploiting a Microsoft Outlook vulnerability (CVE-2023-23397) for unauthorized server access.

Top ten trends defining identity and access management (IAM) in 2024

Forrester’s recent report, The Top Trends Shaping Identity And Access Management In 2024, provides an insightful view into the future of Identity and Access Management (IAM) and Privileged Identity Management (PIM). The report predicts that threat detection and remediation will improve with the help of AI. Forrester also predicts that FIDO passkey authentication will go mainstream. In contrast, biometric authentication will slow down due to concerns regarding deepfakes.

Leading IAM providers include AWS Identity and Access Management, CrowdStrike, Delinea, Cradlepoint, ForgeRock, Ivanti, Google Cloud Identity, IBM Cloud Identity, Microsoft Azure Active Directory, Palo Alto Networks, and Zscaler.

Here is a summary of the top ten trends Forrester believes will shape IAM in 2024:

Trend 1: AI Will Improve Identity-Based Threat Detection and Remediation. Generative AI (genAI) is helping to redefine the future of IAM by improving outlier behavior analysis, increasing alerts’ accuracy, and streamlining administrative tasks while guarding against new threats.

98% of security professionals believe AI and machine learning (ML) will be beneficial in fighting identity-based breaches and see it as a pivotal technology in unifying their many identity frameworks. The majority, 63%, predict AI’s leading use case will be greater accuracy in identifying outlier behavior. 56% believe AI will help improve the accuracy of alerts, and 52% believe AI will help streamline administrative tasks.

Forrester asserts that AI will help short-staffed security teams triage alerts and automate time-consuming, mundane aspects of their jobs. Forrester also envisions genAI being used to query, “Which five applications are the riskiest from an identity entitlement perspective?” CrowdStrike announced at RSAC 2024 that Charlotte AI, CrowdStrike’s Generative AI security analyst, can automatically correlate all related contexts into a single incident and generate an LLM-powered incident summary for security analysts.

Trend 2: IAM Platforms Face Increased Scrutiny Of Their Underlying Security. High-profile breaches that began with impersonation leading to identity theft, including MGM and Okta, reflect how social engineering can still bypass IAM safeguards. CISOs are pushing back on their IAM vendors to improve operational processes and security practices and prioritize security for cloud-based SaaS applications and multi-cloud configurations. Forrester writes that their clients running IAM systems expect their vendors to comply with standards like SOC 2, FedRAMP, ISO 27002, and PCI. CISOs and security teams are also asking to vet a vendor’s workforce, including both employees and contractors, and to understand how the vendor communicates about and addresses security issues.

Forrester’s advice to security and risk management professionals is to “Demand multifactor authentication for all workforce business and admin users, without exception. Prioritize IAM vendors that embrace secure-by-design and secure-by-default principles and value continuous two-way customer engagement to improve their overall cybersecurity posture.”

Trend 3: IAM And Non-IAM Vendors Respond To Identity-Centric Threats. More CISOs and their security teams are taking a zero trust mindset to breaches. They see them as inevitable, and as part of their zero trust frameworks, they’re looking to shut down lateral movement after an intrusion. Forrester observes that “both IAM vendors and non-IAM cybersecurity vendors keep making advances in identity threat detection and response (ITDR). As a result of organic development and acquisitions, ITDR capabilities are being incorporated in platforms from privileged identity management (PIM) vendors like ARCON, BeyondTrust, CyberArk, and Delinea, as well as XDR vendors, such as Cisco, CrowdStrike, Proofpoint, and SentinelOne.”

Trend 4: FIDO Passkey Authentication Goes Mainstream For Workforce And B2C Uses. Forrester notes that a large number of customer-facing sites, including H&R Block, PayPal, and Verizon, are moving to passwordless authentication. At the same time, smaller financial institutions like coinbase.com offer optional fast identity online (FIDO) Authentication and FIDO passkey-based authentication. The research firm expects 30% of B2C websites and apps to offer FIDO passkeys by the end of 2024.

Trend 5: Biometric Adoption Slows Due To Concerns Around Deepfakes. Despite biometric authentication being a security standard on smartphones, CISOs and consumers alike are becoming more concerned about deepfakes. Designing liveness detection and other advanced features for facial and fingerprint recognition systems reduces the threat of spoofing generated by deepfake technology.

As multiple breach attempts have proven, voice biometrics are more susceptible to attack. Forrester notes that in response, the FTC set a Voice Cloning Challenge to “encourage the development of multidisciplinary solutions—from products to procedures—aimed at protecting consumers from artificial intelligence-enabled voice cloning harms, such as fraud and the broader misuse of biometric data and creative content.” Vendors will add additional deepfake detection to their solutions in 2024, resulting in a rebound in biometrics adoption in 2025.

Trend 6: IMG And PIM Vendors Expand Coverage Of Cloud Administrator Identities. Getting multicloud and hybrid cloud security right is getting more challenging and complex to achieve at scale due to configuration complexity. Forrester notes that “zero trust in the cloud starts with understanding the data access entitlements of identities like cloud infrastructure administrators, SaaS administrators, and business users.” Security and risk management professionals need to review cloud administrators’ entitlements that grant access to sensitive data assets and, when necessary, cancel them. Forrester writes, “While tools offer detection and remediation automation, they are no substitute for documented and consistent identity governance processes.”

Trend 7: Government-Issued Digital Identities Continue To Spread. Forrester believes acceptance of government-issued decentralized digital identities (DDIDs) beyond government use cases will grow in 2024. Mobile digital identities, including driver’s licenses, are now available in the US states of Arizona, California, Florida, and Iowa. Jurisdictions that have or will soon issue mobile driver’s licenses include the European Union (based on the eIDAS 2.0 approved set of standards), Estonia, Hungary, and Sweden. Nigeria and the Philippines have digital identities active today.

Trend 8: B2B IAM Becomes A Differentiating Feature. Security teams, and the CISOs running them, who operate without an extended IAM ecosystem for partners like contractors, suppliers, and resellers face more severe security risks. B2B IAM involves managing joiner, mover, and leaver (JML) processes differently than for internal employees. Forrester predicts that in 2024, IAM vendors will enhance platforms with features like simplified federation onboarding, verifiable credentials for ID verification, and improved access review processes for the extended enterprise.

Trend 9: Commercial And Homegrown IAM Solutions Face Growing Demand For Upgrades. Maintaining on-premises IAM systems is becoming more costly and inefficient, making it more attractive to move to a cloud-based platform. Forrester is finding that the brittle, less secure nature of on-premises legacy systems also makes them more difficult to upgrade. Demand is so high for replacing legacy systems that a recent Forrester survey found that the intention to replace homegrown solutions jumped from 4% in 2022 to 18% in 2023.

Trend 10: The Fine-Grained Authorization Market Heats Up. As digital platforms and business app creation continue to proliferate, the need for dynamic and fine-grained access controls is extending beyond security. Forrester says that the IAM market is moving toward centralized and external authorization patterns because of B2B2E and B2B2C relationships and the possibility that genAI could make it easier to create and manage authorization policies.

74% Of Data Breaches Start With Privileged Credential Abuse


Enterprises that are prioritizing privileged credential security are creating a formidable competitive advantage over their peers, ensuring operations won’t be interrupted by a breach. However, there’s a widening gap between those businesses protected from a breach and the many that aren’t. To quantify this gap, consider that the typical U.S.-based enterprise will lose on average $7.91M from a breach, nearly double the global average of $3.68M, according to IBM’s 2018 Data Breach Study.

Further insights into how wide this gap is are revealed in Centrify’s Privileged Access Management in the Modern Threatscape survey results published today. The study is noteworthy as it illustrates how wide the gap is between enterprises’ ability to avert and thwart breaches versus their current levels of Privileged Access Management (PAM) and privileged credential security. 74% of IT decision makers surveyed whose organizations have been breached in the past say it involved privileged access credential abuse, yet just 48% have a password vault, just 21% have multi-factor authentication (MFA) implemented for privileged administrative access, and 65% are sharing root or privileged access to systems and data at least somewhat often.

Addressing these three areas with a Zero Trust approach to PAM would make an immediate difference in security.

“What’s alarming is that the survey reveals many organizations, armed with the knowledge that they have been breached before, are doing too little to secure privileged access. IT teams need to be taking their Privileged Access Management much more seriously, and prioritizing basic PAM strategies like vaults and MFA while reducing shared passwords,” remarked Tim Steinkopf, Centrify CEO. FINN Partners, on behalf of Centrify, surveyed 1,000 IT decision makers (500 in the U.S. and 500 in the U.K.) online in October 2018. Please see the study here for more on the methodology.

How You Choose To Secure Privileged Credentials Determines Your Future 

Identities are the new security perimeter. Threats can emerge within and outside any organization, at any time. Bad actors, or those who want to breach a system for financial gain or to harm a business, aren’t just outside. 18% of healthcare employees are willing to sell confidential data to unauthorized parties for as little as $500 to $1,000, and 24% of employees know of someone who has sold privileged credentials to outsiders, according to a recent Accenture survey.

Attackers are increasingly logging in using weak, stolen, or otherwise compromised credentials. Centrify’s survey underscores how the majority of organizations’ IT departments have room for improvement when it comes to protecting privileged access credentials, which are the ‘keys to the kingdom.’ Reading the survey makes one realize that forward-thinking enterprises who are prioritizing privileged credential security gain major cost and time advantages over their competitors. They’re able to keep their momentum going across every area of their business by not having to recover from breaches or incur millions of dollars on losses or fines as the result of a breach.

One of the most promising approaches to securing every privileged identity and threat space within and outside an organization is Zero Trust Privilege (ZTP). ZTP enables an organization’s IT team to grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.

Key Lessons Learned from the Centrify Survey

The results of Centrify’s Privileged Access Management in the Modern Threatscape survey reflect how wide the gap is between organizations that see identities as the new security perimeter and are adopting a Zero Trust approach to securing them, and those that aren’t. The following are the key lessons learned about where and how organizations can begin to close the security gaps that leave them vulnerable to privileged credential abuse and many other potential threats:

  • Organizations’ most technologically advanced areas that are essential for future growth and attainment of strategic goals are often the most unprotected. Big Data, cloud, containers and network devices are the most important areas of any IT infrastructure. According to Centrify’s survey, they are the most unprotected as well. 72% of organizations aren’t securing containers with privileged access controls. 68% are not securing network devices like hubs, switches, and routers with privileged access controls. 58% are not securing Big Data projects with privileged access controls. 45% are not securing public and private cloud workloads with privileged access controls. The study finds that UK-based businesses lag U.S.-based ones in each of these areas as the graphic below shows:

  • Only 36% of U.K. organizations are very confident in their company’s current IT security software strategies, compared to 65% in the U.S. The gap between organizations with hardened security strategies that have a higher probability of withstanding breach attempts is wide between U.K. and U.S.-based businesses. 44% of U.K. respondents weren’t positive about what Privileged Access Management is, versus 26% of U.S. respondents. 60% of U.K. respondents don’t have a password vault.

  • Just 35% of U.S. organizations and 30% of those in the U.K. are relying on Privileged Access Management to manage partners’ access to privileged credentials and infrastructure. Partners are indispensable for scaling any new business strategy and expanding an existing one across new markets and countries. Forward-thinking organizations look at every partner associate’s identity as a new security perimeter. The 35% of U.S.-based organizations doing this have an immediate competitive advantage over the 65% who aren’t. By enforcing PAM across their alliances and partnerships, organizations can achieve uninterrupted growth by eliminating expensive and time-consuming breaches that many businesses never fully recover from.
  • Organizations’ top five security projects for 2019 include protecting cloud data, preventing data leakage, analyzing security incidents, improving security education/awareness and encrypting data. These top five security projects could be achieved at scale by having IT teams implement a Zero Trust-based approach to Privileged Access Management (PAM). The time, cost and scale advantages of getting the top five security projects done using Zero Trust would free up IT teams to focus on, for example, projects that deliver direct revenue gains.

Conclusion

Centrify’s survey shows organizations are granting too much trust and privilege, opening themselves up to potential internal and externally-driven breaches initiated with compromised privileged access credentials. It also reveals that there is a strong desire to adhere to best practices when it comes to PAM (51% of respondents) and that the reason it is not being adequately implemented rarely has to do with prioritization or difficulty but rather budget constraints and executive buy-in.

The survey also shows U.K.- and U.S.-based organizations need to realize identity is the new security perimeter. For example, only 37% of respondents’ organizations are able to turn off privileged access for an employee who leaves the company within one day, leaving a wide-open exposure point that can continue to be exploited.

There are forward-thinking organizations that are relying on Zero Trust Privilege as a core part of their digital transformation efforts as well. The survey found that given a choice, respondents are most likely to say digital transformation (40%) is one of the top 3 projects they’d prefer to work on, followed by Endpoint Security (37%) and Privileged Access Management (28%). Many enterprises see Zero Trust as digital transformation’s missing link and as the foundation for redefining their businesses by defining every identity as a new security perimeter, so they can securely scale and grow faster than before.