October was National Cyber Security Awareness Month, which served as an important annual reminder for organizations to never let their guard down when it comes to protecting access to data. The most recent wave of data breaches (e.g., Simon Fraser University, Twitter, Universal Health Services, and Shopify) demonstrates that cyber adversaries no longer need to ‘hack’ in; instead they can log in using weak, stolen, or phished credentials. This takes on increased significance when it comes to privileged credentials, such as those used by IT administrators to access critical infrastructure. These types of credentials are estimated to be involved in 80% of data breaches.
Today’s dynamic threatscape requires security professionals to adjust to an ever-expanding attack surface. It doesn’t matter where the data they need to protect resides, or who is ultimately trying to access the data — be it human or a machine. What counts is that they minimize the risk of data exfiltration. Period.
Consider the following threats that are on the horizon and which companies need to start preparing for now:
Once COVID-19 hit, a lot of organizations realized they lacked the scalability to support work-from-home business needs, which accelerated moving workloads to the cloud. However, a lot of companies haven’t figured out how to secure their cloud infrastructure. In fact, 92 percent of organizations admit that they face a cloud security readiness gap. Unfortunately, there is still widespread misunderstanding of who is responsible for securing privileged access to cloud workloads.
According to research conducted by Centrify among 700 respondents from the US, Canada, and UK, 60% of organizations incorrectly believe the cloud provider is responsible for securing privileged access, whereas the shared responsibility model clearly states that it is the responsibility of the organization. This shift to the cloud has not gone unnoticed by threat actors. In fact, data breaches in the cloud due to misconfigurations and privileged credential abuse have increased in the past couple of years.
While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with the Internet of Things (IoT). They should, since there are already plenty of examples of successful IoT security breaches, including Stuxnet, the Mirai botnet, and connected cardiac devices. IoT in all its flavors (e.g., physical security systems, lights, appliances, heating and air conditioning systems, and artificial intelligence-based automated agents such as chatbots) exposes companies and consumers alike to a wide range of security threats. In fact, according to a survey conducted by Altman Vilandrie & Company, nearly half of US-based firms using IoT have been hit by a security breach.
Therefore, IoT must be considered part of a broader attack surface that requires protective measures. While consumer IoT devices like Amazon Alexa, Google Home, Nest Labs home automation systems, and smart wearables get all the headlines, the largest proportion of IoT devices aren’t used in homes. They are deployed in manufacturing plants, retail businesses, and the healthcare industry. The strong adoption rates in these verticals are tied to the benefits IoT devices provide in terms of tracking inventory, managing machines, increasing efficiency, improving customer interaction and service, reducing maintenance costs, and even saving lives.
Today, identities include not just people but workloads, services, and machines. In fact, non-human identities represent the majority of “users” in many organizations. They are often associated with privileged accounts and typically have a much larger footprint than traditional human privileged accounts within modern IT infrastructures. This is especially true in DevOps and cloud environments, where task automation plays a dominant role. These identities often pose a blind spot, since machine, IoT, service account, and application identities are not always considered when establishing security controls. Besides underestimating the risk associated with non-human identities, many organizations have recognized that static password authentication, which often requires manual and time-consuming configuration, is not suitable in fast-moving multi-cloud and hybrid environments, where access needs are often temporary and changes are constant.
Establishing a solid perimeter and investing in a well-built security team is still important, but organizations need to adjust their security strategies to match modern threats and focus on identity and credentials. In this context, granting ‘least privilege’ is essential to preventing unauthorized access to business-critical systems and sensitive data by both insiders and external threat actors. Establishing granular, role-based privileged access controls and granting just-enough, just-in-time access to target systems and infrastructure limits lateral movement.
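As an added illustration of the just-enough, just-in-time model described above (example code written for this page, not Centrify's product or any real access broker), the following issues a privilege grant that is scoped to one role, one host and one privilege and that expires after a short window; the role policy, host names and privilege names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed role policy (assumption, not from the original post): which
# hosts and privileges each role may request. Anything outside this map
# is refused, so a grant can never be broader than the role allows.
ROLE_POLICY = {
    "db-admin": {"hosts": {"db-01", "db-02"}, "privileges": {"sudo:mysql"}},
    "web-ops": {"hosts": {"web-01"}, "privileges": {"sudo:nginx"}},
}

DEFAULT_TTL_SECONDS = 30 * 60  # grants are short-lived by default


@dataclass(frozen=True)
class Grant:
    identity: str
    role: str
    host: str        # the single target system the grant covers
    privilege: str   # the single privilege the grant covers
    expires_at: int  # epoch seconds after which the grant is dead


def request_grant(identity, role, host, privilege, now, ttl=DEFAULT_TTL_SECONDS):
    """Issue a just-in-time grant, or return None if the request is out of scope.

    'now' is epoch seconds; the grant is bound to exactly one host and one
    privilege (just-enough) and expires at now + ttl (just-in-time).
    """
    policy = ROLE_POLICY.get(role)
    if policy is None:
        return None  # unknown role: nothing is granted
    if host not in policy["hosts"] or privilege not in policy["privileges"]:
        return None  # request exceeds what the role permits
    return Grant(identity, role, host, privilege, now + ttl)


def is_authorized(grant, identity, host, privilege, now):
    """Check a grant at use time: same identity, same target, same privilege,
    and still inside the time window. A grant for db-01 does not carry over
    to db-02, which is what limits lateral movement."""
    if grant is None:
        return False
    return (grant.identity == identity
            and grant.host == host
            and grant.privilege == privilege
            and now < grant.expires_at)
```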