In May 2021, the U.S. national gas price average hit its highest level in six years. The cause: a ransomware attack on fuel distribution company Colonial Pipeline, made possible by the most common kind of attack—misused or stolen credentials. A stolen password belonging to a legacy VPN account led to the company paying a ransom of $4.4 billion in bitcoin to the attackers to get control of its systems back. As tech companies tout the benefits of the biggest buzzword in security today—zero-trust—the attack on Colonial Pipeline highlights a critical point. Adopting zero-trust methodology must start with identity and access management (IAM).
IAM is the foundation of zero-trust and makes every other facet of the methodology possible, from multifactor authentication (MFA) and single sign-on (SSO) to the context- and risk-based policies that trigger authentication requests to keep your network secure. It ensures every account is onboarded and offboarded properly, avoiding access creep that can make your network vulnerable. And it’s the first step to a passwordless authentication future, eliminating the most common way malicious actors can access and attack your network.
Passwords Aren’t Proof
During a U.S. Senate committee hearing about the Colonial Pipeline attack in June, the company’s CEO told senators that the password belonging to the compromised account was “complicated,” but that the legacy VPN did not have MFA enabled.
This is the peril of password-based security. Even the most complicated passwords provide no protection if they are misused and measures to monitor access and require additional identity verification are nonexistent. When it comes to identity, passwords aren’t proof.
Cyberattacks continue to rely on credentials. In 2020, 61% of breaches involved credentials, according to the Verizon Data Breach Investigations Report—the most common attack vector by far.
These kinds of attacks can come from malicious actors within an organization or from passwords stolen through phishing attempts or data breaches. Close to six billion accounts had credentials compromised during data breaches in 2021, according to a report by Atlas VPN. But simple human error can also open your network to attacks, whether through coworkers emailing each other passwords for resources or old accounts that haven’t been properly offboarded.
This is why zero-trust methodology relies on identity—and continuous verification of identity—for network access. It comes down to three key questions:
- Who is the user?
- What does the user have access to?
- And what are they doing with that access?
Simplified Yet Stronger
Answering those questions begins with a unified user directory across all applications. This reduces the attack surface area, eliminating the multiple passwords needed to access applications, resources and data used by an organization. Instead, SSO grants access to everything a user needs to do their tasks, whether cloud-based applications or local network resources, and MFA is used to verify that the user entering their password is who they say they are.
This approach not only provides stronger security but also simplifies the user experience. People are less likely to share passwords when they only need one. It simplifies IT management as well, particularly the onboarding and offboarding of users.
When a new employee is onboarded, their user account is created and gives them day-one access to the basic tools of the job, like their email account. IT can then add that user to the appropriate working groups to enable the access they need. When an employee leaves or a contractor’s work is completed, access can easily be revoked while maintaining the account for archival logging of important data and history.
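A unified directory also makes offboarding gaps and access creep checkable in one pass. The audit below is an added example, not part of the original article; the record layout, role baselines, account names and the 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import date

# Constructed role baselines: groups each role is expected to hold.
ROLE_GROUPS = {
    "engineer": {"email", "vpn", "source-control"},
    "accountant": {"email", "finance"},
    "contractor": {"email"},
}

# Constructed directory export; every name and date is sample data.
ACCOUNTS = [
    {"name": "alice", "role": "engineer", "owner_status": "active", "enabled": True,
     "mfa": True, "last_login": date(2021, 5, 3), "groups": {"email", "vpn", "source-control"}},
    {"name": "bob", "role": "accountant", "owner_status": "active", "enabled": True,
     "mfa": True, "last_login": date(2021, 5, 1), "groups": {"email", "finance", "vpn"}},
    {"name": "legacy-vpn", "role": "contractor", "owner_status": "departed", "enabled": True,
     "mfa": False, "last_login": date(2020, 11, 20), "groups": {"email", "vpn"}},
    {"name": "carol", "role": "contractor", "owner_status": "departed", "enabled": False,
     "mfa": False, "last_login": date(2021, 1, 15), "groups": set()},
]

def audit_accounts(accounts, today, max_idle_days=90):
    """Map account name -> list of findings; clean accounts are omitted."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["enabled"]:
            if acct["owner_status"] != "active":
                issues.append("enabled after owner left")
            if not acct["mfa"]:
                issues.append("no MFA")
            idle = (today - acct["last_login"]).days
            if idle > max_idle_days:
                issues.append(f"dormant for {idle} days")
        # Access creep: memberships beyond the role baseline. Checked even on
        # disabled accounts, since re-enabling would restore that access.
        extra = acct["groups"] - ROLE_GROUPS.get(acct["role"], set())
        if extra:
            issues.append("extra groups: " + ", ".join(sorted(extra)))
        if issues:
            findings[acct["name"]] = issues
    return findings
```

Calling `audit_accounts(ACCOUNTS, date(2021, 5, 7))` reports only the two accounts that need attention; the properly offboarded account and the clean one are omitted.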
To Trust is to Verify in a Zero-Trust Environment
Once a unified user directory with SSO and MFA is in place, IT management can enable one of the most powerful parts of zero-trust security—context- and risk-based policies. Unlike the perimeter-based protection of the past, zero-trust methodology doesn’t implicitly trust users once they’re inside the system. Instead, these policies can be used to trigger MFA to verify a user’s identity.
For example, it’s expected now that a bank website will trigger MFA, often in the form of a texted code, if someone is accessing an account from a new, unrecognized device. This is context-based policy, using a user’s purported identity in combination with additional information like device, time and geolocation to determine whether access can be granted.
Risk-based policies can then add an additional layer of security for resources deemed particularly sensitive by an organization. This can be financial information, data subject to regulations like HIPAA, or anything else an organization determines should require MFA on every access.
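The two policy types described above can be expressed as one decision function. This is an added example, not part of the original article or any vendor's product; the class names, the sensitivity tags and the signal set (device, country, hour of day) are assumptions chosen to mirror the signals the article names.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical resource tags an organization might treat as high risk.
SENSITIVE_TAGS = {"finance", "hipaa"}

@dataclass
class KnownContext:
    """What the directory already knows about a user (constructed shape)."""
    devices: set
    countries: set
    work_hours: range          # local hours considered normal, e.g. range(7, 20)
    disabled: bool = False

@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    when: datetime
    resource_tags: set
    mfa_verified_this_session: bool = False

def decide(req: AccessRequest, known: KnownContext) -> tuple:
    """Return (decision, reasons); decision is 'deny', 'require_mfa' or 'allow'.

    'require_mfa' means the gateway must challenge before serving this request.
    """
    if known.disabled:
        return "deny", ["account offboarded"]
    # Risk-based: sensitive resources need MFA on every access, so an MFA
    # check done earlier in the session does not satisfy them.
    if req.resource_tags & SENSITIVE_TAGS:
        return "require_mfa", ["sensitive resource"]
    # Context-based: compare device, geolocation and time with what is known.
    reasons = []
    if req.device_id not in known.devices:
        reasons.append("unrecognized device")
    if req.country not in known.countries:
        reasons.append("unusual location")
    if req.when.hour not in known.work_hours:
        reasons.append("unusual time")
    if reasons and not req.mfa_verified_this_session:
        return "require_mfa", reasons
    return "allow", reasons
```

Returning the reasons alongside the decision gives the access log an answer to the third question above: what the user was doing with that access when the challenge fired.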
With the help of machine learning and AI, your access policies can be automated to adapt to changes in your business in real time. The AI can enforce them, too, safely granting and denying access without human intervention, another way zero-trust can simplify IT management.
Finally, a zero-trust environment can ready an organization to implement passwordless authentication—the next phase of better security, which can use physical traits like fingerprints, behavioral traits like typing and touch-screen dynamics, or possession factors like an authenticator app or hardware token.
The Foundation of the Future of Security
Again, none of this is possible without identity and access management in place. Context- and risk-based policies, multifactor authentication, single sign-on—none of this can be accomplished without first having a strong IAM system. For every organization looking to improve its security in a world where remote and hybrid work models are becoming the norm, and asking where to begin, the foundation is identity.