
Hiding in Plain Sight: The Single Biggest Risk in your Enterprise is Something that Everyone has Completely Forgotten About
Ah, the early days of identity in the digital world… it was a simpler time. Computing systems were isolated, networks were virtually non-existent, and we stuffed punch cards into blinky-lighted boxes and spooled their memories onto magnetic tapes (by the way, magnetic tape is still a thing, and it is used a ton). Identity management was as simple as someone assigning you an account, and you safeguarding it with your very soul. Even with the earliest indications that we were addressing the challenges of identification in the digital world in entirely the wrong way, it was a quiet and quaint time of relatively limited risk and just giving people access to stuff. How hard could it be? …right?
Then, one day, the internet came along. And shortly after that, the cloud. But I’m getting ahead of myself.
In the 20 years or so before both the ubiquitous internet and the cloud computing we know today, organizations became highly networked, with disparate operating systems, networks, applications and centralized technology functions. These were the days of single sign-on and federation, of Active Directory and Lightweight Directory Access Protocol, of SAML and OIDC, and of 2FA and MFA. In truth, these days are still very much those days.
We started with a corrupted foundation for security: a simple account and password structure. Then, instead of changing this fundamentally flawed approach, we built systems to bundle many of those accounts and passwords together and put them under the umbrella of a single account and password. The reason? To make things easier for the account holders. Not to make things more secure, or to protect company assets, or to provide privacy. Nope, we have spent decades building “easy access,” and now everyone stands around looking dazed when yet another massive breach or exploit succeeds, proving that we made access easier for everyone – hint: criminals included.
A very easy argument can be made that most of the cybersecurity spend by enterprises, organizations, and agencies exists today because of the broken beginnings of identity-centric security and the constant demand by everyone for easy access. And even in the face of overwhelming data that proves that identity is the single largest exploit and attack surface, companies simply refuse to fix what is their most obvious weakness.
It might be easy for you, then, to believe that the risks hiding in plain sight must be all of those associated with identity. This isn’t the case, however. Identity-centric security is often the known risk that companies and leaders simply choose to willfully ignore. While someone might take exception to such a strong statement, let’s be intellectually honest about the current state of the world. PayPal just lost 25% of its market value and millions upon millions of dollars because its identity controls weren’t sufficient to keep 4.5 million fake accounts from being created. No, identity is the risk that is hiding in plain sight. The identities you don’t know anything about are the risk you’re neglecting.
The identities you don’t know anything about represent the bottom 90% of the iceberg sitting directly in the path of your company. Think for a moment: do you really know that the partner in your supply chain (digital or physical) is who they say they are? How do you know that partner isn’t the designated account holder at all, but instead 18 different people reusing that designated account holder’s credentials? How do you know that the HVAC technician going into the most sensitive areas of your building is who they say they are? Or that the device calibrator using your system for engineering schematics isn’t working with a direct competitor who bribed that calibrator for their account access? This raises an incredibly important follow-on question…
How many unknown identities can you allow to access your systems before all your security spend and control processes are at risk of being breached? I know that answer. It’s one. One unknown identity has been the single most effective method of breach and attack in the history of the digital age. One unknown identity has the power to invalidate and undermine every single dollar you have spent and will ever spend trying to deliver security to your organization, your nation, your employees, and your customers. And it’s hiding right in front of us, in plain sight. While many companies have programs focused on employee IAM, and some have added programs focused on customer IAM, where are the programs for all other identities?
It is fair to argue that this notion of all other identities isn’t new, or even novel. That only amplifies the reality that we are either willfully choosing to ignore them or fully believe that those identities are absolutely and totally impossible to manage. Frankly, the latter point, that these other identities cannot be managed or controlled, is simply not accurate from either a process or a technology standpoint. SecZetta provides the solutions needed to manage these identities as well as other complicated workforce-related issues such as mergers and acquisitions. Since the technical means exist to solve this set of problems, we can only view resistance to addressing these identities as a choice to willfully ignore the risks they pose.
If we choose to ignore the existence of solutions to solve these challenges or refuse to modify our business processes to mitigate the risks of all these unknown identities interacting with our organization, those risks don’t simply go away. It is time to shine a light on these identities, these risks that are hiding in plain sight. It is time to manage and control all of our identities.
Request a demo from SecZetta, the identity authority leading the fight against the risk of what’s hiding in plain sight.
*** This is a Security Bloggers Network syndicated blog from Industry Blog - SecZetta authored by Richard Bird. Read the original post at: https://www.seczetta.com/hiding-in-plain-sight/