The term “zero trust” was popularized in 2009 by John Kindervag, who was then an analyst at Forrester. In the 15 years since, we’ve seen zero trust take off and take on a life of its own. It’s spawned entire philosophies and toolsets that have vastly improved enterprises’ ability to protect themselves from cyberattacks.
Zero trust is based on the principle of “never trust, always verify,” which means that nothing inside or outside of an enterprise’s environment is trusted by default. Anyone trying to access data, applications, and resources must be verified before gaining entry. (There’s still the issue of privilege management, but more on that later…)
Because zero trust worked so well, many of the “traditional” attack methods used a decade ago have become much more difficult to execute successfully today. Attackers are instead shifting their tactics toward identity-based attacks. The goal of these attacks is to log into an enterprise’s environment as an employee or admin and gain unauthorized access to data and systems. Attackers can achieve this through a number of tactics, such as stealing credentials or hijacking session cookies, either of which lets them pass the “always verify” check as a legitimate user.
SaaS explosion creates new identity complexity
According to the 2023 Verizon Data Breach Investigations Report, nearly half (49%) of all data breaches involve compromised credentials — and the identity perimeter is only continuing to expand. One of the main culprits of this “identity sprawl” is the explosion in SaaS adoption. As SaaS becomes more pervasive, it’s creating several new layers of complexity for IT and security departments.
When SaaS first arrived, there was this idea that moving to SaaS would make IT’s life easier. There is some truth to that notion, since SaaS apps are simpler to operate than on-prem solutions. However, the problem is that companies have adopted SaaS at incredibly high volumes across every facet of the business. In fact, according to Zylo’s 2023 SaaS Management Index, the average organization has 291 SaaS applications.
Beyond volume, SaaS has also created a new layer of hybrid complexity in enterprise environments. Cloud migration is definitely happening, but not all at once, and not overnight. In most cases, enterprises today still run some applications on-prem alongside those in the cloud.
From a security perspective, it’s also important to keep in mind that each SaaS application is on its own authorization maturity curve. Many of the larger, more prominent SaaS or cloud providers like Salesforce and AWS have expansive and mature authorization management, with dedicated APIs and controls. Newer products, however, span a wide spectrum of authorization tooling, so there isn’t even consistent terminology or a consistent mechanism for controlling authorization across apps. In an enterprise environment, this authorization complexity can create significant headaches for IT.
Steps to prevent identity-based attacks
In 2024 (and for the foreseeable future), SaaS complexity will only compound the overall problem of identity management and security. Thankfully, there are several practical ways for enterprises to shore up identity defenses and bolster their existing zero trust strategies:
- Multi-party authorization: Implementing multi-person workflows for authorization is by far one of the most effective ways to prevent identity-based attacks. This concept has been used in engineering for more than a decade (required reviews on GitHub pull requests are the familiar form). In software development, anytime you want to put code into production, it has to have a second review. Similarly in the world of finance, the concept of separation of duties (SoD) is used as an internal control to prevent fraud and error in financial transactions. SoD ensures that no one person has total control over the lifespan of a transaction. The same approach can be applied to review and approve access to key applications: the requester can never be the approver, and the approvers must be people who own the application or data. This method is also a great way to prevent insider threats, which are still a very real concern for enterprises.
- Decentralized decision-making: Building on the concept of multi-party authorization is the decentralization of access decision-making. Historically, many enterprises have relied on IT to determine who should or shouldn’t have access to a specific application. However, especially at larger organizations, IT is rarely going to know what any given person’s job role is, let alone the permissions they should have for any given application. Instead, businesses should push access decision-making to the individual in the best position to make that decision, which in many cases is the app owner or the data owner.
- Monitoring and alerting: When it comes to improving identity security, the seemingly simple concepts of monitoring and alerting are not to be underestimated. Continuously monitoring for unusual access patterns or permissions changes — especially for high-value applications — can significantly reduce the impact of an identity-based intrusion. One of the biggest challenges with monitoring is that it’s hard to do it everywhere. Start by picking a few key apps with the most sensitive data or most operational importance.
- Zero standing privileges (ZSP): Building on the concept of zero trust, zero standing privileges (ZSP) helps businesses move away from birthright access (i.e., granting access to a user by default based on their role) and long-lived access (i.e., granting access to a user for a longer timeframe than is required). In an enterprise with ZSP in place, a user is only granted the minimum levels of access and privilege needed to complete a task, and only for a limited amount of time, after which the grant expires on its own. This means that should an attacker gain entry to a user’s account, there is far less potential for them to access sensitive data and systems.
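To make the four controls above concrete, here is an added example (not ConductorOne’s code, and not a description of any product) that models them in a few dozen lines of Python: an app-owner registry so access decisions sit with owners rather than central IT, a two-approver workflow in which the requester can never approve their own request, time-bound grants that expire on their own (zero standing privileges), and a small alerting pass over audit lines that flags role changes made outside the approval workflow or sensitive roles added off-hours. The owner registry, role names, audit-line format and sample audit lines are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical app-owner registry: the app owner, not central IT, approves
# access to each application (decentralized decision-making).
APP_OWNERS = {
    "salesforce": {"alice", "carol"},
    "aws-prod": {"dave", "erin"},
}
SENSITIVE_ROLES = {"admin", "billing-admin"}


@dataclass
class AccessRequest:
    requester: str
    app: str
    role: str
    approvals: set = field(default_factory=set)


@dataclass
class Grant:
    user: str
    app: str
    role: str
    expires_at: datetime


def approve(req: AccessRequest, approver: str, required: int = 2) -> bool:
    """Multi-party authorization: only owners of the app may approve, nobody
    may approve their own request, and `required` distinct approvals are
    needed. Returns True once the request is fully approved."""
    if approver == req.requester:
        raise PermissionError("a requester cannot approve their own request")
    if approver not in APP_OWNERS.get(req.app, set()):
        raise PermissionError(f"{approver} is not an owner of {req.app}")
    req.approvals.add(approver)
    return len(req.approvals) >= required


def issue_grant(req: AccessRequest, now: datetime,
                ttl: timedelta = timedelta(hours=1), required: int = 2) -> Grant:
    """Zero standing privileges: a grant is minted only for a fully approved
    request and always carries an expiry; there is no birthright access."""
    if len(req.approvals) < required:
        raise PermissionError("request is not fully approved")
    return Grant(req.requester, req.app, req.role, now + ttl)


def has_access(grants: list, user: str, app: str, role: str,
               now: datetime) -> bool:
    """Access check: an expired grant is treated exactly like no grant."""
    return any(g.user == user and g.app == app and g.role == role
               and g.expires_at > now for g in grants)


def parse_audit_line(line: str) -> dict:
    """Parse a constructed 'timestamp key=value ...' audit line into a dict."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    event.update(p.split("=", 1) for p in pairs)
    return event


def alert_on_permission_changes(lines: list) -> list:
    """Monitoring and alerting: flag role additions that bypassed the approval
    workflow, and sensitive-role additions outside 08:00-18:00 UTC."""
    alerts = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev.get("action") != "role_added":
            continue
        if ev.get("via") != "workflow":
            alerts.append(f"{ev['target']} given {ev['role']} on {ev['app']} "
                          f"by {ev['actor']} outside the approval workflow")
        if ev["role"] in SENSITIVE_ROLES and not 8 <= ev["ts"].hour < 18:
            alerts.append(f"sensitive role {ev['role']} on {ev['app']} added "
                          f"to {ev['target']} at {ev['ts'].isoformat()} (off-hours)")
    return alerts


# Constructed sample audit lines, not real logs.
SAMPLE_AUDIT = [
    "2024-03-04T10:05:00Z actor=workflow action=role_added target=bob app=salesforce role=viewer via=workflow",
    "2024-03-04T02:13:00Z actor=svc-admin action=role_added target=bob app=aws-prod role=admin via=console",
    "2024-03-04T11:00:00Z actor=workflow action=role_removed target=bob app=salesforce role=viewer via=workflow",
]


def demo() -> dict:
    """Walk one request through approval, grant, expiry and the alert pass."""
    now = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
    req = AccessRequest("bob", "salesforce", "admin")
    approve(req, "alice")                   # one owner approval is not enough
    fully_approved = approve(req, "carol")  # second distinct owner: approved
    grants = [issue_grant(req, now)]        # one-hour grant, nothing standing
    return {
        "fully_approved": fully_approved,
        "access_now": has_access(grants, "bob", "salesforce", "admin", now),
        "access_later": has_access(grants, "bob", "salesforce", "admin",
                                   now + timedelta(hours=2)),
        "alerts": alert_on_permission_changes(SAMPLE_AUDIT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two details are worth noting. The grant store never holds a grant without an expiry, so “revocation” of the normal case is simply the passage of time; and the alert pass keys on the `via` field, which is where the value of a workflow shows up for detection: any role change that did not come through it is, by construction, either a break-glass action or an attacker with a stolen admin identity, and both deserve a ticket.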
In cybersecurity, one of the few constants is that attackers are always going to look for the most value with the least amount of effort. As of today, that least-effort attack vector is increasingly the identity perimeter. The only way to change this paradigm is to significantly reduce the value of an identity-based exploit, ideally down to zero. That way, if and when an attacker gets in, there is nothing of value for them to take or tamper with. With concepts like ZSP and other advanced access policies to reduce risk, I have hope that we as an industry can make a significant dent in the value of identity-based attacks.
Go deeper → Moving Beyond Zero Trust
Want to learn more about how ConductorOne can help you protect identity? Take a self-guided product tour or talk to our team!