By Raj Gopalakrishna, Co-Founder and Chief Product Architect, Acalvio Technologies
The use of stolen credentials and the identity compromises that follow have become a top attack vector. In the past year, 84% of organizations experienced an identity-related breach, and 61% of all cyberattacks are based on stolen credentials, numbers that should make organizations everywhere sit up and pay attention. Like other cybersecurity threats, threats to identities keep evolving, so identity security and management must evolve ahead of the techniques and strategies of attackers. Defenses that worked in the past may not work in the future, because attackers continually experiment to find new footholds through identity compromise and credential misuse. Often, just when an organization believes it has a handle on identity security, an attacker finds a way in from a new and unexpected direction. Staying on top of identity security matters for that reason, and to choose the best defense for your organization, you must understand all of its parts.
The identity security landscape has five notable parts that link together to form a defense. The first three, Identity Governance and Administration (IGA), IAM and PAM, and Directory Services, are well-established identity components deployed by organizations everywhere. The other two, Attack Surface Management (ASM) and Identity Threat Detection and Response (ITDR), have recently come into focus as their efficacy has improved. Think of these pieces as a brick wall, with each part an important brick in the whole.
That wall stands on a foundation we know as “Zero Trust”: no user or device is trusted on the strength of where it sits on the network or because it was trusted before. Every access request is authenticated and authorized on its own merits, using the identity, the device and the context of the request, and the resulting session is continuously monitored so that access and privileges can be governed as conditions change. Think of Zero Trust as the mortar that holds the bricks together. That foundation is critical, because identity management in hybrid and cloud environments continues to plague organizations, and as remote work remains popular, building on it is necessary for the health and security of organizations everywhere. Let’s get into the nitty gritty of the five parts of identity security.
Identity Governance and Administration (IGA)
IGA is the part of the wall most commonly known simply as “identity security”. In 2012, identity governance was recognized by Gartner as the fastest-growing sector of the identity management market. The “governance and administration” portion refers quite literally to governing and administering identities for all users and applications on an organization’s network: provisioning and deprovisioning accounts as people join, move and leave, assigning entitlements through roles and approval workflows, and periodically certifying that the access each identity holds is still needed. Ideally, it gives legitimate users easy, automated access while denying it to unauthorized users, and it removes the stale accounts and excess entitlements that attackers favor.
Identity and Access Management (IAM) and Privileged Access Management (PAM)
IAM and PAM are frameworks of policies and technologies for managing digital identities within an organization. The main difference between the two is focus. IAM covers every identity: it authenticates users and devices by validating their credentials (passwords, MFA factors, certificates) and authorizes them for the applications and data their role allows. PAM covers the small set of accounts that can do real damage, such as domain and cloud administrators, database and service accounts, and root on servers: it vaults and rotates their credentials, grants elevation just in time and for a limited period, and brokers and records privileged sessions. In essence, IAM validates everyone who wishes to join the network, while PAM is the gatekeeper for the VIP section, admitting only “privileged” users, and only after they have proven they are VIPs who belong there.
Directory Service (DS)
The Directory Service portion of our cybersecurity brick wall is the identity database. It is where information about users, groups, devices, applications and resources lives: user names, group memberships and entitlements, the password hashes or other credential material that authentication checks against, and device and service objects. Those details are what separate a legitimate user from an attacker, which also makes the directory a prime target: whoever controls it controls every identity in it. Directory services run both on-premises and in the cloud to support the growing hybrid working environment. Without this information stored in one authoritative place, the other parts of identity management have no common framework to work from.
Attack Surface Management (ASM)
The ASM part of identity security takes the attacker’s perspective rather than the defender’s, a newer approach to cybersecurity. ASM identifies attack surfaces on endpoints, privileged identities, identity stores and hypervisors where an attacker could gain a foothold (for example, credentials cached on endpoints, dormant or over-privileged accounts, and misconfigured permissions in the directory) and then works to remediate those weaknesses. ASM is becoming more crucial as the attack surface itself grows. Just as IAM, PAM and Directory Services have been affected by hybrid work, remote work means that a network’s attack surface is larger. In 2022, 67% of organizations saw their attack surfaces grow significantly. Attack surfaces are also fluid and changing, so ASM must run continuously to keep up. As digital transformation takes hold across industries, few organizations can expect their attack surface to shrink on its own; ASM is how they keep what they have inventoried, prioritized and reduced.
Identity Threat Detection & Response (ITDR)
The newest player in the identity security game, ITDR fills a critical role. Where IAM and PAM decide whether a user (or an impostor) and their device should be let in, ITDR watches the identities themselves for signs of compromise and misuse. The “R” goes a step further: where ASM remediates weaknesses before an attack, ITDR catches attackers in the act rather than only cleaning up what they have left behind. With ITDR, attackers are caught based on their behavior. Deception technology plays an important part here: decoy accounts planted in the directory, fake credentials cached on endpoints and other fake assets have no legitimate use, so any attempt to use them is the attacker announcing themselves. That throws up an immediate red flag showing exactly which host and which identity have been compromised. Because a decoy needs no baseline of normal behavior and no log of the real target, deception can detect threats that behavior analytics and log analytics miss, giving a more holistic view of cybersecurity.
If we return to our image of a brick wall, ITDR is the barbed trip wire on top, and deception technology is what gives it the barbs. An attacker may think they have “breached” the network by making it to the top of the wall, when really they find themselves caught in barbed wire. Individually, all parts of the identity security landscape are important, and together they form a strong defense. ITDR is the piece of security a plain wall is missing.
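The detection side of what this section describes can be made concrete. The following is an added illustration, not Acalvio’s product code: it assumes a small set of decoy account names have been planted in the directory and cached on endpoints, reads authentication events in the simplified JSON form a SIEM might export from the Windows Security log (EventID, TargetUserName, IpAddress, WorkstationName, TimeCreated), and raises an alert whenever any of those decoys is used, because nothing legitimate ever authenticates as them. The account names, IP addresses and sample events are constructed for the example.

```python
import json
from collections import defaultdict
from dataclasses import dataclass

# Decoy identities planted in the directory and as cached credentials on
# endpoints. The names are assumed for this example; what matters is that
# nothing legitimate ever authenticates with them.
DECOY_ACCOUNTS = {"svc_backup_adm", "helpdesk_t2", "sql_sa_legacy"}

# Windows Security log event IDs that record an authentication attempt.
AUTH_EVENTS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT requested",
    4771: "Kerberos pre-authentication failed",
}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    account: str
    event_id: int
    description: str
    source_ip: str
    workstation: str


def normalize_account(name: str) -> str:
    """Reduce 'CORP\\User', 'user@corp.local' and mixed case to one form."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.strip().lower()


def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Return one Alert per authentication event that names a decoy account.

    `lines` are newline-delimited JSON records with the fields a SIEM would
    export from the Windows Security log. Non-authentication events and
    events for real accounts are ignored; no behavioural baseline is needed.
    """
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid not in AUTH_EVENTS:
            continue
        account = normalize_account(ev.get("TargetUserName", ""))
        if account not in decoys:
            continue
        alerts.append(Alert(
            timestamp=ev.get("TimeCreated", ""),
            account=account,
            event_id=eid,
            description=AUTH_EVENTS[eid],
            source_ip=ev.get("IpAddress", "-"),
            workstation=ev.get("WorkstationName", "-"),
        ))
    return alerts


def group_by_source(alerts):
    """Map each source IP to the decoy accounts it touched: the hosts to
    isolate first during response."""
    sources = defaultdict(set)
    for a in alerts:
        sources[a.source_ip].add(a.account)
    return {ip: sorted(accts) for ip, accts in sources.items()}


# Constructed sample events (not real log data). Lines 2 and 3 show a host at
# 10.0.0.42 requesting a ticket for a decoy service account (a typical
# Kerberoasting step) and then trying a decoy helpdesk password it found cached.
SAMPLE_EVENTS = [
    '{"TimeCreated":"2024-05-01T09:12:03Z","EventID":4624,"TargetUserName":"CORP\\\\alice","IpAddress":"10.0.0.15","WorkstationName":"WS-ALICE"}',
    '{"TimeCreated":"2024-05-01T09:14:41Z","EventID":4768,"TargetUserName":"svc_backup_adm","IpAddress":"10.0.0.42","WorkstationName":"-"}',
    '{"TimeCreated":"2024-05-01T09:15:02Z","EventID":4625,"TargetUserName":"HelpDesk_T2@corp.local","IpAddress":"10.0.0.42","WorkstationName":"WS-FINANCE-07"}',
    '{"TimeCreated":"2024-05-01T09:16:30Z","EventID":4624,"TargetUserName":"bob","IpAddress":"10.0.0.16","WorkstationName":"WS-BOB"}',
]

if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.timestamp} DECOY {a.account}: {a.description} from {a.source_ip} ({a.workstation})")
    print("hosts to isolate:", group_by_source(found))
```

The point of the design is that the rule needs no tuning: a decoy has no legitimate traffic, so a single event is enough to alert, and grouping by source address immediately names the host the response team should isolate. In a real deployment the decoy list would be rotated and kept out of any place an attacker could read it, and a successful 4624 for a decoy should be treated as an already compromised credential rather than a mere probe.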
Building our Brick Wall
On its own, each part of identity security is a solid brick; combined, they form a rock-solid defense. Add Zero Trust as a steadfast foundation and ITDR as the barbed wire on top, and attackers have their work cut out for them trying to breach an organization’s defenses. ITDR and ASM are the advantages organizations have been looking for, and with deception technology, cybersecurity has an edge that attackers are not prepared for. In the current chaotic and malicious attack environment, any advantage can mean the difference between a breach and stopping an attacker before they do damage.
About the Author
Raj Gopalakrishna is a Co-Founder and Chief Product Architect at Acalvio Technologies. Raj brings 30+ years of R&D experience and holds over 20 patents. Prior to joining Acalvio, Raj was SVP and Distinguished Engineer at CA Technologies (acquired by Broadcom in 2018) and the VP of R&D at Arcot Systems. Raj can be reached online on LinkedIn and at our company website https://www.acalvio.com/.