GRC Viewpoint

Securing Identity & Access Management Vulnerabilities in the Midst of Cloud Migration and IT Digitization Initiatives

In virtually every sector across the economic value chain, cloud computing has become ubiquitous. During the Covid-19 pandemic, centralized on-premise workforces moved to distributed and remote environments, a major factor leading to the now-essential nature of cloud services as a core component of IT systems. According to Microsoft, over 95% of Fortune 500 companies are using cloud services. However, this trend is not solely present in the private marketplace, as government, defense, and regulated critical infrastructure groups are also migrating IT operations to the cloud. In the nascent days of cloud infrastructure development and deployment, the benefits of using these services to enhance workforce productivity and bring new business capabilities and solutions to market far outweighed the potential security risks. However, this threat matrix has significantly changed in recent years as malicious actors and nation state threats have exposed vulnerabilities spanning the gamut of cloud security architecture. 

One of the largest attack surfaces presented by an organization leveraging cloud services is related to user identity and access management. According to Verizon’s 2020 Data Breach Investigations Report, over 80% of hacking events involve the use of lost or stolen credentials. Using valid credentials enables a malicious actor to penetrate beyond corporate firewalls, providing a cover of trust for lateral movement and escalation into more secure systems. To help solve this issue, IT administrators have traditionally implemented 2-Factor Authentication (2FA) via services such as an SMS (text message) or One Time Password (OTP). 

Today’s sophisticated class of hacking enthusiasts have found ways of compromising these systems, and a result, most companies seeking to secure their cloud operations and data now use Multi-Factor Authentication (MFA). These MFA systems require more than two verification methods from users. Companies decide, oftentimes via their identity and access management vendor, which combination of MFA Factors are used within specific departments or user groups. Industry standard MFA utilizes three factors: Knowledge (password or security 

question); Possession (PIN or physical key); and Inherence (biometric). More advanced MFA systems also incorporate location (IP address and device physical location), behavior (typing cadence, mouse movement, etc.), and other factors proprietary to specific vendors.

However, the successful use of a company’s MFA is only as strong as the users who are willing to engage in the process. When MFA systems are too cumbersome, time consuming, or complex, many users revert to shadow IT practices. The security burden typically falls on IT administrators, of which 80% experienced pushback from users after updating security policies to account for work from home arrangements. The same HP Wolf Security Rebellions & Rejections report also highlighted that “31% of office workers surveyed aged 18-24 had tried to circumvent security.”  When users are unwilling to prioritize security as a result of friction and process inefficiencies, vulnerabilities are left wide open for malicious actors to exploit. 

In order to be effective, cybersecurity controls must be both convenient and highly secure. This dichotomy has produced a range of security solutions ranging from identity proofing, user authentication, and post-login flow stages of access management. However, as the user is normally the first point of compromise in a cyberattack, emphasizing advanced multi-factor authentication methods with limited to no user friction should be a priority for companies seeking the most bang-for-your-security-buck. With this in mind, organizational leadership should think of cybersecurity in the ‘being chased by a bear scenario’. You don’t have to be the fastest to get away, you just can’t be the slowest.

Focusing on the low hanging fruit of security solution implementation, such as mandating advanced multi-factor authentication, nudges hackers to seek easier targets elsewhere. Highly secure authentication platforms can be user-friendly, and are often Public Key Infrastructure (PKI)-based with WebAuthn and other FIDO2 enabled-Passwordless MFA. Users engage in a Passkey QR code flow or present a Hardware Authentication Device alongside a PIN. When deployed in addition to some of the advanced MFA factors previously mentioned, this authentication methodology offers some of the most secure identity and access management framework available today.  

In regulated industries where specific operations like energy generation, waste and water management, telecommunications, etc. are deemed critical infrastructure, as well as in the government and defense sectors, compliance requirements and standards ensure that Zero Trust Architecture and some form of identity proofing and multi-factor authentication protocols are being implemented, in addition to a varying degree of other cybersecurity tools depending on the nature of the business. The US Department of Homeland Security states that “Cybersecurity threats to critical infrastructure are one of the most significant strategic risks for the United States.” 

Emerging threats related to Artificial Intelligence and the advent of a Cryptographically Relevant Quantum Computer come to mind as especially threatening, even more so when considering the loss-of-life level consequences of a successful attack in critical infrastructure. Store Now, Decrypt Later campaigns by foreign adversaries have been underway for years, capturing valuable encrypted information while awaiting advent of a Cryptographically Relevant Quantum Computer (CRQC), eventually used to decrypt the troves of data collected in the meantime.

Leonard Kleinman, CTO, Palo Alto Networks was quoted in a February 2023 issue of Forbes stating “[quantum computing]…creates new risks and exposures, particularly around its ability to break most modern encryption, which underpins the internet, communications and e-commerce—the very fabric of our society.” Current identity and access management principles rely on modern symmetric and asymmetric encryption. Most, if not all, of which is irrelevant and ineffective when a CRQC is actively being used by adversaries. 

When deploying any cybersecurity solution, it’s important to keep focus on the next evolution of the threat matrix. Just as the initial use of cloud services led to cloud computing becoming an essential component of IT operations over the course of just a few years, many believe that quantum-resilient identity and access management platforms relying on non-exfiltratable credentials will be the next evolution of advanced multi-factor authentication. An attacker’s offensive position is naturally advantageous, and highly secure defensive postures are essential to ensuring the protection of data, operations, and essential services. Users are the first line of defense, and arming them with quantum resilient, non-exfiltratable credentials brings a major leap forward in defensive posture. As Robert Mueller, FBI Director, put it during a speech back in 2012, “There are only two types of companies: those that have been hacked, and those that will be.” Companies should be doing everything they can to protect themselves from breaches. It all starts with gating access to secure systems by deploying a highly secure identity and access management platform built to protect against the next wave emerging and disruptive threats.

By Shawn Moorhead, Vice President of Market & Business Development, Lastwall

Lastwall provides a Public Key Infrastructure-based identity platform hardened with post-quantum cryptographic resilience to protect cloud data and prevent unauthorized access to cloud services (Identity as a Service). Lastwall authenticates users during login by analyzing hundreds of contextual data points in conjunction with the use of passwordless, non-exfiltratable credentials (Webauthn or other FIDO-2 enabled passwordless MFA). Secured using the NIST SP 800-53 and 800-63 control sets, the Lastwall solution protects third party cloud services and IT networks from credential-based and Multi-Factor Authentication attacks, post-breach lateral movement, and ‘Steal Now – Decrypt Later’ threats in a post quantum environment.

Related Articles

Latest Articles