Data breaches are surging rapidly, and access control and authentication need to be tightened because of the associated risks.
With data breaches increasing worldwide, it has been observed that compromised credentials are the primary attack vector for new-age cyber adversaries. According to a recent report by the Identity Defined Security Alliance, credential-based data breaches are omnipresent: nearly 94% of organizations have encountered an identity-related attack. They are also highly preventable, up to 99%.
Many enterprises still lack basic identity-related security controls. Some of the bigger organizations have started implementing proper access controls, but these typically focus on human users. With widespread digital transformation initiatives across DevOps, the Internet of Things, cloud transformation and so on, the number of non-human identities far exceeds the number of human users.
Now the question arises: how are organizations aiming to control access to their sensitive resources?
Static passwords have been used to access accounts and services for ages, and in most cases the passwords remain unchanged throughout. This makes the credentials highly susceptible to threat actors: a static password offers little assurance that a user is authentic, and it could easily be a compromised one, purchased on the dark net. Once it is in the hands of cybercriminals, a stolen password can allow unrestricted access to the compromised account. Even if a company has strengthened its security posture by using multi-factor authentication (MFA), the added protection layer does not actually address the risks linked with non-human identities.
Organizations need to move beyond static passwords
Non-human identities include services, workloads, and machines, and they represent the majority of ‘users’ in many organizations. In today’s IT infrastructures, machine identities have a significantly larger footprint than traditional human privileged accounts. This holds for DevOps and cloud environments, where task automation plays a dominant role. Such factors generally create a blind spot, as IoT, machine, application, and service account identities are not considered when setting up security controls.
Clearly, many organizations are underestimating the significance of these non-human identities in a data breach. They understand that a traditional static password approach, which demands manual and time-consuming configuration, is not suited to fast-moving multi-cloud and hybrid environments. However, the integration of identity with security is still a work in progress for many organizations. Static passwords are not suitable for a machine identity-centric IT ecosystem that is designed for agility and fast-paced change. This calls for a more advanced approach: a dynamic password model that can lower the risk of identity breaches.