SAN FRANCISCO -- Identity may be the new perimeter in a cloud-centric world, but too many enterprises see their cloud identities stolen.
A Cloud Security Alliance Summit panel discussion, dubbed "Surviving the Identity Apocalypse," during RSA Conference 2018 on Monday tackled identity and access management (IAM) issues in the cloud, including how the theft and compromise of cloud credentials can lead to large-scale breaches. The panel, moderated by Phil Dunkelberger, president and CEO of Nok Nok Labs, based in Palo Alto, Calif., discussed the problem and offered approaches on how to better protect and manage credentials in order to limit attack surfaces in corporate cloud environments.
"It's a telltale sign for the industry at the moment that the biggest problem we've got is around compromised credentials, and identity management still isn't working for us," said Bill Mann, senior vice president of products and chief product officer at Centrify, based in Santa Clara, Calif.
Sami Laine, director of technical marketing at San Francisco-based Okta, said "identity used to be a boring IT problem," but that's no longer the case. "You're still going to have all those [security] investments that you made, your moats and sharks with lasers," he said. "But, now, everything outside of that really comes down to identity and authorization events."
The problem, Laine said, is that companies had many "identity silos" in their on-premises networks, and those silos need to be consolidated so there is one control point for all accounts. That consolidation, he said, will make it much easier to onboard and deprovision people and give them the right amount of access.
The panelists largely agreed that current IAM approaches can be problematic for cloud environments. Ash Devata, vice president of products at Duo Security, based in Ann Arbor, Mich., said there's "more working than not working" with identity and access management today, but many companies are still transitioning from "the old school to the new school."
Mann said there are several reasons why identity management doesn't currently work for enterprises. First, he said, the industry hasn't really solved the problems of IAM in the on-premises world, and those problems are even more complicated in the cloud. In addition, too many applications don't have proper IAM controls built in from the start.
"The depressing thing for me about identity management is that we all know it needs to be done," Mann said. "But the legacy solutions out there are not going to resolve it. And there are modern solutions, but there's a slowness in the market to understand that this is so much more important than everything else we're doing."
Sol Cates, vice president of technology strategy at Thales eSecurity, based in San Jose, Calif., said the problems he sees at enterprises often are not technical in nature; instead, it's the management aspect of IAM, such as handling privileged accounts, provisioning third-party access and governing different identity groups across an enterprise. "They struggle not so much with technical implementation -- it's the organization," he said.
Root accounts and other problems
The panelists said, often, the compromised cloud credentials being abused by threat actors aren't even tied to a specific employee.
Mann said he typically finds root accounts with weak passwords lingering within enterprises. Those accounts are usually provisioned for limited-time use for superusers within an organization, but they aren't always deprovisioned. Therefore, when an attacker gains entry to a specific system, there may be old root accounts tied to that system that have been forgotten, but are still active.
"That root account can do everything," Mann said. "What we find is really working is going into organizations and getting rid of those root accounts and getting people to log in as themselves."
Forcing users to consistently log in as themselves instead of using anonymous root or superuser accounts is better for security, Mann said, because enterprise security teams can better track each individual user's activity and pinpoint problems.
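The lingering-root-account problem Mann describes is one an organization can check for mechanically once accounts are consolidated in a single inventory. The script below is an added example, not code from the panel or from any vendor mentioned in the article; the inventory format (a list of records with name, privileged, owner, expires, enabled and last_login fields) is an assumption made for illustration, and the sample records are constructed.

```python
"""Audit a consolidated account inventory for lingering privileged accounts.

Added example for illustration; the record format below is assumed, and real
IAM exports will differ. Three conditions the panel warned about are flagged:
a privileged account not tied to a named person, one whose intended lifetime
has passed but is still enabled, and one nobody has logged into for a long time.
"""
from datetime import date, timedelta

# Constructed sample inventory: the kind of export a consolidated identity
# store might produce. Dates are ISO strings; owner is an e-mail or None.
SAMPLE_INVENTORY = [
    {"name": "root", "privileged": True, "owner": None,
     "expires": "2017-06-30", "enabled": True, "last_login": "2018-04-10"},
    {"name": "alice", "privileged": True, "owner": "alice@example.com",
     "expires": None, "enabled": True, "last_login": "2018-04-15"},
    {"name": "dba-temp", "privileged": True, "owner": "bob@example.com",
     "expires": "2018-01-31", "enabled": True, "last_login": "2017-11-02"},
    {"name": "svc-backup", "privileged": False, "owner": "ops-team@example.com",
     "expires": None, "enabled": True, "last_login": "2018-04-16"},
    {"name": "admin-old", "privileged": True, "owner": None,
     "expires": None, "enabled": False, "last_login": "2016-02-01"},
]


def audit_privileged_accounts(inventory, today="2018-04-16", stale_days=90):
    """Return {account name: [findings]} for enabled privileged accounts.

    Findings:
      "no_owner" - shared root/superuser account not tied to a named person
      "expired"  - provisioned for limited-time use, lifetime over, still enabled
      "stale"    - no login within stale_days, yet still enabled (forgotten)
    Disabled and non-privileged accounts are skipped.
    """
    as_of = date.fromisoformat(today)
    findings = {}
    for acct in inventory:
        if not acct["enabled"] or not acct["privileged"]:
            continue
        issues = []
        if not acct["owner"]:
            issues.append("no_owner")
        if acct["expires"] and date.fromisoformat(acct["expires"]) < as_of:
            issues.append("expired")
        last_login = date.fromisoformat(acct["last_login"])
        if as_of - last_login > timedelta(days=stale_days):
            issues.append("stale")
        if issues:
            findings[acct["name"]] = issues
    return findings


def deprovisioning_candidates(findings):
    """Accounts to disable outright: expired or stale ones.

    An ownerless account that is still in active use needs a named owner
    assigned (or replacement with individual logins) rather than a blind disable.
    """
    return sorted(name for name, issues in findings.items()
                  if "expired" in issues or "stale" in issues)


if __name__ == "__main__":
    result = audit_privileged_accounts(SAMPLE_INVENTORY, "2018-04-16")
    for name, issues in result.items():
        print(f"{name}: {', '.join(issues)}")
    print("disable first:", deprovisioning_candidates(result))
```

Run against the constructed inventory, the audit flags `root` (no owner, past its expiry but still enabled) and `dba-temp` (expired and unused for months), while `alice`, the non-privileged service account and the already-disabled `admin-old` produce no findings. The thresholds and fields are the knobs a real deployment would tune; the point is that accountability checks like these become possible only after the identity silos Laine mentions are collapsed into one inventory.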
"We've been living with this for 40-plus years. Root accounts are not new. DBA [database administrator] accounts are not new," Cates said. "How we look at them as identity pieces -- as service accounts instead of a human that acquires them -- is where we struggle with the whole concept of identity management."
In addition to tying all accounts to actual human users, Cates recommended strict segregation of duties for privileged accounts. That way, if someone's cloud credentials are compromised in a malware or phishing attack, the threat actor will have a very limited scope of capabilities, and it will be harder to move laterally and gain high privileges.
Devata said one positive in the IAM space is the push toward standards such as SAML and FIDO. The technology to better manage cloud credentials and prevent compromises is available, he said, but customers have to have the right IAM strategies.
Laine agreed and said IAM standards make it easier for enterprises to quickly provision and deprovision access and manage privileges for those accounts.
"That's attack-surface reduction. As security practitioners, that's gold," he said.
But the panelists also warned of falling victim to too much technology hype in the IAM space. Devata joked that too many C-level executives "probably read a magazine on an airline and saw something on blockchain identity," which won't solve underlying IAM issues unless the company has the right strategy in place. "Don't start a project saying, 'I want blockchain identity management.' Please don't," he said.
Mann agreed and encouraged audience members to focus on developing the right strategies, processes and approaches for cloud IAM before investing in products or services to solve their problems. "We're spending money on the wrong things," he said. "We're spending $18 billion a year on security, and it's not working."