10 things every CISO needs to know about identity and access management (IAM)

Attackers today are weaponizing generative AI to steal identities and extort millions of dollars from victims via deepfakes and pretext-based cyberattacks. Well-orchestrated attacks that exploit victims’ trust are growing, with the latest Verizon 2023 Data Breach Investigations Report (DBIR) finding that pretexting has doubled in just a year. The risks of compromised identities have never been higher, making identity and access management (IAM) a board-level topic across many companies today.

Generative AI is the new weapon attackers are using to create and launch identity-based attacks. Michael Sentonas, president of CrowdStrike, told VentureBeat in a recent interview that attackers are constantly fine-tuning their tradecraft, looking to exploit gaps at the intersection of endpoints and identities:

“It’s one of the biggest challenges that people want to grapple with today. I mean, the hacking [demo] session that [CrowdStrike CEO] George and I did at RSA [2023] was to show some of the challenges with identity and the complexity. The reason why we connected the endpoint with identity and the data that the user is accessing is because it’s a critical problem. And if you can solve that, you can solve a big part of the cyber problem that an organization has.” 

Deepfakes and pretexting today; automated, resilient attacks tomorrow 

Some deepfake attacks are targeting CEOs and corporate leaders. Zscaler CEO Jay Chaudhry told the audience at Zenith Live 2023 about one recent incident, in which an attacker used a deepfake of Chaudhry’s voice to extort funds from the company’s India-based operations. In a recent interview, he observed that “this was an example of where they [the attackers] actually simulated my voice, my sound … More and more impersonation of sound is happening, but you will [also] see more and more impersonation of looks and feels.” Deepfakes have become so commonplace that the Department of Homeland Security has issued a guide, Increasing Threats of Deepfake Identities. 

Preying on people’s trust is how attackers plan on making generative AI pay today. Sentonas, Chaudhry and the CEOs of many other leading cybersecurity companies agree that stolen identities and privileged access credentials are the most at-risk threat vector that they are helping their customers battle. Attackers are betting identity security stays weak, continuing to offer an easy-to-defeat front door to any enterprise. A study commissioned by the Finnish Transport and Communications Agency, National Cyber Security Centre with WithSecure, predicts the future of AI-enabled cyberattacks, with some of the results summarized in the following chart:

Maximize IAM’s effectiveness by building on a foundation of zero trust

Zero trust is table stakes for getting IAM right, and identity is core to zero trust. CISOs must assume a breach has already happened and go all-in on a zero-trust framework. (However, they should be aware that cybersecurity vendors tend to overstate their zero-trust capabilities.)

“Identity-first security is critical for zero trust because it enables organizations to implement strong and effective access controls based on their users’ needs. By continuously verifying the identity of users and devices, organizations can reduce the risk of unauthorized access and protect against potential threats,” said CrowdStrike’s George Kurtz. He told the audience at his keynote at Fal.Con 2022 that “80% of the attacks, or the compromises that we see, use some form of identity and credential theft.”

Zero trust creator John Kindervag’s advice during an interview with VentureBeat earlier this year sums up how any business can get started with zero trust. He said, “You don’t start at a technology, and that’s the misunderstanding of this. Of course, the vendors want to sell the technology, so [they say] you need to start with our technology. None of that is true. You start with a protect surface, and then you figure out [the technology].” Kindervag advises that zero trust doesn’t have to be expensive to be effective. 

What every CISO needs to know about IAM in 2023

CISOs tell VentureBeat their most significant challenge with staying current on IAM technologies is the pressure to consolidate their cybersecurity tech stacks and get more done with less budget and staff. Ninety-six percent of CISOs plan to consolidate their security platforms, with 63% preferring extended detection and response (XDR). Cynet’s 2022 CISO survey found that nearly all have consolidation on their roadmaps, up from 61% in 2021. 

CrowdStrike, Palo Alto Networks, Zscaler and other cybersecurity vendors see new sales opportunities in helping customers consolidate their tech stacks. Gartner predicts worldwide spending on IAM will reach $20.7 billion in 2023 and grow to $32.4 billion in 2027, attaining a compound annual growth rate of 11.8%. Leading IAM providers include AWS Identity and Access Management, CrowdStrike, Delinea, Ericom, ForgeRock, Ivanti, Google Cloud Identity, IBM, Microsoft Azure Active Directory, Palo Alto Networks and Zscaler.

VentureBeat has curated 10 aspects of IAM that CISOs and CIOs need to know in 2023, based on a series of interviews with their peers over the first six months of this year: 

1. First, audit all access credentials and rights to shut down the growing credential epidemic

Insider attacks are a nightmare for CISOs. It’s one of the worries of their jobs, and one that keeps them up at night. CISOs have confided in VentureBeat that a devastating insider attack that isn’t caught could cost them and their teams their jobs, especially in financial services. And 92% of security leaders say internal attacks are as complex or more challenging to identify than external attacks. 

Importing legacy credentials into a new identity management system is a common mistake. Spend time reviewing and deleting credentials. Three-quarters (74%) of enterprises say insider attacks have increased, and over half have experienced an insider threat in the past year. Eight percent have had 20 or more internal attacks.

Ivanti’s recently published Press Reset: A 2023 Cybersecurity Status Report found that 45% of enterprises suspect that former employees and contractors still have active access to company systems and files. “Large organizations often fail to account for the huge ecosystem of apps, platforms and third-party services that grant access well past an employee’s termination,” said Dr. Srinivas Mukkamala, chief product officer at Ivanti.

“We call these zombie credentials, and a shockingly large number of security professionals — and even leadership-level executives — still have access to former employers’ systems and data,” he added.

2. Multifactor authentication (MFA) can be a quick zero-trust win

CISOs, CIOs and members of SecOps teams interviewed by VentureBeat for this article reinforced how critical multifactor authentication (MFA) is as a first line of zero-trust defense. CISOs have long told VentureBeat that MFA is a quick win they rely on to show positive results from their zero-trust initiatives. 

They advise that MFA must be launched with minimal disruption to workers’ productivity. MFA implementations that work best combine what-you-know (password or PIN code) authentication with what-you-are (biometric), what-you-do (behavioral biometric) or what-you-have (token) factors.

3. Passwordless is the future, so start planning for it now

CISOs must consider how to move away from passwords and adopt a zero-trust approach to identity security. Gartner predicts that by 2025, 50% of the workforce and 20% of customer authentication transactions will be passwordless.

Leading passwordless authentication providers include Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access and Windows Hello for Business. But CISOs favor Ivanti’s Zero Sign-On (ZSO) solution, because its UEM platform combines passwordless authentication, zero trust and a simplified user experience.

Ivanti’s use of FIDO2 protocols eliminates passwords and support biometrics including Apple’s Face ID as secondary authentication factors. ZSO gets high marks from IT teams because they can configure it on any mobile device without an agent — a massive time-saver for ITSM desks and teams. 

4. Protect IAM infrastructure with identity threat detection and response (ITDR) tools

Identity threat detection and response (ITDR) tools reduce risks and can improve and harden security configurations continually. They can also find and fix configuration vulnerabilities in the IAM infrastructure; detect attacks; and recommend fixes. By deploying ITDR to protect IAM systems and repositories, including Active Directory (AD), enterprises are improving their security postures and reducing the risk of an IAM infrastructure breach.

Leading vendors include Authomize, CrowdStrike, Microsoft, Netwrix, Quest, Semperis, SentinelOne (Attivo Networks), Silverfort, SpecterOps and Tenable.

5. Add privileged access management (PAM) the the IAM tech stack if it’s not there already

In a recent interview with VentureBeat, Sachin Nayyar, founder, CEO and chairman of the board at Saviynt, commented, “I have always believed that privileged access management belongs in the overall identity and access management umbrella. It is a type of access that certain users have a specific need for in any company. And when it needs to flow together [with identity access management], there are specific workflows that are specific requirements around session management, particularly compliance requirements, and security requirements … it is all part of the identity management and governance umbrella in our mind [at Saviynt].”

Nayyar also noted that he sees strong momentum to the cloud from the company’s enterprise customers, with 40% of their workloads running on Azure due to joint selling with Microsoft. 

6. Verify every machine and human identity before granting access to resources

The latest IAM platforms have agility, adaptability and open API integration. This saves SecOps and IT teams time integrating them into the cybersecurity tech stack. The latest generation of IAM platforms can verify identity on every resource, endpoint and data source.

Zero-trust security requires starting with tight controls, allowing access only after verifying identities and tracking every resource transaction. Restricting access to employees, contractors and other insiders by requiring identity verification will protect from external threats.

7. Know that Active Directory (AD) is a target of nearly every intrusion

Approximately 95 million Active Directory accounts are attacked daily, as 90% of organizations use the identity platform as their primary method of authentication and user authorization.

John Tolbert, director of cybersecurity research and lead analyst at KuppingerCole, writes in the report Identity & Security: Addressing the Modern Threat Landscape: “Active Directory components are high-priority targets in campaigns, and once found, attackers can create additional Active Directory (AD) forests and domains and establish trusts between them to facilitate easier access on their part. They can also create federation trusts between entirely different domains.

“Authentication between trusted domains then appears legitimate, and subsequent actions by the malefactors may not be easily interpreted as malicious until it is too late, and data has been exfiltrated and/or sabotage committed.”

8. Prevent humans from assuming machine roles in AWS by configuring IAM for least privileged access

Avoid mixing human and machine roles for DevOps, engineering and production staff and AWS contractors. If role assignment is done incorrectly, a rogue employee or contractor could steal confidential revenue data from an AWS instance without anyone knowing. Audit transactions, and enforce least privileged access to prevent breaches. There are configurable options in AWS Identity and Access Management to ensure this level of protection.

9. Close the gaps between identities and endpoints to harden IAM-dependent threat surfaces

Attackers are using generative AI to sharpen their attacks on the gaps between IAM, PAM and endpoints. CrowdStrike’s Sentonas says his company continues to focus on this area, seeing it as central to the future of endpoint security. Ninety-eight percent of enterprises confirmed that the number of identities they manage is exponentially increasing, and 84% of enterprises have been victims of an identity-related breach.

Endpoint sprawl makes identity breaches harder to stop. Endpoints are often over-configured and vulnerable. Six in 10 (59%) endpoints have at least one identity and access management (IAM) agent, and 11% have two or more. These and other findings from Absolute Software’s 2023 Resilience Index illustrate how effective zero-trust strategies are. The Absolute report finds that ” zero-trust network access (ZTNA) helps you [enterprises] move away from the dependency on username/password and instead rely on contextual factors, like time of day, geolocation, and device security posture, before granting access to enterprise resources.”

The report explains, “What differentiates self-healing cybersecurity systems is their relative ability to prevent the … factors that they are built to protect against: human error, decay, software collision, and malicious activities.”

10. Resolve to excel at just-in-time (JIT) provisioning

JIT provisioning, another foundational element of zero trust, reduces risks and is built into many IAM platforms. Use JIT to limit user access to projects and purposes, and protect sensitive resources with policies. Restricting access improves security and protects sensitive data. JIT complements zero trust by configuring least privileged access and limiting user access by role, workload and data classification.

Your first priority: Start by assuming identities are going to be breached  

Zero trust represents a fundamental shift away from the legacy perimeter-based approaches organizations have relied on. That’s because operating systems and the cybersecurity applications supporting them assumed that if the perimeter was secure, all was well. The opposite turned out to be true. Attackers quickly learned how to fine-tune their tradecraft to penetrate perimeter-based systems, causing a digital pandemic of cyberattacks and breaches.

Generative AI takes the challenge to a new level. Attackers use the latest technologies to fine-tune social engineering, business email compromise (BEC), pretexting, and deepfakes that impersonate CEOs, all aimed at trading on victims’ trust. “AI is already being used by criminals to overcome some of the world’s cybersecurity measures,” warns Johan Gerber, executive vice president of security and cyber innovation at MasterCard. “But AI has to be part of our future, of how we attack and address cybersecurity.”

The bottom line: Zero trust stops breaches daily by enforcing least privileged access, validating identities, and denying access when identities cannot be verified.

>>Follow VentureBeat’s ongoing generative AI coverage<<