Unused identities: A growing security threat
In early May 2021, Colonial Pipeline, the operator of the pipeline that pumps 45% of the East Coast’s fuel, announced that they had been hacked.
In his testimony before the Senate Committee on Homeland Security and Governmental Affairs, the company’s president and CEO Joe Blount told lawmakers that the hackers had breached their network via a compromised legacy VPN account.
This incident has nearly all the elements of security gone wrong:
- Compromised credentials were found in a list of stolen data
- The account wasn’t protected by multi-factor authentication
- The attackers used a (most probably unmonitored) legacy service to break in
The compromised account was quite likely a holdover profile that was spun up by the IT team at an earlier date and they simply lost track of it, forgetting to block off its access to their network when they switched to a different system.
Their mistake highlights a common problem: access is granted to identities, but then managers lose visibility over these authorizations and they remain exposed. The risks from this mismanagement is only increasing as these user-less accounts grow in numbers, but there is hope if your organization is capable of some basic security hygiene.
Out of sight, out of mind – but still a risk
According to our internal research, 6% of user accounts within an organization are inactive. But just because they are not being used does not mean that they cannot be compromised. If an attacker gains access to one of these accounts, especially if they are unmonitored, they can use those permissions to reach the organization’s assets.
In some cases, these accounts might have belonged to former employees who have since left the organization. Others might have belonged to people who have changed roles and are no longer using those specific identities.
While these are issues that must be contended with, Identity Governance and Administration (IGA) tools do a pretty good job of addressing them under the Joiner, Mover, Leaver Lifecycle Management framework.
These tools, however, have blind spots in areas such as mismanaged empty groups and robotic identities. Both categories have permissions that can be used and abused.
Even when empty groups aren’t numerous in an organization, they often have access to thousands of files, providing a large enough window for hackers to steal data or cause disruption without detection.
The situation does not improve when it comes to the robotic identities. These are the service accounts that are used for performing all sorts of tasks, and as such, have a range of permissions –– including admin privileges in some cases. Forrester has estimated that the number of non-human identities has doubled over the last year.
How to identify, monitor, and remediate
The first step towards taking control over your identities and assets’ authorizations is to know what you have. This starts with scanning across all your XaaS environments – that’s SaaS, IaaS, and PaaS – and taking an inventory of which identities have authorization to which assets.
This involves ingesting the data from these different environments, normalizing the data into a workable model, and then correlating it with your identities from your identity provider (IDP) like Okta, Ping, Azure AD, or Google.
The goal here is to understand the relationship between the identities and assets, assessing a wide range of factors including their usage and if they are right sized to meet the policies/needs of the organization.
Are there identities with permissions to assets that have not been used in at least 60 days? This might be a good time to revoke those authorizations. But that’s just a surface-level case. Once you start analyzing your entitlements on a deeper level, you’ll begin to find that there are more permissions granted to your identities than you’re likely to want to admit. This is especially true for permissions that shouldn’t have been granted in the first place.
Once we understand what we have, we need to figure out how we are going to: a) fix all the misaligned entitlements that have accumulated over the years and b) create a plan for doing it correctly from now on.
As you monitor, remediate risky authorizations as they pop up. If you come across an empty group, then close it. Same for robotic identities that are not in regular use.
If you are automating your entitlement provisioning process, then it will be easier to revoke permissions and spin them up again in the future than deal with a crisis.
To be effective at eliminating the risks that come with unused identities, we need to transition to a state where we are ingesting data, monitoring for violations, and remediating constantly.
The current standard of periodic checks might satisfy auditors, but it’s not enough if we want to enforce sufficient security standards moving forward.