Most security professionals have long recognized the importance of thinking about cyber defense against the backdrop of the enterprise attack surface – namely, all of the potential entry points, including applications, hardware, and employee laptops that a hacker could leverage to gain access to company systems and corporate data. As cyber threats have magnified in recent years, new flavors of attack surfaces have emerged, including the Identity Attack Surface. As identity-based attacks continue to grow and dominate headline news, it’s important to understand what the identity attack surface is and what tools and approaches security leaders are using to implement effective management. This blog dives into the fundamentals of Identity Attack Surface Management (IASM).
What the heck is the “Identity” Attack Surface?
The Identity Attack Surface includes all systems of a corporate network, on-premises and/or cloud, that authenticate human or automated interactions and grant access to corporate systems based on that authentication. The goal is for organizations to proactively understand and limit every point of exposure through which unauthorized actors can compromise, steal, or misuse identities to gain access to systems, data, and services. It encompasses the configuration and management of identity systems such as directories, user accounts, authentication mechanisms, and privileged access and permissions management. The broader and more complex the IT environment, the larger this surface becomes, creating more opportunities for attackers to infiltrate systems.
A reality that organizations are often forced to deal with is a fragmented identity landscape where they must maintain consistency across on-premises Active Directory, Entra ID, and various other cloud identity providers. Managing and securing credentials across these hybrid systems and services often leads to credential sprawl. This can happen in several ways, but it will often occur when unauthorized cloud services are deployed by regular employees, bypassing central identity management policies (a concept known as shadow IT). Another common example is administrators creating backdoor service accounts, with or without malicious intent, that bypass governance policy workflows and can later be utilized by attackers.
Keep in mind that the ultimate goal of Identity Attack Surface Management is to help organizations understand how an attacker perceives their attack surface and which areas to prioritize based on criticality, so they can transition to a proactive approach to cybersecurity and risk management. We’ve compiled a list of strategic approaches for implementing Identity Attack Surface Management principles that will proactively limit identity-related risks when managing hybrid IT environments:
- Implement a unified governance framework or a platform for Identity Governance & Administration (IGA) policies
  - Establish a centralized identity lifecycle management policy with consistent access controls across all on-premises and cloud environments. IGA platforms require significant time and effort to implement and introduce process overhead, so some organizations choose not to deploy them.
  - Connecting to all data sources, normalizing data, creating workflow rules, and performing ongoing manual access reviews is time-consuming. Because IGA deployments can take years, a successful rollout prioritizes the most business-critical and highest-risk identities first.
- Require that 100% of human and non-human accounts use modern authentication methods
  - Implement multi-factor authentication (MFA) across all systems and strategically roll out passwordless authentication. Where passwords remain, enforce policies that require complexity and rotation (note that current NIST SP 800-63B guidance favors length and screening against breached-password lists over mandatory periodic rotation). Use adaptive, risk-based authentication that detects anomalous behavior and triggers step-up authentication.
  - On average, non-human accounts outnumber human accounts 50 to 1, and non-human accounts tend to hold privileged access rights. That’s why it’s critical that every non-human account is inventoried and a strong identity security posture is enforced for it. Many organizations map each non-human account to a human owner to ensure it is appropriately governed and monitored.
- Enhance visibility and monitoring to include all on-premises infrastructure and applications
  - If identities are stored in multiple locations across on-premises and cloud directories, deploy identity-specific security solutions to identify, manage, and remediate risk. These solutions must continue to support your critical on-prem and cloud identity infrastructure.
  - Create security strategies that address both on-premises and cloud user directories and business applications. Proactively understand your identity-related risks with hygiene and posture management policies, monitor configuration changes on an ongoing basis, and conduct regular identity audits and access reviews.
- Secure identity federation and implement least-privilege access principles
  - Properly configure and secure identity federation between on-premises and cloud services. Grant accounts only the access rights they need to do their job, and ensure that accounts with privileged access rights are managed or vaulted.
  - Continuously validate user identity and endpoint/device health. This is a key component of a secure environment and should be applied consistently across all endpoint and device types.
- Focus on Privileged Access Management (PAM) credentials and their passwords
  - Implement just-in-time (JIT) privileged access. Use credential vaults to secure ALL accounts, both human and non-human. Complexity and rotation schedules make a big difference, especially for credentials that have already been exposed in a breach.
  - Monitor and audit all privileged account usage with automation to uncover anomalies. Privileged accounts are the keys attackers want to take over, so automation is paramount.
- Conduct regular security assessments
  - Perform penetration testing focused on identity-related attack vectors. Simulate common identity-based attacks (e.g., password spraying, credential stuffing).
  - Use red team exercises to test your identity defense capabilities. Invest in employee training and awareness to educate users on identity security best practices.
- Plan for incident response
  - Develop and regularly test incident response plans for identity-related breaches. Ensure proper logging and forensic capabilities for identity-related events.
  - Establish clear procedures for account lockouts, password resets, and privilege revocation.
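The assessment and incident-response items above name two attacks to simulate (password spraying and credential stuffing) and call for logging that lets you act on identity events. The following detector, an added example that is not part of the original post or Hydden’s product, shows what "acting on the logs" looks like in practice: it reads authentication events, flags a source that sprays one password across many accounts, flags a window in which many low-volume sources stuff leaked credential pairs, and lists any account that an attacking source then logged into, which is the list that feeds the password-reset and lockout procedures. The log format, IP addresses, usernames, timestamps and every threshold are constructed for this example; real thresholds must be tuned against the baseline of the directory being watched.

```python
"""Password-spraying / credential-stuffing detector over authentication events.

Added illustration for this post (not Hydden's code). The log format, hosts,
usernames, IPs and thresholds below are constructed/assumed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

WINDOW_SECONDS = 600       # fixed 10-minute buckets (production code would use a sliding window)
SPRAY_MIN_USERS = 5        # spraying: one source tries many distinct accounts...
SPRAY_MAX_PER_USER = 2     # ...with so few tries per account that lockout never triggers
STUFF_MIN_SOURCES = 5      # stuffing: many sources (proxies/botnet), each trying a couple of pairs
STUFF_MAX_PER_SOURCE = 2
STUFF_MIN_USERS = 5

# Constructed sample log: "<ISO-8601 UTC time> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
# 09:00 window: one source sprays a single password across seven accounts and lands on grace
2024-05-01T09:00:01Z 203.0.113.10 alice FAIL
2024-05-01T09:00:03Z 203.0.113.10 bob FAIL
2024-05-01T09:00:05Z 203.0.113.10 carol FAIL
2024-05-01T09:00:07Z 203.0.113.10 dave FAIL
2024-05-01T09:00:09Z 203.0.113.10 erin FAIL
2024-05-01T09:00:11Z 203.0.113.10 frank FAIL
2024-05-01T09:00:13Z 203.0.113.10 heidi FAIL
2024-05-01T09:00:15Z 203.0.113.10 grace OK
2024-05-01T09:02:00Z 192.0.2.20 alice OK
# 09:10 window: seven sources each try one leaked pair; 198.51.100.7 gets ivan on its second try
2024-05-01T09:10:01Z 198.51.100.1 alice FAIL
2024-05-01T09:10:02Z 198.51.100.2 bob FAIL
2024-05-01T09:10:03Z 198.51.100.3 carol FAIL
2024-05-01T09:10:04Z 198.51.100.4 dave FAIL
2024-05-01T09:10:05Z 198.51.100.5 erin FAIL
2024-05-01T09:10:06Z 198.51.100.6 frank FAIL
2024-05-01T09:10:07Z 198.51.100.7 ivan FAIL
2024-05-01T09:10:09Z 198.51.100.7 ivan OK
# 09:20 window: benign control, bob mistypes his password twice from his own machine
2024-05-01T09:20:01Z 192.0.2.21 bob FAIL
2024-05-01T09:20:05Z 192.0.2.21 bob FAIL
2024-05-01T09:20:09Z 192.0.2.21 bob OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    source: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format; '#' lines and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, source, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(when, source, user, result == "OK"))
    return events


def detect(events: list[AuthEvent]) -> dict[str, list[str]]:
    """Return spraying sources, stuffing windows and accounts an attacker logged into."""
    spray_sources, stuffing_windows, compromised = set(), set(), set()
    by_window: dict[int, list[AuthEvent]] = defaultdict(list)
    for ev in events:
        by_window[int(ev.ts.timestamp()) // WINDOW_SECONDS].append(ev)

    for window, evs in sorted(by_window.items()):
        fails: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
        total: dict[str, int] = defaultdict(int)
        for e in evs:
            total[e.source] += 1
            if not e.ok:
                fails[e.source][e.user] += 1

        # Rule 1 (spraying): one source, many accounts, few tries per account.
        sprayers = {s for s, users in fails.items()
                    if len(users) >= SPRAY_MIN_USERS and max(users.values()) <= SPRAY_MAX_PER_USER}
        spray_sources |= sprayers

        # Rule 2 (stuffing): many failing sources that each send only a couple of
        # attempts, collectively touching many accounts. Only sources with at least
        # one failure are counted, so routine successful logins do not contribute.
        stuffers = {s for s in fails if total[s] <= STUFF_MAX_PER_SOURCE}
        stuffed_users = {u for s in stuffers for u in fails[s]}
        is_stuffing = len(stuffers) >= STUFF_MIN_SOURCES and len(stuffed_users) >= STUFF_MIN_USERS
        if is_stuffing:
            start = datetime.fromtimestamp(window * WINDOW_SECONDS, tz=timezone.utc)
            stuffing_windows.add(start.strftime("%Y-%m-%dT%H:%M:%SZ"))

        # Rule 3 (response): any successful login from an attacking source in this
        # window is an account to force-reset and a session to revoke.
        attackers = sprayers | (stuffers if is_stuffing else set())
        compromised |= {e.user for e in evs if e.ok and e.source in attackers}

    return {
        "spray_sources": sorted(spray_sources),
        "stuffing_windows": sorted(stuffing_windows),
        "compromised_accounts": sorted(compromised),
    }


if __name__ == "__main__":
    for key, value in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the constructed log, the detector reports the spraying source 203.0.113.10, the 09:10 window as credential stuffing, and grace and ivan as accounts to reset; bob's two typos from his own machine are not flagged because a single failing source against a single account matches neither pattern. The same three rules apply to Active Directory 4625/4624 events or Entra ID sign-in logs once they are normalized to the (time, source, user, result) tuple used here, which is the data model the "proper logging" item above needs to provide.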
Managing the identity attack surface in hybrid IT environments requires a holistic approach. A crucial part of this approach is a unified governance framework that ensures all security teams are working from the most up-to-date identity data. This strategy is instrumental in breaking down silos across teams and ensures that all teams share information easily, create integrated policies, and act upon the same data.
We at Hydden believe the reality of on-premises systems will remain for the foreseeable future. Many tools that claim to be “next-gen” focus only on cloud solutions. But security practitioners should demand that the solutions they deploy protect 100% of both their on-premises and SaaS infrastructure and services.