When Security Providers are Breached: Cloud Identity and Cybersecurity
It’s no shock to most organizations that identity provides the keys to the kingdom when it comes to data systems, sensitive information, and everything else that needs proper defenses in place.
Recent news stories have brought the question of monitoring and controlling cloud-based identity and access management (CIAM) platforms into sharp relief. With the news that both LastPass and Okta had recent security incidents, many customers of not only those products but of many other CIAM platforms have been asking how they can continue to keep the organization safe – while still allowing for the flexibility that users need.

Okta’s case was a very near miss. While some source code was stolen, Okta has disclosed that the materials taken will not give an attacker the ability to directly impact any customers. This is good news for the current situation, but it highlights why control over CIAM systems and their operations is critical for any business.

The issue is that, when these systems are operating correctly, they can become nearly invisible. Users with appropriate credentials, MFA tokens, and no anomalous behavior are allowed in – while anyone without one or more of those is denied access.

However, what about the keys to those keys to the kingdom? When an administrator makes changes to users, MFA requirements, groups, access, etc., knowing whether that operation was authentic and authorized can pose a significant challenge to cybersecurity staff. After all, if a user successfully authenticates as an administrator, the CIAM will allow them to make sweeping and broad changes to the organization’s users and policies. Had the recent events at Okta been more significant and allowed an attacker to access the system as an administrator, this very situation may have been the result.

Because of this, administrative action within CIAM platforms must be closely monitored, and all activity – anomalous or not – must be audited regularly. This solves some problems with the security of CIAM operations, but not all of them. Auditing may only happen weekly, monthly, or even less frequently. Critical changes, such as the removal of MFA from privileged accounts, may not be discovered until well after any damage has been done.

Therefore, it becomes critical to ensure that any administrative activity in these platforms generates alerts for proper checks and balances. Was MFA removed from an account unexpectedly? Alerting can allow operations to confirm that the change was warranted and valid. Did someone create a new user or group within the CIAM? Alerting should trigger a review of why that user or group was created without going through the appropriate process, the process that would have told the organization to expect the change.
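The alerting described above, as an added example that is not part of the original article or of any vendor's product: a small triage routine that reads CIAM system-log records, picks out administrative changes (MFA removal, user and group creation), rates MFA removal from a privileged account as critical, and checks every other watched change against a change register standing in for the "appropriate process". The log lines, the privileged-account list and the change register are all constructed for the example, and the event names are assumptions that mirror Okta System Log naming; confirm the exact names against your own platform's documentation before using them in a detection.

```python
"""Triage CIAM administrative events and raise alerts for unexpected changes.

Added example, not vendor code. The log records are constructed, and the
event-type names are ASSUMED (they mirror Okta System Log naming); verify
them against your CIAM platform's documentation.
"""
import json

# Administrative event types worth alerting on (assumed names, see above).
WATCHED_EVENTS = {
    "user.mfa.factor.deactivate": "MFA factor removed",
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "user.lifecycle.create": "user created",
    "group.lifecycle.create": "group created",
    "group.user_membership.add": "user added to group",
}

# Constructed: accounts whose MFA state is critical (admins, break-glass).
PRIVILEGED_ACCOUNTS = {"admin.jane@example.com", "breakglass@example.com"}

# Constructed change register: the "appropriate process" the article refers to.
# A watched change that matches an entry here is expected; anything else is not.
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "eventType": "user.lifecycle.create",
     "target": "new.hire@example.com", "actor": "admin.jane@example.com"},
]

# Constructed newline-delimited JSON log: one routine login, one approved user
# creation, one MFA removal from a break-glass account, one unapproved group
# creation, and one failed MFA removal attempt.
SAMPLE_LOG = """\
{"published":"2023-01-10T09:00:00Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"target":[],"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"203.0.113.10"}}
{"published":"2023-01-10T09:05:00Z","eventType":"user.lifecycle.create","actor":{"alternateId":"admin.jane@example.com"},"target":[{"type":"User","alternateId":"new.hire@example.com"}],"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"203.0.113.10"}}
{"published":"2023-01-10T09:07:00Z","eventType":"user.mfa.factor.deactivate","actor":{"alternateId":"admin.jane@example.com"},"target":[{"type":"User","alternateId":"breakglass@example.com"}],"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"198.51.100.7"}}
{"published":"2023-01-10T09:09:00Z","eventType":"group.lifecycle.create","actor":{"alternateId":"admin.jane@example.com"},"target":[{"type":"UserGroup","alternateId":"Finance-Admins"}],"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"198.51.100.7"}}
{"published":"2023-01-10T09:10:00Z","eventType":"user.mfa.factor.deactivate","actor":{"alternateId":"admin.jane@example.com"},"target":[{"type":"User","alternateId":"bob@example.com"}],"outcome":{"result":"FAILURE"},"client":{"ipAddress":"198.51.100.7"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_approved(event_type, target, actor):
    """True if the change register contains a matching expected change."""
    return any(c["eventType"] == event_type and c["target"] == target
               and c["actor"] == actor for c in APPROVED_CHANGES)


def triage(events):
    """Return one alert per watched administrative event.

    Severity: critical - MFA change against a privileged account
              high     - watched change with no matching approved change
              info     - watched change matching the change register
    Failed attempts are kept (flagged in the summary): a failed MFA removal
    is still something an operator should be asked to explain.
    """
    alerts = []
    for ev in events:
        etype = ev.get("eventType")
        if etype not in WATCHED_EVENTS:
            continue
        actor = ev.get("actor", {}).get("alternateId", "?")
        targets = ev.get("target") or []
        target = targets[0].get("alternateId", "?") if targets else "?"
        success = ev.get("outcome", {}).get("result") == "SUCCESS"
        if etype.startswith("user.mfa.") and target in PRIVILEGED_ACCOUNTS:
            severity = "critical"
        elif is_approved(etype, target, actor):
            severity = "info"
        else:
            severity = "high"
        alerts.append({
            "time": ev.get("published"),
            "severity": severity,
            "summary": f"{WATCHED_EVENTS[etype]}: {target} by {actor}"
                       + ("" if success else " (attempt failed)"),
            "event_type": etype,
            "target": target,
            "actor": actor,
            "source_ip": ev.get("client", {}).get("ipAddress"),
        })
    return alerts


if __name__ == "__main__":
    for a in triage(parse_events(SAMPLE_LOG)):
        print(f"[{a['severity'].upper():8}] {a['time']} {a['summary']} "
              f"from {a['source_ip']}")
```

Run against the constructed log, the routine login produces nothing, the approved user creation is recorded at info level, the MFA removal from the break-glass account is critical regardless of who performed it, and the group creation and the failed MFA removal are raised as high because no change record expected them. The design point is that the change register, not the administrator's authentication, decides whether a change was expected: an attacker holding a valid administrator session would pass authentication but would still trip the unapproved-change alerts.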