Bringing Identity and Security Teams Together Can Improve Security Posture

Why Active Directory protection should be brought into broader security discussions

Cyberattacks have targeted identity systems with increasing frequency in the last couple of years. The SolarWinds and Colonial Pipeline attacks are just two cases that raised awareness of Active Directory as a common attack vector for cybercriminals. Managing Active Directory, the core identity system for 90% of businesses worldwide, has traditionally been an IT operations function. That has meant that integrating Active Directory protection into broader security discussions has been a slow evolution.

At the Hybrid Identity Protection Conference in December 2021, I moderated a panel discussion with industry experts called “Uniting Identity and Security Teams Against the Adversaries.” According to the Identity Defined Security Alliance (IDSA) report “2021 Trends in Securing Digital Identities,” 64% of organizations surveyed have made changes to better align security and identity functions within the last two years.

During the HIP Conference session, our panelists dug into some of the trends highlighted by the IDSA report. The session offered perspectives on how organizations can align their teams to combat attacks that target identity systems more effectively.

Following are key takeaways from the discussion. The panel included Jim Doggett, Semperis CISO, Asad Ali, technologist at Thales Group, Paul Lanzi, co-founder and COO of Remediant, and myself.

1. Strong identity security is the foundation for protecting other systems

A secure identity system is the starting point for protecting every other asset in the organization. The identity team needs to prove to the security team that they are competently protecting the systems they’re responsible for. Business units also need to show the security team that they’re competently protecting their line-of-business applications. Once identities are protected, organizations can use that proven identity security to protect other systems.

Organizations now need to rethink the interplay between the network, devices, and identities. “There’s a difference between the ability to secure identity entities versus using stronger identity security to protect assets such as endpoints, data stores, and SaaS platforms,” said Paul Lanzi. “The security of identities is table stakes.”

2. Identity and security teams must come together to meet modern security challenges

Both identity and security teams are overloaded in an era of proliferating applications, cloud migrations, and skyrocketing cyberattacks. The number of SaaS applications that organizations use has exploded in recent years. This has put pressure on IT ops teams to constantly provision, de-provision, and recertify applications. Consequently, the number of roles, permissions, and identities that require management has multiplied.

Cloud applications are seen as inherently more secure. Yet, the shift to the cloud expands the identity footprint. This increases the attack surface and requires more focused attention from both IT and security teams to make the whole hybrid identity system secure.

(For more information about the challenges of securing hybrid identity systems, see “Top Security Risks to Watch for in Shifting to Hybrid Identity Management.”)

Bringing the identity and security teams together better positions the organization to take a holistic view of security. It particularly addresses the natural tension between usability and security. Traditionally, more security is viewed by users as harder to use and more annoying, while less security is easier to use and less annoying.

Some of the usability problems have been addressed by smart devices and improved authentication technologies. But organizations tend to continually add security mechanisms without taking any away. This results in administrative headaches and frustrated users. By working together, identity and security teams can push the organization to decommission obsolete security mechanisms and adopt new ones that are both more secure and more usable. That will improve security posture (and user happiness).

3. Identity and security teams can help measure security posture

Organizations need effective ways to quantify security posture to cope with the endless battle against cyberattacks. As with any business KPI, what matters is results, not simply activity. Executives are becoming conversant in security technology principles. However, identity and security teams still grapple with conveying the practical impact of security improvements. Asad Ali said, “For the C suite, when you talk money, that’s when you get their attention.”

But information security is essentially a “negative product”: it is measured by incidents that were prevented from happening rather than incidents that happened. Identity and security teams can collaborate on KPIs that collectively convey overall security health. Examples include quantifying the number of days with a reportable hack or setting timelines for decommissioning old technology that could present security risks.

One of the most effective KPIs for evaluating security posture is measuring the scope of access permissions. Permissions tend to grow over time. The ability to show a downward trend is an important metric that identity and security teams can focus on. Showing that hundreds of accounts have admin access to a financial application, for example, can quickly gain the attention of the CFO and garner resources for identifying and addressing excessive permissions.
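One way to produce the permissions-scope KPI described above, as an added example that is not from the original post: the Python script below resolves nested group membership in constructed AD-style snapshots and reports the effective privileged-account count and its trend between snapshots. The language, the group names and the membership data are assumptions; a real export would come from an AD query, which is not shown here.

```python
"""Privileged-access KPI over constructed AD-style group snapshots.

Added example, not code from the original post. Assumes group membership
has already been exported from Active Directory as plain dictionaries
(group -> members). Nested groups are followed so the KPI counts
*effective* admins, which is the number that actually matters.
"""
from collections import deque


def effective_members(groups: dict, group: str) -> set:
    """Users with effective membership in `group`, following nested
    groups breadth-first; `seen` makes membership cycles safe."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for member in groups.get(queue.popleft(), ()):
            if member in groups:            # member is itself a group
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def admin_kpi(snapshot: dict, privileged_groups) -> dict:
    """Effective account count per privileged group plus distinct total."""
    per_group = {g: effective_members(snapshot, g) for g in privileged_groups}
    total = set().union(*per_group.values()) if per_group else set()
    return {"per_group": {g: len(m) for g, m in per_group.items()},
            "total": len(total)}


def trend(snapshots: list, privileged_groups) -> list:
    """(date, total, delta-from-previous) for each dated snapshot."""
    out, prev = [], None
    for date, snap in snapshots:
        total = admin_kpi(snap, privileged_groups)["total"]
        out.append((date, total, None if prev is None else total - prev))
        prev = total
    return out


# Constructed sample data: group -> members (user accounts or other groups).
SNAPSHOTS = [
    ("2021-10-01", {"Domain Admins": ["alice", "Helpdesk Tier3"],
                    "Helpdesk Tier3": ["bob", "carol", "Contractors"],
                    "Contractors": ["dave", "Helpdesk Tier3"],   # cycle
                    "FinanceApp-Admins": ["erin", "Finance-All"],
                    "Finance-All": ["frank", "grace", "carol"]}),
    ("2022-01-01", {"Domain Admins": ["alice"], "Helpdesk Tier3": ["bob"],
                    "FinanceApp-Admins": ["erin"],
                    "Finance-All": ["frank", "grace", "carol"]}),
]
PRIVILEGED = ["Domain Admins", "FinanceApp-Admins"]

if __name__ == "__main__":
    for date, total, delta in trend(SNAPSHOTS, PRIVILEGED):
        print(date, total, delta)
```

In the sample, the first snapshot counts seven effective privileged accounts although only two appear directly in the privileged groups, which is the kind of gap a direct-membership report hides.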

“Company boards are much more attuned now to security terms,” said Jim Doggett. “There have been enough breaches that executives understand the implications of having data exposed and the urgency of addressing particular problems.” 

Identity and security teams can collectively provide decision-makers with the right context to make better decisions about setting KPIs and measuring initiatives to make the organization more secure. Elaborating and standardizing infosec KPIs is something I would love to see our industry and professional organizations take on.

Security improves with cooperation between identity and security teams

To improve security posture, organizations need to provide a structure that allows security and identity teams to identify and address security vulnerabilities that span the entire environment—from authentication through endpoint security. As cybercriminals become more adept at exploiting identity misconfigurations and moving laterally within systems, organizations that keep identity and security teams siloed run a dangerous risk of missing security gaps that could lead to a debilitating cyberattack.

Semperis

For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing Active Directory, Semperis’ patented technology protects over 40 million identities from cyberattacks, data breaches, and operational errors. The world’s leading organisations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies. Semperis is headquartered in New Jersey and operates internationally, with its research and development team distributed between San Francisco and Tel Aviv.
