
The threat of lateral movement combined with an extended attack surface

“Hackers don’t hack anymore, they log in,” says Thomas Lejars, CEO of Zygon. “The risk doesn’t really lie within the 30 to 50 well-secured apps behind the company’s SSO. Our clients report breaches and infiltration attempts through less-secured dependencies.

“Recent public cases, such as Oktapus, highlight the effectiveness of hackers employing lateral movement techniques.”

Employees trying out new tools are not the only factor expanding a company’s attack surface. Service accounts, API keys and even the roles used to access cloud resources are further forms of access that require proper control. These are referred to as machine or Non-Human Identities (NHIs), and they carry the same risk of compromise as “real” human identities.

Technical challenges and legacy IAM are hindering the implementation of robust identity governance

Mapping all identities and uncovering shadow IT is merely a starting point if it doesn’t lead to concrete actions. However, numerous challenges hinder effective identity governance.

While SSO standards such as OpenID Connect and SAML are mature, software vendors do not adopt them universally. Likewise, although the SCIM provisioning standard exists, its implementation is often incomplete: most applications do not support it at all, and those that do expose a provisioning API rarely support deprovisioning.
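When an application offers no SCIM deprovisioning (or is not connected to the IdP at all), the practical control is to reconcile each application’s own user list against the identity source of truth and flag accounts that should have been removed, plus logins that map to no human at all (the NHIs discussed above). The script below is an added example and is not code from the original article or from Zygon; it assumes a CSV-style export from the IdP or HR system with the columns `email,status,left_on` and one export per application with `login,last_login`. All data in it is constructed for illustration.

```python
"""Reconcile per-application user exports against the IdP source of truth.

Added example (not the article's or Zygon's code). Assumed input formats:
  IdP export : email,status,left_on   (status "active" or "left")
  App export : login,last_login        (ISO dates)
All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample: the IdP / HR source of truth.
IDP_EXPORT = """\
email,status,left_on
alice@example.com,active,
bob@example.com,left,2024-03-01
carol@example.com,active,
dave@example.com,left,2024-05-15
"""

# Constructed sample: exports from two apps. "crm" is SCIM-connected but its
# deprovisioning never fired; "analytics" was never wired to SSO/SCIM at all.
APP_EXPORTS = {
    "crm": """\
login,last_login
alice@example.com,2024-06-02
bob@example.com,2024-02-20
carol@example.com,2024-06-01
""",
    "analytics": """\
login,last_login
alice@example.com,2024-05-30
dave@example.com,2024-06-03
svc-etl@example.com,2024-06-04
reporting-bot,2024-01-10
""",
}


@dataclass
class Finding:
    app: str
    login: str
    kind: str          # "orphaned" | "unmapped" | "post-departure-login"
    detail: str = ""


def parse_csv(text):
    """Minimal CSV reader for the flat, comma-free exports assumed here."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, row.split(","))) for row in lines[1:]]


def load_identities(text):
    """Return {email: (status, left_on or None)} from the IdP export."""
    out = {}
    for r in parse_csv(text):
        left_on = date.fromisoformat(r["left_on"]) if r["status"] == "left" else None
        out[r["email"].lower()] = (r["status"], left_on)
    return out


def reconcile(idp_text, app_exports):
    """Flag accounts that deprovisioning missed and logins owned by no human."""
    identities = load_identities(idp_text)
    findings = []
    for app, export in app_exports.items():
        for row in parse_csv(export):
            login = row["login"].lower()
            ident = identities.get(login)
            if ident is None:
                # No human in the IdP owns this login: a service account, an
                # API-key holder or a local account created outside SSO.
                findings.append(Finding(app, login, "unmapped",
                                        "no matching identity; review as NHI or local account"))
                continue
            status, left_on = ident
            if status == "left":
                # The leaver still has an account: deprovisioning never reached this app.
                findings.append(Finding(app, login, "orphaned", f"user left on {left_on}"))
                if date.fromisoformat(row["last_login"]) > left_on:
                    # Activity after departure means the orphaned account is in use.
                    findings.append(Finding(app, login, "post-departure-login",
                                            f"last login {row['last_login']} after {left_on}"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {"orphaned": 2, "unmapped": 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(IDP_EXPORT, APP_EXPORTS)
    for f in results:
        print(f"{f.app:10} {f.login:24} {f.kind:22} {f.detail}")
    print(summarize(results))
```

The "post-departure-login" finding is the one to act on first: it is exactly the kind of forgotten, still-active account that the lateral-movement cases above rely on. The "unmapped" findings are the starting inventory for NHIs and local accounts; each needs an owner assigned before it can be governed at all.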

Additionally, vendors frequently charge extra for SSO/SCIM support, which deters organisations from enabling these features beyond the roughly 30 applications considered critical in most medium-sized organisations.

For example, a company with 200 employees might incur a US$22,700 cost just to enable SSO via SAML and automatic user provisioning for the Slack application.

Seen from another angle, the time IT and security practitioners spend managing the identity lifecycle is substantial. Legacy Identity and Access Management (IAM) systems, which rely on tickets and manual actions, are proving inadequate.

Consider an organisation with 1,000 employees, an average of 30 applications per employee, an annual hire rate of 15%, a departure rate of 15% and internal mobility of 10%.

That amounts to roughly 150 joiners, 150 leavers and 100 internal moves a year, each touching 30 applications, which results in more than 10,000 tasks related to identity provisioning, reassignment or deprovisioning over the year.

Even if each access-control action takes only a few minutes, this equates to the workload of two full-time employees dedicated solely to this non-technical yet critical and tedious task.

Fascinated by rocket science? Dive into our advanced calculation below.