An Identity First Approach to Infrastructure Security

Posted by Vijay Pitchumani

As enterprises continue their digital transformation journey, cloud infrastructure spending across the top three hyperscalers, AWS, Google Cloud Platform, and Azure, soared to $193 billion in 2023. Total spend on cloud infrastructure grew 18% year-over-year and is projected to almost double in the next five years. Artificial Intelligence (AI), particularly generative AI, has emerged as a powerful tailwind, fueling demand for cloud resources to train and deploy these data-hungry and compute-intensive models.

As more workloads move to the cloud, it becomes increasingly critical for enterprises to prioritize the security of the infrastructure they deploy. Recent studies have shed light on the alarming reality that compromised identities are a critical threat vector, enabling attackers to gain unauthorized access to corporate infrastructure. The 2024 Verizon Data Breach Report highlights a concerning statistic: a staggering 68% of the breaches involved a human element, underscoring the vulnerability of identities that are not secure. Furthermore, a separate study conducted by the Cybersecurity and Infrastructure Security Agency (CISA) found that a significant 54% of security incidents involved valid credentials from compromised accounts, like stale accounts of former employees. Securing any human or machine identity that has access to this critical infrastructure should be the foundational step of a comprehensive security strategy. To emphasize the importance of securing identities that have access to corporate infrastructure, the United States Government issued an executive order requiring federal agencies to develop plans to implement zero-trust architecture within 60 days, incorporating proper identity management and access control.

Failure to prioritize identity security leaves organizations vulnerable to devastating breaches, data loss, and potential regulatory fines. Therefore, it is imperative for enterprises to address this critical aspect of cloud security proactively.

Before we understand what steps an enterprise can take to secure identity access to critical infrastructure, let’s consider what challenges an organization has in securing these identities.

Shadow IT Across the Organization

Organizations often lack centralized processes for granting access to critical systems, leading to siloed and inconsistent practices. Without proper policies and oversight, employees may accumulate elevated privileges beyond their actual roles as they work on different projects throughout the employee lifecycle. This lack of visibility makes it extremely difficult for IT teams to understand who can access which systems across the organization.

Lack of Automation

Access remediation and fulfillment processes are frequently manual, increasing the risk of errors and oversights. Identities may retain elevated access even after their roles or employment status changes, posing a significant security risk. As highlighted by the CISA report, the credentials of former employees who were once legitimate can become a potential attack vector if not properly deprovisioned.

Lack of Governance for Machine Identities

Service accounts, shared credentials, and Application Programming Interface (API) tokens used for machine-to-machine communication are often highly privileged identities that lack proper governance and oversight. These credentials are sometimes stored insecurely in spreadsheets or password managers, increasing the risk of exposure and misuse by unauthorized parties.

Addressing these challenges requires organizations to adopt an identity-centric security strategy aligned with zero-trust principles. This approach means implementing robust identity and access management solutions that can centralize and automate the governance of all human and machine identities across the enterprise.

Scan Your Infrastructure Deployment for Vulnerabilities

Organizations can leverage effective posture management solutions to scan and discover all human and machine identities across the environment. This provides detailed visibility into potential areas of risk inside your enterprise, including which accounts hold elevated access but rarely use it and which identities are not protected by multi-factor authentication (MFA). This level of visibility enables organizations to quickly lock down identities with access to critical infrastructure in case of a breach.

Enforce Least Privileged Access

After gaining visibility, organizations should implement governance and automation to enforce least privileged access across their entire corporate infrastructure. The ultimate goal for any organization should be to ensure only the right identities have access to the right systems for the right amount of time. Many identity governance and privileged access management solutions offer out-of-the-box automation capabilities to implement and maintain least privileged access across the environment.
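The posture checks described in the two sections above (elevated access that is rarely used, privileged identities without MFA, and accounts that survive a role or employment change) can be expressed as simple rules over an identity inventory. The following is an added illustration, not code from the post or from any vendor product; the inventory records, the privileged role names and the 90-day "unused" threshold are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference time and privileged-role set (assumptions for this example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PRIVILEGED_ROLES = {"admin", "owner", "iam:write"}

@dataclass
class Identity:
    name: str
    kind: str                                  # "human" or "machine"
    roles: set
    mfa: bool
    last_privileged_use: Optional[datetime]    # None = never observed using elevated access
    status: str = "active"                     # "active" or "terminated"

def assess(identity: Identity, now: datetime = NOW,
           unused_after: timedelta = timedelta(days=90)) -> list:
    """Return (finding, recommended_action) pairs for one identity."""
    findings = []
    elevated = identity.roles & PRIVILEGED_ROLES
    # Deprovisioning failure: a terminated identity that still holds any role.
    if identity.status == "terminated" and identity.roles:
        return [("stale_account", "disable the account and revoke all roles")]
    if elevated:
        # Least privilege: elevated access that has not been exercised recently.
        if identity.last_privileged_use is None or now - identity.last_privileged_use > unused_after:
            findings.append(("unused_elevated_access", f"remove roles {sorted(elevated)}"))
        # MFA applies to interactive (human) identities; machine identities are handled separately.
        if identity.kind == "human" and not identity.mfa:
            findings.append(("privileged_without_mfa", "require MFA before next privileged use"))
    return findings

def scan(inventory: list, now: datetime = NOW) -> dict:
    """Map identity name -> findings, omitting identities with nothing to report."""
    results = {i.name: assess(i, now) for i in inventory}
    return {name: f for name, f in results.items() if f}

# Constructed sample inventory, shaped like what an IdP / cloud IAM export might yield.
INVENTORY = [
    Identity("alice", "human", {"admin"}, True, NOW - timedelta(days=3)),
    Identity("bob", "human", {"admin", "reader"}, False, NOW - timedelta(days=200)),
    Identity("ci-deploy", "machine", {"iam:write"}, False, None),
    Identity("carol", "human", {"owner"}, True, NOW - timedelta(days=10), status="terminated"),
    Identity("dave", "human", {"reader"}, False, None),
]

if __name__ == "__main__":
    for name, findings in scan(INVENTORY).items():
        print(name, findings)
```

The output of `scan` is the work list an automated remediation step would consume: revoke the unused roles, enforce MFA, and disable the terminated account.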

Automated Fulfillment and Remediation

Newer identity standards, such as the OpenID Foundation Shared Signals Framework, will unlock capabilities to share signals and data across trusted parties securely. Once this data is available, machine learning and artificial intelligence can enable enterprises to detect phishing or malicious login attempts in near real-time. However, detection alone is insufficient. Automated remediation is crucial to prevent stale accounts and ensure identities with access to critical systems only have the necessary entitlements. This helps avoid manual errors and maintains appropriate access levels as roles and trust levels change.

By embracing an identity-centric security strategy, organizations can take a zero-trust approach towards least privileged access, ensuring that only the right identities have the appropriate level of access to critical infrastructure, minimizing the risk of unauthorized or excessive access that could lead to security breaches or compliance violations.

Vijay Pitchumani

Director, Product Management, Okta


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
