Why Identity Management is Critical for Effective IT Security
Posted: Friday, Mar 22


Like every facet of information technology, security has been a constantly evolving factor within organisations for decades.

In its earliest phase, IT security efforts were focused on protecting the network perimeter, leveraging the classic castle and moat model. The logic was that, if you could keep the bad guys out, all resources within the perimeter would remain safe.

This approach evolved with the arrival of remote workers, mobile devices and cloud platforms. With resources no longer held within the perimeter, one focus became securing the endpoints used to interact with those resources.

The evolution has continued. Attention is now centred on the role that identity can play in achieving secure environments, including augmenting existing endpoint security strategies. When both users and devices are required to constantly prove who or what they are, security can be achieved even in the most dispersed of technical infrastructures.

A Change of Focus

This shift in security strategy has led to a change in the tactics used by cybercriminals. Rather than launching brute-force attacks in an attempt to gain access to systems, they are now focused on obtaining valid identity credentials.

Concerningly, there are increasing numbers of examples of attackers targeting the identity provider infrastructure being used by organisations. If they successfully gain access to these, the extent of unauthorised activities they can undertake increases significantly.

Cybercriminals with such access could change the credentials of other authorised users or create fake identities that can later be used to gain additional access to resources. The consequences for an attacked organisation can be widespread disruption and losses.

The Okta Support Desk Attack

A recent example of an identity-based attack was experienced by corporate authentication company, Okta. In late 2023, attackers gained access to Okta’s customer support systems.

In their public announcement on 20 October 2023, Okta stated that an attacker had gained unauthorised access to the customer support system by leveraging stolen login credentials, obtained through an employee’s compromised personal Google account.

By leveraging those stolen credentials, the attacker was able to hijack an Okta service account that had customer support system access, giving them access to files belonging to 134 customers who had used the Okta customer support system. Among these files were browser recording (HAR) files that were then used in an attempt to gain access to several customer environments.
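The HAR files at the centre of this incident are a standard browser format: every request and response is recorded, including Authorization and Cookie headers, so an unredacted capture sent to a support desk carries live session credentials. The following is an added example, not code from the article or from Okta or BeyondTrust, that strips those values before a capture is shared; the header list, the sample capture and the host name are constructed for illustration.

```python
"""Redact session material from a HAR (HTTP Archive) capture before sharing it.

HAR files record request/response headers and cookies verbatim, so the
Authorization, Cookie and Set-Cookie values inside are live credentials.
"""
import copy

SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
REDACTED = "[REDACTED]"


def _redact_pairs(pairs, names=None):
    """Overwrite the value of each name/value pair (only those in names, if given)."""
    count = 0
    for pair in pairs:
        wanted = names is None or pair.get("name", "").lower() in names
        if wanted and pair.get("value") != REDACTED:
            pair["value"] = REDACTED
            count += 1
    return count


def redact_har(har):
    """Return (redacted deep copy of the HAR, number of values replaced)."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            count += _redact_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            count += _redact_pairs(msg.get("cookies", []))  # every cookie value
    return out, count


# Constructed sample HAR (not a real capture): one request to a made-up host.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://idp.example.test/api/v1/users",
        "headers": [{"name": "Accept", "value": "application/json"},
                    {"name": "Cookie", "value": "sid=constructed-session-id"},
                    {"name": "Authorization", "value": "Bearer constructed-token"}],
        "cookies": [{"name": "sid", "value": "constructed-session-id"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=new-constructed-id"}],
        "cookies": [{"name": "sid", "value": "new-constructed-id"}]}}]}}

if __name__ == "__main__":
    clean, replaced = redact_har(SAMPLE_HAR)
    print(f"redacted {replaced} values")
```

Request and response bodies can also carry tokens, so a full tool should scan `postData` and `content` text as well; this block covers headers and cookies only.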

BeyondTrust, along with a couple of other Okta customers, identified abnormal behaviour that ultimately led to the discovery of the Okta breach.

The concerning thing about this attack is that it directly involved the identity fabric of the company. It did not require any sort of brute-force attack or the installation of malware on devices.

Security Best Practices In An Identity-focused World

In light of attacks such as the one conducted against Okta, it is vital that organisations carefully review the security measures they have in place.

Key steps should be followed to ensure that identity credentials are secure and user authorisations are appropriate. The steps include:

  • Deploy 2FA:
    Two-factor authentication is a powerful tool that can significantly improve the overall digital security within an organisation. While it’s not infallible – as the Okta exploit demonstrated – it creates a significant barrier for cybercriminals keen to gain access. It’s also important that 2FA be rolled out for all users, not just those who have higher levels of access. In many cases, cybercriminals who gain access via a standard user’s credentials are then able to move laterally through an infrastructure and gain access to significant resources.
  • Review admin access rights:
    The credentials of users with admin rights are highly prized by cybercriminals as they can deliver unfettered access to an IT infrastructure. For this reason, it is important to limit admin rights to only those users who actually require them.
  • Monitor for over-privileged users:
    While monitoring admin rights is vital, it’s also important to ensure that all users only have access to the resources they require to undertake their assigned roles. People change positions regularly and so checking that their credentials are still aligned with their responsibilities is important.
  • Monitor your identity fabric:
    It’s also important to monitor and manage your organisation’s identity fabric. This includes closing dormant accounts and ensuring all users are actually legitimate.
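The four steps above are routine checks that can be run over a directory export rather than reviewed by hand. The following is an added example, not code from the article or from BeyondTrust, that flags users without 2FA, admins whose rights are going unused, entitlements beyond a departmental baseline, and dormant accounts; the record layout, the baseline, the 90-day thresholds and the sample accounts are all constructed assumptions.

```python
"""Audit a constructed identity directory export against the four steps above."""
from datetime import date

DORMANT_DAYS = 90      # no sign-in for this long: close or disable the account
ADMIN_IDLE_DAYS = 90   # admin rights unused for this long: candidate for removal
# Entitlements each department legitimately needs (assumed baseline).
BASELINE = {"finance": {"erp", "payroll"}, "engineering": {"repo", "ci"},
            "support": {"ticketing"}}


def _age_days(iso_date, today):
    """Days since an ISO date string, or None when the event never happened."""
    return None if iso_date is None else (today - date.fromisoformat(iso_date)).days


def audit_users(users, today):
    """Return findings keyed by step; each value is a sorted list of user ids."""
    f = {"no_mfa": [], "unused_admin": [], "excess_entitlements": [], "dormant": []}
    for u in users:
        if not u["mfa"]:                                 # step 1: 2FA for everyone
            f["no_mfa"].append(u["id"])
        if u["admin"]:                                   # step 2: admin rights in use?
            idle = _age_days(u["last_admin_action"], today)
            if idle is None or idle > ADMIN_IDLE_DAYS:
                f["unused_admin"].append(u["id"])
        if u["entitlements"] - BASELINE.get(u["dept"], set()):   # step 3: over-privileged
            f["excess_entitlements"].append(u["id"])
        seen = _age_days(u["last_login"], today)         # step 4: dormant accounts
        if seen is None or seen > DORMANT_DAYS:
            f["dormant"].append(u["id"])
    return {k: sorted(v) for k, v in f.items()}


def _user(uid, dept, admin, mfa, last_login, last_admin_action, *entitlements):
    return {"id": uid, "dept": dept, "admin": admin, "mfa": mfa, "last_login": last_login,
            "last_admin_action": last_admin_action, "entitlements": set(entitlements)}


# Constructed sample export: healthy, dormant and over-privileged accounts mixed.
USERS = [
    _user("alice", "finance", True, True, "2024-03-20", "2024-03-19", "erp", "payroll"),
    _user("bob", "engineering", True, True, "2024-03-21", None, "repo", "ci"),  # admin never used
    _user("carol", "engineering", False, False, "2024-03-21", None, "repo", "payroll"),  # kept old access
    _user("dave", "finance", False, True, "2023-11-01", None, "erp"),  # no sign-in for months
    _user("svc-support", "support", False, False, None, None, "ticketing"),  # never signed in
]
TODAY = date(2024, 3, 22)  # constructed audit date

if __name__ == "__main__":
    for step, ids in audit_users(USERS, TODAY).items():
        print(f"{step}: {', '.join(ids) or '-'}")
```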

By taking these steps, organisations can ensure their digital identity security is as robust as possible. Attacks like that suffered by Okta will still occur; however, well-prepared organisations will be best placed to counter them.

Scott Hesford
Scott Hesford is Director of Solutions Engineering for Asia Pacific and Japan at BeyondTrust. He has over a decade of experience in IT security. Before joining BeyondTrust in 2019, he worked as Principal Consultant across APJ for CA Technologies, where he specialised in technologies within Identity Governance and Administration, Advanced Authentication, Privileged Access Management, Web Access Management and API management. A trusted cyber security advisor to enterprise and mid-market customers alike, his experience spans several industries including finance, utilities and manufacturing, in addition to state and federal governments.