This article was published in Computerworld on May 24, 2024 (in Norwegian).
Many companies invest large sums in advanced security products and expensive services to enhance their security, but often forget the basics.
Do companies know all the identities and applications that have access to their systems, and are these adequately secured?
This is critical, as about 80 percent of data breaches start with a hacker gaining access and control over an identity. More and more companies are moving to the cloud, and with company data available on the internet, this issue becomes even more relevant.
The consequences of such breaches can be devastating for an organization. Not only can it lead to significant financial losses and loss of confidential information and privacy, but it can also result in a loss of trust from customers and partners. Additionally, the organization may face hefty fines from regulatory bodies, and its reputation can suffer significantly. On average, a data breach costs a company close to $5m USD. Therefore, it is crucial that companies take cybersecurity seriously and implement robust identity and access management strategies to protect themselves from such attacks.
The Importance of Controlling Identities
As companies move identities and applications to the cloud, the opportunities increase, but so does the complexity. Many believe that Identity Access Management (IAM) solutions and control in the HR system are sufficient, but Microsoft’s user directory, Entra ID, usually contains many more identities. The National Security Authority (NSM) guidelines state that you should know who all your users are. And you should know what rights they have. IT departments we speak with often understand what we mean when we ask these control questions in our customer meetings:
- Which guest users have access to your environment?
- Which administrator users do you have?
- How many service accounts exist in your environment?
- How many test users are there in your tenant?
- Do you know what rights your applications have, and where they log in from?
With many users and turnover in a company, it is challenging to achieve satisfactory control over an issue that is becoming increasingly important.
A real-life example was when Microsoft was recently subjected to a data attack themselves. A group associated with the Russian intelligence service managed to exploit a vulnerability in a test tenant Microsoft had created for development purposes. In it, they had created an application that was installed in the production tenant like any other SaaS application. The application was given excessively high rights, and in the test tenant itself, the user accounts were not adequately secured, resulting in the attackers taking control of it. Using the test application’s access to the production tenant, they gained access to all email accounts and could monitor emails sent both internally and externally for several months. This shows how small weaknesses in identity and access management can be exploited to carry out extensive security breaches.
Other examples from last year include municipalities in Northern Norway where they tried to gain access via compromised external accounts, and there are several documented cases in both Sweden and Denmark.
The Future and New Requirements
With more and more companies adopting a wide range of SaaS applications, especially those integrated with platforms like Microsoft, the need for comprehensive access control becomes even more crucial. IAM tools play a critical role in managing these accesses, but they alone are not always sufficient. While IAM tools provide rules and policies to automate access management for employees and contractors, additional tools and processes are needed to ensure a comprehensive overview of who all the identities actually are, including guests, applications, and other accounts that the IAM solution does not “own.” By implementing such solutions, companies can better protect themselves against internal and external threats, maintain data security, and comply with regulatory requirements.
Going forward, good control over these challenges will become a requirement from the EU and authorities through various directives like NIS1, NIS2, and CER. These directives will increase the responsibility of company management, and if not followed, companies can face strict sanctions in the form of fines up to several million kroner. This places significant responsibility on IT departments, which may be held accountable if companies incur large costs, either in the form of fines or if a data breach occurs.
In Conclusion
As we see, control over user identities is a critical but often overlooked part of cybersecurity. With increasingly sophisticated threats and growing pressure from regulatory bodies, it is crucial that companies take steps to ensure a solid identity and access management strategy. At Bsure, we see that more and more also consider this extremely important, but we also meet many who choose not to prioritize it and rely on historical processes for managing user identities, a strategy we do not believe will pay off in the long run.