The identity threat
- By Teri Takai
- Mar 21, 2017
Image credit: bygermina / Shutterstock.com
Identity has always played in a central role in IT. Yet it is not often associated with security. That's probably because identity is typically managed by the office of the CIO, and not the chief security officer. This is changing.
With the advent of cloud computing and SaaS applications, identity has become a security perimeter for all intents and purposes. I would go one step further, and consider it a security threat plane that government CIOs, CSOs, and CISOs must address to reduce risks, protect resources and prevent breaches.
That's because the identity plane intersects with virtually every data source within IT infrastructures.
The big problem for many government agencies is that most of them still rely on declarative legacy roles, rubber-stamping certifications and manual processes to manage identities and roles -- all of which expose them to continual and multiple access risks. External threat actors compromise identities to evade detection from existing defenses, while insiders work under the radar to access data for exfiltration.
To provide a robust defense and protect the identity-based perimeter, government agencies must consider new thinking and approaches.
The core issue is security leaders are not attacking the evolving security landscape through proactive planning and change management. Instead, they are stuck in a reactive mode. It is not hard to understand why: the user profile is 24-7, global, instantaneous, and rich in consumer-driven IT.
In the old days (as far back as 2014!), security chiefs at government agencies focused on protecting data at the perimeter of their networks. Today, many continue to do so, in different ways. They have implemented new technologies such as next-generation firewalls, and other solutions designed to protect the perimeter, all of which remain a necessary part of the IT infrastructure.
However, the pace of change means that most organizations simply cannot keep up with the evolving threat vector. CIOs, CSOs, and CISOs must alter their thinking and their practices to deal with the powerful and stealthy threats posed by identity-based attacks.
While most government agencies are migrating some of their resources to the cloud, they usually do not migrate their entire infrastructures. Instead, they keep certain services and applications on-premise, and use cloud providers with expertise in a certain area or areas, such as storage and applications -- while linking those cloud services to their on-premise environment.
This trend raises three crucial questions: What is the perimeter? What's protecting the perimeter? Is the current protection effective?
Risks Posed by Partners
Clearly, partnering is nothing new to government agencies, but going forward agencies will need to greatly improve their scrutiny of existing partners, and to implement more stringent vetting.
To illustrate the risks of partnering, consider the notorious Target data breach of 2013. While the breach received a great deal of media attention because it exposed the credit card and personal data of about 100 million consumers, the partner angle was secondary news.
The breach began with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer. The takeaway here: the vulnerabilities of partners will become the vulnerabilities of government agencies.
The Insider Risk Time Bomb
To implement superior security, agencies must possess a clear understanding of what constitutes insider risks. This subject has been of paramount concern in government circles, especially the Department of Defense, since WikiLeaks published classified documents provided by Bradley (now Chelsea) Manning in 2010. This concern was exacerbated by Edward Snowden's leaks in 2013.
There has been considerable speculation on the motivation of these two individuals but it points out that many government agencies struggle to assess such actors and the risks they present. When does insider risk become insider threat?
While compromises and breaches are not always driven by malicious motivations, they still represent an access risk and threat plane of serious risk for any government agency. Security leaders should keep this in mind when planning their next generation of advanced security systems.
The Way Forward
Government agencies need new, powerful tools that provide complete visibility into access and actions of actors 24/7. Additionally, reliance on people to manually monitor this access is no longer feasible due to data volume and variety.
The increasingly complex world of IT is putting a massive strain on existing security capabilities. Environments now consist of cloud and mobile applications wedded to a slew of legacy applications -- all of which must be controlled across numerous platforms, users, and identity sources.
The future of security is clear: government agencies need robust analytical support from machine learning and the context of big data, which provides comprehensive visibility, monitoring, and analytics based on observed behavior.
Teri Takai is a senior advisor with the Center for Digital Government. She has served as CIO and EVP of Meridian Health Plan, was the Department of Defense CIO from 2010 to 2014. Prior to her federal appointment, Ms. Takai served as CIO for the State of California.