IDSA Report Reveals Continued Over-Confidence in Securing Privileged Identities

June 2, 2020

The Identity Defined Security Alliance (IDSA) recently published a new report titled, "Identity Security: A Work in Progress," about the exponentially-growing number of workforce identities, and the challenges this growth brings to organizations who may not be ready to address the risk that comes with it. Even worse, the report – based on a survey of IT Security and Identity Professionals and conducted by Dimensional Research – reveals significant over-confidence when it comes to securing privileged identities.

The report offers key findings that validate much of what we already know. For example, identity-related breaches are both ubiquitous (94% have had an identity-related attack) and highly preventable (99%) (TWEET THIS). The reason is because the integration of identity with security is a work in progress, with less than half of respondents having fully implemented the key identity-related security outcomes outlined in the report. However, there is reason to be positive, as forward-thinking companies are showing they are less likely to have identity-related breaches in the past year than organizations with “reactive” security cultures. That is significant and should be used to justify your identity-related controls with your CISO or your Board.

As an IDSA member company, Centrify was pleased to be involved in the publishing of this report. We also felt there were some areas where we could draw some more attention to the Privileged Access Management (PAM)-related sections, and drill into those a bit more.

OVER-CONFIDENCE

One of the first graphics highlights the respondents’ level of confidence in their company’s ability to effectively secure and manage various identity types. Top of the list is privileged users, with 50% stating they are very confident and 47% claiming they are somewhat confident.

IDSA Report Figure 2
Source: Identity-Defined Security Alliance

In general, because privileged accounts carry much more risk, it’s natural that a company would want to have much more confidence to protect those accounts. It should be the highest by far, and at 97% overall confidence it’s very high, but there is not a huge gap separating privileged users from regular employees (95%) or service accounts (91%).

But while it’s encouraging to see the confidence in the ability to secure these privileged identities, it also flies in the face of reality. We know that 74% of data breaches involve access to a privileged account from our own 2019 survey report, “PAM in the Modern Threatscape.” If three-quarters of respondents’ companies have been breached using privileged user credentials, survey respondents are showing way too much confidence, with 97% in the IDSA survey saying they can secure privileged users.

NOT JUST PEOPLE WHO ARE PRIVILEGED

The survey also asks, “Continuing to think about identity-related breaches, what kinds of identities were compromised?” Employees are by far the most-selected response at 75%, followed by privileged users at 34%. The report states, “On the opposite end, non-human identities — machines/IoT (12%), service accounts (25%), and applications (28%) are less likely to be compromised in a breach.”

IDSA Report Figure 5
Source: Identity-Defined Security Alliance

This is both surprising and problematic because this could present a blind spot with digital transformation happening in modern organizations around DevOps, cloud transformation, Internet of Things (IOT), etc. Throughout the IDSA report, service accounts and machine identities are listed as separate kinds of identities. Many times these are also privileged accounts, and play a far bigger role than traditional user-based privileged accounts when considering the modern IT estate.

PRIVILEGED IDENTITY SECURITY OUTCOMES

The report concludes that forward-thinking companies are better equipped to prevent identity-related breaches by looking at several identity-related security outcomes and the current level of implementation for each at respondents’ organizations.

Here we see three privilege-related outcomes fall into the top five:

IDSA Report Figure 8
Source: Identity-Defined Security Alliance

First, we immediately notice some discrepancy here tied to the 97% of respondents who are confident they are protecting privileged users. Only 87% have currently fully or partially implemented solutions to ensure that privileged access rights are granted according to the Principle of Least Privilege, and only 79% are continuously discovering privileged access rights. 50% or more of respondents have not fully implemented solutions for any of the three privilege-related outcomes, all of which reinforces the respondents’ over-confidence in securing privileged access.

Second, the term “Principle of Least Privilege” is not defined in the report, so the 87% of respondents who claim they have either fully implemented or are in progress of implementing this concept is questionable. More than likely, they have a password vault solution, but have not gotten further down the road with PAM maturity to adopt a “just enough, just-in-time, enforce least privilege” approach.

Finally, only 38% are currently using MFA for privileged access.  When Centrify thinks about MFA we think “MFA Everywhere” such as at login, at vault, at privilege elevation, and credential checkout. In general, all of the numbers for the three outcomes clearly marked as PAM related should be higher, as these are proactive measures that can have a measurable impact on an organization’s ability to stop identity-related breaches.

The IDSA’s survey report is an insightful look at identity security, and generally finds that it’s a work in progress. I encourage you to download it and read the data and conclusions yourself. Hopefully this blog offered a bit more analysis of the PAM-specific findings, and highlighted the increasing importance and scope of privileged identities in the modern enterprise.