Think you have identity security covered? Think again…

Image of padlock against circuit board/cybersecurity background
(Image credit: Future)

The protection of user’s identities and their credentials has never been more important, with phishing, weak passwords and stolen identities being some of the most common attack vectors involved in data breaches. According to IBM’s Cost of a Data Breach Report 2022, compromised credentials are responsible for almost a fifth (19%) of data breaches alone, the average cost of which was estimated to be $4.5 million. Further, Verizon’s 2022 Data Breach Investigations Report also reveals that the top types of data compromised in a phishing attack are credentials and personal data.

Historically, identity protection has been an afterthought to traditional priorities centring around fortifying the network perimeter in a ‘castle and moat’ style approach.

This was suitable when enterprise resources only existed within the corporate networks. However, in a world driven by transformed, cloud-forward IT environments, identity management has become a much more serious consideration. Indeed, many resources are now located in the cloud, with firms leveraging web-based applications, cloud servers, digital file storage systems, and more. And unfortunately, in this new, connected world, castle and moat strategies simply don’t work.

Identity security strategies and the ‘identity triangle’

Thankfully, enterprises are starting to wake up to identity security, recognizing the need to adapt and evolve and modernize cybersecurity practices in the new normal.

Come 2025, for example, Gartner estimates that over 40% of organizations will be using identity governance and administration (IGA) analytics and insights to reduce security risks across their identity and access management estate. Further, the consultant also forecasts that seven in ten new access management, governance, administration, and privileged access deployments will be converged identity and access management platforms.

This is particularly interesting, with identity security strategies typically centering around a triangle of governance, privileged access management and single sign-on and/or multi-factor authentication solutions:

Identity governance and administration (IGA): A policy framework that enables enterprises to reduce identity-related risks by automating the creation, management and certification of network users and accounts, and their specific roles and access rights. This in turn allows firms to streamline user provisioning, password management and access governance, bolstering convenience and improving security.

Privileged access management (PAM): Solutions designed to protect firms from attacks by monitoring, detecting and preventing unauthorized privileged access to business-critical resources. By combining individual expertise with dedicated processes and technology, enterprises can unlock greater insight, revealing exactly what each user is doing while they are logged in, while also limiting the number of users who have access to administrative functions.

Single sign-on (SSO) and multi-factor authentication (MFA): MFA and SSO fall within authentication, mechanisms used to ensure a specific identity and access management setup is secure. SSO typically prioritises convenience for user logins, while MFA focuses on user security.

Daniel Lattimer


One small hole can sink a ship

Typically, organizations that have covered these three key bases believe that they have developed a sound, secure and robust identity security strategy. However, this is not always the case.

In truth, nearly all identity security links back to Microsoft Active Directory (AD) – the primary identity store used by most enterprises worldwide. Sitting right in the middle of that triangle, it provides the foundation for identity trust. But, if AD isn’t secure, then the other three components of the triangle aren’t either.

Critically, AD is an old tool, built 20 years ago to prioritize convenience and operational ease efficiency – and it isn't equipped to combat the sophisticated cyberattacks of today. It was designed to provide a straightforward way of allowing vast amounts of users to be managed and monitored, enabling them to access those resources that they need at the time they need it. This legacy makes AD an incredibly attractive target for attackers. Indeed, AD is all too often overlooked in security programs, leaving a massive vulnerability lying dormant, ready for threat actors to manipulate.

The biggest issue here is a simple lack of awareness, particularly in more recent years. Even if you move to the cloud, you’re not exempt. Nine times out of ten, Azure Active Directory is pulling permissions from your on-prem AD that most organizations continue to use as their core source of truth, meaning all the risks and issues are just carried over.

Four steps to better protecting AD

In this sense, AD is often a blind spot in organizations' security strategies.

They understand the identity threat, but not how it is linked to AD. Consequently, many end up thinking they have identity security covered when, in fact, there is a wide-open gap. Implementing solutions to uphold key security strategies such as zero trust becomes almost useless if a threat actor can log straight into the device that they want to compromise by leveraging Active Directory. With all identity linking back to AD, it is imperative to improve cyber resilience and visibility. Here are four simple steps that firms should follow to better protect their AD:

1. Analysis

First, organizations should work to understand the security posture of AD and if there is any indicators of exposure or compromise. Fortunately, there are community tools on the market such as Purple Knight from Semperis that can help to achieve this, offering an understanding of AD security maturity through key insights such as configurations that are causing exposures, and indicators of compromise.

2. Backups 

Next, firms need to establish testable backup processes. Often, AD is backed up daily or weekly – a strategy that has two key problems. First, potentially tens of thousands of changes happen on a network every day which could be lost in case of a security compromise. And second, companies rarely test their backup processes, and therefore are unable to initiate them in critical moments. To make matters worse, recovery from system-state or bare-metal backups can re-introduce the malware infection all over again. To address these issues, firms need to establish real-time backups that allow clean restores, so recovery can be achieved quickly and seamlessly and can actually be tested.

3. Monitoring 

Once analysis and backups have been established, organizations can begin to action AD health checks to drive improvements. This includes monitoring configurations over time to understand how exposures and risk levels are changing. Are key changes allowing an organization's security posture to remain in a sound and known state, or are these resulting backwards steps that need to be rectified? Continual monitoring and reviews can help to answer these questions and maintain a strong security posture.

4. Testing 

Finally, it is important not to conduct any security tests against your live production AD. In the same way that you wouldn’t carry out tests against a live production application at launch, organisations need to establish separate mirrored AD copies to carry out their tests against to prevent unwarranted downtime. Making these changes is more vital than ever. AD security is a critical aspect of identity protection strategies. In modernising your IT estate, you must always start with AD. It’s not new, nor cool, nor sexy, but it’s a fundamental, core application. If it doesn’t work, nothing will.

We've listed the best access control systems

Daniel Lattimer, Vice President of UK & Ireland, Semperis.