Rapidly growing employee identities, third-party partners, and machine nodes have companies scrambling to secure credential information, software secrets, and cloud identities, according to researchers.
In a survey of IT and identity professionals released Wednesday from Dimensional Research, almost every organization — 98% — experiences rapid growth in the number of identities that have to be managed, with that growth driven by expanding cloud usage, more third-party partners, and machine identities. Furthermore, businesses are also seeing an increase in breaches because of this, with 84% of firms suffering an identity-related breach in the past 12 months, compared with 79% in a previous study covering two years.
The rising incidence of breaches is unsurprising, says Julie Smith, executive director of the Identity Defined Security Alliance (IDSA), which sponsored the survey.
"The number and complexity of identities organizations are having to manage and secure is increasing," she says. "Whenever there is an increase in identities, there is a corresponding heightened risk of identity-related breaches due to them not being properly managed and secured, and with the attack surfaces also growing exponentially, these breaches can occur on multiple fronts."
For the most part, organizations focus on employee identities, which 70% consider to be the most likely to be breached and 58% believe to have the greatest impact, according to the 2022 "Trends in Securing Digital Identities" report based on the survey. Yet third-party partners and business customers are significant sources of risk as well, with 35% and 25% of respondents considering those to be a major source of breaches, respectively.
The IDSA recommends that companies focus on identity-related security outcomes that reduce the risk and impact of data breaches. Almost every respondent (96%) believes that implementing security controls focused on identities, such as multifactor authentication (MFA), could have prevented or minimized a breach.
"Centered on enabling effective identity governance, access, and behavioral detection, the security outcomes add a layer of protection around IT environments," the report states. "It is here that multifactor authentication as a mitigation strategy jumped to the top of the list in preventing breaches."
MFA Reduces Identity-Related Breaches
The top three countermeasures identified by respondents as potentially blunting the impact of breaches included MFA, more timely review of privileged access, and continuous discovery and monitoring of privileged access rights, according to the survey. Those three security controls also are likely to get the most investment in the coming year, says IDSA's Smith.
"We wouldn’t necessarily expect the countermeasures and planning to match up 100% as that would indicate organizations are chasing their tails and focusing only on the last breach when forward-thinking strategy and vision about the next potential breach is needed," she says.
Machine identities — such as system credentials, software secrets, and Internet of Things (IoT) passwords — are the main factors driving increased identities at 43% of organizations, according to the report. Despite that, only 18% of companies consider machine identities to be a significant source of breaches.
"Both human and machine identities are vulnerable without the proper mitigation and security tactics in place," Smith says. "Given that machine identities have the potential to expand much quicker than human identities, if a machine identity isn’t properly secured, managing the network of machine identities can quickly pose a major risk."
Meanwhile, the growing number of cloud workloads means that the credentials that allow software to talk, use APIs, and communicate with other software are an expanding surface of attack, Alex Simons, corporate vice president of program management for Microsoft's Identity division, said in March.
Companies that have executives focused on identity security are more likely to reduce the risk of breaches, according to the IDSA report. While only 30% of respondents consider training in securing passwords to be a very effective strategy, companies that have top-level business executives espousing support for password security are much more likely to be more careful with work-related credentials compared with companies that rely on security teams as the primary evangelist.
"If we’re talking about implementing and deploying meaningful security outcomes, we have to increase engagement beyond IT or security teams," IDSA's Smith says. "This simply demonstrates that when management embraces security as a part of messaging, the general trend implies that security becomes a strategic part of the company’s culture."