Identity security is front and center in all of the recent breaches, including Microsoft, Okta, Cloudflare, and Snowflake, to name a few. Organizations are beginning to realize that changes are needed in how we approach identity security from both a strategic and technological perspective.
Identity security is about more than just providing access
The traditional view that identity security is primarily concerned with granting and denying access for applications and services, often piecemeal, is no longer sufficient. This view was reflected as a broad theme in the Permiso Security Identity Status Report (2024), which finds that despite growing confidence in the ability to identify security risks, nearly half of organizations (45%) are still “concerned” or “very concerned” about whether their current tools are capable of detecting and protecting against identity security attacks.
The survey, commissioned this summer by Permiso, surveyed more than 500 IT security and risk professionals who directly oversee or influence security and risk decision-making. The findings show that despite increased investment, maturity and confidence in controls to mitigate cyber risks, organizations remain concerned in the face of growing identity threats.
Key findings include:
- SaaS is seen as the riskiest environment.
- 93% of organizations said they can inventory credentials across all environments and track keys, tokens, certificates, and any modifications made to any environment.
- 85% can determine “who does what” across fragmented authentication boundaries.
- 45% are still “concerned” or “very concerned” about whether their current tools are capable of detecting and protecting against identity security attacks.
- 45% suffered an identity security incident in the past year, with phishing attacks the top threat vector.
Can you spot the crooks?
While 86% of organizations said they can identify their most risky identities (human and non-human), nearly half (45%) suffered an identity security incident in the past year, with phishing attacks the top threat vector, showing that social engineering-based attacks continue to be a pervasive threat to organizations.
Among the consequences for those who were breached, sensitive data, including personally identifiable information (PII) and intellectual property (IP), topped the list, cited by 54%. 46% of organizations said threat actors also escalated privileges, and 45% said threat actors harassed their supply chains, both their suppliers and customers.
Human identities remain an easy target
Another interesting finding is that human identities are seen as the most risky, with employees at the top of the list. Contrary to much of the hype in the market, non-human entities (API keys, OAuth tokens, service accounts) are considered less risky than their human counterparts.
Identity security is closed
It is unclear whether organizations understand the responsibility of identity security in a hybrid and multi-cloud reality. While most organizations use an average of 2.5 public clouds, the IT team (56%) was identified as primarily responsible for ensuring identity security for the organization across multiple environments. This may reflect a view of identity that is still limited to granting and revoking access. According to Jason Martin, co-CEO and co-founder of Permiso, this finding can be explained by the fact that “Identity security has traditionally been the domain of shared responsibility of IT custodians, which includes access provisioning and identity security. Only a minority organizations, we view the security department as the primary stakeholder for ensuring the security of personal data.”
Security budgets also appear fragmented, with SaaS (87%) and IaaS (81%) environments accounting for the bulk of security spending compared to all environments (46%). In terms of tools, it appears that the IaaS tier (66%) has focused on a combination of proprietary cloud-based security tools such as AWS GuardDuty and CNAPP solutions.
While most organizations appear to be “risk aware” of the cyber threats they face, it is clear that we have some way to go to be able to detect and respond to identity threats as they occur. In fact, the ability to detect and prevent credential breaches, account hijacking, and insider threats was cited as a top concern for organizations.
Towards Universal Identity Security
It is up to all of us (vendors, organizations and the wider security community) to do what is needed in terms of people, processes and technology to address the new reality of human and non-human identity as the leading threat vector. In this regard, we need to reframe identity security from simply granting or denying access to applications and services to seeing it as a strategic business enabler.
Permiso Security was created to solve this problem, making unified identity security for all identities in all environments a reality.
You can access the full report here: https://hero.permiso.io/state-of-identity-security-survey-report-2024