In the world of identity management and security, fraudsters are constantly evolving their tactics, exploiting weaknesses in outdated device identification methods. For fraud, identity and digital experience teams, securing...
It’s Time for IAM to Lead the Cyber-Resiliency Charge
by David Mahdi
I’m sick of headlines about leaked data, leaving me to wonder if my username, password or private information is listed for sale on the dark web (of course it is!). But who’s truly at fault? While bad actors are the obvious culprits, the responsibility doesn’t solely lie with the service providers. Surprisingly, it often falls on their vendors, which is precisely why attackers have been targeting IAM vendors.
Identity and access management (IAM) technology providers deliver the “keys to the kingdom,” and with that great power, comes great responsibility (Thank you Uncle Ben! And yes, I went to the Toby Maguire Spider-Man; hey, the Spider-Verse right?).
Shifting security priorities
Many of us are familiar with the saying, “Identity is the new perimeter,” but it’s so much more than that. Identity is a critical (and targeted) infrastructure for your business. The elements of IAM– spanning people, processes and technology– are designed to serve your employees, partners, customers and, in the case of governments, citizens.
When these systems experience downtime, for any reason, the consequences can be far-reaching: from diminished productivity and revenue to the loss of customers. Even worse, in the case of critical services such as hospitals or energy utilities, personal safety can be negatively affected. The significance of IAM extends beyond merely boosting productivity and enhancing user experience, as in avoiding the “blue screen of death” or the “spinning rainbow wheel.”
As we’ve further digitized systems, our data, digital identities and IAM infrastructure have graduated to a very critical place. And if you haven’t recognized it, attackers have. It’s a full scale cyberwar on our digital systems, data and identities, and attacks are increasingly focused on identity infrastructure itself.
Rising threats to identity infrastructure
Gartner predicted that attacks on “identity-fabrics” will increase. More specifically, analysts said, “Fragile identity infrastructure is caused by incomplete, misconfigured or vulnerable elements in the identity fabric.”
If you don’t believe them, or me, consider the example of a significant breach at a large identity management firm, which– among various others in recent years– affected millions. Attacking identity infrastructure by way of vendor vulnerabilities, combined with other ATO and social engineering methods, attackers have leveled up the game. And there is no turning back.
What makes attacking IAM infrastructure so dubious is its critical position in the enterprise security stack. By gaining access to your IAM infrastructure, bad actors can simply “walk” into many of your systems and conduct a variety of attacks, such as data exfiltration, ransomware or a combination thereof.
Digital identity is now a vital part of your business infrastructure. When that is compromised, how do you know who is behind any or all of your digital transactions? Will you have to halt business and stop the flow of revenue? How will a breach impact your brand and stock price? All of these are now at stake by vulnerabile IAM infrastructure, including the IAM vendors themselves.
I don’t mean to be a curmudgeon (well I was a former Gartner analyst), but these issues with Okta and other IAM providers have only just begun.
Legacy IAM’s shortfalls
IAM vendors were born to improve workforce productivity. Most, if not all, started with an ITSM mindset, with efficiency prioritized over security. This is not to say they had the wrong focus; it was a different time, when cyber attacks were far less sophisticated. But IAM vendors traditionally focused their mission inspired by the definition of IAM which enables the right people to have the right access to the right resources at the right times to achieve the right business outcomes.
While this mission remains relevant, it does not account for modern day attacks that require adversarial thinking and overall cyber-resiliency. IAM is now identity-security.
Having spent years as an analyst covering many of the small and large IAM vendors, and even working for several as an employee–as mentioned above–I have observed a consistent focus on productivity. Their views on security were centered around access and authentication, but cybersecurity is much more. Yes, some are making the transition, but it is not an easy one. They must adjust their people, process and technology to be more security centric
Balancing productivity with protection
With the recognition of identity as a new attack surface, the risk landscape has significantly evolved. IAM vulnerabilities are now more likely to be weaponized, impacting everything from user and machine identities to IAM infrastructure and their vendors. This broader vulnerability extends to protocols, cloud infrastructure, and specific vendor technologies, which are all crucial parts of the security supply chain. As these threats proliferate, companies must scrutinize the security posture and incident response plans of their IAM providers.
Ironically, the pressure on IAM vendors to deliver products that meet rapidly changing market demands often conflicts with the need to maintain robust security frameworks. This tension is exacerbated by executive focus on financial metrics like EBITDA, which can be negatively impacted by cyber breaches. Anyone would rather focus on the shiny new features or M&A to sell more, but if the keys to the kingdom aren’t protected, nothing else matters.
While working closely with analysts from Forrester, Gartner, KuppingerCole and others, I’ve noticed these experts are now pushing IAM vendors to provide evidence and data on their IAM security posture, urging them to prioritize cyber-resilience over quick feature rollouts.
The drive for better IAM security isn’t just a business necessity; it’s critical for the broader digital community, where much identity information is vulnerable or already exposed on the dark web. It’s time for IAM vendors to heed the call for increased investment in cyber-resilience and to recognize their pivotal role in protecting digital identities. A lot of our identity information is already available on the dark web. IAM vendors must listen to Uncle Ben and recognize their critical position in the digital world, time to invest more in cyber-resiliency and transition to identity-security.
How Transmit Security is protected
With cybersecurity in our DNA, the Transmit Security Platform is purpose-built with AI-powered security, including embedded API and mobile app security, anti-tampering measures, automated anomaly detection and trend analyses. In addition when creating or editing customer identity journeys, you can simply click a button to run automated static application security testing (SAST), which analyzes the journey code to flag and address vulnerabilities before launch.
In the unlikely event of a security breach similar to ones that have targeted other IAM vendors, Transmit Security’s services remain online and uncompromised thanks to our resilient enterprise-class architecture with an active-active multi-cloud global presence running simultaneously in GCP, AWS and Azure. This ensures business continuity for organizations serving over 100M customers, avoiding a single point of failure and ensuring complete backup capabilities in a failover scenario.
Explore Transmit Security’s platform, which redefines how companies safeguard digital identities and assets, merging customer identity management, identity verification, and fraud prevention into a cohesive strategy.
As a former Gartner research VP and identity, cryptography and cybersecurity visionary, David Mahdi is an industry recognized pioneer and co-founder of the emerging machine identity management market. A top performing analyst, his depth and breadth of coverage made him one of the most demanded industry analysts for clients around the globe.