Identities: The New Enterprise Perimeter

Written by Lior Yaari, Cofounder and CEO of Grip Security.

Originally published on Forbes.

In cybersecurity, the enterprise perimeter is the point where a company’s defenses begin. In the past, this was a physical perimeter defined by the company’s network, or a managed endpoint when the employee was working remotely. Both network and endpoint cybersecurity have made tremendous advancements, which have reduced the number of breaches from successful attacks of these two attack vectors.

When the industry entered the age of SaaS, this also redefined cybersecurity by making identities the new enterprise perimeter. Employees experienced a productivity boom by leveraging thousands of apps that can help them do their jobs. With just an email address, users could create a free account and start using a tool immediately. There was no need to go through cybersecurity or a lengthy purchase justification process because most apps offered a free version or something that could be purchased on a credit card and expensed. Sometimes, these apps were used just one time, and others are used on an ongoing basis.

This explosion of SaaS adoption, however, led to unprecedented identity sprawl with some employees creating hundreds of SaaS accounts over the time. Most of these accounts are created with just an email and password, and this has now become the new perimeter for the modern enterprise.

“Hackers Don’t Break In. They Log In.”

The unfortunate side effect of this development is that, with the right password, a hacker can data or transfer money and go undetected for a longer period than previously possible. This has created huge risks for companies as employees use confidential and sensitive data on these unsanctioned SaaS apps. Securing sensitive or confidential data across thousands of apps on the internet is a near impossible task.

The primary defense for these SaaS accounts is the user’s password. The problems with passwords are well known, and nearly everybody is guilty of poor password security. Some examples of poor password practices are:

• Using the same password for personal and work accounts.
• Reusing the same password for multiple accounts.
• Using simple passwords that can be easily guessed.
• Resetting passwords that are known to have been compromised.

Companies have yet to programmatically focus on this new enterprise perimeter because current SaaS security solutions are not able to discover and secure SaaS accounts where the company does not control the endpoint, authentication method or network connection. Today’s solutions were designed to protect a perimeter that was well-defined and always known. Identities were managed by identifying the SaaS app and ensuring that access was tightly controlled and monitored. Endpoints and devices were secured through VPNs or, more recently, zero trust frameworks. This approach does not work when employees are using new SaaS apps almost daily, and the cybersecurity team is unaware that accounts are being created.

In short, hackers realized that stealing log-ins and passwords was an easier method to bypass a company’s defenses than trying to compromise a fortified endpoint or network node. Unlike other defense mechanisms, passwords are mostly set by humans, and this makes it prone to errors or insecure practices. The recent spate of high-profile SaaS breaches highlights how hackers have penetrated enterprises through credential theft, including these attacks:

• Uber: Hackers used social engineering to trick employees into providing passwords.
• LastPass: Hackers infiltrated the company’s network through a compromised developer account.
• Rockstar Games: Hacker gained access to confidential files using compromised credentials.

Simple Solution: Remove The Human Element Of Passwords

There are two primary reasons that hackers can steal passwords so easily:

1. Humans create passwords.
2. Humans are easily tricked into divulging them.

Removing the burden of creating and managing passwords from users can eliminate the problems with identities protected by human-created passwords. One way to achieve this is to use password managers that take control of the authentication process and not reveal passwords to the user. Other options include hardware-based keys or biometric signatures.

Whichever method is used, the authentication method needs to be able to control the password used. If it is set by something other than the passwordless system, it would need to be reset so that the user cannot access the account. This enforcement mechanism is what many solutions are unable to achieve.

Eliminating the human element of passwords has other benefits. Users can no longer be phished, smished or fall for any number of attacks where they inadvertently expose their credentials. Furthermore, password hygiene can be automated by rotating passwords or resetting passwords when there is a known breach, which provides another layer of security.

Conclusion

With passwords having such a big role in enterprise security, the employees have a tremendous burden to bear as the first line of defense. Unfortunately, the spate of breaches demonstrates that they are vulnerable and often succumb to the increasingly sophisticated attacks. Since passwords are the root of the problem, organizations must develop a strategy to relieve employees from the burden of managing them, otherwise the new enterprise perimeter might not have the defense it needs.