Last year, Facebook made headlines the worst way possible, admitting that up to 50 million of its accounts were hacked. Unlike the Equifax and British Airways breaches, no credit card numbers or similar information was lost, and the story soon faded from memory. Which is too bad, because the hacking method wasn’t some exotic zero-day vulnerability or injection of a malicious script. It was a simple assault on an Identity and Asset Management (IAM) solution.
As Thomas Brewster explains in great detail, the hack involved stealing OAuth bearer tokens by manipulating Facebook’s “View As” feature and then raiding not only Facebook’s data, but also the data of any application that could be accessed by a Facebook account. While Facebook has survived the bad publicity, this case reveals a simple fact: Cybersecurity is an IAM issue.
Turning our attention back to the Enterprise, security depends on user identities being checked and users being provisioned and deprovisioned correctly. If a network allows any unseen user to access it with just an email address/password pair, then a flood of fake accounts will follow.
If provisioning and deprovisioning are not automated in sync with Authorization, then hackers can exploit the permissions granted by the provisioning aspect of IAM. These issues can be overcome - but they point to some of the cybersecurity aspects of IAM.
Today’s IAM cybersecurity challenge has two main causes:
IAM has always had to balance between security and user convenience. Jokes about the complexity of passwords are as old as the Internet and even in 2016, with the cloud being a clear market force, 23% of IT personnel reported that user convenience overrode security concerns in their IAM system. That tension is still there, with numerous companies attempting to make IAM as painless as possible for legitimate users.
These issues have grown more acute with businesses operating on the cloud and users accessing both the cloud and physical networks via a wide variety of devices. These changes have altered the entire concept of “inside/outside” a network, meaning that a key concept in IAM theory must be rethought. Additionally, the rapid growth in cloud-based B2B companies has created new IAM needs, such as Access Delegation. All in all, as Ben Canner notes, identity remains a serious security parameter.
Although the Facebook case may not have caused direct financial damage, some figures about breaches and IAM put the issue into perspective. During the 15 months between January 1, 2018 and March 31, 2019:
This, during those 15 months alone. IAM security issues resulted in approximately 18 billion records being exposed at a staggering cost of $200 billion.
There is, however, a solution. Canner argues that granular Authorization which “activates only when users request access to sensitive databases or assets” achieves the golden mean between security and user experience. This type of Authorization can be supplied by both Attribute-Based Access Control (ABAC) and Policy-Based Access Control (PBAC). Both access management solutions can base access on environmental factors such as time of day or location. For example, having one Authorization policy for a user working on-campus during regular work hours and another for the same user working off-campus at 2 AM. .
PBAC, however, has a number of major advantages over ABAC. PBAC supports creating policy statements in natural language, while ABAC requires computer languages such as eXtensible Access Control Markup Language (XACML). This makes it harder for ABAC rules to be created or changed, limiting flexibility and increasing response time. It also tends to keep decisions about Authorization policy in IT’s hands instead of management’s, when the opposite should be true.
It should be noted that when implemented correctly, PBAC solutions can make existing IAM simpler by reducing roles and writing simpler but more inclusive policy statements.
PlainID specializes in implementing PBAC systems to harden your company’s cybersecurity without placing too great a burden on users. The PlainID SmartAuthorization platform is a complete IAM solution. It enables you to quickly implement fine-grained Authorization policies that are fully integrated with provisioning and deprovisioning, reducing the risk of any identity-based attack. PlainID’s solution can incorporate existing IAM solutions, but also can greatly simplify them, as we did recently, when we reduced a customer’s set of roles from over 1,000 to approximately 50, saving them a great deal of time, effort, and money.
Ready to find out more? Click here to schedule a demo with a member of the PlainID team.