In today's digital landscape, where enterprises are increasingly investing in digital transformation and migrating to the cloud, identity security is profoundly evolving.
With the rapid adoption of cloud technologies and the consolidation of IT and OT environments, the idea of perimeters has become obsolete. In reality, identity is no longer just a component of security. It is the very battleground where attacks take place – identity is the attack surface.
With the sheer volume of human and machine identities being created – machine identities outnumber human identities by a staggering 45 to 1 ratio – this expanding identity landscape has created a vast attack surface, ripe with opportunities for malicious actors.
According to our recent 2023 CyberArk Identity Security Threat Landscape report, 98% of organisations anticipated suffering identity-related compromises this year, and credential access remains a critical area of risk for 39% of organisations in Australia.
The proliferation of identities, compounded by the fact that machine identities have more access to sensitive data than their human counterparts (48% vs. 39%), presents a significant challenge. This combination, alongside attackers’ relentless innovation, escalates cybersecurity risks and, consequently, the frequency of attacks. In the last financial year, the ACSC received more than 76,000 cyberattack reports – an increase of nearly 13 percent from the previous year.
Identifying gaps and investment priorities in identity security is therefore essential – but it must be paired with a strong cybersecurity culture fostered within the organisation.
Managing Human Identities – Employees and third-party identities
A robust cybersecurity strategy and the right technology investments are essential, but their effectiveness hinges on the understanding and commitment of both employees and third-party users to cybersecurity best practices.
Management plays a pivotal role in this equation. They are responsible for establishing a cybersecurity culture by setting the right example through secure practices. Furthermore, they must define processes that proactively identify and address risky behaviors, fostering cross-functional collaboration to fortify the organisation's security posture.
Education is, of course, one piece of the puzzle. Implementing Privileged Access Management (PAM) or a zero trust model is a foundational component of a company’s cybersecurity strategy to improve its security posture and better manage the ‘human risk’ element.
Its definition is evolving, though, as different environments require different security methods. In the cloud, a strong foundation is essential to gain full end-to-end control and visibility over PAM.
One of the challenges here is that the rapid nature of digital transformation has meant security has often not kept pace. Organisations had 20 years to figure out how to protect the on-premise world – they had a standard blueprint. Since the pandemic hit, there has been widespread adoption of cloud and DevOps, and organisations have had to adapt fast, the downside being they didn’t have 20 years to figure out how to secure these identities.
Managing new attacker methods
Despite the ever-evolving tech landscape, attack paths remain remarkably consistent. The identity security attack chain is the well-trodden path malicious actors follow to compromise identities and execute their endgame. Credentials are stolen, adversaries move laterally to acquire more credentials, and then escalate and abuse the privileges they gain.
Yet, the attacker's opportunity is fueled by constant innovation. The cybersecurity landscape is grappling with an expanding attack vector, and recent research from CyberArk Lab highlights the unsettling possibility of AI tools being used to amplify cyber risks significantly. The advent and widespread accessibility of AI-based tools has led to emerging trends such as generative AI attacks, deep fakes, bypassing biometrics, polymorphic malware, and cascading supply chain attacks.
The democratisation of AI tools is expected to usher in a new era where rookie threat actors can easily leverage AI to identify vulnerabilities swiftly and potentially orchestrate ransomware attacks. These tools will assess network architecture and autonomously adapt to avoid detection, setting the stage for a looming battle between human and artificial intelligence.
Whilst these tools also enable cybersecurity experts to strategically plan their defenses against cyberattacks, the downside is that the threats from AI-based tools are too manifold and extensive for any company, no matter its size, to tackle on its own. For example, 89% of security professionals surveyed as part of the 2023 CyberArk Identity Security Threat Landscape report expected AI-enabled threats to affect their organisation in 2023, with AI-powered malware cited as the number one concern.
If ChatGPT and other similar AI-based tools are used to weaponise vulnerabilities by creating sophisticated polymorphic malware, then the first thing any organisation must do is to protect all its resources by securing any identity – human and machine. After all, the first and last line of defense against malware or phishing is securing access for all identities. And these trends underscore the need for proactive cybersecurity measures.
To combat innovation with innovation, the future of identity security lies in the concept of zero trust. It revolves around continuously verifying identities and adding multiple layers of security as the environment evolves.
Even setting these new trends aside, organisations have a renewed urgency to improve their cybersecurity posture and core security practices: the legal and regulatory implications that may ensue should they be found non-compliant with the Australian Critical Infrastructure Risk Management Program.
No sector of the Australian economy is immune from the impacts of cyberattacks. However, critical infrastructure industries are under even more scrutiny, as cyberattacks on critical infrastructure are detrimental to the public trust and have a significant impact on the social and economic well-being of the country, as discussed in the recent CyberArk whitepaper “Addressing Australia’s Security of Critical Infrastructure Act”. Among other things, compromising critical infrastructure affects the country’s ability to conduct national defence and maintain national security.
Ultimately, securing all identities is essential to achieving consistent risk reduction, a vital compliance element, in alignment with Government requirements.
In this ever-changing digital landscape, understanding the evolving nature of identity security and staying ahead of emerging trends is not just an option; it's a necessity. Only by embracing innovative approaches can organisations hope to navigate the intricate web of identity security and protect their valuable assets in an era of constant change.
To access even more insights on why it’s time to embrace the protection of Identity Security, as well as resources for organisations operating in critical infrastructure industries, visit CyberArk’s website.