Security was always Identity-First: we just didn’t know to call it that
by Paul Lanzi, on Jul 12, 2022
Northcoast Internet, the Internet Service Provider where I got my start working in technology, had a number of public-use internet terminals (remember those?!) in the front area of our small office’s storefront. It provided a way for folks without computers — or without their own home internet connection — to check email or do other online activities. Located in Humboldt County, California — a very rural part of the state, but along the scenic Redwood Highway — we had a fair number of travelers stop by to use these computers for an hour or two. We didn’t have any kind of sophisticated automation to clean up the computers after each person used them, so it was the duty of whoever was working the storefront (usually: me) to remove any weird software that had been installed and reboot them after each user’s session.
One time, I went to reboot the computer and I noticed that the person who had last used it had left themselves logged into everything — email, financial account, even their AAA account. It occurred to me — not for the first time — that being logged in as a user means you ARE that user. Even without knowing the user’s password, the computer — and all of the connected systems — considered me (or anyone else sitting in front of it) completely authenticated and authorized to transact as that user. The primary security — in fact, the ONLY security — protecting that user was their identity information.
Being a responsible person, I logged out of their accounts, cleared the browser’s cookies and rebooted the computer. And while this particular episode happened in 1998, it just as easily could have happened in 2008 or 2018, and sadly, likely in 2028 too. We often hear talk about “identity is the new perimeter”, and identity is indeed filling an increasingly important role in corporate/enterprise information security systems that used to be overly reliant on network security protections. However, it’s important to understand that identity has been THE security control for online access to SaaS systems since long before we had a name for them. The number of solutions — both internet-facing and internal to corporate networks — secured with nothing more than a username and password is stunning, and provides a trivial vector that attackers exploit every moment of every day.
That ease of exploitation is one reason why those in the information security industry welcome Microsoft’s decision to disable basic authentication for Outlook / Exchange Online. Starting October 1, 2022, every single Microsoft 365 tenant will be significantly more secure, through the enforced use of multi-factor authentication and “modern authentication”. No doubt this is a disruptive change for enterprises that have scripted solutions to send/receive email, or that use old apps which can’t or won’t be updated to accommodate the security change. But at the end of the day, the number of compromised O365 accounts should diminish significantly as the identity security for these accounts improves.
While the improvement to O365 account security can’t be overstated, there remains another important class of accounts that are still largely authenticated with only a username and password today: privileged computer / domain accounts. We still find that, on average, more than 400 accounts have 24/7 privileged access to the typical laptop, desktop or virtual server in the corporate settings where we run a SecureONE Health Check. Every one of those 400+ accounts is authenticated with only a username and password — and the usernames are often already known to potential attackers. Bringing multi-factor authentication to those accounts is exactly why we created Remediant. Identity is at the forefront of securing access — it always has been — and we can make securing those identities easier still with our Just in Time Access approach.
As I walked the halls of Identiverse 2022 a few weeks ago, it struck me that security has always been Identity First — from the very first computer accounts to the O365 accounts now being secured with modern authentication — we just didn’t know to call it that!