De-Value Authentication; De-Value the Attack Vector

SOC teams should worry about identity compromise. Not your CEO.

Atul Tulshibagwale, CTO, SGNL
August 28, 2024

In cybersecurity, the most valuable target for attackers remains the credential. Whether it’s a password, a token from Multi-Factor Authentication (MFA), or even a biometric scan, credentials provide that initial, essential access to data and services. Traditional security methods like password protection, MFA, and even the latest passwordless technologies focus on protecting these credentials. However, the true revolution in security comes from devaluing authentication itself.

The Limits of Authentication Methods

Passwords: Quite a bit has been written about the weaknesses of passwords. Passwords are, arguably, the weakest link in the security chain, easily phished, guessed, or stolen. Even complex passwords are frequently compromised through data breaches or sophisticated attacks.

Multi-Factor Authentication (MFA): MFA adds another layer, but it’s not a silver bullet. Attackers can bypass MFA through techniques like phishing or man-in-the-middle attacks. Even the best FIDO-based MFA tools are phishing resistant, not phishing proof. And for non-human identities (NHIs) like service accounts and APIs, MFA isn’t always feasible, leaving significant gaps in security.

Passwordless Solutions: Technologies such as biometrics or hardware tokens aim to remove passwords from the equation. However, they still rely on authenticating the identity, and once these methods are compromised, the credential remains valuable. For instance, raw biometric data, like fingerprints or facial recognition, is inherently immutable—once stolen, it cannot be changed.

Session Theft: Beyond initial authentication, session theft poses a significant threat. After successfully authenticating, attackers may target active sessions by stealing cookies or tokens. Cookie theft allows attackers to hijack a user’s web session, gaining unauthorized access without needing to re-authenticate. Similarly, token theft enables attackers to use stolen tokens to access APIs or services as if they were the legitimate user. These methods bypass authentication entirely by exploiting the trust established during the session, highlighting the need for continuous access evaluation and dynamic permission controls to mitigate the risks associated with compromised sessions.

Shifting the Focus: Devaluing Authentication

Instead of piling more defenses around authentication, we should ensure that even if an identity, credential, or authentication is compromised, the incident can be handled at the SOC level and does not need to involve the leadership team, legal, PR, and finance. To achieve this, the permissions users hold after they log in must be granted and revoked automatically as the tasks they are working on change. Here’s how this can be achieved:

  1. Zero-Standing Privilege (ZSP): ZSP is an access model that ensures that no user—whether human or non-human—retains privileged access to systems and data when it’s not actively needed. In this model, access privileges are dynamically granted only for the duration of a specific task and are immediately revoked once the task is completed. This approach drastically reduces the potential impact of compromised credentials because even if an attacker gains access, there are no standing privileges to exploit.
  2. Continuous Access Evaluation Profile (CAEP): Cloud systems are distributed, and changes to conditions in one location are not always communicated to other systems. CAEP is a standard that enables such communication. The net result is that access can be modulated or entirely removed from live sessions as the conditions that led to that access being granted change.
  3. Contextual and Adaptive Controls: Implementing contextual controls that adjust permissions based on the behavior and risk profile of the user or NHI adds another layer of security. If the system detects unusual activity, it can automatically reduce or revoke permissions, devaluing any compromised credential.
  4. Eliminating Shared Authentication: By moving towards a model where shared credentials (that are often vaulted with check-out and check-in processes) are eliminated, organizations can reduce the attack surface. Temporary, context-based privileges that expire automatically based on specific tasks minimize the value of credentials to attackers.
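As an added illustration of points 1 and 2 (example code, not from the original post or from SGNL): a small Python model of ZSP grants that expire with their task, plus a receiver that applies CAEP session-revoked events, delivered as Security Event Tokens, to live sessions. The token is constructed inline and left unsigned for the demonstration; the issuer URL, e-mail addresses, and scope names are assumptions.

```python
import base64, json, time
from dataclasses import dataclass, field

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"  # OpenID CAEP event type URI

@dataclass
class Grant:
    scope: str          # one task-scoped privilege, e.g. "deploy:prod" (assumed name)
    expires_at: float   # ZSP: the grant lapses on its own when the task window ends

@dataclass
class Session:
    subject: str        # e-mail of the human or NHI behind the session
    grants: list = field(default_factory=list)
    revoked: bool = False

    def effective_scopes(self, now=None):
        """Privileges usable right now: none once revoked, only unexpired grants otherwise."""
        now = time.time() if now is None else now
        return set() if self.revoked else {g.scope for g in self.grants if g.expires_at > now}

def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def build_unsigned_set(email: str, issuer="https://idp.example.test") -> str:
    """Constructed, UNSIGNED Security Event Token carrying a CAEP session-revoked event."""
    header = {"typ": "secevent+jwt", "alg": "none"}
    payload = {
        "iss": issuer, "jti": "constructed-jti-001", "iat": int(time.time()),
        "sub_id": {"format": "email", "email": email},
        "events": {CAEP_SESSION_REVOKED: {"event_timestamp": int(time.time())}},
    }
    return f"{_b64url(header)}.{_b64url(payload)}."

def decode_set_payload(set_jwt: str) -> dict:
    """Decode a compact SET's payload. A real receiver verifies the signature first."""
    payload_b64 = set_jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))

def handle_set(sessions: dict, set_jwt: str) -> list:
    """Apply a CAEP session-revoked event to live sessions; return the subjects revoked."""
    payload = decode_set_payload(set_jwt)
    email = payload.get("sub_id", {}).get("email")
    revoked = []
    if CAEP_SESSION_REVOKED in payload.get("events", {}) and email:
        for session in sessions.values():
            if session.subject == email and not session.revoked:
                session.revoked = True      # live session loses every privilege at once
                revoked.append(session.subject)
    return revoked
```

Run together, the two mechanisms mean a stolen cookie or token buys an attacker only the unexpired grants of one task, and even those vanish the moment the identity provider signals the session as revoked.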

The Non-Human Identity (NHI) Angle

The rise of automation and AI-driven processes has significantly increased the presence and importance of non-human identities (NHIs), which include bots, APIs, and service accounts, within organizations. Unlike human identities, which can be secured with multi-factor authentication (MFA) and passwordless technologies, NHIs are secured using secrets, such as API keys, tokens, and certificates. These secrets are often long-lived and automatically unlocked, making them prime targets for attackers. As NHIs continue to proliferate with the growth of AI and automation, the risk associated with their misuse will only escalate.

Managing NHIs is challenging because they require access to vast amounts of data and often operate without the same environmental bindings that secure human access, such as specific devices or locations. Traditional security measures are less effective here, as NHIs may need continuous access across various systems and environments. This means that simply applying human-centric security strategies, such as MFA, is insufficient. Organizations must adopt specialized strategies for NHIs, focusing on controlling the issuance, storage, and access of secrets that authenticate these identities.

Conclusion

The future of cybersecurity requires that we rethink how access is managed by devaluing authentication itself. By focusing on strategies like ZSP and CAEP, and eliminating shared credentials, organizations can significantly reduce the risks associated with credential compromise. These strategies ensure that even if a credential is stolen, the damage it can cause is minimized through dynamic, real-time adjustments to access permissions.

As attackers evolve their methods, the security industry must evolve its strategies. Shifting focus from solely protecting authentication to rendering it less critical transforms access management from a reactive defense into a proactive security measure. This shift allows organizations to stay ahead of threats, ensuring that access remains secure and manageable regardless of how authentication methods evolve. By devaluing authentication and embracing dynamic, policy-driven access controls, businesses can enhance their security posture while maintaining operational efficiency and resilience.
