Last week, a U.S. federal government employee and Air National Guardsman named Jack Teixeira was alleged to have exploited his Top Secret clearance and leaked dozens of internal Pentagon documents to a Discord server, including sensitive information related to the Russia-Ukraine war.
The breach is a classic example of a malicious insider attack, where a privileged user decides to exfiltrate valuable information. It also highlights that organizations need to act under the assumption that any employee or contractor can decide to leak data assets at any time.
In fact, research shows that insider threats are incredibly common. Cyberhaven found that nearly one in 10 employees (9.4%) will exfiltrate data over a six-month period, with customer data (44.6% of incidents) and source code (13.8%) being the most common assets leaked.
“Privileged users often maintain an overabundance of standing access to critical systems and sensitive data, which, if excessive or unnecessary, can expose organizations to data leaks,” said Geoff Cairns, Forrester principal analyst. For this reason, “identity management is critical to preventing identity sprawl and enforcing the principle of least privilege.”
However, for Accel-backed data security startup Veza, security teams need to go well beyond identity management to mitigate the risks caused by malicious insiders; they need granular visibility into human and machine identities throughout the enterprise and what data these identities have access to.
Unveiling the identity-to-data relationship
Traditional identity management is about establishing a process for authenticating users before they can access assets. While this approach is essential to enterprise security, it’s not always clear what data an individual has access to, particularly when the average user has over 30 digital identities.
“We call it the identity iceberg,” said Tarun Thakur, CEO of Veza, in an exclusive interview with VentureBeat. “This observation that we have had since we founded the company is really the problem statement of who has access to what and what can they do? Organizations don’t have an answer to that question.”
With modern enterprises maintaining an average of 254 applications, it’s difficult to achieve granular visibility into the actual data assets a given identity or account can access.
“Using Nike as an example,” Thakur began, “we can see [for example a user named] Gillian belongs to Nike, and our username Gillian or Gillian@nike.com. But what can Gillian do? What can she read? What can she delete? What can she update?”
Veza’s answer to the challenge of data visibility was to create an AI/ML model engine to ingest role-based access control (RBAC) metadata from hundreds of apps to build an identity threat graph.
The graph highlights the identity-to-data relationship, showing, for each human or machine identity, which assets it can access and which actions it can perform (e.g. whether it holds read or write permissions). Once this information is discovered, security teams can control authorization and app permissions from a single location and reduce their organizations’ exposure to malicious insiders.
This approach differs from traditional identity management tools like SailPoint and Okta because it is based on surfacing the relationship between identities and data access and defining controls on it, rather than on hardening the identity perimeter against threat actors with single sign-on (SSO) or adaptive, risk-based authentication.
The role of privileged access management
Mapping human and machine identities is just one step on the road toward enforcing zero-trust access at the data level, as organizations also need to implement access controls to minimize the risk of data leakage. This starts by implementing what Michael Kelley, senior director analyst at Gartner, calls “the principle of least privilege.”
The principle of least privilege means that “only the right person has the right level of access, for the right reason, to the right resource, at the right time,” Kelley said. Each employee only has access to the files and resources necessary to perform their function, nothing more.
Veza and identity-data mapping more generally give organizations the ability to see privileges at the data level, so there is no ambiguity about what a user holds and less risk of granting over-privileged access.
That said, Kelley argues that organizations that want to mitigate account takeover need to go beyond implementing the principle of least privilege: “companies must then mitigate the risk of privileged accounts through PAM [privileged access management] practices,” Kelley said.
In practice, that means discovering accounts with privilege, identifying persons or machines with access to the accounts, and then discovering the extent of access held by that account.
Once these high-value privileged accounts are identified, they can be locked inside a single vault with a PAM solution. This enables authorized users to log in to the account to access data assets, while the security team audits and monitors their activity to make sure no harmful activity, such as data exfiltration, takes place.
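The two steps the article describes, building an identity-to-data graph from RBAC metadata (the "what can Gillian do?" question) and then discovering which accounts hold privileged rights for PAM, can be shown in a small example. The code below is an added illustration written for this article, not Veza's product, engine or API. The identities, groups, roles and resources are constructed sample metadata, named for illustration only, and the nested-group model is an assumption about how an application exports its RBAC data. It walks group nesting to compute each identity's effective access, answers "who can do X to Y", flags identities with destructive rights on sensitive data, and reports standing access that exceeds an approved baseline (the least-privilege check).

```python
from collections import defaultdict, deque


class AccessGraph:
    """Identity -> group -> role -> (action, resource) graph built from exported RBAC metadata."""

    def __init__(self, identities, group_roles, role_permissions, sensitive):
        self.identities = identities          # identity -> {"type": ..., "groups": [...]}
        self.group_roles = group_roles        # group -> {"roles": [...], "groups": [nested groups]}
        self.role_permissions = role_permissions  # role -> [(action, resource), ...]
        self.sensitive = set(sensitive)       # resources that count as sensitive data

    def effective_roles(self, identity):
        """BFS over nested groups; the seen-set also guards against group cycles."""
        seen, roles = set(), set()
        queue = deque(self.identities[identity]["groups"])
        while queue:
            group = queue.popleft()
            if group in seen:
                continue
            seen.add(group)
            entry = self.group_roles.get(group, {"roles": [], "groups": []})
            roles.update(entry["roles"])
            queue.extend(entry["groups"])
        return roles

    def effective_access(self, identity):
        """resource -> set(actions): the answer to 'what can this identity do?'."""
        access = defaultdict(set)
        for role in self.effective_roles(identity):
            for action, resource in self.role_permissions.get(role, []):
                access[resource].add(action)
        return dict(access)

    def who_can(self, action, resource):
        """Reverse query: every identity (human or machine) able to perform action on resource."""
        return sorted(i for i in self.identities
                      if action in self.effective_access(i).get(resource, set()))

    def privileged_identities(self, privileged_actions=("update", "delete")):
        """PAM discovery: identities holding destructive rights on sensitive resources."""
        wanted = set(privileged_actions)
        found = {}
        for identity in self.identities:
            hits = {r: a & wanted for r, a in self.effective_access(identity).items()
                    if r in self.sensitive and a & wanted}
            if hits:
                found[identity] = hits
        return found

    def excess_access(self, identity, approved):
        """Least-privilege check: standing access beyond the approved baseline for this identity."""
        excess = {}
        for resource, actions in self.effective_access(identity).items():
            extra = actions - approved.get(resource, set())
            if extra:
                excess[resource] = extra
        return excess


# Constructed sample metadata (hypothetical names; not real organisational data).
IDENTITIES = {
    "gillian@example.com":   {"type": "human",   "groups": ["retail-analytics"]},
    "svc-etl":               {"type": "machine", "groups": ["data-platform"]},
    "admin-bob@example.com": {"type": "human",   "groups": ["platform-admins"]},
}
GROUP_ROLES = {
    "retail-analytics": {"roles": ["reader"], "groups": []},
    "data-platform":    {"roles": ["writer"], "groups": ["retail-analytics"]},
    "platform-admins":  {"roles": ["admin"],  "groups": ["data-platform"]},
}
ROLE_PERMISSIONS = {
    "reader": [("read", "warehouse.customers"), ("read", "warehouse.orders")],
    "writer": [("update", "warehouse.orders"), ("read", "repo.pricing-engine")],
    "admin":  [("delete", "warehouse.customers"), ("update", "repo.pricing-engine")],
}
GRAPH = AccessGraph(IDENTITIES, GROUP_ROLES, ROLE_PERMISSIONS,
                    sensitive={"warehouse.customers", "repo.pricing-engine"})

if __name__ == "__main__":
    print("gillian can:", GRAPH.effective_access("gillian@example.com"))
    print("who can update orders:", GRAPH.who_can("update", "warehouse.orders"))
    print("privileged for PAM vaulting:", GRAPH.privileged_identities())
    # The ETL service account only needs to read and update orders; everything else is inherited sprawl.
    print("svc-etl excess:", GRAPH.excess_access("svc-etl", {"warehouse.orders": {"read", "update"}}))
```

The `excess_access` result for the service account is the interesting output: through group nesting it inherits read access to customer data and the pricing repository that its job never required, which is exactly the kind of standing access the analysts quoted above describe. The `privileged_identities` list is the candidate set a PAM programme would vault and monitor.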
The decision whether to incorporate identity management, PAM, or identity-data mapping should be based on an organization’s specific needs.
For cloud-native organizations or those operating in a hybrid cloud environment, automated mapping is critical for getting visibility over human and machine identities that exist in a decentralized environment, as is implementing authorization controls at the data level.