Three years after COVID-19 forced federal agencies to crank their modernization dials to warp speed, the proliferation and adoption of new technologies, applications, and network solutions are still continuing to spread throughout the federal government.
Though these technologies have completely transformed federal agencies’ internal and constituent-facing services for the greater good, with each new solution, IoT device, or API that connects to a federal network, a new, potential attack path is created in the agency’s identity supply chain. Malicious cyber actors are consistently and tirelessly seeking out these new additions to federal agencies’ identity supply chains, in hopes of finding network vulnerabilities to attack and exploit.
Quest Software recently held the webinar, “Identity Beyond Borders – Protecting Your Identity Supply Chain,” where Microsoft Principal Product Manager, Shinesa Cambric, explored the topic of identity protection and threat detection in depth. During the event, she explored the evolution of identity supply chains, why federal agencies should care about their third-party partners’ cybersecurity postures, as well as the solutions that can assist the government in automating identity security.
Evolution of identity supply chains
When most people think about identity security, they usually envision the human identities that are behind each connection on a federal network. Cambric explained that through the massive wave of digital transformation that organizations have undergone during the pandemic, identity protection has completely evolved over the last few years, along with new, emerging concepts popping up in the cybersecurity world.
“When I say emerging identity concepts, I mean things like non-human identity, decentralized identity, and even external identities,” said Cambric. “I’ve been around long enough to have seen the transition of identity from being something that’s an afterthought to now being a primary thought.” She explained that the next step in identity cybersecurity is for organizations to transition from reactive security to proactive.
Cambric pointed to a 2022 Identity Defined Security Alliance whitepaper that demonstrated why organizations should begin taking a proactive approach. According to the whitepaper, 98 percent of organizations reported that they experienced a significant increase of identities on their networks. She explained that the substantial rise of identities stemmed from an increase in the number of cloud applications organizations are adopting, an increase in APIs that are connecting to the networks, and an increase in third-party providers that connect to an organization’s network.
“Think about things like managed service providers, cloud solution providers, and also a spike in machine identities, such as bots and IoT devices,” said Cambric. “These things highlight the importance and the impact of how digital identity is evolving. It’s no longer just about human identities.”
Through the explosion of IoT devices and API bots connecting and working on a federal agency’s network, the idea of identity has now evolved. “With these changes and evolution, attacks are also evolving,” explained Cambric. “Salt Security Research found that there had been a 200 percent increase in attacks against APIs in 2020.”
Who is on the other side of the connection?
“We have to start thinking about this as ‘who’ or ‘what’ is on the other side of a connection, versus a human identity,” explained Cambric. “And then we start thinking about the concept of an identity supply chain.”
But what is an identity supply chain, exactly? Cambric detailed how an organization’s identity supply chain is comprised of the organization’s infrastructure, which encompasses its identity providers, whether that be a SaaS solution or something on-premises. The next ingredient in the identity supply chain recipe is an agency’s integration with APIs. “So, who are you connected to,” said Cambric. “Who’s connected to you?”
The last ingredient pertains to the outside identities that have access to a government agency’s network. “This includes devices, partners, suppliers and employees,” said Cambric. “And then think beyond that. We need to consider third-, fourth-, and fifth-party vendors and suppliers. What are those indirect connections to your environment?”
Cambric reported that at Microsoft, they have found that malicious cyber actors are exploiting these “trusted relationships” between an organization and outside parties. She explained that sometimes hackers can exploit vulnerabilities in an organization’s network, but with the intention of gaining access to other organizations, businesses, and vendors farther down your identity supply chain.
“Think about six degrees of separation,” said Cambric. “They’ll start at one end in order to get to somebody else that’s towards another end. So, attacks may be through you. They could be to you. That’s why it’s important to understand what are the components within that identity supply chain.”
Cambric then cautioned organizations about putting blind trust in their outside vendors. “History shows that we can’t afford to assume that the people that you’re connected to, and the entities that you’re connected to, have a strong security posture,” warned Cambric. “We need to abide by the tenants of ‘never trust, always verify.’”
Azure AD Identity Protection
When looking at the scope of identity security and the plethora of potential attack vectors that cyber criminals can exploit, identity cybersecurity can seem like a near-impossible task. Thankfully, Cambric explained that there are solutions that government agencies can employ that can automate much of the legwork for identity supply chain protection and threat detection.
Solutions, like Azure AD Identity Protection, can provide federal agencies with a complete overview of their identity risk posture that enable agencies to take the appropriate steps to remediate potential risks. “Identity Protection has the ability to assess sign-in and behavioral risk, using AI/ML detections,” said Cambric. “From there, you can take those insights and apply those to policies, so that you can take action to protect your environment. This allows you to assess risk. But along with assessing risk, building those policies for both internal and external identities.”
To watch this Quest Software webinar in its entirety, click HERE.
