As an identity security practitioner, it is not news to you that the identity attack surface is exposed. You already know that, despite all your MFA and PAM efforts, adversaries can still access your resources while meeting little to no resistance. Nobody is better placed to know this than you: you are the one accountable for deploying and operating these solutions. But have these insights really reached the decision-makers in your organization?
This new report by Osterman, ‘The State of the Identity Attack Surface: Insights into Critical Security Gaps’ brings for the first time your voice to the forefront. You now have the numbers to back up your concerns.
To gain insight into the actual security posture of the identity attack surface, Osterman Research surveyed close to 650 security practitioners, including Identity Architects, Identity Infrastructure Managers, and Identity Management Managers.
Here are some highlights that emerged from the survey that should not be surprising to you.
- Only 10.7% of organizations manage to get their PAM solutions fully onboarded and working.
- Only 6.7% of organizations manage to implement MFA on all their critical resources.
- Only 5.7% of organizations have full visibility into their service accounts.
This report focuses on the three aspects that build up the resilience of your environment to the malicious use of compromised credentials: MFA, PAM, and service accounts. Let's understand why these were chosen.
It is well known that MFA significantly decreases the likelihood that a compromised credential turns into a successful attack. Even so, it matters how and where MFA is used.
When MFA does not cover the full scope of users and resources under attack, its promise of enhanced security is diminished: an attacker who holds valid credentials can still authenticate to every resource that MFA does not protect, and will naturally pick those. On this basis, partial MFA deployment cannot be considered sufficient to protect the entire identity attack surface.
Implementing a PAM solution is an ongoing challenge with no visible end. Because the deployment process is long and complex, PAM programs often stretch over months or even years, and in many cases never reach their full potential. The reasons include the complexity of the tooling itself and, above all, the low or partial visibility identity teams have into the privileged accounts in their environment, especially machine-to-machine service accounts: an account you cannot see cannot be onboarded.
While most organizations are investing in PAM, few are fully deployed with all privileged accounts onboarded and protected.
The ability to identify which service accounts exist is fundamental to implementing any security control on them. Visibility is what allows subsequent controls to be applied so that service accounts cannot be misused, and it is the organization's responsibility to confirm that the desired protections are actually achieved. Only 32.1% of survey respondents believed they had a high, though still not full, level of visibility into their service accounts.
Service accounts can be compromised just like any other user account in the environment. Unmonitored, highly privileged, and protected by neither MFA nor PAM, they are the ideal target for lateral movement and ransomware spread.
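To make the visibility gap concrete, here is an added example (not code from the report or the original post) that scores a directory export for accounts that behave like service accounts and compares the result with a hand-maintained inventory. It assumes an Active Directory style export (sAMAccountName, servicePrincipalName, userAccountControl, memberOf, observed logon hosts); the heuristics, thresholds, naming hints and the sample accounts are all constructed for illustration and should be tuned to your environment.

```python
"""Heuristic service-account discovery against a directory export.

Added example; the attribute names follow Active Directory conventions and the
scoring rules are illustrative assumptions, not an authoritative definition.
"""
from dataclasses import dataclass, field
from typing import Optional

UF_DONT_EXPIRE_PASSWD = 0x10000      # AD userAccountControl bit: password never expires
UF_NORMAL_ACCOUNT = 0x200            # AD userAccountControl bit: normal user object
NAME_HINTS = ("svc_", "svc-", "_svc", "-svc", "sa_", "app_")   # assumed naming conventions
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Account:
    sam: str
    uac: int = 0
    spns: list = field(default_factory=list)          # servicePrincipalName values
    member_of: list = field(default_factory=list)     # group names
    logon_hosts: list = field(default_factory=list)   # hosts seen in logon telemetry
    description: str = ""


@dataclass
class Finding:
    sam: str
    score: int
    reasons: list
    privileged: bool
    in_inventory: bool


def classify(acct: Account, inventory: set, threshold: int = 2) -> Optional[Finding]:
    """Return a Finding when the account looks like a service account, else None."""
    reasons, score = [], 0
    if acct.spns:                                   # an SPN is the strongest signal
        score += 2
        reasons.append("has SPN(s): " + ", ".join(acct.spns))
    if acct.uac & UF_DONT_EXPIRE_PASSWD:            # humans rotate; service accounts rarely do
        score += 1
        reasons.append("password never expires")
    if any(h in acct.sam.lower() for h in NAME_HINTS):
        score += 1
        reasons.append("service-account naming pattern")
    distinct_hosts = len(set(acct.logon_hosts))     # machine-to-machine accounts fan out
    if distinct_hosts >= 3:
        score += 1
        reasons.append("logs on from %d distinct hosts" % distinct_hosts)
    if score < threshold:
        return None
    known = {name.lower() for name in inventory}
    return Finding(
        sam=acct.sam,
        score=score,
        reasons=reasons,
        privileged=bool(PRIVILEGED_GROUPS & set(acct.member_of)),
        in_inventory=acct.sam.lower() in known,
    )


def visibility_report(accounts, inventory) -> dict:
    """Compare discovered service accounts with the inventory the team believes in."""
    findings = [f for a in accounts if (f := classify(a, inventory)) is not None]
    discovered = sorted(f.sam for f in findings)
    unknown = sorted(f.sam for f in findings if not f.in_inventory)
    privileged_unknown = sorted(f.sam for f in findings if f.privileged and not f.in_inventory)
    # Inventoried accounts never observed: stale entries that still deserve a check.
    inventory_not_seen = sorted(i for i in inventory if i.lower() not in {d.lower() for d in discovered})
    coverage = (len(discovered) - len(unknown)) / len(discovered) if discovered else 1.0
    return {
        "discovered": discovered,
        "unknown": unknown,
        "privileged_unknown": privileged_unknown,
        "inventory_not_seen": inventory_not_seen,
        "coverage": coverage,
        "findings": findings,
    }


# Constructed sample export: five accounts, two of them "hidden" service accounts.
SAMPLE_ACCOUNTS = [
    Account("svc_sql01", uac=UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
            spns=["MSSQLSvc/db01.corp.example:1433"], logon_hosts=["db01", "app01", "app02"]),
    Account("backup-agent", uac=UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
            member_of=["Domain Admins"], logon_hosts=["fs01", "fs02", "fs03", "dc01"]),
    Account("jsmith", uac=UF_NORMAL_ACCOUNT, member_of=["Domain Users"], logon_hosts=["ws-jsmith"]),
    Account("adm_jsmith", uac=UF_NORMAL_ACCOUNT, member_of=["Domain Admins"], logon_hosts=["dc01"]),
    Account("app_ci", uac=UF_NORMAL_ACCOUNT, spns=["HTTP/ci.corp.example"], logon_hosts=["ci01"]),
]
KNOWN_SERVICE_ACCOUNTS = {"svc_sql01", "svc_legacy"}   # constructed inventory

if __name__ == "__main__":
    report = visibility_report(SAMPLE_ACCOUNTS, KNOWN_SERVICE_ACCOUNTS)
    for f in report["findings"]:
        print("%-14s score=%d privileged=%s inventoried=%s  %s"
              % (f.sam, f.score, f.privileged, f.in_inventory, "; ".join(f.reasons)))
    print("inventory coverage: %.0f%%" % (100 * report["coverage"]))
    print("unknown privileged service accounts:", report["privileged_unknown"])
```

On the constructed data the account that matters most, backup-agent, has no SPN and no telltale name, so it only surfaces because it combines a non-expiring password with fan-out logons across four hosts; it is also a Domain Admin and absent from the inventory, which is exactly the kind of account that ends up outside both MFA and PAM. Run the same logic over a real export and the "unknown" and "inventory_not_seen" lists are the starting point for closing the visibility gap.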
Assess your Environment’s Resilience and Take Action Accordingly
Read this report not only to learn what your peers are struggling with, but to benchmark your own environment against the numbers they reported.
Until now it was only you and your team who knew the harsh truth. We hope this report will be the first step in making it common knowledge – the first step towards fixing it.