Security is clearly top of mind these days in the enterprise, and over the last few years we have seen both a lot of excitement and a lot of purchasing of “next generation firewalls” (NGFs) and solutions that address “advanced persistent threats” (APTs). So in years past, the mindshare and walletshare in security was with vendors such as Symantec, McAfee, Check Point, etc. But today in security, the mindshare and the most rapidly growing security vendors are the new kids on the block — Palo Alto Networks and FireEye — who are riding the NGF and APT trains respectively. Which is great, as the security market was in some serious need of innovation and disruption, especially in light of how attacks have evolved. But the interesting thing is that with all the talk about NGFs and APTs, I think there has been an under-appreciation for the core cause of all these nasty data breaches that have been making the headlines — compromised credentials.
The 2013 Verizon Data Breach Investigations Report highlighted that 75% of breaches came from compromised credentials (i.e. stolen user IDs and passwords). But what about the most recent calendar year? The Verizon report covering 2014 notes that “the year 2014 saw the term ‘data breach’ become part of the broader public vernacular with The New York Times devoting more than 700 articles related to data breaches, versus fewer than 125 the previous year.” Were compromised credentials also the biggest source of breaches that year? The answer is yes. Quotes from the report that back that up include the following:
“As always, compromised credentials, whether they were obtained through phishing, spyware or brute-force methods, played a major role in many data breaches.”
“Pulling back from a single industry view, we find that most of the attacks make use of stolen credentials.”
“While we have tried to refrain from best practices advice this year, there’s no getting around the fact that credentials are literally the keys to the digital kingdom.”
In other words, users’ identity is what the bad guys are after, and stolen digital identities are the means by which the vast majority of data breaches occur.
I think we all, as end users, have gotten a “phishy” email that looked to come from a friend or a financial institution. As the Verizon report notes, a common sequence is “phish customer = get credentials = abuse web application = empty bank/bitcoin account.”
At the same time, hackers are also realizing that some usernames and passwords are worth more than others, namely the passwords of privileged accounts. Privileged accounts are the credentials that have “root” and/or “admin” privileges on critical infrastructure, apps and data. Why hack one user’s email account when, by hacking the account of an organization’s email admin, you get access to all of the users’ email accounts? [I wrote about this in more detail in a recent blog on Forbes.]
So it is not surprising that, when you look at the nature of most of the hacks, they are in fact going after end users’ and/or privileged users’ identities, as shown by the “ripped from the headlines” quotes below, with the theft of passwords for privileged accounts (which are often generic accounts shared by IT personnel) having far more serious consequences.
OK, so protecting users and their identities is very, very important. Got it. But there is a complication: the world of IT is becoming more “de-perimeterized” because of cloud and mobile, which also facilitates “shadow IT.” So it is actually getting harder to figure out where you have privileged accounts, and the number of privileged accounts grows with each new cloud-based app and server. At the same time, end users are increasingly drowning in a sea of passwords for all the new SaaS apps they have been given access to.
This whole shift to cloud and mobile is actually a very interesting development vis-à-vis traditional security approaches. In a world where users are increasingly using mobile devices off the corporate network (Gartner actually projects that in a few years over 25% of corporate traffic will be off the corporate network) to access cloud-based apps, it is clear that many of the traditional ways of doing security are no longer applicable. For example, you don’t put antivirus on your iPad, and while using that iPad at a Starbucks in Palo Alto to access Salesforce.com, you are not passing through a corporate firewall at all.
So what can you (and should you) secure in this cloud and mobile world? I think the focus in this new world shifts to securing the user and their identity, e.g. is it really Tom Kemp using that iPad talking to Salesforce? Should we not require Multi-Factor Authentication (MFA) to verify it is really me? And what if five minutes later Tom Kemp is accessing Salesforce from, say, China, when five minutes before he was in Palo Alto — should we not disable that user account? And so on.
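The “Palo Alto, then China five minutes later” scenario above is what SOC tooling usually calls an impossible-travel check. Here is an added example of that check, written for this post and not code from the original article or any vendor product: it groups authentication events per user, computes the great-circle distance between consecutive logins, and flags any pair whose implied speed exceeds what a commercial flight could cover. The 900 km/h ceiling, the 50 km floor (to absorb GeoIP jitter), the `Login` record layout, the user names and the coordinates in `SAMPLE_LOGINS` are all assumptions constructed for the example.

```python
"""Impossible-travel check over authentication events (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption: nothing legitimately moves a user faster than a commercial jet.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
# Assumption: below this distance, GeoIP jitter alone can explain the move.
MIN_DISTANCE_KM = 50.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime          # timezone-aware UTC timestamp
    lat: float
    lon: float
    place: str            # label from the GeoIP lookup, used in the alert text


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def implied_speed_kmh(prev, cur):
    """Speed the user would have needed to get from prev to cur.
    Returns 0.0 for moves shorter than MIN_DISTANCE_KM and inf when a
    real distance is covered in zero (or negative) elapsed time."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if dist < MIN_DISTANCE_KM:
        return 0.0
    if hours <= 0:
        return float("inf")
    return dist / hours


def find_impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one alert dict per consecutive login pair (per user, ordered
    by time) whose implied speed exceeds max_speed_kmh."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": prev.place,
                    "to": cur.place,
                    "minutes": (cur.ts - prev.ts).total_seconds() / 60.0,
                    "speed_kmh": speed,
                    # Force MFA / revoke sessions first; an analyst then
                    # decides whether the account should be disabled.
                    "action": "step_up_mfa_and_review",
                })
    return alerts


def _t(s):
    """Parse a naive ISO-8601 string as UTC (sample data helper)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: approximate city-centre coordinates, not real logs.
SAMPLE_LOGINS = [
    Login("tkemp", _t("2015-03-02T09:00:00"), 37.4419, -122.1430, "Palo Alto, US"),
    Login("tkemp", _t("2015-03-02T09:05:00"), 31.2304, 121.4737, "Shanghai, CN"),
    Login("tkemp", _t("2015-03-02T12:05:00"), 31.2304, 121.4737, "Shanghai, CN"),
    Login("jdoe", _t("2015-03-02T08:30:00"), 37.4419, -122.1430, "Palo Alto, US"),
    Login("jdoe", _t("2015-03-02T11:30:00"), 34.0522, -118.2437, "Los Angeles, US"),
]

if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_LOGINS):
        print(f"{a['user']}: {a['from']} -> {a['to']} in {a['minutes']:.0f} min "
              f"(~{a['speed_kmh']:.0f} km/h) -> {a['action']}")
```

Run as-is it flags only the Palo Alto to Shanghai pair (roughly 9,900 km in five minutes); the Palo Alto to Los Angeles pair three hours apart implies about 170 km/h and passes. Two caveats a practitioner would add before wiring this to an automatic disable: GeoIP places VPN egress points, mobile-carrier NAT pools and cloud proxies wherever the provider’s range is registered, so the first response is usually step-up MFA and session revocation rather than lockout, and the 900 km/h ceiling should be tuned against a baseline of the organization’s own login history.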
To me it is clear that the continued use of compromised identities as the attack vector in breaches, AND the increasing focus on securing the user in an increasingly cloud and mobile world, are the two main reasons that I see identity as the “new perimeter” that needs to be secured. The old perimeter in security was about securing the ingress and egress points into the corporate network. With those points dissolving, the focus must shift to the user, especially in light of the fact that more attacks are happening against users and their identities.
And this is now being reflected in market statistics. The chart below shows the most rapidly growing market segments within security. Lo and behold, identity is actually the fastest growing segment within security, growing at 10%.
And if you look at the top “intend to spends” of CISOs, identity is usually near the top of the list. Here is a snippet from a Nomura survey of CISOs from mid-2014:
Will identity be the next big wave in security after NGFs and APTs? I think if you connect the dots between the Verizon Data Breach report, the paradigm shift to cloud and mobile, the market stats regarding the fastest growing segments within security, and the top intend-to-spends, it is increasingly looking to be the case. The old way of securing the world has changed, and the new perimeter in security is identity.