03-07-2025
5 Common Mistakes In Identity Security, And How To Fix Them
Identity security is more vital than ever. Morey J. Haber reveals key oversights companies make and offers solutions to reduce risks and prevent breaches.
A modern organization carries so much IT complexity that threat actors no longer favor traditional hacking; they prefer to log in. Identities are therefore the primary attack vector, and the protection of credentials and secrets must be given the same priority as vulnerability and patch management.
A report from June 2024 claimed 99% of UAE-based organizations experienced 'two or more identity-related breaches' in the preceding year. Organizations can no longer ignore the need for identity security in the face of an increasingly sophisticated threat landscape. A risk-management approach to identity and access management will be critical if enterprises are to take control of the entire life-cycle of their identity tools and their cross-vendor integration. This approach can uncover flaws buried in workflows and solutions that have been in production for years. If those legacy problems persist in the current threat climate, a breach may be only a matter of time. Identity security has to be treated as part of everyday operations.
In establishing stronger identity security and management, it is advisable to account for the most common errors first. Consider the top five of them:
1. Ownership
An identity in the digital realm belongs either to a human or to a machine, and each identity is exercised through one or more accounts. Humans may own several accounts; machine identities, which include service accounts, integration credentials, cloud secrets and every other form of machine-to-machine login, must always have a named human assigned as their owner. Any operation or session that requires authentication should be covered by identity management.
A common mistake is to leave the ownership of machine accounts out of what is monitored and managed. In many cases the owners of service accounts, cloud-based secrets or integration credentials are simply not documented, so the business does not know who is responsible for them. When an incident involves such an account, nobody can say what it is for, whether it is still needed, or who may approve disabling it or rotating its credentials, and response is delayed while that is worked out. The risk is mitigated by recording an owner for every machine identity and by regularly reviewing those records for accuracy, which matters most in dynamic environments where personnel and technology change often.
2. Privilege
Every account associated with an identity is granted entitlements, ranging from email, storage and Internet access all the way up to administrative rights over the organization's most sensitive systems and data. It is not uncommon to find the highest privileges assigned, purely for convenience, to people who do not need them, which expands the attack surface substantially. Many breaches start with the targeting of junior employees: if the first account a threat actor compromises already carries the privileges they need, lateral movement becomes easy and there is no need to find a vehicle for privilege escalation.
The principle of least privilege calls for administrators to assign only the privileges an account's owner needs to perform their assigned functions, and to review those entitlements regularly, since they accumulate as people change roles. This removes over-privileged accounts and shrinks the attack surface by making it unlikely that the first account a threat actor hijacks carries high-level credentials.
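The two checks above, ownership of machine identities and least privilege, can be run as one audit over an identity inventory. The following is an added example written for this article, not code from the author or from BeyondTrust; the inventory, the HR feed of active employees, the role baseline and the 90-day review interval are all constructed assumptions, and a real audit would pull the same fields from the identity provider, CMDB and secrets vault.

```python
"""Added example (not from the article): audit a constructed identity inventory
for unowned or orphaned machine identities and for over-privileged accounts."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Hypothetical HR feed of currently employed people (constructed).
ACTIVE_EMPLOYEES = {"a.khan", "s.hassan", "m.ali"}

# Hypothetical role model: the most a human account in each role should hold.
ROLE_BASELINE = {
    "helpdesk": {"email", "ticketing"},
    "developer": {"email", "repo", "ci"},
    "sysadmin": {"email", "repo", "ci", "domain-admin"},
}
# Entitlements a machine identity should never hold without explicit approval.
HIGH_PRIVILEGE = {"domain-admin"}


@dataclass
class Account:
    name: str
    kind: str                     # "human" or "machine"
    role: str
    entitlements: set[str]
    owner: str | None = None      # required for machine identities
    last_reviewed: date | None = None


# Constructed inventory; a real audit would pull this from the IdP, CMDB and vault.
INVENTORY = [
    Account("a.khan", "human", "helpdesk", {"email", "ticketing", "domain-admin"}),
    Account("m.ali", "human", "developer", {"email", "repo", "ci"}),
    Account("svc-backup", "machine", "service", {"storage-rw"}),
    Account("svc-ci-deploy", "machine", "service", {"repo", "ci"},
            owner="j.doe", last_reviewed=date(2025, 1, 20)),
    Account("svc-legacy-etl", "machine", "service", {"db-ro", "domain-admin"},
            owner="s.hassan", last_reviewed=date(2024, 6, 1)),
]
TODAY = date(2025, 3, 7)  # constructed reference date


def audit(accounts, active_users, today, max_review_age_days=90):
    """Return (account, finding, detail) tuples for the problems described above."""
    findings = []
    for acct in accounts:
        if acct.kind == "machine":
            # Ownership: every machine identity needs a named, still-employed owner.
            if not acct.owner:
                findings.append((acct.name, "no-owner", "no human owner recorded"))
            elif acct.owner not in active_users:
                findings.append((acct.name, "owner-departed",
                                 f"owner {acct.owner} is not an active employee"))
            # Ownership records go stale; require a periodic review.
            if acct.last_reviewed is None or (today - acct.last_reviewed).days > max_review_age_days:
                findings.append((acct.name, "review-overdue", f"last reviewed {acct.last_reviewed}"))
            excess = acct.entitlements & HIGH_PRIVILEGE
        else:
            # Least privilege: anything beyond the role baseline is excess.
            excess = acct.entitlements - ROLE_BASELINE.get(acct.role, set())
        if excess:
            findings.append((acct.name, "over-privileged",
                             "excess entitlements: " + ", ".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit(INVENTORY, ACTIVE_EMPLOYEES, TODAY):
        print(f"{name:16} {finding:16} {detail}")
```

Run against the constructed inventory, the audit flags the backup account with no owner and no review, the deploy account whose owner has left, the helpdesk user holding domain admin, and the legacy ETL account that is both over-privileged and overdue for review; the developer account with exactly its baseline produces nothing.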
3. Secrets
Any information that grants authentication and is not widely disclosed is a secret: a password, an SSH or API key, an OAuth token, a certificate's private key. Their storage, reference and retrieval must be tightly secured so that threat actors cannot compromise them. Common errors include keeping secrets in unencrypted spreadsheets or text files, in configuration files checked into source repositories, or in browser-based password managers. All of these have weaknesses and should be avoided. It is recommended to use a dedicated password or secrets-storage solution with strictly managed, logged access and routine rotation, since a central vault concentrates the organization's most valuable credentials in one place. The storage solution itself should be periodically tested for vulnerabilities.
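Finding secrets that are already sitting in the clear is the first step to moving them into a vault. The scanner below is an added example for this article, not code from the author or from BeyondTrust; the three sample files, their contents and the token patterns are constructed (the AWS key shown is the documented placeholder form, not a real credential), and a real scan would walk file shares, repositories and mailboxes with a much larger pattern set.

```python
"""Added example (not from the article): find credentials kept in the clear in
spreadsheet exports, .env files and notes, the storage mistakes described above."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample files; every value is made up.
SAMPLES = {
    "shared-passwords.csv": (
        "system,username,password\n"
        "prod-db,app_user,Tr0ub4dor&3\n"
        "aws-root,root,AKIAIOSFODNN7EXAMPLE\n"
    ),
    ".env": (
        "DB_HOST=db.internal\n"
        "DB_PASSWORD=hunter2\n"
        "API_TOKEN=ghp_0123456789abcdef0123456789abcdef0123\n"
        "DEBUG=true\n"
    ),
    "notes.txt": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAfakefakefake\n",
}

# Structured patterns first (high confidence), then a generic key=value catch-all.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("generic-secret-assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|token|api_key)\w*\s*[=:]\s*['\"]?([^\s'\",]+)")),
]
SECRET_COLUMNS = {"password", "passwd", "secret", "token", "api_key"}


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    kind: str
    redacted: str   # never echo the full secret into a report or log


def redact(value: str) -> str:
    """Keep only a short prefix so a finding can be recognised but not reused."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(source: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(source, lineno, kind, redact(value)))
    return findings


def scan_csv_secret_columns(source: str, text: str) -> list[Finding]:
    """A 'passwords spreadsheet' rarely matches token patterns; use the header instead."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return []
    cols = [i for i, h in enumerate(rows[0]) if h.strip().lower() in SECRET_COLUMNS]
    return [
        Finding(source, lineno, "csv-secret-column", redact(row[i]))
        for lineno, row in enumerate(rows[1:], 2)
        for i in cols
        if i < len(row) and row[i].strip()
    ]


def scan_all(files: dict[str, str]) -> list[Finding]:
    findings = []
    for source, text in files.items():
        findings += scan_text(source, text)
        if source.lower().endswith(".csv"):
            findings += scan_csv_secret_columns(source, text)
    return findings


if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f.source}:{f.line}  {f.kind:28} {f.redacted}")
```

The report deliberately carries only a redacted prefix of each value: a scanner that copies every secret it finds into its own output has just created another plaintext store of the kind the section warns about.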
4. MFA
To complement secrets, extra confidence in the identity-account relationship can be provided through multifactor authentication (MFA). Organizations should remember that many MFA implementations have known weaknesses (SMS codes can be intercepted or redirected by SIM swapping, push notifications can be approved under 'MFA fatigue', and one-time codes can be phished and relayed in real time), and should prefer phishing-resistant factors where they are available; even so, any multifactor authentication is better than none. All human identities should have MFA on every account they own, and it should also be required for all access requests, including any request for privilege escalation.
5. Remoting
Many UAE organizations have established flexible working practices that allow employees to access corporate systems remotely. This access commonly extends to contractors, vendors and other user types, regardless of geolocation. The range of cloud services reachable through remote access expands every day, which challenges those tasked with providing enterprise-wide identity security, because each of these services requires some level of access to sensitive data and therefore an associated identity that must be managed.
Organizations must make sure they secure all remote access channels using industry best practices. In particular, they should avoid exposing RDP (Remote Desktop Protocol), SSH (Secure Shell) and FTP (File Transfer Protocol) directly to untrusted networks. RDP, and SSH with password authentication left enabled, do not adequately guard against simple brute-force and credential-stuffing attacks, and FTP lacks encryption, leaving credentials and data open to eavesdropping and man-in-the-middle attacks. These protocols can be used more securely with careful configuration (key-only or certificate-based authentication, MFA in front of the gateway, rate limiting and lockout), but a more secure approach is to implement dedicated technology designed around the prevention of identity-based attacks.
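The brute-force and credential-stuffing activity the section warns about is visible in the SSH daemon's own log, and a small detector over those lines shows what an exposed service attracts. The following is an added example for this article, not code from the author or from BeyondTrust; the log lines are constructed (TEST-NET addresses, invented hostnames and usernames), and the thresholds of five failures, three distinct usernames and three failures before a success are assumptions to tune per environment.

```python
"""Added example (not from the article): flag brute-force and credential-stuffing
activity against an SSH service from constructed sshd log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sshd entries in syslog format; addresses are from the TEST-NET ranges.
AUTH_LOG = """\
Mar  7 02:10:01 bastion sshd[4102]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Mar  7 02:10:02 bastion sshd[4103]: Failed password for invalid user oracle from 203.0.113.45 port 51823 ssh2
Mar  7 02:10:02 bastion sshd[4104]: Failed password for root from 203.0.113.45 port 51824 ssh2
Mar  7 02:10:03 bastion sshd[4105]: Failed password for invalid user ubuntu from 203.0.113.45 port 51825 ssh2
Mar  7 02:10:04 bastion sshd[4106]: Failed password for invalid user test from 203.0.113.45 port 51826 ssh2
Mar  7 02:10:05 bastion sshd[4107]: Failed password for deploy from 203.0.113.45 port 51827 ssh2
Mar  7 02:10:06 bastion sshd[4108]: Accepted password for deploy from 203.0.113.45 port 51828 ssh2
Mar  7 02:12:40 bastion sshd[4120]: Failed password for m.ali from 198.51.100.7 port 40211 ssh2
Mar  7 02:12:55 bastion sshd[4121]: Accepted publickey for m.ali from 198.51.100.7 port 40212 ssh2: ED25519 SHA256:constructed
"""

LINE_RX = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    source_ip: str
    kind: str
    detail: str


def analyze(log_text, fail_threshold=5, distinct_user_threshold=3, success_after=3):
    """One pass over the log, then per-source verdicts.

    A real detector also windows by time; this example treats the input as one window.
    """
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "successes": []})
    for line in log_text.splitlines():
        m = LINE_RX.search(line)
        if not m:
            continue
        s = per_ip[m["ip"]]
        if m["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(m["user"])
        elif s["failures"] >= success_after:
            # A login that succeeds only after repeated failures is the event to act on.
            s["successes"].append((m["user"], m["method"], s["failures"]))

    alerts = []
    for ip, s in per_ip.items():
        if s["failures"] >= fail_threshold:
            # Many distinct usernames from one source looks like stuffing or spraying;
            # repeated failures against few usernames looks like plain brute force.
            kind = "credential-stuffing" if len(s["users"]) >= distinct_user_threshold else "brute-force"
            alerts.append(Alert(ip, kind, f"{s['failures']} failures across {len(s['users'])} usernames"))
        for user, method, prior in s["successes"]:
            alerts.append(Alert(ip, "success-after-failures",
                                f"{method} login as {user} after {prior} failures"))
    return alerts


if __name__ == "__main__":
    for a in analyze(AUTH_LOG):
        print(f"{a.source_ip:16} {a.kind:24} {a.detail}")
```

On the constructed log the scanning host is reported for credential stuffing and, more importantly, for a password login that succeeded only after six failures, which is the line an analyst should treat as a probable compromise; the single typo followed by a key-based login from the second address produces no alert.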
The right controls
Perimeter security alone is no longer sufficient. Firewalls and other intrusion-prevention systems are being supplemented by solutions that address the modern attack vector: identities. We live much of our lives in and around our digital identities, and each of us has several accounts tied to them. Machine identities, meanwhile, need ownership so that their usage and maintenance can be appropriately monitored. Both human and machine identities, while indispensable, are points of weakness if the right identity security controls are not in place.
Part of the maturity of any security model should be the mitigation of the common errors discussed here. The world has become irreversibly connected and our digital identities are part of that fabric. To protect them is to protect ourselves, our businesses, and our economies.
By Morey J. Haber, Chief Security Advisor, BeyondTrust