The Privileged Identity Crisis

December 23, 2024

Brandon Salem

The practice of employing multiple accounts for privileged identities has long been an Information Security standard for account and access management.

Introduction

Various bodies and their standards, such as the Australian Signals Directorate’s (ASD) Information Security Manual and the Center for Internet Security (CIS) Critical Security Controls, explicitly recommend multiple accounts to separate standard (e.g. web browsing) and privileged (e.g. system configuration) activities, as a preventative measure to limit the potential impact of unauthorized privileged access. However, as digital estates continue to modernize and technologies continue to align with the Zero Trust model and its principles, the efficacy of this traditional approach is increasingly being challenged, because the standard shows clear deficiencies when measured against modern digital estates.

This article examines the inherent limitations of the multi-account model, particularly in the context of emerging Zero Trust architectures, and explores a new approach for safeguarding privileged access in today’s dynamic digital landscape. Before continuing, it is important to acknowledge that all security practices have trade-offs, and that this article’s purpose is to highlight and further explore a path that many estates are already travelling on their Zero Trust journey.

Unveiling the Fault Lines: Limitations of the Multi-Account Model in the Zero Trust Era

The recommendations for the multi-account model stem from two key principles applied to the Identity and Access Management security domain, namely Segmentation of Duties and Least Privilege. With these principles in mind, if a privileged account were ever compromised or used in an unauthorized manner, it could entail unfettered access to in-scope systems/services and potentially the entire digital estate. When online services (e.g. web browsing or email) are combined with this level of privileged access, the likelihood of this risk increases drastically, because externally facing threats such as compromise of an online account are introduced. To counter this risk, recommendations are generally made to create multiple accounts for privileged identities. In this way, the risk is reduced by allowing privileged identities to conduct standard activities (e.g. email communications, which are prone to phishing attacks) using a separate standard account, with separate privileged accounts created and used solely when performing a privileged activity (e.g. a service configuration change).

While the use of multiple accounts for privileged identities is ultimately designed to mitigate the potential scope of an account compromise, there are many deficiencies with this approach, particularly in modern digital estates.

Identity Detection and Response Gaps

As a more recent but crucial security technology, Identity Detection and Response solutions are greatly hampered by segmented accounts. This is because most current technologies are unable to correlate cross-account activity within the context of a single identity, which can lead to missed opportunities to detect anomalous activity spread across multiple privileged and/or standard accounts. For instance, unusual travel patterns or atypical access requests might not raise alarms if they are distributed across different accounts, making it difficult to identify suspicious behavior. In the context of Zero Trust, the inability to correlate such activity across multiple accounts can hinder access decisions based on risk detections, as well as create gaps in detection, investigation and response activities. Further to this, because privileged accounts are used infrequently and/or unpredictably, particularly within decentralized identity models, this irregular usage makes false positives more likely, in turn increasing the likelihood of alert fatigue pertaining to privileged access, which is especially dangerous in this context.
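To make the correlation gap concrete, the following added example (not from the article or any product it discusses) runs an impossible-travel check over constructed sign-in events twice: once per account, as most tooling does, and once per identity. The `adm-` prefix used to map a privileged account back to its owning identity is an assumed naming convention.

```python
"""Cross-account "impossible travel" check (added example, not from the
article). Sign-in events are constructed sample data; the account-to-identity
mapping is an assumption about how an estate names its admin accounts."""
from dataclasses import dataclass
from datetime import datetime
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

@dataclass
class SignIn:
    account: str
    when: datetime
    lat: float
    lon: float

# Constructed sample log: the standard account signs in from Sydney while the
# privileged account signs in from Perth (~3,300 km away) within minutes.
EVENTS = [
    SignIn("jdoe", datetime(2024, 12, 20, 9, 0), -33.87, 151.21),       # Sydney
    SignIn("jdoe", datetime(2024, 12, 20, 9, 30), -33.87, 151.21),
    SignIn("adm-jdoe", datetime(2024, 12, 20, 9, 20), -31.95, 115.86),  # Perth
    SignIn("adm-jdoe", datetime(2024, 12, 20, 10, 0), -31.95, 115.86),
]

def identity_of(account: str) -> str:
    """Assumed naming convention: privileged accounts carry an 'adm-' prefix."""
    return account[4:] if account.startswith("adm-") else account

def km_between(a: SignIn, b: SignIn) -> float:
    """Great-circle distance between two sign-in locations (haversine)."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, key, max_kmh=900.0):
    """Group events by `key` (account or identity), then flag consecutive
    sign-ins whose implied speed exceeds max_kmh (roughly airliner speed).
    Returns (group, earlier_account, later_account) tuples."""
    alerts = []
    for group, evs in groupby(sorted(events, key=lambda e: (key(e), e.when)), key=key):
        evs = list(evs)
        for a, b in zip(evs, evs[1:]):
            hours = (b.when - a.when).total_seconds() / 3600
            dist = km_between(a, b)
            if dist > 0 and (hours == 0 or dist / hours > max_kmh):
                alerts.append((group, a.account, b.account))
    return alerts

# Per-account correlation sees two quiet accounts; per-identity correlation
# sees one identity bouncing between Sydney and Perth.
per_account = impossible_travel(EVENTS, key=lambda e: e.account)              # []
per_identity = impossible_travel(EVENTS, key=lambda e: identity_of(e.account))  # 3 alerts
```

The same pattern generalizes to any detection that keys on a principal (atypical access requests, off-hours activity): the correlation key must be the identity, not the account, or the segmented accounts hide the signal from each other.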

Segmentation Gaps & Cross-Contamination

With true segmentation, the multi-account model does indeed align with the goal of minimizing the blast radius of a potential incident. However, if the segmentation does not account for all points of cross-contamination, its efficacy can be greatly reduced. In contrast to true segmentation, the recommended approach is generally to segment at the account level or, at most, up to the endpoint level, without accounting for the further areas of cross-contamination that exist in modern digital estates. Segmentation at these points alone fails to account for real-world areas of cross-contamination including, but not limited to:

  • Shared Endpoints – Where estates choose to segment at the account level only, if all accounts are used/accessed from the same device, they fall victim to the same risks regardless of privilege. In modern digital estates, the scope of the endpoint is also expanding beyond computers to mobile phones, tablets and cloud applications (e.g. via API integration), which in this context serve as new and often overlooked endpoints.
  • Authentication Methods – As is common in most estates, secret vaults (whether shared or otherwise) are often used to store secrets for privileged accounts, with no direct visibility or control over the privilege-level of the accounts which these secrets relate to. This often leads to identities storing secrets for both privileged and non-privileged access in a single vault, which can render the multi-account segmentation moot, in the event of unauthorized access to the vault. This also applies to other authentication methods, which are centrally stored using the same software and/or hardware, such as Multi-Factor Authentication and Passwordless methods.
  • Recovery Methods – Whether email, SMS or otherwise, unless true segmentation is applied for the accounts’ recovery methods, the recovery is yet another area of cross-contamination between the privileged and standard accounts for the identity.
  • Applications and Services – Many applications and services offer online capabilities such as synchronization which, when combined with multi-account usage in particular, can result in intentional or inadvertent cross-contamination between privileged and standard environments. For example, web browsers that offer synchronization and multiple profiles can lead to sensitive information, such as synced passwords, being shared between differing environments, including endpoints outside the purview of the digital estate.
  • Supply Chain – Supply chain security has become a more relevant topic in modern times, and its relevance is not lost when discussing privileged identities with multiple accounts. In the same vein as the above example, a single compromise of software which directly or indirectly has access to both privileged and standard accounts can render the segmentation moot. An example is device management software (third-party or native) with remote shell capabilities that is installed on both privileged and standard operating systems.

The proliferation of cloud services, digital transformation initiatives, and the delegation of access

These factors have further blurred the lines between standard and privileged users, making it increasingly difficult to maintain clear segmentation at scale. As a brief example, if a designated user of an application that is critical to an organization is assigned privileges allowing elevated control of that application, they effectively become a privileged identity within the estate. Despite not having permissions over the overall environment, the critical nature of the application alone warrants enhanced controls to protect such an account, further contributing to the deficiencies highlighted above and below.

The Cost and Complexity of Comprehensive Segmentation

Achieving true segmentation at every layer, including the examples provided in this article, requires significant investment in technology, processes, and personnel. The true cost of procuring and maintaining specialized privileged environments, including accounts, endpoints, infrastructure and networks, can be prohibitive for many organizations when factoring hardware and software licensing alone. Further to this, even once an organization has committed the required resources for such an undertaking, it is then presented with the overwhelming management effort and increased potential for deviations/gaps that accompany such complexity.

Authentication Challenges

Despite the growing momentum towards Passwordless authentication, password-based systems are still a reality today. With this acknowledged, segmentation of accounts fails to adequately address the risks associated with password reuse across multiple accounts.

Insider Risk

While segmenting accounts provides assurances against unauthorized privileged access by threat actors, it fails to address the very real risks posed by the privileged identities themselves, whether intentional or inadvertent. This deficiency is compounded when factoring insider risk management solutions, which depend on user behavior analytics that can be greatly skewed when a single identity’s activity is distributed across multiple accounts.

Social Engineering

While multiple accounts, privileged access workstations (PAWs) and anti-phishing measures (e.g. web filtering) are recommended to reduce the risk of a privileged account being compromised by social engineering, this segmentation as a prevention measure fails to address the true target of such attacks: the identity. Attackers aim to exploit human trust and manipulate individuals into divulging sensitive information or granting unauthorized access, regardless of the number of accounts in use or the communication method.

Advanced Persistent Threats (APTs)

Traditional models often assume a “smash and grab” approach from attackers, focusing on preventing immediate, high-impact breaches. This neglects the reality of APTs, where adversaries prioritize stealth, patience, and gradual lateral movement or privilege escalation within an estate, often over extended periods. Against such sophisticated attacks, and when combined with the many deficiencies highlighted in this article, the effectiveness of account segmentation will continue to become more questionable as new attack vectors emerge.

Forging a New Path: Embracing a Unified Identity Model

The Zero Trust philosophy challenges the traditional notion of perimeter-based security and advocates for a more granular, identity-centric approach. In this context, a single, unified identity coupled with robust, in-depth and adaptive security controls emerges as the new standard for managing privileged access.

Technologies developed with Zero Trust principles have introduced various new features/controls which, when used in conjunction and applied in a risk-informed fashion, enable a defense-in-depth approach that becomes a secure foundation for the unified-identity model. This includes controls such as the following:

  • Just-in-Time/Just-Enough Access (JIT/JEA): Granting privileged access only when necessary and for the minimum duration required, thereby significantly reducing the potential attack surface and limiting the impact of a compromised account.
  • Multi-User Authorization: Requiring multiple approvals for critical actions, introducing an additional layer of checks and balances to prevent unauthorized access and mitigate the risk of external and insider threats.
  • Adaptive Access Control: Implementing dynamic, continuous and risk-based access decisions that take into account factors such as user location, device posture, and historical behavior.
  • Step-up/Re-authentication: Triggering additional verification steps for sensitive operations or after periods of inactivity to ensure continued legitimacy of access.
  • Phishing-resistant Authentication: Utilizing strong authentication methods like hardware-based keys combined with biometrics to protect against phishing attacks and credential theft.
  • Single Sign-On/System for Cross-domain Identity Management (SSO/SCIM): Simplifying identity management and centralizing control, enhancing security posture while reducing complexity and the management overhead and potential accompanying gaps.
  • Token Binding: Cryptographically linking authentication tokens to specific devices to mitigate token theft and replay attacks, adding an additional layer of security to authentication mechanisms.
  • Identity-based Policies: Leveraging modern technologies to implement dynamic, context-aware policies tailored to the user’s identity, enforcing the required security controls regardless of the endpoint being used.
  • User and Entity Behavior Analytics (UEBA): Technologies which use baselines of normal user and entity behavior to identify deviations that may indicate compromise or malicious activity, enabling proactive threat detection and response.
  • Temporary Accounts: Privileged identities can continue to reduce their footprint on transient operating environments by using technologies that enable temporary administrator accounts (e.g. Local Administrator Password Solution) within standard environments.

These key controls, in conjunction, address one of the most prominent concerns regarding the unified-identity model, namely that the compromise of a single account could allow unfettered compromise within the scope of its privileged access. It is equally important to highlight some of the other major concerns:

  • Availability – Because the unified identity model requires a single point of authority, an Identity Provider, the unavailability of that provider could majorly disrupt operations within the digital estate across the control, management and data planes. For this reason, it is very important for digital estates to delineate, implement and effectively manage emergency access methods as part of an overall business continuity plan.
  • Compatibility – There are many systems and services which may not support the controls which are required to enable the unified identity-model. However, like most other information technology initiatives, organizations and businesses should meet this challenge using a staged, risk-informed, strategic approach. With this strategy, systems and services which do support the required controls should be prioritized and incorporated into the unified identity model, with legacy systems/services using traditional controls where viable, including pre-existing segmentation. Using this strategic approach allows organizations and businesses to incrementally move to securing privileged access via the unified model, while also enabling the planning and undertaking of digital transformation, to further adopt new technologies which can support modern security architectures.

Conclusion

With information security continuing to climb to the forefront of risks for organizations and businesses, it is important to consider where threat actors will pivot when more common entry points become less available. In this light, high-value targets such as privileged identities will become more attractive even to less advanced threat actors, and for this reason proactive revision of current standards is important to assess existing deficiencies.

The industry’s ongoing adoption of advanced security measures underscores the limitations of traditional defenses and the need for a more dynamic and context-aware approach to privileged access management. While security risks still remain within a unified-identity model, it offers a simpler, more adaptable and more resilient approach to security in the Zero Trust era. Embracing this paradigm shift, coupled with the implementation of robust, in-depth and adaptive security controls, allows organizations and businesses to reallocate security effort and resources to address the remaining risks, as well as risks outside the Identity and Access Management domain.

Talk to Exigence about Identity and Access Management!

As with all security controls, organisations and businesses should initially and continuously assess the effectiveness of a control within the context of their environment, and always factor in its considerations and limitations. Talk with our team to find out more.