What Happens When Your Identity Provider is Compromised?
In the recent Snowflake breach, attackers apparently used malware to compromise a third-party support organization’s endpoint and obtained legitimate credentials to access multiple Snowflake customer accounts. The resulting breach and data exfiltration is causing headaches for many Snowflake customers who are facing increasingly emphatic extortion demands.
The Snowflake breach is just one in a long line of identity-related attacks. And like most of the other attacks, this breach could have been thwarted with simple, effective, and inexpensive multifactor authentication (MFA).
Because most organizations rely on an identity provider (IdP) for authentication and authorization, enabling MFA is as simple and easy as flipping a switch. Given the rampant identity threats, there really is no justification for avoiding MFA.
IdP Compromise
If your IdP is compromised, even with mandatory MFA, malicious actors can impersonate any identity in your organization. This is critical for modern infrastructure, where the IdP is authenticating DevOps identities. If the attacker impersonates one of your DevOps identities, they can access all the data that your applications access. Even more dangerously, the attacker can create, control, or delete any instance of critical services in your environment — your applications, your storage, your databases, your Kubernetes clusters, your AI engines, and more.
Defense in Depth
Defense in depth is probably the most common and important cybersecurity strategy: employ multiple layers of security to ensure that if one line of defense is compromised, additional layers exist to prevent the attack. Unfortunately, if you rely solely on your IdP for authentication, you’ve made the IdP your first, last, and only layer of defense.
Infrastructure Defense in Depth
Recognizing the inherent risks of this approach, Teleport developed infrastructure defense in depth as a new capability of its infrastructure access solution. Teleport is a provider of secure infrastructure access that hardens infrastructure security with on-demand, least privileged access based on cryptographic identity and zero trust, coupled with identity security and policy governance. Teleport eliminates secrets and standing privileges, reducing the broad identity attack surface leveraged by malicious actors.
With Teleport and infrastructure defense in depth, you can deploy additional defense layers to thwart identity attacks against modern infrastructure including:
- Mandatory phishing-resistant MFA enrollment (in addition to your IdP’s MFA)
- Per-session phishing resistant MFA (in addition to your IdP’s MFA)
- Access requests
- Dual authorization
- Web Authentication (WebAuthn)
- MFA for administrative actions
- Device trust
Teleport has also developed guidelines and best practices to harden your modern infrastructure environment against identity-related attacks such as attackers hijacking access reviewer privileges, roles mapping matching attacks, exploitation of auto-provisioning of new users, and more.
You can read Teleport’s announcement and learn more about infrastructure defense in depth here: https://goteleport.com/about/newsroom/press-releases/sso-false-sense-of-security/
[Originally published on LinkedIn]