What is Identity Security in a SaaS environment?

Identity security consists of the tools, technology and processes used to make sure that users attempting to access SaaS systems, platforms or assets are who they say they are, and in fact have the access rights they claim.

Why is identity security so important?

Identity security is critical to SaaS security, because to a SaaS system, all you are is your access credentials. If someone else has your access credentials, then the SaaS system will identify them as you and give them unrestricted access to all the sensitive systems and information to which your user identity has access.

The power of user credentials to confer identity and access is the reason why credentials play a part in so many SaaS security incidents. Over the past 10 years, credentials were involved in about a third of all data breaches analyzed in this Verizon report.

To gain access credentials and take over user identities, cyber attackers use:

  • phishing, smishing, vishing (and other *ishing) attacks
  • brute forcing passwords
  • credential stuffing
  • social engineering tactics 

In order to prevent credential-related data breaches and security incidents, you must take concrete steps to secure your SaaS identities.

Components of identity security 

A strong identity security process consists of the following stages:

  • Identity discovery/mapping
  • Identity behavior tracking
  • Creation of identity risk profiles
  • Continual updates of identity risk profiles based on analysis of identity behavior data
  • Remediation of identity risks

Let’s go into those stages one by one.

Identity discovery/mapping

If you don’t know about it, you can’t keep track of it. 

The first step in securing identities is to gain knowledge of all the identities that exist in your SaaS ecosystem. The next step is to collect as much data as possible about each identity. Only with comprehensive data will you be able to build an identity profile thorough enough to be able to accurately assess and prioritize risk. 

DoControl’s platform, for example, conducts extensive data collection for each identity based on user definitions, roles, attributes, permissions and relevant business context from HRIS, IdP and IAM systems. (See below for more on the role of IdP and IAM in identity security.)

Identity behavior tracking 

Now that you have gathered extensive information about who and what a given identity IS, it’s time to gather information about what this identity DOES within your SaaS environment. 

Pertinent identity behavior data includes:

  • What SaaS assets does this identity access?
  • What kind of interactions with SaaS assets are typical for this identity (e.g. viewing, editing, sharing)?
  • Who does this identity typically share SaaS assets with?

DoControl’s platform, for example, conducts comprehensive data collection for each identity, covering its SaaS data access and interaction patterns.

Identity risk profiles 

Once you have all the above information, it’s time to put it all together and create an identity risk profile. 

This identity risk profile should show you at a glance:

  • User name
  • HR status
  • Role
  • Department
  • Assets they have access to 
  • SaaS app and asset interactions
  • Risky actions (number, type and severity)

An identity risk profile should also have an overall risk score assigned based on analysis of all the above factors. The risk score can help guide information security teams as to how to relate to this user and their subsequent actions.

Continual updates of identity risk profiles based on ongoing discovery and analysis of identity and behavior information

A SaaS environment is dynamic (understatement). The only thing that is constant is CONSTANT change. 

Maintaining a high level of identity security requires ongoing monitoring of an identity’s behavioral data (what assets did they interact with, the nature of the interactions, etc.) and updating of the identity risk profile to reflect the new data.

The new behavioral data can be analyzed and compared to benchmarks for that user, role and department. If behavioral anomalies are detected (e.g. a finance employee shares an unusual number of files - relative to what’s normal for the finance department - with an external account), that should trigger identity security alerts or remediation workflows.
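As an added illustration (not DoControl's code or any product's logic), the department-relative anomaly check described above, feeding the risk score on the identity risk profile: a user's weekly external-share count is compared with the other members of their department, and a flagged user gets a risky action recorded and their score raised. The users, departments, domains and share counts are constructed sample data; the threshold, minimum count and severity are assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

INTERNAL_DOMAIN = "example.com"  # constructed: the organization's own email domain

# Constructed sample of one week of file-share events, expanded from
# (user, department, internal shares, external shares) counts.
SAMPLE = [("alice", "finance", 4, 1), ("bob", "finance", 6, 0),
          ("carol", "finance", 2, 12), ("dave", "finance", 5, 0),
          ("erin", "marketing", 3, 12), ("frank", "marketing", 2, 11),
          ("grace", "marketing", 4, 13)]
SHARE_EVENTS = [(u, d, INTERNAL_DOMAIN if i < n_int else "outside.example.org")
                for u, d, n_int, n_ext in SAMPLE for i in range(n_int + n_ext)]

def external_share_counts(events, internal_domain=INTERNAL_DOMAIN):
    """Per-user count of shares to recipients outside the organization."""
    counts, dept_of = Counter(), {}
    for user, dept, recipient_domain in events:
        dept_of[user] = dept
        counts[user] += recipient_domain != internal_domain  # adds 0 or 1; keeps user present
    return counts, dept_of

def peer_score(user, counts, dept_of, sigma_floor=1.0):
    """Z-score of a user's count against the other members of their department.
    Leave-one-out: the user's own count is excluded so one heavy sharer cannot inflate
    the baseline they are measured against; sigma_floor avoids a near-zero divisor."""
    peers = [n for u, n in counts.items() if u != user and dept_of[u] == dept_of[user]]
    if not peers:
        return 0.0
    mu, sigma = mean(peers), max(pstdev(peers), sigma_floor)
    return (counts[user] - mu) / sigma

def detect_anomalies(events, threshold=2.0, min_shares=5):
    """Flag users far above their department's norm (min_shares ignores tiny absolute counts)."""
    counts, dept_of = external_share_counts(events)
    alerts = {}
    for user, n in counts.items():
        score = peer_score(user, counts, dept_of)
        if n >= min_shares and score > threshold:
            alerts[user] = round(score, 2)
    return alerts

def update_risk_profiles(profiles, alerts, severity=3):
    """Record each alert as a risky action on the identity's profile and raise its score."""
    for user, score in alerts.items():
        p = profiles.setdefault(user, {"risk_score": 0, "risky_actions": []})
        p["risky_actions"].append(("external_share_anomaly", severity, score))
        p["risk_score"] += severity
    return profiles
```

Note that erin's 12 external shares are not flagged because that volume is normal for marketing, while carol's 12 are far outside finance's norm.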

Remediation of identity risks

The goal of identity security is to stop identity risks from turning into security incidents. The final step in the identity security process, therefore, is remediation of detected identity risks through security team intervention or automated workflows.

To be effective at stopping threats without disrupting productivity for the rest of the users in the SaaS environment, identity security remediation demands a user-level response. Specific remediations that should be available in a SaaS identity security solution include:

  • SaaS asset exposure changes per user
  • SaaS application access changes per user
  • Internal and third-party user suspension or deactivation 

Role of identity management solutions in identity security

Identity management solutions such as IAM, SSO and IdP play an important supporting role in identity security, although they are not enough to ensure an effective identity security posture on their own. 

Let’s define each type of identity management solution and their place in the SaaS identity security process. 

Identity management solution types and definitions

Identity and Access Management (IAM): a system that manages digital identities and controls user access to resources within an organization. An IAM system's function encompasses the complete lifecycle management of identities, including provisioning, governance and compliance.

Single Sign-On (SSO): a system that enables users to access multiple applications with a single set of credentials. SSO may be a part of an IAM solution or it may be a standalone solution.

Identity Provider (IdP): a system that creates, maintains, and manages identity information with the purpose of providing authentication services to other applications and systems. An IdP is usually integrated into IAM and SSO solutions to handle the authentication component.

How identity management solutions contribute to identity security

Identity management solutions can help strengthen an organization’s identity security posture in the following ways:

When SSO is used, it allows users to access multiple applications or services by logging in just once. This reduces the need for multiple usernames and passwords, decreasing the likelihood of weak password creation and reuse, which are common security vulnerabilities.

SSO and IAM enable central management of authentication, making it easier to enforce strong authentication policies, such as regular password updates or multi-factor authentication (MFA). Central control also simplifies the monitoring of login activities, detection of abnormal access patterns, and management of session timeouts and access rights from a single interface. 

While SSO systems only deal with authentication, IAM systems enable central management of identities in areas beyond authentication, including identity modification, deletion or enforcement of conditional access to resources based on user roles or locations.

Potential risks of identity management solutions in the identity security process

While centralization of identity management is usually beneficial to an organization’s identity security, it also presents a risk: a single point of failure. If an attacker compromises a user’s SSO credentials or session token, for example, or if they leverage a vulnerability in the SSO or IAM system, they don’t gain access to only one SaaS system, but rather to all linked applications and services. This can lead to extensive data breaches and unauthorized access across multiple systems.

The same centralization that makes IAM systems useful also makes them a tempting attack surface for threat actors. As a telling example, the massive 2023 data breach of IAM provider Okta was followed by a series of attacks directed at Okta customers whose data had been compromised in the breach.

How can organizations counter this single point of failure, which also happens to be attractive to hackers? Maintaining strong identity security here depends on effective Identity Threat Detection & Response (ITDR).

ITDR leverages behavioral analysis and anomaly detection to pinpoint suspicious actions on the part of a given identity. This is critical, because if an identity has been compromised through stolen credentials or any other means, all you have to rely on for detection is how that user identity is acting. So a strong ITDR solution is a necessary part of your identity security.
