When User Identity Loses Its Meaning, Hackers Win
When it comes to cybersecurity, businesses typically want to assume that every user is a special snowflake.
The premise that each user has a unique identity, and that cybersecurity teams can manage access permissions and identify anomalous activity based on that identity, is a cornerstone of modern security operations.
Unfortunately, it’s also often a flawed assumption, as Zenity CTO and co-founder Michael Bargury explains in his latest Dark Reading column: “Watch Out for User Impersonation in Low-Code/No-Code Apps”.
The reason is that low-code/no-code apps can create scenarios in which users share their identities with other users, through a process Michael calls credential-sharing-as-a-service. The sharing usually results from the best of intentions: employees want to help each other access the systems and data they need to do their jobs, and building a low-code/no-code integration that lets one user act as another is often the path of least resistance toward that goal.
As Michael notes, employees may go so far as to perform MFA validations on behalf of their colleagues in order to help each other do their jobs.
The problem with practices like these, of course, is that they are a nightmare from a security perspective, because credential sharing “strips away the basic meaning of an online identity,” as Michael puts it. Once IT and security teams can no longer safely assume that each user identity maps onto a single human being, they cannot write effective network and access control policies to protect sensitive resources. Nor can they rely on behavioral analytics to spot activity that could indicate a compromised account, because it is much harder to establish a baseline of normal behavior when several people are acting under one account: the baseline itself absorbs everyone's devices, locations and working hours.
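As an added illustration (this code is not part of the original post or Michael's column): a minimal detection that, over constructed authentication log lines, flags identities that successfully authenticate from several distinct devices within a short window, one concrete way a shared account looks different from a single person's. It also builds the per-user device baseline a behavioral-analytics tool would learn, to show how a shared identity pollutes that baseline. The log format, field names, user names and thresholds are all assumptions made for the example.

```python
"""Spot shared identities in auth logs: many devices, one account, short window.

Added example; the log format and thresholds below are assumptions, not a
description of any real product or the system discussed in the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not captured from any real system).
# "alice" is a human whose account is also used by two colleagues.
# "svc-flow" is a low-code automation that runs under its own identity.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=alice ip=10.1.4.22 device=win-laptop-0412 app=crm result=success
2024-03-04T08:03:40Z user=alice ip=10.1.4.22 device=win-laptop-0412 app=crm result=success
2024-03-04T08:05:02Z user=alice ip=10.1.9.77 device=mac-m2-7781 app=crm result=success
2024-03-04T08:06:15Z user=alice ip=172.16.3.9 device=android-9f2 app=crm result=success
2024-03-04T09:10:00Z user=bob ip=10.1.4.30 device=win-laptop-0933 app=erp result=success
2024-03-04T12:45:12Z user=bob ip=10.1.4.30 device=win-laptop-0933 app=erp result=success
2024-03-04T13:00:00Z user=carol ip=10.1.6.5 device=win-laptop-1100 app=crm result=success
2024-03-04T13:01:10Z user=carol ip=10.1.6.5 device=win-laptop-1100 app=crm result=failure
2024-03-04T13:02:00Z user=svc-flow ip=10.2.0.8 device=flow-runner app=crm result=success
2024-03-04T13:02:30Z user=svc-flow ip=10.2.0.8 device=flow-runner app=crm result=success
"""

# Assumed key=value log layout; a real pipeline would parse the IdP's own schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) device=(?P<device>\S+) "
    r"app=(?P<app>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def flag_shared_identities(events, window=timedelta(minutes=15), min_devices=3):
    """Return {user: sorted devices} for identities that logged in successfully from
    at least `min_devices` distinct devices inside any `window`-long sliding window.

    One person rarely signs in from three devices in fifteen minutes; three
    colleagues sharing one account do it routinely.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            devices = {e["device"] for e in evs[start:end + 1]}
            if len(devices) >= min_devices:
                flagged[user] = sorted(devices)
                break
    return flagged


def device_baseline(events):
    """Per-user set of devices seen in successful logins: the 'normal' profile a
    behavioral-analytics tool would learn. For a shared account the profile
    already spans every sharer's device, so a later attacker device blends in."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]].add(e["device"])
    return dict(baseline)


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for user, devices in flag_shared_identities(EVENTS).items():
        print(f"possible shared identity: {user} used {len(devices)} devices: {devices}")
    for user, devices in sorted(device_baseline(EVENTS).items()):
        print(f"baseline {user}: {sorted(devices)}")
```

The window-and-threshold heuristic is deliberately crude; in practice you would combine it with concurrent-session and source-location checks, and tune the threshold per application, since a legitimate automation identity like the `svc-flow` account above always presents one device and is not flagged. The point the baseline function makes is the one in the text: once three people sign in as `alice`, her learned profile contains three devices, and a new-device rule for that account tells you far less than it does for `bob`.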
In the column, Michael details how these risks arise. And, lest readers assume that these are purely theoretical scenarios, he goes on to narrate how credential sharing created a major security risk at an actual business.
For the full story, click through to the article on Dark Reading.