How much does cloud-based identity expand your attack surface?

We all know using a cloud-based identity provider (IdP) expands your attack surface, but just how big does that attack surface get? And can we even know for sure?

As Michael Jordan once said, “Get the fundamentals down, and the level of everything you do will rise.” It’s time to return to the basics and acknowledge the risks of cloud-based identity management before we can define a secure way forward.

Cloud-based IdPs and your attack surface

IdPs store your users’ network access credentials on cloud servers. Shifting to cloud-based identity management means that there are more ways for threat actors to get the “keys” to your system.

For one, your credentials are no longer completely in your control.

Also, your network is more exposed to attacks such as ransomware. You must worry not only about your own users, but about any of the platform’s tens of thousands of users clicking a phishing link.

How big can the attack surface get?

In October 2023, Okta Security identified adversarial activity using stolen credentials to access the company’s support case management system. Once inside the system, the attacker accessed files that Okta customers had uploaded to recent support cases; those files contained valid session tokens.

Exposure grows once session tokens come into play, because this distributed access point can grant a large amount of access when a single token is leveraged by an unauthorized user.

Here are just a few examples:

  • The session token itself: Attackers compromised an admin’s session token in this breach. With this, attackers not only could easily hijack network account access, but they could also access broader business applications integrated via SAML SSO.
  • Extended access: Attackers accessed scores of IdP clients’ networks and data using a session token stolen from one client.
  • Lateral movement: One token allowed attackers to move from application to application within platforms and easily extend their attack into other areas of the cloud.

A single compromised user account, especially where controls such as session-token protection and admin-session binding are weak or absent, can open a Pandora’s box of network infiltration possibilities.

What’s the solution?

The first step towards mitigating the expanded attack surface in the cloud is recognizing the risks and potential vulnerabilities of cloud identity providers.

If you use a cloud-based IdP, apply multi-factor authentication (MFA) and enable admin-session binding, which ties an administrative session to the network context it was established from and so strengthens the security of session tokens.

Robust, role-based access management controls can also help you block unauthorized access, even if the attacker has valid credentials.
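As an added illustration of the admin-session binding mentioned above (this is example code written for this article, not code from the article or from any IdP vendor), the store below binds each admin token to the network context it was issued from, so a token copied out of a support upload and replayed from elsewhere is refused and revoked. The in-memory store, the documentation-range ASN labels, the user-agent strings and the 15-minute lifetime are all assumptions for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumed value for this example: a short admin-session lifetime limits the
# window in which a copied token remains usable at all.
ADMIN_SESSION_TTL_SECONDS = 15 * 60


def context_fingerprint(client_asn: str, user_agent: str) -> str:
    """Reduce the originating network context to a stable, non-reversible digest."""
    return hashlib.sha256(f"{client_asn}|{user_agent}".encode()).hexdigest()


class BoundSessionStore:
    """Hypothetical in-memory admin-session store; not any IdP's real implementation."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create_admin_session(self, user: str, client_asn: str, user_agent: str, now: float) -> str:
        # The token is bound at issuance to the ASN and client it was established from.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "fingerprint": context_fingerprint(client_asn, user_agent),
            "expires_at": now + ADMIN_SESSION_TTL_SECONDS,
        }
        return token

    def validate(self, token: str, client_asn: str, user_agent: str, now: float) -> tuple[bool, str]:
        """Return (accepted, reason). A live token presented from a different
        network context is treated as replay: it is revoked, not merely refused."""
        session = self._sessions.get(token)
        if session is None:
            return False, "unknown_token"
        if now >= session["expires_at"]:
            del self._sessions[token]
            return False, "expired"
        presented = context_fingerprint(client_asn, user_agent)
        if not hmac.compare_digest(presented, session["fingerprint"]):
            del self._sessions[token]  # revoke, and log this as a hijack indicator
            return False, "binding_mismatch"
        return True, "ok"
```

A binding mismatch is worth alerting on in its own right, since a legitimate admin rarely changes network context mid-session.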

If you don’t already use an IdP, but your organization is moving in that direction, plan to mitigate risks before you make the shift. For example, you can select an identity provider that doesn’t store your users’ network access credentials in the cloud.

For some organizations, the right answer might be to offer secure cloud access to users while keeping identity management on-premises.

Is it time to rethink how we manage the risks of cloud-based identity?

IT leaders should prepare for the reality that we probably cannot, and will not be able to, quantify just how much your attack surface grows with cloud-based identity. That matters for one very big reason: risk management. It’s hard to manage a risk if you don’t know it’s there.

With CISOs under more pressure than ever to demonstrate security at all access points, it may be time to reassess how much risk your organization can tolerate. Cloud IdPs, while offering scalable access management, can exponentially enlarge organizational attack surfaces, particularly with distributed access points like session tokens.

Could these breaches be a wake-up call, signaling that we’ve perhaps leaped too hastily into cloud identity adoption, without fully understanding the risks?
