惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CERT Recently Published Vulnerability Notes
U
Unit 42
T
The Blog of Author Tim Ferriss
H
Hackread – Cybersecurity News, Data Breaches, AI and More
B
Blog RSS Feed
Microsoft Azure Blog
Microsoft Azure Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Securelist
L
Lohrmann on Cybersecurity
Blog — PlanetScale
Blog — PlanetScale
Recorded Future
Recorded Future
D
DataBreaches.Net
Spread Privacy
Spread Privacy
T
Threat Research - Cisco Blogs
I
Intezer
P
Palo Alto Networks Blog
Simon Willison's Weblog
Simon Willison's Weblog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
I
InfoQ
宝玉的分享
宝玉的分享
Security Latest
Security Latest
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Threatpost
Cisco Talos Blog
Cisco Talos Blog
P
Proofpoint News Feed
博客园 - 司徒正美
H
Hacker News: Front Page
Y
Y Combinator Blog
爱范儿
爱范儿
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
NISL@THU
NISL@THU
月光博客
月光博客
有赞技术团队
有赞技术团队
Cloudbric
Cloudbric
酷 壳 – CoolShell
酷 壳 – CoolShell
G
Google Developers Blog
A
Arctic Wolf
博客园 - 【当耐特】
W
WeLiveSecurity
V
Visual Studio Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
V
V2EX
C
Cyber Attacks, Cyber Crime and Cyber Security
S
SegmentFault 最新的问题
The GitHub Blog
The GitHub Blog
The Cloudflare Blog
Stack Overflow Blog
Stack Overflow Blog

Okta Security RSS Feed

OpenSSL HollowByte: A DoS Hiding in 11 Bytes Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
The Case for Zero Standing Privileges
David Bradbury · 2024-08-19 · via Okta Security RSS Feed

The principle of least privilege is one of the best known laws of information security: and it’s often the most difficult to put into practice. The principle demands that a user should only be given access to the resources and permissions they require to complete their tasks, and no more.

When I speak with peer CISOs they routinely state that they don’t have much trouble applying this principle to regular users, but they are still challenged when privileged access comes under scrutiny. Privileged Access Management (PAM) provides the seatbelt that makes it safe to grant privileged roles. Specifically, PAM addresses the risk posed by adversary access to administrator credentials by vaulting the passwords used for access to privileged resources. 

PAM has come a long way: in a former life we actually stored passwords on pieces of paper inside a physical vault! Vaulting software and services allows us to gate access to the credentials used for privileged access, and to require controls like step-up authentication and/or dual authorization before an administrator can “check out” the password. PAM can and should also offer an ability to automatically rotate a password after use by a human administrator.

Today’s PAM solutions have served us well when it comes to securing access to privileged on-prem resources like databases and servers. However, they tend to fall short when a privileged resource, such as a non-federated, privileged account in a B2B SaaS app, is accessible via the public internet. The vaulting capability can ensure that only an authenticated and authorized user can check out the credential for that privileged account, but if that password is entered into a SaaS app via an interactive browser session, the PAM solution can do little to protect the password from being saved (inadvertently) in the user browser or intercepted by malware. 

Over the past 12 months, we have observed a number of attacks where the vaulting of a password wasn’t sufficient to prevent adversary access to administrative resources.

These risks arise because:

  • We are dealing with an Infostealer epidemic: The sheer size of the “combo lists” of stolen credential pairs and session tokens distributed on the internet today is staggering.  Most of the enterprise credentials caught up in these dumps were extracted by the personally-owned devices or the devices of temporary contractors - devices that were not subject to endpoint protection controls. Any password submitted via the browser of a malware-compromised device is vulnerable to interception. (You could say that the security teams of today are paying the price for the surge in the use of personally-owned devices that arose during the pandemic).

  • Attackers are targeting native/non-federated/local accounts: Attackers are wise to the challenge posed by user accounts protected by single sign-on (SSO) and multifactor authentication (MFA). We have observed an increase in the targeting of non-federated accounts that allow direct access to the SaaS application. Authentication policies for non-federated accounts are typically weaker than those federated with an SSO provider. Numerous high-profile attacks involve the same pattern over again: the password or long-lived session token for a privileged account is extracted from an unmanaged device using infostealer malware, and is often sold on or distributed to other attackers.

These risks can be mitigated if:

  • Security teams have tools to discover unexpected local/non-federated paths of access into SaaS applications, and

  • Security teams can protect credentials with a cloud-native PAM that can auto-rotate credentials for SaaS applications after they are accessed by a human user.

Okta has made it our mission to build the tools that mitigate these risks (see Okta Privileged Access and Identity Security Posture Management). But as with any adversarial contest, “the enemy gets a vote” too: we should not expect their capabilities to stand still. 

So every organization also needs to be thinking about how to reduce or limit the blast radius when attackers successfully take over a highly privileged account. 

Enter (near) zero standing privileges

Zero standing privileges takes the principle of least privileged access to the nth degree. As the words suggest, the idealized state is that a grand total of zero accounts have standing administrative permissions in applications. 

I say “idealized” state because most systems are designed to have at least one interactive account with a level of administrative privilege. Resiliency demands the use of a break glass account - a shared account that can be relied on if the accounts assigned to individual human administrators are inaccessible. So if we’re being pragmatic, our North Star should be to reduce standing privileges to “near zero”. The minimum goal should be to have fewer numbers of user and machine accounts with highly privileged roles.

You won’t need to look very hard to find opportunities to downscope access. Large-scale studies have demonstrated the extent of the problem of over-privileged access: almost every user and machine account in the cloud is granted permissions that lie unused [pdf]. Microsoft’s research shows that less than 10% of permissions granted to Azure apps are ever used.  

There is a role for everyone in the identity ecosystem to play in whittling those permissions down:

  • Cloud service providers have a role to play in helping their most security-conscious customers pare back the privileges that come with standard/out-of-the-box roles. Okta has made progress on the number of granular permissions available to create custom admin roles, and more are on the way.

  • Customers of these services need to use custom admin roles to reduce the number of user and machine accounts with excessive permissions. Customers should also consider the myriad open source tools available for identifying excessive permissions in cloud infrastructure and applications, if not licensed Cloud Infrastructure Entitlement Management (CIEM) solutions.

Supporting zero standing privileges in the workforce

As part of the Okta Secure Identity Commitment, Okta recently shipped Govern Okta Admin Roles, a license-free add-on for every customer of the Okta platform. 

Govern Okta Admin Roles allows for the most privileged administrative roles and permissions in Okta to be granted on a just-in-time basis. It’s built using some of the same tools our customers use to govern roles in third party applications (Okta Identity Governance). 

Access to Okta administrative roles can be configured to require dual authorisation, trigger customizable workflows, and be scheduled to expire after a specified time interval. My team recently recorded a live demo of this capability for the Risky Business podcast if you'd like to learn more.

I suggest taking a three-step approach to embracing this new capability:

  1. Study what features your most privileged administrators use frequently. You are more than likely to find that the majority of permissions assigned to any given role are excessive. Work collectively to map out what baseline permissions are required for the roles in your organization.

  2. Substitute standard roles for Okta Custom Admin Roles that only include the permissions your administrators require most frequently.  

  3. Configure access request and approval flows for the more privileged and less frequently used permissions, such that they are available on a JIT basis and protected by dual authorization. 

In Part II of this blog series, we’ll unpack which permissions in Okta best meet the criteria for JIT access. 

David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies.

Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs.

Bradbury has built an international reputation for leading and delivering cybersecurity at scale. He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. in Computer Science from the University of Sydney.