Ransomware isn’t just a malware problem

June 27, 2022
It’s an identity and data problem that will require organizations to consider cybersecurity in a more holistic way

Ransomware. The term that strikes fear into the hearts of organizations around the world. Today’s security experts hardly need to be told that ransomware is a serious issue, but widespread recognition of the problem has apparently not helped to slow its growth. Just the opposite, in fact—the European Union Agency for Cybersecurity (ENISA) reported a startling 150% rise in ransomware attacks between April 2020 and July 2021, declaring the current era the “golden age of ransomware.” To underscore the severity of the problem, ENISA further stated that many believe ransomware has “not yet reached the peak of its impact.”

There is no simple answer to the problem of ransomware, but addressing the issue will require a shift in the way organizations think about it. Too many enterprise IT teams make the mistake of thinking about ransomware as a malware problem. While ransomware is, technically, malware, thinking of it in those terms amounts to missing the forest for the trees. At its heart, ransomware is an identity and data access problem, and solving that problem will require organizations to consider cybersecurity in a more holistic way—with identity-first security at its core.

The Old Ways of Thinking Aren’t Good Enough

Not long ago, the primary way for an enterprise to secure its data was to create a fortress protected by perimeter tools like firewalls and endpoint security tools, such as antivirus. While perimeter tools still have value, they are no longer enough. Employees today work from a wide range of locations, using remote access tools to interact with servers, applications, and cloud services no matter where they are. The COVID-19 pandemic further accelerated this shift, with many organizations forced to expedite their digital transformation plans. In today’s globally connected world, employees, customers, vendors, and partners all expect seamless access to a company’s services.

Unfortunately, the “fortress mentality” has remained stubbornly persistent. Too many business leaders feel safe behind their moats, walls, and other perimeter protections when the reality is that today’s attackers are arming themselves with tools and weapons specifically designed to overcome those defenses. Social engineering, password and credential theft, and other modern attack tactics aim to evade traditional perimeter defenses—which means organizations need to adjust. Simply put, modern enterprises need to move on from the mistaken belief that they can stop attackers from entering their networks. If ransomware is an identity and data access problem, then solving that problem means improving the ways in which organizations approach identity security and data access. Think of the corporate IT environment like a house—any good house starts with a solid foundation. That foundation is digital identity and identity-first security.

Digital Identity Provides the Foundation

Today, “identity is the new perimeter” is a common refrain, or, from another perspective, identity is the foundation of today’s digital environment. If you were building an IT, network, or digital environment from scratch today, identity should be the solid foundation upon which to build. Digital identities have been around for a long time, but recent developments like widespread remote working, the proliferation of connected devices, the rise of DevOps, and others have caused the number of identities in use to explode.

Furthermore, digital identities are most often tied to user or human identities, causing the bulk of the projected $25 billion Identity and Access Management (IAM) market to be focused on humans. But we cannot forget that devices and software, or machines, are our critical conduit into the digital world. They need identities too! In addition, there is a growing number of unsupervised intelligent software agents, or bots, that aim to automate digital tasks under Robotic Process Automation (RPA) strategies, and these will require identities as well. As a result, in many organizations today, machines account for far more of the identities in use. So overall, identity-first security needs to encompass both human and machine identities, which can include devices, software, cloud services, applications, and countless other network and digital entities.

At the heart of identity-first security is the need to establish that a given entity is what it claims to be—in other words, establishing digital trust. For decades, digital certificates based on public key infrastructure (PKI) technology have provided the basis for that authentication. As the number of identities in use skyrockets, the number of certificates needed to authenticate those identities has risen accordingly, but the principle is the same: put a certificate on any digital entity and use it to continuously prove its identity. Some organizations might go a step further by introducing multi-factor authentication (MFA), requiring a second means of authentication such as a keycard or fingerprint scan. This adds a further layer of security that any would-be attacker would need to penetrate. In the context of ransomware, it’s easy to see why this is a good idea. An attacker might gain access to a set of valid credentials, but if they are attempting to access the network from an unfamiliar device or through an unfamiliar application, their activity might still be flagged as suspicious.

Access Security Forms the Second Level

After the baseline of identity-first security comes the need to assess and align access security, or data security. In short, once an identity has been verified and authenticated, the next step is to determine what it should have access to within the organization. Just because a user or a machine can prove that they belong to an organization, it does not mean that they should have access to everything in the network/environment. For example, an IT helpdesk employee does not need to have access to human resources data. Likewise, a human resources employee should not have access to DevOps containers.

Identities, for both humans and machines, should only have access to the areas of the environment that they need to perform their job functions. This is sometimes referred to as the “principle of least privilege” (i.e., an identity should have as few privileges as possible without interfering with its job). Unfortunately, this can have a negative connotation. The term “right-size privilege” is more accurate and gets to the core of the issue: identities should have the privileges they need. No more, but also no less.

Unfortunately, many of today’s identity management tools have limited data access capabilities. IAM tools, for example, are traditionally focused on application access over other types of access. This means that if an employee or partner is given access to a file via a filesharing service, that person may wind up with access to all files on that service. IT will generally provision access with the goal of simply not getting in the way. This is understandable—after all, IT doesn’t want to be accused of preventing people from doing their jobs. Modern enterprises need identity and data security tools that don’t just determine who a person is, but what they should have access to.

Data Classification Puts a Lid on Things

Another piece of the puzzle is data classification. This goes a step beyond by providing more context when determining whether an identity should have access to a particular piece of data or area of the environment.

Enterprises have diverse ways of classifying data, but the combination of data access and data classification adds important context to identity security. A user with access to an application can still be blocked from accessing certain files within the application, or prevented from accessing them from certain locations, devices, or applications. This requires the ability to look at the file/data itself to see what it is, what level of classification it has, and how it should be used by identities within the environment. This additional context, or data classification, can add a beneficial dynamic element to the more static right-size privilege approach.
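As an added example (not from the original article), the following Python sketch shows how the layers described above combine in one access decision: authentication is taken as already done, then role entitlement (right-size privilege), data classification against clearance, and device context are evaluated per file rather than per application. All identities, resources, roles, classification levels, and device names are constructed for the illustration.

```python
from dataclasses import dataclass

# Classification levels, ordered from least to most sensitive (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Identity:
    name: str
    roles: frozenset           # job functions this human or machine identity holds
    clearance: str             # highest classification it may read
    known_devices: frozenset   # devices (or hosts) it has authenticated from before

@dataclass(frozen=True)
class Resource:
    path: str
    classification: str
    allowed_roles: frozenset   # right-size privilege: roles entitled to this resource

def decide(identity, resource, device_id, mfa_passed):
    """Return (allowed, reason); authentication is assumed to have already succeeded."""
    level = LEVELS[resource.classification]
    # 1. Right-size privilege: access to the application does not imply access
    #    to every file behind it, so entitlement is checked per resource.
    if not (identity.roles & resource.allowed_roles):
        return False, "deny: role not entitled to resource"
    # 2. Data classification: the identity's clearance must cover the data.
    if LEVELS[identity.clearance] < level:
        return False, "deny: classification exceeds clearance"
    # 3. Context: valid credentials used from an unfamiliar device are
    #    flagged when the data is confidential or above.
    if device_id not in identity.known_devices and level >= LEVELS["confidential"]:
        return False, "flag: unfamiliar device for sensitive data"
    # 4. Step-up MFA for the most sensitive tier.
    if level >= LEVELS["restricted"] and not mfa_passed:
        return False, "deny: MFA required for restricted data"
    return True, "allow"

# Constructed sample identities and resources.
HELPDESK = Identity("alice", frozenset({"helpdesk"}), "internal", frozenset({"lt-01"}))
HR_LEAD = Identity("bob", frozenset({"hr"}), "restricted", frozenset({"lt-02"}))
PAYROLL = Resource("hr/payroll.xlsx", "confidential", frozenset({"hr"}))
SALARY_REVIEW = Resource("hr/exec-salaries.xlsx", "restricted", frozenset({"hr"}))

if __name__ == "__main__":
    print(decide(HELPDESK, PAYROLL, "lt-01", False))        # deny: role not entitled
    print(decide(HR_LEAD, PAYROLL, "kiosk-9", False))       # flag: unfamiliar device
    print(decide(HR_LEAD, PAYROLL, "lt-02", False))         # allow
    print(decide(HR_LEAD, SALARY_REVIEW, "lt-02", False))   # deny: MFA required
    print(decide(HR_LEAD, SALARY_REVIEW, "lt-02", True))    # allow
```

The same helpdesk identity that passes authentication is still denied the HR file, and the HR lead's valid credentials are flagged rather than honoured when they arrive from a device the identity has never used.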

Mitigating Ransomware Attacks with Identity-first Security

Organizations can begin by determining whether their existing IAM solutions have data security control capabilities, either natively or via integrations. Many may already have access to data security tools that can be connected to identity solutions, and/or have beneficial features that have not been activated. Inquiring with new and incumbent vendors about their identity-first and data security capabilities is now critical. Seek overall value: the last thing any CISO or security team needs today is yet another siloed or limited security solution.

“Ransomware is not a malware problem” might seem like a statement designed to shock or scandalize readers—but hopefully this piece has made it clear that the best way to deal with ransomware is not to focus just on anti-malware approaches, but to establish strong identity-first security and data access policies. By ensuring that all identities in the environment have right-size access to the resources and data they need to do their jobs, organizations can limit the potential damage of any ransomware attack.

It is a ridiculous and unachievable goal to stop 100% of attacks, but by leveraging identity-first security, IT leaders will best position their organizations to mitigate cybersecurity incidents, all while balancing the need to securely enable business outcomes.

About the author: David Mahdi is the Chief Strategy Officer and CISO Advisor of Sectigo. A former Gartner research VP, identity, cryptography and cybersecurity visionary, Mahdi is an industry-recognized pioneer and co-founder of the emerging Machine Identity Management market. David has helped large organizations tackle digital transformation projects that included digital identity, IoT security, and early-stage blockchain efforts; guided organizations to build internal cryptography teams, such as the cryptography center of excellence; and consulted through IPOs, raising capital, and M&A, among many other contributions. A top-performing analyst, his depth and breadth of coverage made him one of the most demanded industry analysts for clients around the globe. As a market maker, he was instrumental in creating markets and definitions for areas such as decentralized identity, Bring Your Own Identity (BYOI), passwordless authentication, machine identity management, and privacy-enhanced computation. In his current role of Chief Strategy Officer (CSO) and CISO Advisor at Sectigo, David leads the company’s overall strategy, direction, and M&A efforts to expand its leadership in the digital trust space. David holds several board advisory positions for non-profits and established technology providers in the areas of digital and decentralized identity, post-quantum cryptography, cybersecurity awareness, and blockchain/NFTs.