The Take-Home Lessons from Black Hat 2024
While AI headlined the event, identity security emerged as a major theme driving risks and concerns expressed by attendees.
Well, another Black Hat is in the books. Vegas sizzled. The swag was flowing. There was an abundance of sessions on AI/ML to sate even the most demanding architects, practitioners, and decision makers looking to shape their security strategies.
But, if AI and ML were the headlining themes, identity was a major theme driving the risks and concerns expressed by attendees — in the questions asked at the end of sessions, the questions we heard in our booth, and the discussions we had in the hallways. As cloud technologies continue to proliferate and resources have become decentralized, report after report shows that identity is the new battleground for attackers, and identity security is emerging as the key ingredient in enabling tomorrow’s exciting technologies while protecting customer data and enabling business agility.
Traditional identity providers pivot to modern “identity security” messaging
At Black Hat this year, even the traditional identity and access management (IAM) providers — such as the identity governance and administration (IGA) and privileged access management (PAM) players — were increasingly pivoting towards more modern “identity security” messaging. However, talking the talk on “identity security” is not the same as walking the walk on actually delivering features that truly secure customer data in today’s complex IT ecosystems.
The fundamental problem is that many of the incumbents’ offerings are rooted in legacy solutions that weren’t natively designed to support a modern stack that includes decentralized resources, ephemeral computing, and distributed workforces. The result is a patchwork approach to identity security that attempts to bolt “identity security”-type features on top of their core [insert SSO/IGA/PAM] features. What’s lacking is a truly cohesive approach to identity security — that’s built for decentralized, SaaS-driven IT estates — right from the outset.
AI cranks up identity security risk several notches
Things really start to get interesting when you bring AI into the picture. One particularly compelling session at Black Hat, “Practical LLM Security: Takeaways From a Year in the Trenches,” highlighted the importance of access controls on large language models (LLMs) that form the backbone of AI.
The speaker, Rich Harang of NVIDIA, stressed that setting and maintaining permissions is a critical first step in mitigating the risk of LLM attacks. There are no fine-grained access controls on LLMs themselves, so tagging and assigning permissions on sensitive content is of paramount importance. All of the major enterprise LLM providers recognize existing user permissions (i.e., their models won’t allow users to access resources they don’t have permission to access).
But the challenge is that nearly all users have access to loads of information they don't need, and in some cases shouldn't have access to, and LLMs make it very easy for them to find it. This "unintended access" is something that our CEO and former Salesforce Chief Trust Officer Jim Alkove covered in his recent Forbes article.
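To make the point concrete, here is an added example (not code from the original post, the session, or any vendor) of what "the model respects existing user permissions" looks like in a retrieval pipeline, and why that alone does not close the unintended-access gap. The corpus, group memberships and the deliberately over-broad tag on the payroll document are all constructed for illustration. Authorization is applied before ranking, so a document the user may not read never enters the model context; the audit function then shows that a user who was never meant to see payroll data can still pull it through the assistant until the tag is tightened.

```python
"""Permission-aware retrieval for an LLM assistant (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    sensitivity: str            # "public", "internal" or "restricted"
    allowed_groups: frozenset   # groups permitted to read this document


# Constructed corpus. The allowed_groups tag is the "tagging and assigning
# permissions on sensitive content" step; d3 is intentionally mis-tagged.
CORPUS = [
    Document("d1", "Holiday calendar and office hours", "public", frozenset({"all-staff"})),
    Document("d2", "Q3 revenue forecast and board deck", "restricted", frozenset({"finance-leadership"})),
    Document("d3", "Payroll export for September", "restricted", frozenset({"hr-payroll", "all-staff"})),
    Document("d4", "Engineering oncall runbook", "internal", frozenset({"engineering"})),
]

# Constructed directory: user -> group memberships.
GROUPS = {
    "alice": {"all-staff", "engineering"},
    "bob": {"all-staff", "finance-leadership"},
}


def can_read(user, doc, groups=GROUPS):
    """A user may read a document if any of their groups is on its allow list."""
    return bool(groups.get(user, set()) & doc.allowed_groups)


def retrieve(user, query, corpus=CORPUS, groups=GROUPS, k=3):
    """Return up to k doc_ids matching the query that the user is allowed to read.

    The authorization filter runs BEFORE ranking, so an unauthorized document
    is never scored and never reaches the prompt, even if it matches best.
    """
    terms = set(query.lower().split())
    authorized = [d for d in corpus if can_read(user, d, groups)]
    # Toy keyword overlap stands in for a real embedding search.
    scored = [(len(terms & set(d.text.lower().split())), d) for d in authorized]
    scored = [(s, d) for s, d in scored if s > 0]
    scored.sort(key=lambda sd: (-sd[0], sd[1].doc_id))
    return [d.doc_id for _, d in scored[:k]]


def sensitive_exposure(corpus=CORPUS, groups=GROUPS):
    """Audit: for each user, the restricted documents reachable via the assistant."""
    return {
        user: sorted(d.doc_id for d in corpus
                     if d.sensitivity == "restricted" and can_read(user, d, groups))
        for user in groups
    }


def retag(corpus, doc_id, allowed_groups):
    """Return a copy of the corpus with one document's allow list replaced."""
    return [Document(d.doc_id, d.text, d.sensitivity, frozenset(allowed_groups))
            if d.doc_id == doc_id else d for d in corpus]


if __name__ == "__main__":
    print("alice asks about payroll:", retrieve("alice", "payroll september"))
    print("exposure before fix:", sensitive_exposure())
    fixed = retag(CORPUS, "d3", {"hr-payroll"})
    print("alice asks again:", retrieve("alice", "payroll september", fixed))
    print("exposure after fix:", sensitive_exposure(fixed))
```

The enforcement point is `retrieve`, but the security outcome is decided by the tags: alice is an engineer, yet the `all-staff` entry on the payroll export lets the assistant surface it for her. Running `sensitive_exposure` over the corpus is the right-sizing check; re-tagging is the remediation.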
Visibility gap: Over-provisioning in the cloud
The LLM example speaks to more general concerns around over-provisioning and the challenge of right-sizing permissions to strengthen security postures. In another session, “Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access,” the speaker noted that customers tended to over-privilege their accounts with respect to AWS services such as S3 buckets and EC2 instances.
The root of this over-provisioning problem is that most organizations struggle to gain the visibility they need to answer questions around who has access to what, and what they’re doing with it.
Building a modern identity security program that includes posture management and identity threat detection and response (ITDR) requires being able to see the specific resources a person has access to, what they’re doing with that access, and how they got it. For instance, if you can identify over-permissioned users, you can take the appropriate steps to, say, revoke access to a particular resource and thereby strengthen your security posture. Similarly, if you can pinpoint SaaS misconfigurations or dormant accounts, remediating those also helps mitigate risk.
“What about non-human identities?”
One of the top questions we got in our Black Hat booth — both spontaneously and in response to demos of Oleria Adaptive Security — was, “What about non-human identities?”
Non-human identities (NHIs) are getting more headlines as a source of identity security risk. NHIs are how your various apps get permission to interact with other apps (the keys to driving integration and automation). The concern is that NHIs often exist outside of conventional IAM platforms and outnumber human identities by as much as 45 to 1, representing a huge blind spot in many organizations.
How does Oleria answer that common NHI question? Our fundamental aim is to provide a composite view of all identities and all access, across the decentralized enterprise IT estate. That includes human and non-human identities — and gives the same level of fine-grained detail on NHIs. In other words, we don’t need to treat NHIs as a completely unique problem, because unlike conventional IAM that’s trying to bolt on NHI capabilities, we built Oleria from the ground up for a world filled with NHIs.
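The visibility gap described under "Over-provisioning in the cloud" and the NHI question above call for the same analysis, so here is one added example that serves both. It is illustrative code written for this post, not Oleria's product or any vendor's implementation, and every identity, grant and usage event in it is constructed. Human users and service accounts sit in one inventory; each grant records how it was obtained, so the report can say not just "revoke this" but "remove the group membership or the OAuth app that conferred it". Grants with no usage in the look-back window are flagged as over-provisioned, and identities with no activity at all are flagged as dormant.

```python
"""Right-sizing access across human and non-human identities (constructed example)."""
from datetime import datetime, timedelta

# Constructed inventory: humans and NHIs share one table with the same fields.
IDENTITIES = {
    "alice":       {"kind": "human", "owner": "alice"},
    "ci-deploy":   {"kind": "nhi",   "owner": "platform-team"},   # CI service account
    "legacy-sync": {"kind": "nhi",   "owner": "unknown"},         # orphaned integration
}

# Constructed grants: (identity, resource, permission, how it was granted).
GRANTS = [
    ("alice",       "s3://reports",   "read",   "group:analysts"),
    ("alice",       "s3://reports",   "write",  "direct"),
    ("alice",       "ec2:prod",       "admin",  "group:oncall-2022"),
    ("ci-deploy",   "ec2:prod",       "deploy", "direct"),
    ("ci-deploy",   "s3://artifacts", "write",  "direct"),
    ("ci-deploy",   "s3://reports",   "read",   "role:everything"),
    ("legacy-sync", "crm:contacts",   "read",   "oauth-app"),
]

# Constructed usage events: (ISO timestamp, identity, resource, permission).
EVENTS = [
    ("2024-08-01T09:00:00", "alice",       "s3://reports",   "read"),
    ("2024-08-05T10:30:00", "ci-deploy",   "ec2:prod",       "deploy"),
    ("2024-08-05T10:31:00", "ci-deploy",   "s3://artifacts", "write"),
    ("2024-03-02T02:00:00", "legacy-sync", "crm:contacts",   "read"),
]

NOW = datetime.fromisoformat("2024-08-15T00:00:00")   # fixed clock for reproducibility
WINDOW = timedelta(days=90)


def unused_grants(grants=GRANTS, events=EVENTS, window=WINDOW, now=NOW):
    """Grants with no matching usage inside the look-back window."""
    cutoff = now - window
    used = {(i, r, p) for ts, i, r, p in events if datetime.fromisoformat(ts) >= cutoff}
    return [g for g in grants if (g[0], g[1], g[2]) not in used]


def dormant_identities(identities=IDENTITIES, events=EVENTS, window=WINDOW, now=NOW):
    """Identities (human or NHI) with no activity at all inside the window."""
    cutoff = now - window
    last_seen = {}
    for ts, ident, _, _ in events:
        t = datetime.fromisoformat(ts)
        last_seen[ident] = max(last_seen.get(ident, t), t)
    return sorted(i for i in identities if i not in last_seen or last_seen[i] < cutoff)


def remediation(granted_via):
    """Translate provenance into the action that actually removes the access."""
    if granted_via == "direct":
        return "remove direct grant"
    if granted_via.startswith("group:"):
        return f"remove membership in {granted_via[6:]} or narrow that group's grant"
    if granted_via.startswith("role:"):
        return f"narrow or detach role {granted_via[5:]}"
    if granted_via == "oauth-app":
        return "revoke the app's token and de-authorize the integration"
    return "investigate: unknown grant path"


def access_report(identities=IDENTITIES, grants=GRANTS, events=EVENTS, now=NOW):
    """Per-identity findings: kind, owner, dormancy, and unused grants with a fix."""
    dormant = set(dormant_identities(identities, events, now=now))
    report = {}
    for ident, resource, perm, via in unused_grants(grants, events, now=now):
        entry = report.setdefault(ident, {
            "kind": identities[ident]["kind"],
            "owner": identities[ident]["owner"],
            "dormant": ident in dormant,
            "revoke": [],
        })
        entry["revoke"].append({"resource": resource, "permission": perm,
                                "granted_via": via, "action": remediation(via)})
    return report


if __name__ == "__main__":
    for ident, finding in access_report().items():
        flag = "DORMANT " if finding["dormant"] else ""
        print(f"{flag}{ident} ({finding['kind']}, owner={finding['owner']})")
        for r in finding["revoke"]:
            print(f"  unused {r['permission']} on {r['resource']} via {r['granted_via']}: {r['action']}")
```

Two things the output shows that a simple "who has admin" list would not: alice's `ec2:prod` admin comes from a 2022 on-call group she is still a member of, so the fix is the group, not a per-resource revoke; and `legacy-sync` is an NHI with an unknown owner that has not been seen in the window, which is the kind of blind spot the 45-to-1 ratio produces.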
How will identity security evolve before Black Hat 2025?
Coming home from Black Hat this year, I spent a lot of time thinking about what we’ll be talking about next year. Identity security is squarely in the spotlight, and it’s clear that the wave of AI and ML is going to change things quickly over the coming months. More and more organizations are recognizing that identity security needs to evolve in impactful ways, too, if they want to realize the potential of all of these exciting technologies. And it’s promising to see how other vendors are joining Oleria in moving toward a more agile approach to identity security that’s ready for tomorrow’s IT landscape.
Want to hear my take on where identity security is headed and what we'll be talking about at Black Hat 2025? Reach out — let’s chat.