By Jason Macy | Date posted: November 14, 2017
Oracle recently released a Security Alert Advisory regarding a newly identified – and soon thereafter patched – vulnerability within Oracle’s Identity Manager, a user identity validation tool for granting access to enterprise systems.
The bug referred to by Threatpost’s Michael Mimoso as one that’s “as bad as it gets,” scored a 10 on the CVSS score – the highest severity possible. As explained via NIST’s National Vulnerability Database, the vulnerability is “easily exploitable” and “can result in a takeover of Oracle Identity Manager.”
The major concern with a vulnerability such as this one is that the process for authentication is completely bypassed, requiring no valid/authorized user credentials in order to access sensitive company data. Imagine a bank manager opening the vaults, waving people in and saying, “Come in and take whatever you want, we’re open!” That’s essentially what we’re seeing here.
Earlier this year, we witnessed the OneLogin breach, and now Oracle. With events such as these, the industry is beginning to see the obvious differentiation between identity and security.
IAM Not Secure
Identity and Access Management (IAM) tools, while a critical component of any successful defence, aren’t equipped to thwart attacks. The solutions aren’t secure, despite their adoption being increasingly designated as security-focused.
IAM and cybersecurity have diverged as different industries and unfortunately, there’s often a misunderstanding in the differentiation. What businesses don’t realize is that adopting an IAM platform actually creates more vulnerability since the IAM platforms and products themselves are not cyber hardened, allowing for centralized attack points for malicious actors. IAM platforms are proficient at lifecycle management and consolidating user repositories, but not reliable as enforcement points for runtime access control. The enforcement component of the IAM solution should rely on API Security Gateway technologies or other hardened cybersecurity capabilities that integrate with the IAM platform. Otherwise, the very reliance on insecure IAM solutions makes the architecture less secure.
Unfortunately, bad actors have made note of identity’s susceptibility to compromise, identifying IAM technologies as an effective new vector for cyber attack. With an obligation to protect our customers, partners and employees, it’s time for industry leaders to address the looming dangers. The emergence of best-of-breed solutions such as API Security Gateway technology provides hardened enforcement points for identity access control, allowing the full realization of modern IAM platforms to both unify and simplify identity as well as secure the runtime processing of identity decisions.