I found the recent information that Okta released about their latest breach to be interesting. According to the report, an employee accidentally saved a service account password to his personal email, and then his personal email may have been compromised, which gave the attackers access inside Okta.
First, don’t we think it is a stroke of luck that the attacker managed to find the one user who saved a password incorrectly, and then managed to compromise that account? Food for thought.
In my CISO experience, we do need controls around personal email and other SaaS services. It’s a data exfiltration method that we need to be concerned about. It doesn’t mean that they have to be blocked per se, but there should be a process in place to monitor for services used on a device and data that leaves. Blocking strictly can cause problems: 1) users get really, really mad and tend to find workarounds, and 2) it gets tough considering so many companies use services like Google that have both an enterprise and a personal brand.
Secondly, this is where I think more zero-trust solutions can help. Even if an attacker manages to steal credentials, if that attacker’s laptop isn’t authenticated with the zero-trust platform, it doesn’t get into the service. I think this is where the industry will eventually go. Micro network segmentation doesn’t work. But device-based zero-trust scenarios can. Thoughts?
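To make the device-based point concrete, here is an added example (not from the original post or any vendor's code) of an access decision that requires both valid credentials and a proof from an enrolled device: a stolen password from an unenrolled laptop is refused. The user, device and secrets are constructed; a real deployment would keep the device key in a TPM or secure enclave and use certificates rather than a shared HMAC key.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed credential store: username -> salted PBKDF2 hash of the password.
_SALT = b"constructed-salt"

def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"svc-account": _hash_pw("Correct-Horse-Battery")}

# Constructed device registry: device_id -> (owner, device-bound secret).
# The secret is provisioned at enrollment and never leaves the device.
DEVICES = {"laptop-0001": ("svc-account", os.urandom(32))}

def new_nonce() -> bytes:
    """Server-side challenge; a fresh value per login attempt defeats replay."""
    return os.urandom(16)

def device_proof(device_id: str, nonce: bytes) -> bytes:
    """What an enrolled device computes: HMAC over the server nonce with its key."""
    _owner, key = DEVICES[device_id]
    return hmac.new(key, device_id.encode() + nonce, "sha256").digest()

def authorize(user: str, password: str, device_id: Optional[str],
              nonce: bytes, proof: Optional[bytes]) -> Tuple[bool, str]:
    """Zero-trust style decision: credentials alone are never sufficient."""
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, _hash_pw(password)):
        return False, "bad credentials"
    if device_id is None or proof is None:
        return False, "no enrolled device presented"
    entry = DEVICES.get(device_id)
    if entry is None or entry[0] != user:
        return False, "device not enrolled for this user"
    if not hmac.compare_digest(proof, device_proof(device_id, nonce)):
        return False, "device proof invalid"
    return True, "allowed"

if __name__ == "__main__":
    n = new_nonce()
    # Attacker with the leaked password but no enrolled device: denied.
    print(authorize("svc-account", "Correct-Horse-Battery", None, n, None))
    # Same credentials from the enrolled laptop: allowed.
    print(authorize("svc-account", "Correct-Horse-Battery", "laptop-0001",
                    n, device_proof("laptop-0001", n)))
```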