Youattest Logo

Palo Alto’s “Why IAM is a Target” Report and Identity Governance

Organizations of all sizes are increasingly moving their operations to the cloud, prioritizing identity and access management (IAM). As a result, IAM systems are becoming attractive targets for cybercriminals. Palo Alto Networks’ recently released “Why IAM is a Target” report outlines the most common attacks targeting IAM systems and offers recommendations for protecting your organization.

IAM and Organizational Security

Identity and access management (IAM) is more important than ever in today’s world. IAM controls have access to resources within an organization. Because of this access, IAM controls play a vital role in protecting against unauthorized access to sensitive data. Palo Alto Networks explained in their recent report how weak IAM policies could leave organizations vulnerable to attack. It also provides step-by-step instructions on how to harden IAM permissions to help prevent unauthorized access to sensitive data.

Traditionally, an IAM system consists of a central database of users and their associated permissions. This system then  controls access to various resources within an organization. However, the report states that “the cloud has changed the game.” Cloud-based IAM systems are often more complex, and as such, they can be more challenging to configure correctly. Unfortunately, this complexity leaves organizations open to cyber threats when not managed properly. 

IAM Solutions

The Palo Alto report recommends that organizations take steps to harden their IAM permissions to help prevent unauthorized access to sensitive data. 

One of the report’s key findings is that “credential theft is the number one attack vector in the cloud.” This is primarily due to the passwords chosen by system users. On average, 44% of organizations allow IAM password reuse, 53% of cloud accounts allow weak passwords, and cloud service provider policies grant 2.5 more permissions than policies managed by the organization themselves.

The Hacks Often Come from Over-Privileging Accounts

Overly permissive resources have caused numerous breaches, notably the now infamous Capital One breach. Capital One was breached by a hacker who took advantage of an EC2 instance with an overly permissive IAM role. The hacker then extracted all the data from S3 buckets.

Report Recommends Security Automation

Palo Alto Networks also recommends increasing security automation. Security automation can help organizations keep track of changes to their IAM system and quickly respond to any potential attacks.   The key recommendation is to remove the manual process which often brings in errors and invites irregularities in identity and enforcement.

Where Identity Governance Comes In 

As the Palo Alto report says and the Capital One breach shows – over permissive accounts can lead to serious breaches on identity and other resources. The advised mechanism from multiple guidances is recertification of user entitlements.   The Cloud Security Alliance (CSA) spells out the need and best practices, in their Cloud Controls Matrix (CCM), specifically under the control titled “User Access Reviews” (IAM-10: User Access Reviews).   The CCM guidance draws upon best practices spelled out by the NIST CyberSecurity FrameWork (SP 800-53 v5) for Identity Policy and Procedures (PR.AC-1) and enforcing the Principle of Least Privilege (PR.AC-6).

IAM-10 states:

User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization’s business leadership or other accountable business role or function…

English translation:  User privileges have to be reviewed!   On a regular basis.

Where YouAttest Comes in:

YouAttest is the automated tool that conducts the identity and identity privileges in from multiple identity sources – especially cloud identity providers like Azure AD, JumpCloud and Okta.   No more painful spreadsheets, nag emails and screenshots – the entire process is automated through a GUI that can easily be managed by a single risk manager.

YouAttest also can intake identities from any other resource and conduct a GUI based user access review w/ the identity and access certification as spelled out in CCM IAM-10.

Image #1:  Youttest is a GUI-drive cloud-tool that enforces cloud security via identity access reviews (CSA CCM IAM-10)


YouAttest is an automated identity audit tool for your identity and access controls. Cloud-based and simple to use – YouAttest provides a unified risk platform for your identity audits with the quickest time-to-value and no implementation cost. Contact us and we will start your identity auditing journey.