On April Fools' Day, it’s interesting to look back at one of the earliest known pranks. In 1698, crowds gathered at the Tower of London after hearing about the "washing of the lions." Of course, no lions were actually washed.
Today, some prevalent myths in our industry create a similar sense of false security. Here are three that I encounter frequently:
Myth 1: "We deployed MFA, so we're secure." Threat groups like Scattered Spider have become highly skilled at bypassing traditional MFA methods, especially those relying on SMS or basic push notifications through real-time phishing and MFA fatigue attacks. It’s important to recognise that not all MFA factors offer the same level of protection.
Adopting phishing-resistant authenticators such as FIDO2 and passkeys is key. These provide hardware-backed security that effectively blocks advanced attacks. 🔒
Myth 2: "We bought a Zero Trust tool, so we have Zero Trust." Zero Trust is a framework and approach, not something that happens by simply acquiring a product. Implementing real Zero Trust requires building an architecture based on continuous verification and "never trust, always verify" principles.
At the heart of this is identity as the control plane. This involves setting adaptive policies that evaluate user context and device health, alongside Identity Security Posture Management to continually monitor and mitigate risks.
Myth 3: "Cloud security is the provider's problem." This overlooks the shared responsibility model. While cloud providers like Google Cloud safeguard the underlying infrastructure, your organisation retains responsibility for securing identity, access, data, and applications.
Mastering IAM setups is essential. Federating Okta with GCP via Workload Identity Federation centralises access governance and enforces strong MFA and device trust, helping to eliminate the risks tied to long-lived credentials.
With attackers constantly evolving, establishing a strategic, phishing-resistant identity posture is foundational to a resilient security stance.
If you’d like to discuss how these ideas can be applied in real environments, feel free to reach out.
#IdentitySecurity #ZeroTrust #CloudSecurity #PhishingResistant #IAM #Okta #GoogleCloud