All news with #iam tag

Thu, September 25, 2025

CSA launches SaaS Security Capability Framework (SSCF)

🔒 The Cloud Security Alliance has published the SaaS Security Capability Framework (SSCF), a standardized set of customer-facing security controls designed to reduce long-standing gaps in third-party risk management. SSCF defines minimum technical capabilities across six domains — including identity and access, data lifecycle, logging, and incident management — that vendors should expose under the Shared Responsibility Model. The framework is intended to add transparency and consistency to SaaS security, complementing business-focused standards such as ISO 27001, and aims to evolve into practical implementation guidance, auditing criteria, and a certification scheme.

Thu, September 25, 2025

Assessing Passkey Security: Benefits and Limitations

🔐 Passkeys replace passwords with public-key cryptography, keeping the private key on the user’s device while services retain only a public key. They prevent phishing, credential stuffing, and brute-force attacks, and are unlocked by local authentication such as biometrics or a PIN. FIDO research and high-profile moves by Microsoft and Aflac highlight improved convenience and reduced support costs, but device dependency, legacy compatibility, and implementation costs remain significant challenges.

Thu, September 25, 2025

Cloudflare Brings Enterprise Features to All Plans

🔐 Cloudflare announced it will make nearly every feature available for direct purchase on any plan, removing the previous distinction of “enterprise-only” capabilities. The rollout begins today with dashboard SSO, which is now accessible to all customers and supports GitHub social login; many Zero Trust features are available at no cost for up to 50 users. Over the next year Cloudflare will extend this self-service approach to additional capabilities, simplify billing and packaging, and reduce the need to involve sales or solutions engineers, while noting a few region-specific exceptions such as its China Network.

Thu, September 25, 2025

AI Coding Assistants Elevate Deep Security Risks Now

⚠️ Research and expert interviews indicate that AI coding assistants cut trivial syntax errors but increase more costly architectural and privilege-related flaws. Apiiro found AI-generated code produced fewer shallow bugs yet more misconfigurations, exposed secrets, and larger multi-file pull requests that overwhelm reviewers. Experts urge preserving human judgment, adding integrated security tooling, strict review policies, and traceability for AI outputs to avoid automating risk at scale.

Wed, September 24, 2025

Retail at Risk: Single Alert Reveals Persistent Threat

🔍 A single Microsoft Defender alert triggered an investigation that uncovered a persistent cyberthreat against retail customers. Attackers exploited unpatched SharePoint flaws CVE-2025-49706 and CVE-2025-49704 using obfuscated ASPX web shells while also compromising identities through self-service password reset abuse and Microsoft Entra ID reconnaissance. DART swiftly contained the intrusions—removing web shells, isolating Entra ID, deprivileging accounts, and recommending Zero Trust measures, MFA enforcement, timely patching, and EDR deployment.

Wed, September 24, 2025

Agent Factory: Building the Open Agentic Web Stack

🔧 This wrap-up of the Agent Factory series lays out a repeatable blueprint for designing and deploying enterprise-grade AI agents and introduces the agentic web stack. It catalogs eight essential components—communication protocols, discovery, identity and trust, tool invocation, orchestration, telemetry, memory, and governance—and positions Azure AI Foundry as an implementation. The post stresses open standards such as MCP and A2A, emphasizes interoperability across organizations, and highlights observability and governance as core operational requirements.

Wed, September 24, 2025

Extending Zero Trust to the Storage Layer: Resilience

🔒 Applying zero trust to the storage layer is no longer theoretical — it is now essential to ensure recovery. The author describes ransomware incidents, including Change Healthcare in February 2024, where attackers deliberately targeted backups and recovery points, exposing storage as a primary attack surface. He recommends three operational principles — control where data is touched, control who and when, and make critical backups immutable — and ties those measures to governance, policy-as-code, and executive outcomes.

Wed, September 24, 2025

Pandoc SSRF Exploited to Target AWS IMDS, Steal EC2 Keys

🔒 Wiz has observed in-the-wild exploitation attempts of CVE-2025-51591, an SSRF in Pandoc that renders iframe tags and can direct them at the AWS Instance Metadata Service (IMDS). Attackers submitted crafted HTML aiming to access 169.254.169.254 to exfiltrate temporary IAM metadata and EC2 credentials. Attempts seen from August and continuing for weeks were blocked where IMDSv2 was enforced. Administrators should mitigate by using Pandoc's -f html+raw_html or --sandbox options, enforce IMDSv2, and apply least-privilege roles.

Tue, September 23, 2025

Free IGA for SMBs: Streamline Access and Governance

🔒 Tenfold’s Community Edition offers a free, full-featured Identity Governance & Administration (IGA) platform for organizations of up to 150 users. Its no-code interface enables automated role-based onboarding and offboarding using configurable profiles, and supports self-service password resets and access requests with customizable approval workflows. The solution analyzes Active Directory, SharePoint and Microsoft 365 permissions, helps identify unwanted external sharing, and automates scheduled access reviews to reduce privilege creep and IT helpdesk workload.

Tue, September 23, 2025

AI Growth Fuels Surge in Hardware and API Vulnerabilities

🛡️ Bugcrowd's annual "Inside the Mind of a CISO 2025: Resilience in an AI-Accelerated World" report warns that rapid, AI-assisted development is expanding the attack surface and exposing foundational weaknesses. Published September 23, the study links faster release cycles to gaps in access control, data protection and hardware security, and highlights rising API and network vulnerabilities. It calls for continuous offensive testing and collective intelligence to mitigate escalating risks.

Tue, September 23, 2025

Essential Security Tools Every Organization Should Deploy

🔐 Security leaders face a shifting threat landscape, tighter regulation, and increasing IT complexity, so a well-integrated toolset is essential. The article outlines 13 core solution categories — from XDR, MFA and IAM to DLP, CASB, backup/DR and AI-SPM — and explains how each strengthens detection, access control, data protection and recovery. Emphasis is placed on integration, automation and real-time response to reduce manual verification and satisfy compliance and cyber insurance requirements.

Mon, September 22, 2025

Regaining Control of AI Agents and Non-Human Identities

🔐 Enterprises are struggling to secure thousands of non-human identities—service accounts, API tokens, and increasingly autonomous AI agents—that proliferate across cloud and CI/CD environments without clear ownership. These NHIs often use long-lived credentials, lack the contextual signals that adaptive controls depend on, and become over-permissioned or orphaned, creating major lateral-movement and compliance risks. The article recommends an identity security fabric—including discovery, risk-based privilege management, automated lifecycle policies, and integrations such as Okta with AWS—to regain visibility and enforce least privilege at scale.

Mon, September 22, 2025

CSO Awards: Security Innovation and Transformative Work

🔒 CSO highlights seven award-winning security initiatives that showcase practical innovation across vulnerability management, third-party risk, multicloud security, secure coding, threat detection, and AI-driven hunting. Profiles include BMHCC’s risk-based remediation delivering a 70% risk reduction, FSU’s tighter vendor assessments, Marvell’s unified cloud vulnerability platform, and Mastercard’s developer-focused security conference. The pieces emphasize automation, AI, and cross-team collaboration as key drivers of measurable security impact.

Mon, September 22, 2025

Microsoft Fixes Entra ID Token Flaw Allowing Impersonation

🔒 Microsoft has patched a critical token validation failure in Entra ID (formerly Azure AD), tracked as CVE-2025-55241 and assigned a CVSS score of 10.0. The flaw combined misused service-to-service (S2S) actor tokens issued by the Access Control Service (ACS) with a validation gap in the legacy Azure AD Graph API that enabled cross-tenant impersonation, including Global Administrators. Microsoft released a fix on July 17, 2025 and said no customer action is required; there is no indication the issue was exploited in the wild. Security firms warned the vulnerability could bypass MFA, Conditional Access and logging, potentially enabling full tenant compromise.

Fri, September 19, 2025

AWS Organizations SCPs Now Support Full IAM Language

🔐 AWS announced that AWS Organizations service control policies (SCPs) now support the full IAM policy language, adding features such as NotAction, NotResource, resource-level Allow statements, conditions in Allow, and more flexible action wildcards. The update is available across AWS commercial and GovCloud (US) Regions. These changes simplify permission models, reduce prior workarounds (such as tagging-based exceptions), and make SCPs more expressive and concise. AWS recommends careful wildcard use and continuing to prefer explicit Deny statements for robust controls.

Thu, September 18, 2025

Source-of-Truth Authorization for RAG Knowledge Bases

🔒 This post presents an architecture to enforce strong, source-of-truth authorization for Retrieval-Augmented Generation (RAG) knowledge bases using Amazon S3 Access Grants with Amazon Bedrock. It explains why vector DB metadata filtering is insufficient—permission changes can be delayed and complex identity memberships are hard to represent—and recommends validating permissions at the data source before returning chunks to an LLM. The blog includes a practical Python walkthrough for exchanging identity tokens, retrieving caller grant scopes, filtering returned chunks, and logging withheld items to reduce the risk of sensitive data leaking into LLM prompts.

Thu, September 18, 2025

Protecting SMBs From Ransomware: Trends and Defenses

🔒 Small and medium-sized businesses are increasingly targeted by ransomware gangs that exploit weak defenses, offer Ransomware-as-a-Service, and adapt tactics with AI-driven tools. RaaS industrialization and discoveries like ESET's PromptLock demonstrate how attackers can scale reconnaissance, exploitation and social engineering. SMBs face double-extortion, DDoS and coercive pressures while repeat payments remain an issue despite a decline in aggregate crypto payouts. Practical defenses—Zero Trust, timely patching, reliable backups, EDR/MDR and tested incident response—can materially reduce risk.

Wed, September 17, 2025

AWS Lambda: Cross-Account Container Images in GovCloud

🚀 AWS Lambda now supports creating or updating functions using container images stored in an Amazon ECR repository in a different AWS account within GovCloud Regions. This removes the previous need to copy images into a local ECR repo and streamlines centralized image management and CI/CD workflows. Administrators must grant the Lambda resource and the Lambda service principal the necessary cross-account permissions.

Wed, September 17, 2025

ICO Warns Schools: Students Fuel Insider Data Breaches

🔒 The UK's Information Commissioner's Office (ICO) warns that pupils represent a significant insider threat in schools, reporting that 57% of education-sector data breach reports originate from students. In an analysis of 215 breach reports between January 2022 and August 2024, nearly a third of insider incidents involved stolen or guessed passwords, 97% of which were committed by students. The ICO highlights additional causes — weak data protection (23%), staff sending data to personal devices (20%), misconfigured access rights (17%), and deliberate bypassing of controls (5%) — and cites incidents where students accessed systems holding thousands of records. Practical recommendations include strong password hygiene, MFA, tightened access controls, prohibiting pupil use of staff devices, secure shared-device management, and better parental engagement.

Tue, September 16, 2025

From Prevention to Rapid Response: The New CISO Era

🔒 CISOs are shifting from an all-or-nothing prevention model to a containment-first strategy that assumes breaches will occur. Organizations are investing in sharper visibility, automation and precise network segmentation to stop lateral movement and reduce blast radius. Modern zero trust implementations enforce context-aware, least-privilege access across hybrid environments, enabling faster detection and automated response while preserving user experience. In sectors such as fintech, CISOs must also balance strong background security with seamless interfaces and user education to sustain trust.
