Latest news with #Kerberos


Techday NZ
3 days ago
Quantum computing exposes Active Directory to urgent new risks
Organisations using Microsoft Active Directory as their primary identity management system face a significant cybersecurity risk as the advent of quantum computing begins to challenge established cryptographic protections, according to Certes.

Certes has released a technical analysis outlining how the introduction of post-quantum cryptography (PQC), designed to resist powerful quantum computing attacks, reveals vulnerabilities in legacy systems such as Active Directory. The report indicates organisations could be exposed to attacks if underlying identity infrastructure does not evolve alongside cryptographic standards.

The analysis warns that most businesses still rely on authentication systems originally built for classical computing environments. These systems employ protocols and structures including Kerberos authentication, domain trusts, and key distribution mechanisms, all of which may be unsuitable as the threat landscape evolves with quantum technology.

Expert warning

"This isn't a hypothetical risk anymore," said Simon Pamplin, CTO at Certes. "The cryptographic standards being pushed out today are being fast-tracked to combat real and present quantum risks. But the problem is that most organisations still depend on Active Directory; a system never designed to survive this level of cryptographic upheaval."

Quantum computers are predicted to eventually possess the capacity to break the cryptographic algorithms that underpin many of today's security solutions. In anticipation, new PQC algorithms are being developed and deployed. While these are expected to provide a more secure foundation for future digital infrastructure, Certes warns that existing directory services such as Active Directory were not created with quantum resilience in mind.

Certes' technical team notes that, despite advances in other areas of cybersecurity, the core identity and access management systems within many enterprises remain based on decades-old technology. This dependence could create opportunities for attackers to exploit the gap between new cryptographic protections and legacy identity protocols.

The firm contends that even organisations investing in modern security features such as multi-factor authentication or cloud-based platforms may remain at risk if their identity backbone is not upgraded to keep pace with cryptographic developments.

"What's most alarming is the false sense of security," added Simon. "Many CISOs are focused on perimeter security modernisation, MFA here, a cloud migration there, but underneath, the enterprise's digital identity is still built on sand."

Industry recommendations

Certes is calling on senior decision-makers, including Chief Information Security Officers (CISOs) and IT strategists, to closely review and update their security models. The company advises organisations to assess the specific vulnerabilities associated with integrating PQC into Active Directory environments, map out all current cryptographic dependencies ahead of any PQC-related implementation, and re-evaluate their digital identity strategies to look beyond legacy directory services.

The organisation is actively providing guidance to clients in sectors such as finance, healthcare, defence, and government. Certes states that solutions exist today to support data protection in the face of quantum threats, and that its current focus is helping customers establish robust, future-proof strategies to secure critical assets before new attack methods become widespread.

The analysis concludes that the intersection of post-quantum algorithms and enterprise authentication, particularly where Active Directory is concerned, poses an urgent and complex challenge for organisations dependent on traditional security architectures.


Techday NZ
11-07-2025
Hybrid identity security scores decline as vulnerabilities rise
Organisations are finding it increasingly difficult to identify and manage security vulnerabilities in hybrid identity environments, according to the latest 2025 Purple Knight Report from Semperis.

Declining security scores

The report, based on an online survey using the free Purple Knight security assessment tool, reveals an average initial security score of 61 out of 100 across participating organisations. This marks an 11-point decrease from the previous year's average of 72, highlighting a worsening situation in securing hybrid identity platforms such as Active Directory, Entra ID, and Okta.

Developed by Semperis, Purple Knight enables organisations to discover indicators of exposure (IoEs) and indicators of compromise (IoCs) in their hybrid directory environments, offering both a benchmarking mechanism and ongoing tracking support.

Variations by company size

The survey documented notable differences in security posture between organisations of varying sizes. The highest scores were observed among large organisations with over 10,000 employees, achieving an average of 73. Small companies with up to 500 employees reported an average score of 68. In contrast, mid-sized organisations (2,001 to 5,000 employees) registered the lowest average score of just 52, reflecting particular difficulties faced by this segment.

"The largest organisations have more resources, and the smallest organisations often have less-complicated environments to secure," said Sean Deuby, Semperis Principal Technologist, Americas.

Addressing the challenges encountered by mid-sized organisations, Deuby added, "The midsized companies are where the IT pros have to do everything. You don't have full-time AD specialists."

Sector-specific findings

Security gaps were also distributed unevenly across industries. The government sector recorded the lowest average score at 46, followed by the retail industry at 51, and the transportation and education sectors at 57. Despite healthcare achieving the highest industry score of 66, this result still indicates significant room for improvement.

Vulnerability categories

When examining categories of vulnerabilities, organisations scored lowest in the AD Infrastructure category, followed by Account Security, Kerberos, Group Policy, Entra ID, and Okta. This illustrates a broad range of challenges faced when managing hybrid identity systems.

"Hybrid identity environments are complex, and threat actors know it. Overall, organisations can't protect what they can't see. The lower average scores in the 2025 Purple Knight Report indicate how crucial it is for companies to proactively assess vulnerabilities across their hybrid identity systems so they can close security gaps before attackers exploit them," said Deuby. "Purple Knight gives organisations of all sizes the ability to identify vulnerabilities and remediate them before risks become damaging losses because of a compromise."

Remediation impact

According to the report, organisations that utilised Purple Knight's security recommendations achieved an average improvement of 21 points on their security assessment scores, with some reporting gains as high as 61 points. This demonstrates the measurable benefit of following expert mitigation guidance.

Bob G., infrastructure team lead at a global shipping company, explained, "My company has launched a multi-year project to reorganise the environment, which currently consists of about 30 AD forests. Using Purple Knight to scan those environments helps us understand what might break in our permissions structure or what open security vulnerabilities we need to fix."

Jose G., global administrator at an IT services company, described the tool's real-world impact: "We suffered an attack that compromised some of our systems, and we thought we were pretty secure in terms of Active Directory. We learned a lot from that event. Out of curiosity, I ran Purple Knight on the environment, and I found a new world of stuff to fix."

Eric M., senior identity engineer at a global printing company, reflected on his experience, "I do a pretty good job. And we haven't been breached. But then you see the D-minus on your report card and it's like, wow. There are some things we could do better."

Usage and recommendations

Purple Knight is officially recommended by organisations including the Five Eyes alliance and the Australian Cyber Security Centre. More than 45,000 organisations have used the tool to date to assess and bolster their hybrid Active Directory security.