BioStar 2 data breach: How IGA failures could not have prevented it from happening



Just as the sun rises and sets, so another data breach occurs. As more organizations incorporate biometrics as an authentication method, securely storing this type of immutable information becomes more important. While users can change passwords to protect their data, they cannot change their fingerprints should malicious actors compromise the information. In the “Advice from the Experts” section, vpnMentor recommends implementing proper access rules on databases. This suggestion highlights the shifting perimeter. Securing data stored in cloud databases requires robust Identity Governance and Administration (IGA) programs.

How Is the BioStar 2 Breach Related to Access Rules?

You may be thinking that simply monitoring the servers’ security and configurations would have been enough. In reality, misconfiguration only created part of the problem. The researchers compromised the BioStar 2 database with credential theft. After gaining access to the unsecured server, they obtained administrative access by using administrative credentials stored as plain text in the database.

Although the initial entry point existed as a publicly facing server, the primary threat vector was the ability to compromise privileged accounts.

3 Access Rules That Would Have Mitigated BioStar 2 Security Risk

Once the researchers gained access to the misconfigured server, they had complete access to administrative accounts, including user permissions and security settings. With these credentials, they made themselves look like authorized users.

Fine-Grained Access Controls

Problematically, once the researchers gained access to the server, they could read and change any data contained within it. As you seek to manage your cloud storage, you should be thinking strategically about the way in which users can interact with data.

The report never details which user account served as the starting point. The researchers simply mention that weak passwords enabled them to access and change information.

Protecting against this type of threat requires enforcing “least privilege necessary” within your IT infrastructure. Protecting against unauthorized access to applications or databases no longer secures data. As you modernize your infrastructure, you need to incorporate context-aware access controls that limit users’ ability to change data. Assuming that the initial vector was a standard, not privileged, account, enforcing “least privilege necessary” read/write access could have prevented data alteration.

Firefighter Access Controls

After obtaining access to the server, the researchers explain that they were able to view administrative account information, including username and password. While the lack of secure hashing provided data for the researchers to obtain privileged access, the lack of privileged access controls exacerbated the initial control weakness.

“Check-in/check-out” privileged access controls protect against data corruption. Creating timebound privileged access controls that require approval enables you to monitor privileged access within the ecosystem. The administrator would need to approve the access before anyone could alter the information.
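A minimal sketch of the check-out/check-in flow described above, as an added example that is not from the original post or any vendor product. The `FirefighterBroker` class, role names, and 15-minute default lifetime are hypothetical.

```python
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class Grant:
    user: str
    role: str
    reason: str
    ttl: int                          # seconds of access once approved
    approver: Optional[str] = None
    expires_at: Optional[float] = None

class FirefighterBroker:
    """Hypothetical check-out/check-in broker for privileged roles."""

    def __init__(self, approvers, clock=time.time):
        self.approvers = set(approvers)
        self.clock = clock
        self.grants = {}              # (user, role) -> Grant
        self.audit = []               # (time, event, actor, user, role)

    def _log(self, event, actor, g):
        self.audit.append((self.clock(), event, actor, g.user, g.role))

    def request(self, user, role, reason, ttl=900):
        g = self.grants[(user, role)] = Grant(user, role, reason, ttl)
        self._log("requested", user, g)
        return g

    def approve(self, approver, user, role):
        g = self.grants[(user, role)]
        # Approval must come from a listed administrator other than the requester.
        if approver not in self.approvers or approver == user:
            self._log("approval_denied", approver, g)
            raise PermissionError("approver is not an authorized second person")
        g.approver, g.expires_at = approver, self.clock() + g.ttl
        self._log("approved", approver, g)

    def is_active(self, user, role):
        # Privilege exists only between approval and expiry; default is deny.
        g = self.grants.get((user, role))
        return bool(g and g.expires_at is not None and self.clock() < g.expires_at)

    def check_in(self, user, role):
        g = self.grants.pop((user, role), None)
        if g:
            self._log("checked_in", user, g)
```

Every state change lands in `audit`, so the monitoring described in the next section has a record of who requested, who approved, and when the access ended.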

Continuous Monitoring

Internal access governance needs to incorporate continuous monitoring for anomalous access requests. In the same way that you monitor for external vulnerabilities, you need to monitor for internal vulnerabilities.

Using automated tools streamlines this process. Peer- and usage-based analytics enable you to enforce risk-aware access policies. Incorporating monitoring, particularly over privileged user accounts, enables you to better control access within your ecosystem.


How User and Entity Behavioral Analytics (UEBA) Could Have Prevented the BioStar 2 Security Breach

Equally important, BioStar 2 lacked the appropriate user behavioral monitoring that would have proactively detected the researchers’ activities. The researchers used authorized credentials, but BioStar 2 was unable to detect the changes in user behavior that would have signaled a data breach.

UEBA aggregates data such as location, device, and habits to provide a holistic picture of each user’s access to resources. Incorporating UEBA into your IGA program provides a depth and breadth of information that can identify potential credential theft. With UEBA, you can detect risky actions such as using an unknown device, logging in from an unexpected location, or accessing information at an unusual time.

Using UEBA enables you to mitigate new internal risks in near real-time to protect against credential theft or privilege misuse.
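The three signals named above (unknown device, unexpected location, unusual time) can be checked against a per-user baseline. The following is an added example, not code from the original post or from any UEBA product. The event fields, user names, site labels, and two-signal alert threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logins: (ISO timestamp, user, device id, location label)
HISTORY = [
    ("2024-03-01T09:05:00", "admin1", "laptop-17", "site-A"),
    ("2024-03-02T10:30:00", "admin1", "laptop-17", "site-A"),
    ("2024-03-05T14:45:00", "admin1", "laptop-17", "site-A"),
    ("2024-03-06T16:10:00", "admin1", "desk-03", "site-A"),
]
NEW_EVENTS = [
    ("2024-03-07T11:00:00", "admin1", "laptop-17", "site-A"),
    ("2024-03-07T03:12:00", "admin1", "unknown-9f", "site-B"),
]

def build_baseline(events):
    """Collect the devices, locations and login hours seen for each user."""
    base = defaultdict(lambda: {"devices": set(), "locations": set(), "hours": set()})
    for ts, user, device, location in events:
        profile = base[user]
        profile["devices"].add(device)
        profile["locations"].add(location)
        profile["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def risk_reasons(event, baseline, hour_slack=2):
    """Return the list of baseline deviations for one login event."""
    ts, user, device, location = event
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if device not in profile["devices"]:
        reasons.append("unknown device")
    if location not in profile["locations"]:
        reasons.append("unexpected location")
    hour = datetime.fromisoformat(ts).hour
    # Circular distance so 23:00 and 01:00 count as two hours apart.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in profile["hours"]):
        reasons.append("unusual time")
    return reasons

def detect(history, new_events, threshold=2):
    """Alert on events that deviate from the baseline on >= threshold signals."""
    baseline = build_baseline(history)
    scored = [(ev[1], ev[0], risk_reasons(ev, baseline)) for ev in new_events]
    return [alert for alert in scored if len(alert[2]) >= threshold]
```

Requiring two or more signals keeps a single new laptop or a late night from paging anyone, while valid credentials used from an unfamiliar device and place at 03:00 still raise an alert.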

As you migrate business-critical operations to the cloud, your IGA program should act as the foundation for your digital transformation initiatives. As part of the Shared Responsibility Model, you need to control access not only to but within your ecosystem by ensuring that only the right people have the right access to the right resources for the right time and reason. More than ever, organizations need to create strategic identity-focused privacy and security programs that protect data at the most vulnerable threat vector.

This guest post was written by Diana Volere:

Diana Volere is a strategist, architect, and communicator on digital identity, governance, and security, with a passion for organizational digital transformation. She has designed solutions for and driven sales at Fortune 500 companies around the world and has an emphasis on healthcare and financial verticals. 

In her role as Saviynt’s Chief Evangelist, she delivers Saviynt’s vision to the community, partners, and customers, addressing how to solve present and future business challenges around identity. Her past twenty years have been spent in product and services organizations in the IAM space. Outside of work, she enjoys travel, gastronomy, sci-fi, and most other activities associated with being a geek.