The term “identity and access management,” or “IAM,” refers to a framework of corporate procedures, regulations, and technology that support the management of digital identities to guarantee that users only obtain access to data when they have the right credentials. Identity and access management is abbreviated as “IAM.” In addition to the actual users, IAM also covers service accounts and system accounts, both of which are very important for IAM administrators to handle inside their respective businesses. It is essential to conduct frequent inventorying, auditing, and monitoring of all of these identities and the access they have in order to guarantee that effective identity and access management, including permissions and active status, is carried out. Handling the ever-increasing complexity of digital identities may be a difficult task, particularly considering the drive in business toward cloud and hybrid computing environments. Despite this, the need for identity and access management is more vital now than it has ever been. During the last several years, we have seen a variety of cyber operations conducted by nation states effectively access protected data by either focusing on the trust that has been developed inside networks or by exploiting weaknesses in IAM products and/or IAM implementations.
Attacks may come from a wide variety of sources, including as nation-states, terrorist organizations, organized criminals, hacktivists, and people with the intent to do damage or steal information. Organizations are vulnerable to these kinds of attacks and cause shame to a company or group. In addition, businesses might be targets of attacks when a trusted user is the one responsible for the compromising of sensitive data (e.g., insider threat). The skills, goals, and strategies used by the broad range of threat actors are quite diverse. For instance, nation-state actors have enormous resources at their disposal and are able to devise multi-year strategies for acquiring access to essential resources. Indirect approaches, such as taking advantage of the supply chain, are another option open to them.
By taking use of known flaws in IAM, a malicious actor may get the same level of access to resources as regular users by imitating normal behavior, which makes it more difficult to identify the malicious actor. Because of this, the malicious actor is given more time to get access to resources and escalate privileges in order to achieve permanent access.
For instance, a recent CISA Warning (AA21-321A)4 revealed that Iranian government-sponsored advanced persistent threat (APT) actors are aggressively pursuing a wide variety of targets across several U.S. critical infrastructure sectors by taking advantage of IAM vulnerabilities to compromise credentials, elevate privileges, and create new user accounts on domain controllers, servers, workstations, and in directories responsible for authenticating and authorizing users and devices. These actors might use this access to launch further attacks, such as the exfiltration or encryption of sensitive data, the installation of ransomware, or extortion.
The following best practices and risk mitigation strategies suggested by CISA give suggestions that aid in combating potential dangers to the IAM by discouraging it, preventing it, detecting it, limiting the harm it does, and responding to it.
Governance of Identities
Identity governance may be defined as the process by which an organization centralizes and orchestrates the administration of its user and service accounts in line with the rules they have established. Identity governance offers businesses more insight into users’ identities and the access credentials they have, as well as improved controls to identify and prevent unlawful access. It is composed of a collection of procedures and regulations that address the division of responsibilities, role management, logging, access review, analytics, and reporting.
Environmental Hardening
In order to fortify the business’s operating environment, one must first ensure that the IAM foundations and implementations have been suitably protected, ensured, and trusted. The degree of hardening required will vary depending on what is being safeguarded. For instance, credential issuing systems that provide cryptographic digital certificates or stores of passwords are more significant since they ensure authentication for the whole of an organization. The implementation of cryptographic techniques must also be adequate to ensure the degree of security that is required by the system and that is presumed to be there.
The combination of Identity Federation and Single Sign-On
Identity federation employing SSO inside and/or between companies, including the employment of identity providers, reduces risks by centrally managing variations in policies and risk levels across the organizations and removes broad adoption and dependency on local identities. Without officially specifying the rules and degrees of trust and assurance across organizations or between different identity providers inside an organization, an organization is vulnerable to attacks that are based on flaws in each federated identity access management system. By centralizing the administration and control of authentication and access across many systems and from numerous identity providers, single sign-on (SSO) offers a capacity for mitigating risks. If it is effectively implemented, it also has the potential to increase the authentication assurance level that is necessary for initial sign-on, as well as to regulate and protect the authentication and authorization information that is sent from system to system.
A multi-factor authentication system
Usernames and passwords have been the primary pillars of user authentication since since multi-user computer systems came into existence. MFA stands for multi-factor authentication, and it is a method that is used to bolster the security of the authentication procedure by forcing the user to provide a number of “factors” that fall into a variety of categories. Authenticators for multi-factor authentication (MFA) may be implemented as software that is installed on a mobile phone or another device, or they can be implemented as specialized hardware tokens. Some multi-factor authentication (MFA) solutions are intended to strengthen password security by adding a second element, while others, referred to as “passwordless” solutions, are aimed to do away with the need of using passwords entirely. Password-free multi-factor authentication (MFA) solutions often require the use of two factors in conjunction with one another. For example, a cryptographic credential may be stored on a hardware token, and the token might be unlocked by using a memorized PIN.
IAM Monitoring and Auditing
The auditing and monitoring of IAM should not just check for compliance, but should also watch for threat indicators and unusual actions. This includes the development, gathering, and analysis of logs, events, and other information to give the best methods of discovering compliance related transgressions and suspicious activity. Without an efficient IAM auditing and monitoring program, threats like the exploitation of privileged access by insiders and the use of stolen credentials would not be discovered in a timely way, if they were discovered at all. These auditing and monitoring capabilities may be coupled with automated tools that coordinate reaction activities to counteract the threats made against the IAM. A situational understanding of the security posture of an organization’s IAM may also be gained via effective reporting from audits and monitoring.
The objective of this article was to offer a clear knowledge of how different mitigations battle the risks and to provide practical advice on what businesses should do now. In addition, the study aimed to provide a clear understanding of how various mitigations counter the threats. This covers the following:
• Do an evaluation of your existing IAM capabilities and risk posture.
• For those parts of the system that might need some work, choose, layer, integrate, and appropriately configure secure solutions in accordance with the recommended procedures outlined in this document and in the recommendations cited therein.
• Ensure that an adequate degree of security is maintained at all times in order to effectively manage risk throughout ongoing operations.
• Always be aware of the right way to use IAM and any potential hazards.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.