61% of businesses don’t effectively monitor their software access setting, which means that anyone could potentially gain unwarranted access, and the IT department would be none the wiser! Therefore, the importance of proper and strategic identity and access management (IaM) cannot be overstated.
IaM combines technologies and policies to manage user identities and help control user access to business resources (data, apps, systems). An effective IaM strategy is imperative in thwarting the increasing proportion of threat actors that seek to compromise and take over user accounts in cyber attacks.
A particularly undesirable outcome from an ineffective or missing IaM strategy is a takeover of privileged accounts. These privileged accounts provide the veritable keys to your kingdom of most important IT assets.
As cloud computing and hybrid work arrangements gain steam, software infrastructure likely has more attack vectors than ever before. In this article, you’ll get a better understanding of what IaM is, why it matters for your business, and some IaM best practices for improving your security posture.
What is Identity and Access Management?
To fully understand identity and access management, it’s useful to break it down into two components:
- Identity management entails creating, maintaining, monitoring, and deleting information about a user’s identity and setting appropriate controls that authenticate (or verify) that users are who they claim to be.
- Access management is all about using policy-based decisions to authorize access to various resources given the specific attributes of a user’s identity.
For as long as societies, tribes, or nations have had secrets, they wanted to safeguard them against outsiders. This means the concepts of identity and access management have long existed, albeit in more primitive forms. The origins of modern IaM arguably began with access control lists (ACLs) in the 1990s. These lists specified a set of permissions associated with a specific computer resource.
Why IaM Matters?
IaM is important both from a security and productivity standpoint. The security lens is that this combination of technological solutions, policies, and frameworks is an effective way to protect digital resources from compromise through account takeover attacks.
IaM also matters for productivity. Modern solutions provide automated capabilities that save a ton of time for IT security teams in manually provisioning or de-provisioning user access. This automation extends to end users who spend less time waiting for manual password resets when locked out of their accounts. Efficient workflows around access management help ensure users have the right suite of tools and access to complete their work at any given time; no more and no less.
Challenges in Enforcing IaM Policies
A big challenge in enforcing IaM policies is the complex IT ecosystems in which companies operate. These ecosystems require policy enforcement and administration across cloud resources, standard user accounts, customer accounts, and privileged/admin accounts. Furthermore, with most businesses using multiple cloud providers, there are distinct IaM concepts and tools to understand in any provider’s cloud ecosystem.
Another challenge is the short-lived nature of many cloud workloads. Applications can be spun up on virtual machines or containers in minutes; cloud infrastructure can be temporarily used for staging or testing/development. Assigning and tracking user permissions in this fleeting ecosystem comes with visibility challenges.
Facilitating remote work access is also a tricky part of IAM. Covid changed the work landscape seemingly permanently, with most businesses now catering to hybrid work arrangements. For users working at home, IaM solutions must facilitate user access across multiple devices and platforms.
The Way Forward: IaM Best Practices
The discipline of IaM provides a way forward for businesses looking to improve cybersecurity and keep fraudsters at bay. Here are four best practices to secure business resources and accounts against hacks.
1. Identify and limit access to your high-value data
Hackers today have a laser focus on accessing high-value data. Whether it’s sensitive data about customers or intellectual property, exfiltrating this information provides a pretext to demand hefty ransoms from businesses to return the stolen information. If the victim doesn’t pay, the data often ends up on the dark web for sale or for free.
Within the complex IT ecosystems operated by most businesses today, high-value data could live anywhere from the cloud and on-premise servers to inside SaaS apps. It’s your job to take on the mantle of data detective and discover your most valuable data assets.
Having identified this data, audit current access levels and determine who really needs that access. Take a hardline attitude here and de-provision access for users who don’t need it. The point here is to reduce the number of possible user accounts from which takeover gives direct access to sensitive information.
2. Enforce a strong password policy
Strong password policies remain an essential part of any IaM strategy, partly because businesses are reluctant to move away from using passwords to guard logins. Non-technical hacks, such as guessing passwords or automating login attempts with stolen passwords, still work with surprising regularity when targeting both employees and customers. An effective password policy communicates to users the importance of setting strong passwords, changing passwords with an appropriate frequency, and not reusing the same password across multiple accounts.
3. Use MFA to guarantee a user is who they claim to be
Multifactor authentication (MFA) provides additional assurance about a user’s identity. MFA works by requiring users to provide two or more distinct categories of evidence that verify who they are upon logging into an application or initiating a transaction. Commonly, MFA implementations pair something the user knows (their usual username-password credentials) with something they have in their possession (smartphone, hardware token) or something intrinsic to who they are (e.g. fingerprint, retina scan).
Mandating MFA for all users helps to mitigate many identity-focused cyber attacks, including phishing, credential stuffing, and brute force password hacks. The infamous Colonial Pipeline breach of 2021 could’ve been deterred had the company enforced MFA on a user’s compromised VPN account. Threat actors seized control of the VPN account using credentials found in a dark web leak.
4. Adopt the principle of least privilege
The success of nefarious cyber acts often depends on how well (or poorly) a targeted organization exercises control over access permissions. Your business can get caught if it emphasizes user experience to the detriment of security when setting access permissions for what users can do and what resources they can access. Giving most users free reign to access many or all systems and resources is a risky strategy that will backfire.
The principle of least privilege takes a more cautious approach by only providing the access levels that are strictly necessary for a user’s job role. As a user’s role changes, you can revoke and provision access to the relevant applications and data as needed. Sticking to this principle helps reduce the likelihood that an account takeover automatically results in the desired access or control over data and important systems.
Authenticity Goes Both Ways
In today’s digitized world, authenticity goes both ways. An effective IaM strategy based on best practices helps internal IT security teams verify the authenticity of user identities and restrict access appropriately to sensitive resources. But what about proving the authenticity of your brand to your users and customers?
Threat actors today regularly use spoofed domains and sophisticated emails that direct unsuspecting targets to malicious websites that appear similar to branded domains. Users can unknowingly download malware or disclose credentials on these fake websites.
Memcyco provides a solution: full-scope identity verification and protection for both brands and end users. A digital watermark provides customers with instant and definite confirmation that your websites and correspondence are truly yours. Meanwhile, detection capabilities help to alert you about attempts to impersonate your brand, be it through phishing scams, domain spoofing, cloning, or other forms of brand identity theft. Learn more about Memcyco here.
Eyal is head of demand generation at Memcyco