Cyber Resilience for Identity and Access Management

User identities — we all have more than one in the digital era. User identities are what enable users to access corporate systems and conduct their day-to-day job functions. However, it’s these same identities that attackers take advantage of to execute attacks within your environment. The latest threat reports show that the majority of modern attacks — from ransomware, data exfiltration, fraud, and more — leverage identities at some stage of the attack.

Because of the significant use of identities in these attacks, organizations must take care to appropriately secure identities within their environment. Protections go beyond simply managing usernames and passwords or adding multifactor authentication. Identity management expands these security controls to include access certification, which is the process of identifying access needs for employees and third parties, such as vendors and partners, based on their role or function and ensuring each user is granted just-in-time access and permissions to only the information and resources they need to do their work.

When prioritizing cybersecurity initiatives, developing the tools and processes for protecting identities should be at or near the top of the list given the critical role identities play in cyber resilience. When organizations dial in and standardize processes for protecting identities by defining access around roles and activities, they reduce the chances of identities, and subsequently, other protected assets, from being exposed.

Common Risks to Identities

When securing identities, most organizations focus on and implement controls around external threat actors. Because of this, overly permissive entitlements often go overlooked, leading to more impactful incidents when they do occur. For instance, how many people have access to HR information that shouldn’t have it? Or client information for clients they never work with? If you’re not monitoring this type of access, the answer is probably more than you realize. Or, how often does someone drop sensitive files into a less secure location such as a department file share? It happens a lot more often than organizations like to admit.

Prioritizing and enforcing least privilege access with just-in-time access to data goes a long way in protecting sensitive information from accidental, unauthorized access by insiders.

Vulnerabilities Around Identity and Access Management

Most identity and access management (IAM) vulnerabilities are related to improper configuration, a lack of visibility, poorly defined processes, or a breakdown in processes.

Not Keeping Up with Organizational Changes

One of the biggest challenges we continue to see in most environments is excessive permissions accumulated over time, usually by more tenured employees. As roles evolve, employees typically get access to new resources. Over time, this may result in access to a significant portion of the company’s information and data.

Overly permissive identities widen the scope and impact of an attack. Good IAM practices ensure that a user’s scope of information is limited to the needs of their role and regularly evaluated for deviations. Organizations need processes in place to ensure that joiners (new employees) and movers (employees changing roles) have access granted or revoked based on their evolving role in the organization. Leavers (employees exiting the organization) also need a process as they are quite often overlooked.

Organizations should also consider defining or optimizing processes to address these common scenarios that can lead to identity exposure:

  • A new employee fills a new role that’s not fully defined. In many cases, organizations grant too much access just in case they need it.
  • An employee needs temporary access to new information, for example, to support a special project or to cover for someone who’s sick or on leave. In this case, it’s important to put a time limit on the access.
  • Temporary elevated access for IT staff during troubleshooting. This type of access should be approved, reviewed, and granted for only a limited amount of time.
  • Credentials used by machines and processes, especially with elevated privileges. This scenario is increasingly common in modern operations environments where infrastructure is constantly changing and automation accounts multiply.
  • Database users with global read-only access. While it may seem like overkill to set up a limited read-only account, it is worth it as it limits exposure if a bad actor gets access to the account.
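
Added example, not from the original post: a small Python access-review pass over constructed entitlement records that flags the scenarios listed above, namely leavers who still hold access, temporary grants past their expiry, access outside a role's baseline, and standing (never-expiring) elevated access, including machine accounts. The record fields, role baseline and review date are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample entitlement records (not real data). "expires" is None for
# standing access; "status" tracks the identity lifecycle (active / left).
ENTITLEMENTS = [
    {"user": "alice",      "status": "active", "role": "hr-analyst", "resource": "hr-db",        "level": "read",  "expires": None},
    {"user": "bob",        "status": "active", "role": "engineer",   "resource": "hr-db",        "level": "read",  "expires": "2024-01-15T00:00:00Z"},
    {"user": "carol",      "status": "left",   "role": "consultant", "resource": "client-share", "level": "write", "expires": None},
    {"user": "dave",       "status": "active", "role": "sysadmin",   "resource": "prod-servers", "level": "admin", "expires": None},
    {"user": "erin",       "status": "active", "role": "sysadmin",   "resource": "prod-servers", "level": "admin", "expires": "2024-03-01T12:00:00Z"},
    {"user": "svc-deploy", "status": "active", "role": "service",    "resource": "prod-servers", "level": "admin", "expires": None},
]

# Assumed role baseline: the resources each role legitimately needs.
ROLE_BASELINE = {
    "hr-analyst": {"hr-db"},
    "engineer":   {"source-repo"},
    "sysadmin":   {"prod-servers"},
    "consultant": {"client-share"},
    "service":    {"prod-servers"},
}

ELEVATED_LEVELS = {"admin", "write"}
REVIEW_DATE = datetime(2024, 2, 1, tzinfo=timezone.utc)  # assumed "now" for the review


def review_entitlements(records, baseline, now):
    """Return (user, resource, finding) tuples for entitlements that need action."""
    findings = []
    for r in records:
        exp = r["expires"]
        exp_dt = datetime.fromisoformat(exp.replace("Z", "+00:00")) if exp else None
        if r["status"] == "left":
            # Leaver process failed: the identity is gone but the grant remains.
            findings.append((r["user"], r["resource"], "leaver-still-entitled"))
        elif exp_dt is not None and exp_dt < now:
            # Time-boxed access (project cover, troubleshooting) was never revoked.
            findings.append((r["user"], r["resource"], "temporary-access-expired"))
        elif r["resource"] not in baseline.get(r["role"], set()):
            # Access accumulated outside what the role needs (mover drift).
            findings.append((r["user"], r["resource"], "outside-role-baseline"))
        elif exp_dt is None and r["level"] in ELEVATED_LEVELS:
            # Permanent elevated rights, human or machine, should be just-in-time instead.
            findings.append((r["user"], r["resource"], "standing-elevated-access"))
    return findings


def run_review():
    return review_entitlements(ENTITLEMENTS, ROLE_BASELINE, REVIEW_DATE)


if __name__ == "__main__":
    for user, resource, finding in run_review():
        print(f"{finding:26} {user:12} {resource}")
```
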

Excessive Session Times

When organizations configure their IAM platform, it’s not uncommon for some out-of-the-box defaults, such as session timeout limits, to not be configured to best practices. Or it’s possible that some accounts are exempted from these configurations without appropriate review of risk due to company culture or system limitations.

Session times should be determined using a risk-based approach based on role, function, and intended activities. For instance, when you invite users to click a checkbox at login to remember their credentials, should that privilege be granted forever for everyone in each instance? For those on the go, an hour may be the best timeframe for remembering credentials because that’s how long they’re likely to be in one location.

By putting some real thought into customizing session times based on roles and activities, you can reduce the risk of exposing credentials.

Not Protecting Your IAM Platform

Because identities are the keys to the kingdom, threat actors will often work to escalate permissions once they have a foothold in an environment. One way they can do this is by targeting and compromising the system that issues and validates those identities: your authentication platform itself.

One such technique was used by bad actors during the SolarWinds incident in December 2020. For months prior to public disclosure of the compromise, threat actors were using the “golden SAML” attack within environments, allowing them to impersonate any user and bypass MFA requirements, which ultimately made their activity much harder for security teams to detect.

Lateral Movement in the Event of a Breach

The goal of cyber resilience is to minimize the exposure and impact of an attack, which includes limiting the “blast radius” if a breach does occur. With proper tools and controls in place for IAM, a breach can be less costly to the organization. While other resilience techniques such as endpoint protection are important, protecting identities and access is critical to preventing unauthorized lateral movement to other systems within the environment. Good IAM practice is the best control point for preventing lateral movement and limiting the blast radius of a successful attack.

Getting Locked Out at an Inconvenient Time

While building and improving processes to protect your identities, it’s crucial to consider the entire lifecycle of an identity. That includes joiners, movers, and leavers, but identity also plays a role in incident response and recovery activities. Administrative use should be limited, yet incident response teams must also take into consideration which accounts and permissions they may need during an incident. Processes must be designed to ensure authorized responders are not completely locked out of your systems.

How Evolving Solutions Can Help

When it comes to identity and access management, organizations have a lot of moving parts to consider. One thing we’ve learned over our 25+ years of helping organizations operate resilient systems is that IAM isn’t the same for every organization. Every organization has a unique workforce accessing unique resources.

Evolving Solutions can help you take a holistic look at your organization’s entire identity system from mainframe to mobile apps and walk you through the journey of internal and external threats to help you understand how systems can be misused and the role of identity management in shoring up your cyber resilience.

In our experience, we’ve learned that many organizations have the right technology in place but haven’t been able to invest the time needed to build robust processes around that technology. Evolving Solutions can help you develop the processes to effectively manage identities throughout their entire life cycle, including the role identities play in incident response.

IAM platforms hold a lot of promise for improved cyber resilience. Evolving Solutions can help you navigate the complexities of IAM so you can get the best value from your IAM investment.

Jon Roberts

Security Architect

Jon Roberts is a Security Architect at Evolving Solutions. Connect with Jon on LinkedIn here.
