IAM within the framework of defence in depth

IT leaders should address their internal processes to minimise their organisations’ IT security risk exposure and attack surface. This becomes ever more complex as business IT environments evolve.

Leaders not only need to consider which employees and job roles require access to which IT systems, but also non-human access controls where either an internal or external system is granted access to a given IT resource.

However, as Varun Prasad, vice-president of ISACA San Francisco Chapter and an ISACA emerging trends working group member, points out, companies tend to overlook or rush through certain traditional access management processes due to the ever-increasing size and complexity of their IT landscape.

“It is important to periodically review access authorisations to all assets in the environment by appropriate management personnel,” says Prasad, adding that this should not be a “checkbox” activity but should involve a thorough evaluation of access entitlements to detect privilege access creep.

Prasad believes the accounts and authorisations included in the review should go beyond those that provide access to production systems. It should also include all non-human identities and where access to source code repositories, keystores, secret vaults and datastores is needed.  

Given that human error is often the main reason for cyber security incidents, Prasad recommends automating key processes such as account provisioning, deprovisioning and access reviews. Another good practice he recommends is interfacing the organisation’s centralised identity access management (IAM) platform with the corporate human resource management system, which offers a way to automate the offboarding of employees.


“The access review process should also be automated at periodic intervals to ensure all access rights are commensurate with job responsibilities,” he adds.
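The review Prasad describes can be expressed as a join between the HR roster and an IAM entitlement export: leavers who still hold accounts, entitlements that have drifted beyond a job role's baseline, and non-human identities with no accountable owner. The following is an added example, not code from the article or from ISACA; the record formats, role baselines and field names are constructed for the demonstration.

```python
"""Added example: an HR-driven access review that surfaces orphaned accounts,
privilege creep and unowned non-human identities.

Not code from the article or from ISACA. The data shapes, role baselines and
field names below are assumptions constructed for this demonstration.
"""
from dataclasses import dataclass, field

# Constructed HR roster: employee id -> (job role, employment status).
HR_ROSTER = {
    "e100": ("developer", "active"),
    "e101": ("sre", "active"),
    "e102": ("developer", "terminated"),
}

# Constructed role baseline: the entitlements a job role is expected to hold.
ROLE_BASELINE = {
    "developer": {"git:read", "git:write", "ci:run"},
    "sre": {"git:read", "ci:run", "prod:ssh", "vault:read"},
}

# Constructed IAM export. Non-human identities carry no HR id and must name an owner.
IAM_ACCOUNTS = [
    {"account": "alice", "hr_id": "e100",
     "entitlements": {"git:read", "git:write", "ci:run", "prod:ssh"}},
    {"account": "bob", "hr_id": "e101",
     "entitlements": {"git:read", "ci:run", "prod:ssh", "vault:read"}},
    {"account": "carol", "hr_id": "e102", "entitlements": {"git:read", "git:write"}},
    {"account": "svc-deploy", "hr_id": None, "owner": "e101",
     "entitlements": {"ci:run", "vault:read"}},
    {"account": "svc-legacy", "hr_id": None, "owner": None, "entitlements": {"prod:ssh"}},
]


@dataclass
class ReviewFindings:
    orphaned: list = field(default_factory=list)          # HR record terminated or missing
    privilege_creep: dict = field(default_factory=dict)   # account -> entitlements beyond baseline
    unowned_nonhuman: list = field(default_factory=list)  # service accounts without an active owner


def review_access(accounts, roster, baseline):
    """Return the findings an automated periodic access review would raise."""
    findings = ReviewFindings()
    for acct in accounts:
        name, hr_id = acct["account"], acct["hr_id"]
        if hr_id is None:
            # Non-human identity: its owner must be a current, active employee.
            owner = acct.get("owner")
            if owner is None or roster.get(owner, (None, "missing"))[1] != "active":
                findings.unowned_nonhuman.append(name)
            continue
        role, status = roster.get(hr_id, (None, "missing"))
        if status != "active":
            # A leaver (or an unknown person) still holds an account: deprovision it.
            findings.orphaned.append(name)
            continue
        # Anything beyond the role baseline is creep to be justified or removed.
        extra = acct["entitlements"] - baseline.get(role, set())
        if extra:
            findings.privilege_creep[name] = sorted(extra)
    return findings


if __name__ == "__main__":
    result = review_access(IAM_ACCOUNTS, HR_ROSTER, ROLE_BASELINE)
    print("orphaned accounts:", result.orphaned)
    print("privilege creep:", result.privilege_creep)
    print("unowned non-human identities:", result.unowned_nonhuman)
```

Feeding the real HR export into the same comparison on a schedule is what turns the review from a checkbox into the continuous control Prasad asks for; the output is a work queue (deprovision, justify, assign owner), not a report to file away.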

While social engineering is a well-understood attack vector for stealing someone’s password, Prasad notes that analysis of recent cyber attack patterns shows that by using phishing and social engineering, cyber attackers are also able to steal the unique codes generated to access systems that use multifactor authentication (MFA).

He urges organisations to implement phishing-resistant MFA techniques instead of using the traditional code-based MFA methods, as this removes the human element in the process. Popular phishing-resistant MFA techniques include web-based authentication (WebAuthn) and public key infrastructure (PKI)-based authentication.
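The reason the two MFA styles behave so differently under phishing is visible in what the server actually verifies. The following is an added example, not code from the article: a TOTP code computed per RFC 6238 carries no information about which web page it was typed into, whereas a WebAuthn-style assertion signs the origin the browser was really on, so a relayed code passes and a relayed assertion does not. The relying-party origin, challenge and credential key are constructed, and an HMAC stands in for the authenticator's public-key signature so the code runs with the standard library alone.

```python
"""Added example: a one-time code survives a relay, an origin-bound assertion does not.

Illustrative code, not from the article. TOTP follows RFC 6238 (HMAC-SHA1,
30-second step). The WebAuthn-style part keeps only the checks that give
phishing resistance (challenge and origin in the signed clientDataJSON); the
authenticator's ECDSA signature is replaced by an HMAC over the same bytes with
a constructed per-credential key, purely to avoid third-party libraries.
"""
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://login.example"          # constructed relying-party origin
LOOKALIKE_ORIGIN = "https://login.example-sso.example"  # constructed look-alike origin


# ---- code-based MFA (TOTP, RFC 6238) ------------------------------------
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, t: int) -> bool:
    # The server sees six digits and nothing else: it cannot tell whether the
    # user typed them on the genuine page or on a look-alike that forwarded them.
    return any(hmac.compare_digest(totp(secret, t + d), code) for d in (-30, 0, 30))


# ---- origin-bound assertion (WebAuthn-style) ----------------------------
def sign_assertion(cred_key: bytes, challenge: str, origin: str) -> dict:
    # The browser, not the user, writes the origin it is actually on into
    # clientDataJSON, and the authenticator signs over its hash.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = b"\x00" * 37  # constructed stand-in for rpIdHash/flags/signCount
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def verify_assertion(cred_key: bytes, assertion: dict, expected_challenge: str) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:   # the check that defeats a relay
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def relay_comparison(now: int = 1_700_000_000) -> dict:
    """Same user, same second factors, but produced on the look-alike origin and forwarded."""
    secret, cred_key = b"constructed-totp-seed", b"constructed-credential-key"
    relayed_code = totp(secret, now)  # what the user read off their phone on the wrong page
    relayed_assertion = sign_assertion(cred_key, "chal-123", LOOKALIKE_ORIGIN)
    genuine_assertion = sign_assertion(cred_key, "chal-123", RP_ORIGIN)
    return {
        "totp_relay_accepted": verify_totp(secret, relayed_code, now + 5),
        "webauthn_relay_accepted": verify_assertion(cred_key, relayed_assertion, "chal-123"),
        "webauthn_genuine_accepted": verify_assertion(cred_key, genuine_assertion, "chal-123"),
    }


if __name__ == "__main__":
    print(relay_comparison())
```

In a real deployment the relying party also compares the rpIdHash at the start of authenticatorData with SHA-256 of its own RP ID and verifies the signature with the credential's registered public key; the origin check shown here is the part that removes the user's judgement from the loop.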

According to Forrester, generative artificial intelligence (GenAI) that builds on proven machine learning and AI models’ heritage can help organisations identify new identity threats in on-premise applications, software-as-a-service (SaaS) applications and cloud infrastructure platforms.

One IAM trend identified by Forrester is that some tools automatically generate identity and access policies to thwart these threats. Some IAM systems are also using GenAI to enable non-techies to run queries and reporting more easily.

“Citizen administrators and business users can ask questions such as, ‘Which five applications are the riskiest from an identity entitlement perspective?’ and receive answers from IAM systems in natural language,” note Forrester analysts in The top trends shaping identity and access management in 2024 report.

Despite significant advances in the platforms, tools and utilities used to manage IAM – some of which offer the integrated AI and analytics Forrester refers to – Prasad says access management is still a top priority for security practitioners, as there is plenty of room for improvement.

For instance, according to data from the Cloud Security Alliance, IAM-related risks are among the top two threats to cloud computing. Prasad also points to an Identity Defined Security Alliance poll of 500 large organisations, which found that 84% of those were impacted by an identity-related breach last year. 

The good news, at least from an IAM perspective, is that public cloud service providers such as Amazon Web Services and Microsoft Azure provide capabilities to implement phishing-resistant MFA to access their cloud environments. Prasad says the US Cybersecurity and Infrastructure Security Agency (CISA) views these techniques as the gold standard for protection against phishing and mandates their use as a part of a zero-trust strategy.

Secure culture

Beyond IAM technology, Prasad recommends companies establish a strong security-aware culture and practise basic IAM hygiene – follow the principle of least privilege, track all identities, monitor usage and periodically review entitlements.

Given the large number of IAM-related root causes behind data breaches and cyber incidents, he adds that it is critical to ensure a smooth and efficient operationalisation of IAM governance processes in the IT environment because a well-managed IAM landscape is the foundation for a strong cyber security posture.   

So, while IAM essentially provides a static defensive perimeter and should be at the heart of the defence against cyber phishing and ransomware attacks, Andrew Peel, cyber security expert, and Scott Swalling, data and cloud security expert, at PA Consulting, urge organisations to recognise that it will be breached. They suggest that IT security leaders use their wider security operations capability to proactively deliver threat detection and response, including approaches such as zero trust.   

Peel and Swalling recommend that organisations develop capabilities to detect and analyse signals that could be an indicator of attempted or existing compromise. For instance, trend analysis on usage and breaches can be used to identify and fix vulnerabilities.


“Threat detection tools – such as security information and event management capturing IAM and privileged access management logs – combined with established playbooks can reduce the impact of a successful phishing campaign by detecting and responding to anomalous activities such as seeking escalation of rights,” they say.
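As an added illustration of the kind of playbook logic Peel and Swalling describe (not code from the article or from PA Consulting), the routine below runs over a few constructed IAM audit events and flags privileged-role grants that are self-granted, that closely follow a login without phishing-resistant MFA, or that come from an actor outside an approved set. The event schema, role names and approved-granter list are assumptions; a real SIEM's field names will differ.

```python
"""Added example: detecting anomalous rights escalation in IAM/PAM audit events.

Illustrative code, not from the article or PA Consulting. The JSON event schema,
the sample lines, the privileged-role watch-list and the approved granters are
constructed for this demonstration.
"""
import json
from datetime import datetime, timedelta

# Constructed audit events, one JSON object per line, as a SIEM might ingest them.
SAMPLE_EVENTS = """
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "event": "login", "mfa": "webauthn", "src": "10.0.0.5"}
{"ts": "2024-05-01T08:02:00Z", "user": "alice", "event": "role_grant", "role": "reader", "actor": "iam-workflow"}
{"ts": "2024-05-01T09:10:00Z", "user": "dave", "event": "login", "mfa": "none", "src": "198.51.100.7"}
{"ts": "2024-05-01T09:11:00Z", "user": "dave", "event": "role_grant", "role": "GlobalAdmin", "actor": "dave"}
{"ts": "2024-05-01T09:12:00Z", "user": "dave", "event": "role_grant", "role": "SecurityAdmin", "actor": "dave"}
{"ts": "2024-05-01T10:00:00Z", "user": "erin", "event": "role_grant", "role": "GlobalAdmin", "actor": "helpdesk-bot"}
""".strip()

PRIVILEGED_ROLES = {"GlobalAdmin", "SecurityAdmin", "PrivilegedRoleAdmin"}  # constructed watch-list
APPROVED_GRANTERS = {"iam-workflow"}          # constructed: the only identity allowed to grant them
ESCALATION_WINDOW = timedelta(minutes=15)     # grant this soon after a weak login is suspicious
PHISHING_RESISTANT = {"webauthn", "pki"}


def parse_events(lines: str) -> list:
    """Parse newline-delimited JSON and convert timestamps to aware datetimes."""
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect_escalation(lines: str) -> list:
    """Return one alert per privileged-role grant that trips any rule."""
    last_login = {}   # user -> most recent login event
    alerts = []
    for e in parse_events(lines):
        if e["event"] == "login":
            last_login[e["user"]] = e
            continue
        if e["event"] != "role_grant" or e["role"] not in PRIVILEGED_ROLES:
            continue
        reasons = []
        if e["actor"] == e["user"]:
            reasons.append("self-granted privileged role")
        elif e["actor"] not in APPROVED_GRANTERS:
            reasons.append(f"actor '{e['actor']}' is not an approved granter")
        login = last_login.get(e["user"])
        if login and e["ts"] - login["ts"] <= ESCALATION_WINDOW \
                and login["mfa"] not in PHISHING_RESISTANT:
            minutes = int((e["ts"] - login["ts"]).total_seconds() // 60)
            reasons.append(f"granted {minutes} min after login without phishing-resistant MFA")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"],
                           "role": e["role"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_escalation(SAMPLE_EVENTS):
        print(alert)
```

Wired to a playbook, each alert maps to a response step (suspend the session, revert the grant, open a ticket to the approved granter), which is how detection shortens the window between a successful phish and the escalation it enables.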

According to Peel and Swalling, a coherent identity-centric security approach needs to be a core part of an organisation’s defences if it is to successfully combat cyber, phishing and ransomware attacks. They point out that the use of high-quality identity data and technology services to control access to resources, combined with proactive threat detection and response capabilities, plus user education, is vital for a security posture designed to meet rapidly evolving cyber attacks.

“We cannot address a human problem with technology alone,” says Mike Gillespie, managing director and co-founder of independent security consultancy Advent IM, and vice-president of the C3i Centre for Strategic Cyberspace and Security Science (CSCSS).

Gillespie believes security must shift to a more people-centric approach since it is ultimately the individuals who require access, whose identities must be managed and who need to be authenticated – and it is they who are currently enabling the failures, even when that is inadvertent.

“We must recognise that this is fundamentally a people challenge, not merely a technological one. By prioritising human factors in our security strategy, we can build a more effective and resilient posture towards cyber attacks, phishing and ransomware,” Gillespie says.

Emerging threats

Last year, several IAM technology providers were targeted by cyber attackers. This has ramifications for how IT decision-makers select providers of IAM products and services.

Analyst Forrester reports that organisations are seeking reassurances from IAM providers about their internal operational processes and security practices, as well as the security underpinning cloud-based, SaaS IAM offerings.

In The top trends shaping identity and access management in 2024 report, Forrester reports that customers now demand that their IAM providers comply with regulations and frameworks such as SOC 2, FedRAMP, ISO 27002 and PCI.

Additionally, customers are looking for assurances that the IAM provider’s workforce has been vetted. The report recommends that IT security chiefs demand multifactor authentication for all workforce business and admin users, without exception, and prioritise IAM providers that embrace secure-by-design and secure-by-default principles.

Overall, while technologies such as IAM play a supportive role in combating cyber attacks, they depend on individuals to make the right choices. To build an effective defence, Gillespie says organisations need to empower well-trained, security-conscious personnel who are backed by the right technology.

“Instead of having IT impose access restrictions arbitrarily, let’s engage our teams in identifying their access needs,” he adds.

By prioritising collaboration and understanding, Gillespie says it is possible to create a security framework that truly protects both the people and the organisations they work for.
