IAM May Help Secure Data, But It Needs to be Protected as Well

Marc Ashworth, Chief Information Security Officer, First Bank

Marc Ashworth, Chief Information Security Officer, First Bank

The COVID pandemic has changed many things in business today, including employees working remotely. This new normal increases the need for improved identity and access management (IAM) in the enterprise. The ability for users to remain efficient and gain access to systems remotely while validating their identity is imperative. Flexibility in the system to accommodate employee access as well as contractors, auditors, and other needs is a challenge. All the while providing security teams with the proper monitoring and governance to keep the bad actors out and look for internal threats. Placing identity at the core of your security strategy is a principle of the zero-trust model of security. Many IAM providers are providing the foundation to zero trusts with integrations with other products to help the enterprise validate the user and device access to resources. The concept of “least privileged” access to authentication to the applications should be engrained in the culture of the organization. User requests for access along with management approval of that access must not be more than the user needs. An employee’s job title can be used to set the baseline access for the application. The manager is the first line in validating access requests and current permissions. Assurance that any access exceptions with associated approvals are clearly documented in the IAM or ticketing system. Configuring your IAM and assigning the least privileged access is only part of the equation. Regular reviews of assigned credentials and permissions of a user lead to proper governance. Validating that a user is limited to their assigned duties prevents accidental, unauthorized access to data. This can occur due to a departmental or job change of an employee. Access permissions may be required during a set transition period but removed after a set period. Annual user access reviews of employee access validate that the employee has the proper security clearance.

During the review, there should be careful attention to nested group memberships and administrator groups. Limiting membership to the built-in administrator groups to separate privileged accounts and require multi-factor authentication. Review of those privileged accounts should be performed more frequently. Likewise, regular reviews of critical applications must also be performed on a regular basis. Many application service accounts do not have the same password policies as a user account and are typically created and forgotten. Therefore, regular annual reviews of an account’s applied permissions, settings, and usage by the security or auditing teams. Create service account policies requiring passwords of 25 characters or more with high entropy and periodic password changes. Storage of the passwords in a key vault or password manager that provides logging on when identities are accessed. Consider storing passwords on premise versus in the cloud and restricting access to individual identities in the vault. Some systems will automatically rotate passwords for service accounts on a set schedule. The Solar Winds supply chain attack in December of 2020 is a great example of additional levels of controls required to reduce the risk of compromised credentials. The attack is one of the most sophisticated attacks known to date has no single solution to prevent it. The attackers even bypassed multi-factor authentication. However, there are a few things to protect identities on the enterprise network. Disabling legacy broadcast protocols like LLMNR and Netbios and enforcing SMB and LDAP signing to prevent relay attacks are a few items. Encrypting network connections using IPSec in transport mode between systems to reduce the risk of replay attacks. You may want to consider isolating access to domain controllers and limit the use of administrator accounts. Finally, implementing network segmentation and micro-segmentation of traffic flows to limit lateral movement. No matter what provider you select, security control is implemented or procedures that you put in place for IAM. The ability to continuously monitor and enforce identity policies are crucial. Verification and oversight need to happen, and identity policies need enforcement. Log analysis, event correlation, and traffic inspection is necessary for security teams to search for anomalies and enforce account verification. Security teams should pay careful attention to user behavior and alerts associated with account creation, privilege group changes, trust changes, and failed login attempts. These events and numerous other events that occur can cause event fatigue.

The Concept of “Least Privileged” Access to Authentication to the Applications Should be Engrained in the Culture of the Organization

Implementing event automation can help reduce strain on security analysts. Securing your data by verifying identities and limiting permissions will reduce your risk. Implementing an IAM is only part of the equation for securing your data. Continuous monitoring and regular evaluation of your existing security controls will limit exposure and determine areas of improvement.