As digital information and systems continue to move toward cloud-based technologies, we often hear the expression “Identity is the new firewall”. This statement emphasizes the increasing importance of identity management (IDM) as a fundamental component of every IT security program. 90% of data breaches begin with some form of phishing, and these phishing attacks are often being used to steal credentials. Rather than trying to identify and exploit a vulnerability from the outside, many attackers find it easier and more productive to compromise a user’s credentials, and then “walk in the front door.” In order to protect your organization it’s important to understand the value of identity management and implement best practices to reduce risk when it comes to users.
What Is Identity Management?
Identity management, which is also sometimes referred to as identity and access management (IAM), is the overarching technique and strategy for verifying a user’s identity, and confirming that the verification is accurate, before granting access to a system or network.
Why is Identity Management Important?
Organizations need to utilize identity management best practices in order to verify who is gaining access to their systems and to keep their information and data safe. Without proper identity management, hackers can easily access systems and steal information.
5 Keys to Identity Management
1. Use a cloud-based identity management directory. A cloud-based system enables integrated and coordinated access to both on-prem and cloud-based applications and data. For businesses utilizing Microsoft Office 365, Azure AD is an excellent option. Okta is also a very good 3rd party directory.
Utilizing a cloud-based identity directory allows you to use “identity federation,” which enables the use of common credentials across cloud-based SaaS applications, rather than carrying around a key ring of unique credentials for each cloud-based system. In many cases, this can also enable a “single sign-on” experience where you do not need to re-authenticate when accessing cloud-based applications and services. This increases convenience for users and IT organizations alike.
The use of a common directory service also provides critical integration to identity management processes. When an employee or contractor leaves the organization, the disabling of their primary logon credential will automatically disable their ability to log on to all of the integrated/federated on-prem and cloud-based systems and services, rather than disabling accounts for these services individually.
2. Multi-factor authentication (MFA). Perhaps the single most important security technology to allow business and IT security personnel to sleep at night. MFA will typically utilize something you know (a password) with something you have (often a cellphone) to provide an important layer of protection beyond passwords alone. No matter how strong a password may be, it is always possible that it can be compromised through social engineering or eavesdropping. By adding the additional factor, the likelihood of identity compromise drops significantly.
In most organizations, the use of MFA should be a requirement for remote access to company networks, systems and data. As more organizations move resources to the cloud and more employees work from home, more and more access to systems and data will fall into this “remote access” category and require MFA.
The cost and level of effort to implement MFA have come down considerably in recent years. Using the native MFA features of the cloud-based identity directory is the recommended approach: it is the most cost-effective option (often included at no extra charge in the cost of the directory service) and is much easier to implement.
3. Privileged Account Management (PAM). Attackers will seek to gain access to privileged “administrator” accounts because these accounts have the ability to bypass many standard security controls and have the greatest ability to access confidential data. Privileged accounts should not be used for daily activities such as reading emails or internet browsing, as these activities raise the risk of an account compromise. PAM technology solutions provide an additional layer of security for privileged accounts. CyberArk is the recognized leader in this space, and although costly, provides an extra layer of security by managing privileged accounts by automatically changing passwords every time the account is used. For small and medium-sized businesses, your cloud-based directory service provider may provide similar functionality. Administrative accounts are often granted exceptions to good practice password standards, but these accounts actually require greater diligence rather than less. It may be appropriate to require the use of MFA for all use of highly privileged administrator accounts.
4. Strong password standards. In the well-publicized SolarWinds breach, one of the contributing factors was an easily guessed password. It is important to have password standards that prevent passwords from being easily broken through simple dictionary-based “password spray” attacks. Try not to make password rules overly complex, which can lead to users writing passwords down. Requiring a password to contain alphanumeric and special characters is helpful, but generally, password length is the best defense against brute-force password cracking. It’s a great suggestion to ask employees to use a 16-character password generator to create a complex 16-character password for any critical accounts, and to reinforce this with multi-factor authentication. However, it is far more important to utilize MFA than to have overly complicated password standards.
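The two claims in this section, that length beats character-class rules and that spray attacks succeed on a short list of predictable passwords, can be checked with a small policy routine. The following is an added example written for this article, not code from the original or from any product; the common-password list is a constructed illustration (a real deployment would check against a large breached-password corpus such as the Pwned Passwords dataset), and `check_password`, `brute_force_bits` and `generate_password` are names chosen here.

```python
import math
import secrets
import string

# Constructed mini-list of the kind of guesses used in password spray attacks.
# Illustrative only; production checks use a breached-password corpus of millions.
COMMON_PASSWORDS = {
    "password", "password1", "welcome1", "summer2024", "p@ssw0rd",
    "company123", "qwerty123", "letmein", "changeme",
}

# Undo the usual character substitutions so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans("@0$1!3", "aosiie")


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker would have to search for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound on the search space, in bits, for exhaustive guessing.
    Each extra character multiplies the space; each extra class only adds to the base."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw: str, min_len: int = 12, critical: bool = False) -> list[str]:
    """Return the list of policy failures; an empty list means the password is acceptable.
    Critical accounts follow the article's 16-character recommendation."""
    need = 16 if critical else min_len
    problems = []
    if len(pw) < need:
        problems.append(f"shorter than {need} characters")
    normalised = pw.lower().translate(LEET)
    if pw.lower() in COMMON_PASSWORDS or normalised in COMMON_PASSWORDS:
        problems.append("matches a common password used in spray attacks")
    if len(set(pw)) <= 2:
        problems.append("too few distinct characters")
    return problems


def generate_password(length: int = 16) -> str:
    """Random password from the full printable ASCII set, using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "correcthorsebatterystaple", generate_password()]:
        print(f"{candidate!r}: {brute_force_bits(candidate):.1f} bits, "
              f"problems={check_password(candidate)}")
```

Running it shows the asymmetry the article describes: a nine-character password drawn from all four character classes sits at roughly 59 bits, while a 25-character all-lowercase passphrase is over 117 bits, and the “complex” `P@ssw0rd` is rejected outright because it normalises to a spray-list entry.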
5. Security event monitoring. A solid identity management program is the foundation for monitoring against network intrusion. A modern cloud-based identity directory, such as Azure AD for Office 365, can provide many critical alerts of potential compromise of network identities, such as:
Accounts logging in from a unique or unusual geographic location.
Accounts that are concurrently logged on from multiple locations.
Accounts that log on from different geographic locations within a timespan that would be impossible for a legitimate authorized user to accomplish.
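The three alert types above are all computable from the sign-in log a cloud directory exports (user, timestamp, source IP and the geolocation of that IP). The example below is added for this article, not the directory vendor’s own detection logic; it runs over a handful of constructed sign-in events (the IPs are from the documentation ranges, the cities and coordinates are real places chosen for illustration) and implements each of the three checks: a location outside the user’s known baseline, sign-ins from two locations within a short window, and a speed between consecutive sign-ins that no traveller could achieve. The 1,000 km/h threshold is an assumption chosen to sit above airline speed.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in events (not real data). Field names mirror what a
# directory sign-in log typically exposes after IP geolocation.
SIGN_INS = [
    {"user": "alice", "ts": "2024-03-01T08:00:00Z", "ip": "203.0.113.10", "city": "London",     "lat": 51.5074,  "lon": -0.1278},
    {"user": "alice", "ts": "2024-03-01T11:00:00Z", "ip": "203.0.113.11", "city": "Manchester", "lat": 53.4808,  "lon": -2.2426},
    {"user": "bob",   "ts": "2024-03-01T09:00:00Z", "ip": "198.51.100.5", "city": "London",     "lat": 51.5074,  "lon": -0.1278},
    {"user": "bob",   "ts": "2024-03-01T10:00:00Z", "ip": "192.0.2.77",   "city": "Sydney",     "lat": -33.8688, "lon": 151.2093},
    {"user": "carol", "ts": "2024-03-01T09:30:00Z", "ip": "198.51.100.9", "city": "London",     "lat": 51.5074,  "lon": -0.1278},
    {"user": "carol", "ts": "2024-03-01T09:45:00Z", "ip": "192.0.2.200",  "city": "Lagos",      "lat": 6.5244,   "lon": 3.3792},
]

# Per-user "usual" locations, which a real system learns from historical sign-ins.
BASELINE = {"alice": {"London", "Manchester"}, "bob": {"London"}, "carol": {"London"}}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def by_user(events: list[dict]) -> dict[str, list[dict]]:
    """Group events per user, ordered by time, so consecutive pairs can be compared."""
    groups: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        groups[e["user"]].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
    return groups


def unusual_locations(events: list[dict], baseline: dict[str, set]) -> list[tuple[str, str]]:
    """Alert 1: sign-in from a city not in the user's baseline."""
    return [(e["user"], e["city"]) for e in events
            if e["city"] not in baseline.get(e["user"], set())]


def concurrent_locations(events: list[dict], window_minutes: int = 60) -> list[tuple[str, str, str]]:
    """Alert 2: two sign-ins from different cities within one session window."""
    alerts = []
    for user, evs in by_user(events).items():
        for a, b in zip(evs, evs[1:]):
            gap = (parse_ts(b["ts"]) - parse_ts(a["ts"])).total_seconds() / 60
            if a["city"] != b["city"] and gap <= window_minutes:
                alerts.append((user, a["city"], b["city"]))
    return alerts


def impossible_travel(events: list[dict], max_kmh: float = 1000.0) -> list[tuple[str, str, str, int]]:
    """Alert 3: implied speed between consecutive sign-ins exceeds what travel allows."""
    alerts = []
    for user, evs in by_user(events).items():
        for a, b in zip(evs, evs[1:]):
            hours = (parse_ts(b["ts"]) - parse_ts(a["ts"])).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if km == 0:
                continue
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                alerts.append((user, a["city"], b["city"], round(speed)))
    return alerts


if __name__ == "__main__":
    print("unusual location:", unusual_locations(SIGN_INS, BASELINE))
    print("concurrent locations:", concurrent_locations(SIGN_INS))
    print("impossible travel:", impossible_travel(SIGN_INS))
```

On the sample data alice’s London-to-Manchester move three hours later raises nothing (about 260 km at under 100 km/h), while bob’s London-to-Sydney hour and carol’s London-to-Lagos quarter-hour trip all three checks. When wiring this into a real pipeline, treat the alerts as triggers for the identity management actions from earlier in the article: force a credential reset, revoke refresh tokens and active sessions in the directory, and require MFA re-registration before the account is re-enabled.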
Identity management is the “new firewall,” especially with the rapid move toward cloud-based applications and systems. By implementing these fundamentals of identity management, large enterprises, as well as SMBs, can make significant progress in protecting their critical applications and data.
Paul Huttenhoff is an experienced leader of CyberSecurity Programs in several of the largest companies in the Energy sector, serving as an executive consultant for Emagined Security. In this series of Security Fundamental articles, he examines the “essential few” elements that every company, large or small, needs to address to manage critical cyber risk.