Building a Cybersecurity Strategy: Identity Access Management

Identity Access Management

After reviewing Asset Management, the next topic in the ‘Building a Cybersecurity Strategy’ series is Identity Access Management (IAM). IAM has everything to do with the ‘who’ of an organization. All the various types of accounts and their associated privileges fall into this category. Without strong Identity Access Management practices, the compromise of a single user can spell disaster for an organization.

Several key concepts can greatly decrease the likelihood of a compromised account and greatly limit the damage should a compromise occur:

  • Principle of Least Privilege

  • Securing Administrative Accounts

  • Strong Password Policies

  • MFA

  • Password Manager

  • Administrative Controls

 

Principle of Least Privilege

The Principle of Least Privilege can be defined as giving a user only the minimum set of permissions needed to accomplish their role within the organization. While a simple concept, this prevents users from accessing sensitive information not required for their role and limits the impact should their account become compromised.

For example, an engineer does not need to access the payroll information for the organization. At the same time, an individual working in Human Resources does not need access to blueprints that may be considered trade secrets.

 

Securing Administrative Accounts

Every organization will inevitably have users that have elevated privileges. Employees working in IT must have administrative rights to manage IT assets – there’s no escaping that. However, securing administrative accounts is important as it is the end goal for any hacker.

One great way to accomplish this is to give each administrator two accounts. One account should be used for day-to-day activities such as messaging, email, and browsing the internet, and the other for administrative duties. Should the employee get phished or download a malicious program, the attacker will have only gained access to the lower-privileged user account.

Separation of Duties is another important concept in securing administrative accounts. Preventing one admin from having control over the entire organization limits the damage done should that admin’s account become compromised. An example is dividing the administrative duties of managing user accounts, networking devices, and patch management across three individuals rather than a single admin having access to all three systems.

Service accounts, the accounts required by various applications throughout the organization, can also be a challenge. It is highly recommended to leverage both a strong password policy and a password manager to securely generate and rotate passwords for service accounts.

 

Strong Password Policies

The rules of a strong password policy are a hotly debated topic in the cybersecurity industry. Often, graphics are posted showing the calculation time, based on length or complexity, an attacker would need to crack a password. The problem with these flat estimates is the numerous password databases built by hackers over endless security breaches. A 16-character password is very strong until that password has been reused and included in a different breach.

Generally speaking, the following attributes allow for a strong password policy:

Admin Service Accounts

  • Length: At least 36 characters

  • Complexity: Letter, Number, Upper / Lower Case, Symbols

  • Age: 90 Days

  • History: 5 Passwords

  • Multi Factor Authentication

  • Password Managers

General User Accounts

  • Length: At least 12 characters

  • Complexity: Letter, Number, Upper / Lower case, Symbols

  • Age: 1 Year

  • History: 5 Passwords

  • Multi Factor Authentication


Note: Increased length plus MFA allows for a longer password age.

A banned word list includes commonly guessed passwords and can also be extended with passwords contained in security breaches. This greatly improves password security, as a password such as ‘Winter2021!!’ would meet the above criteria but be cracked almost instantly by an attacker. More sophisticated tools can be used to prevent incremental changing of passwords (i.e., MyP@ssw0rd1 -> MyP@ssw0rd2).
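The two policy tiers above, the banned list and the incremental-change check, put together as an added example (my code, not from the original post). The tier names, the banned entries and the sample passwords are constructed; a real deployment would load the banned list from a breach corpus.

```python
import re
from datetime import date, timedelta

# Two policy tiers taken from the post; the dictionary keys are my own names.
POLICIES = {
    "admin_service": {"min_length": 36, "max_age_days": 90, "history": 5},
    "general_user": {"min_length": 12, "max_age_days": 365, "history": 5},
}

# Constructed banned list: commonly guessed values plus entries seen in breach
# dumps. In production this would be a large list loaded from a breach corpus.
BANNED = {"winter2021!!", "password1!", "welcome123!", "letmein2024!"}

def has_complexity(pw: str) -> bool:
    """Letter, number, upper and lower case, and a symbol must all be present."""
    return all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))

def is_incremental(new: str, old: str) -> bool:
    """Catch MyP@ssw0rd1 -> MyP@ssw0rd2: same stem once trailing digits are stripped."""
    strip = lambda s: re.sub(r"\d+$", "", s).lower()
    return new != old and strip(new) == strip(old)

def check_new_password(pw: str, tier: str, previous: list) -> list:
    """Validate a proposed password against its tier; returns a list of violations."""
    p = POLICIES[tier]
    recent = previous[-p["history"]:]          # only the last N passwords count
    problems = []
    if len(pw) < p["min_length"]:
        problems.append(f"shorter than {p['min_length']} characters")
    if not has_complexity(pw):
        problems.append("missing letter, number, mixed case or symbol")
    if pw.lower() in BANNED:
        problems.append("on the banned/breached list")
    if pw in recent:
        problems.append(f"reused within the last {p['history']} passwords")
    elif any(is_incremental(pw, old) for old in recent):
        problems.append("incremental change of a previous password")
    return problems

def rotation_due(last_set: date, today: date, tier: str) -> bool:
    """True when the current password is older than the tier's maximum age."""
    return today - last_set > timedelta(days=POLICIES[tier]["max_age_days"])
```

Note that ‘Winter2021!!’ passes every length and complexity rule and is rejected only by the banned list, which is the point the post makes.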

 

Multi Factor Authentication

Simply put, Multi Factor Authentication is one of the best ways to prevent a user account from becoming compromised. In this current threat landscape, there are numerous ways a hacker could steal a password. Adding an additional layer to login vastly decreases the likelihood of that attacker gaining access to an organization. Enable MFA. Seriously, do it.

Should an employee fall victim to a phishing email, MFA adds a layer of complexity to prevent an attacker from leveraging stolen credentials. You can learn more about how to spot a phishing email in our blog post ‘How to Gut a Phish [Dissecting a Phishing Email]’.

Most modern cloud-based applications offer native multi-factor authentication, with some having it enabled by default. All the major cloud platforms, including Azure, Amazon Web Services, and Google Cloud, have MFA capabilities. While there are a variety of methods to accomplish MFA, known as form factors, simply having it enabled is a strong start.

When using more modern identity access solutions, conditional access can also be leveraged to streamline the MFA process and lock out malicious attempts. By configuring conditional access, administrators can granularly control how and where users can log in. A conditional access policy can be defined to:

  • Automatically deny all login attempts outside of the United States

  • Require Multi-Factor Authentication when outside of the corporate network

  • Allow users to log in with just a password when on the corporate network
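The three rules above, evaluated in order, as an added example (my code, not a vendor's conditional access engine). The corporate range, the IP-to-country table and the lockout threshold are constructed; in practice the country comes from the identity provider's geo-IP data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed environment: one corporate egress range and a tiny IP-to-country
# table standing in for the identity provider's geo-IP lookup.
CORP_NETWORKS = [ip_network("203.0.113.0/24")]
GEO_COUNTRY = {"203.0.113.7": "US", "198.51.100.9": "US", "192.0.2.44": "RU"}
LOCKOUT_THRESHOLD = 5   # constructed value: denied attempts before the account locks

@dataclass
class SignIn:
    user: str
    source_ip: str
    password_ok: bool
    mfa_ok: bool

def on_corp_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)

def evaluate(s: SignIn) -> str:
    """Apply the post's three rules; returns 'deny', 'allow' or 'mfa_required'."""
    # Rule 1: deny every attempt outside the United States. An unknown location
    # is treated as outside (fail closed).
    if GEO_COUNTRY.get(s.source_ip) != "US":
        return "deny"
    if not s.password_ok:
        return "deny"
    # Rule 3: a correct password alone is enough from the corporate network.
    if on_corp_network(s.source_ip):
        return "allow"
    # Rule 2: everywhere else in the US the second factor is mandatory.
    return "allow" if s.mfa_ok else "mfa_required"

def evaluate_with_lockout(s: SignIn, deny_counts: dict) -> str:
    """Wrap evaluate() with a per-user lockout so repeated malicious attempts stop early."""
    if deny_counts.get(s.user, 0) >= LOCKOUT_THRESHOLD:
        return "locked"
    result = evaluate(s)
    if result == "deny":
        deny_counts[s.user] = deny_counts.get(s.user, 0) + 1
    return result
```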

 

Password Managers

Encouraging employees to leverage password managers greatly reduces password reuse and allows for random generation of passwords, increasing account security. By leveraging a company-wide password manager, administrators can set extremely long, random passwords that do not have to be memorized or written down.

Commercial solutions include features such as auditing, secret sharing, and Active Directory integration. At the very minimum, personal password managers can be leveraged by employees to increase security with organizational accounts.

 

Administrative Controls

While not as exciting or as elaborate as conditional access or password managers, administrative controls such as strong documentation and IAM policies can help secure user accounts. Aligning user roles and required permissions, known as Role Based Access Control, can greatly reduce excessive permissions and streamline the on-boarding / off-boarding process for new employees. Administrators can leverage a Role Based Access Matrix to quickly assign permissions to users.

Tip: Permissions should always be assigned to a role and then that role assigned to a user. Avoid assigning permissions to users directly.

Another administrative control is the process in which users are on-boarded and decommissioned. Leveraging RBAC, administrators should have a clean process to quickly provision a user account for a new employee or contractor. When that employee or contractor leaves the organization, steps should be outlined to securely remove the user’s access to the organization.

Auditing user accounts for residual accounts or access should be performed annually at a minimum. Identifying accounts that have not been logged into in several months, reconciling the user list with HR’s termination list, and reconciling the RBAC Matrix with HR’s Job Title / Department list are all great ways to audit user access.
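A Role Based Access Matrix, the Separation of Duties check from the administrative accounts section, and the annual audit described above, as an added example (my code, not the post's). The roles, permissions, HR feeds and directory snapshot are all constructed.

```python
from datetime import date, timedelta

# Constructed role-based access matrix: permissions attach to roles, and users
# only ever receive roles.
ROLE_MATRIX = {
    "engineer": {"source_repo:read", "source_repo:write", "build_server:use"},
    "hr_specialist": {"hris:read", "payroll:read"},
    "it_admin": {"user_accounts:manage"},
    "network_admin": {"network_devices:manage"},
}
# Separation of duties: role combinations one person must not hold (constructed).
SOD_CONFLICTS = [{"it_admin", "network_admin"}]
# Constructed HR feeds: job-title mapping and the termination list.
HR_ROLE_BY_USER = {"alice": "engineer", "bob": "hr_specialist", "carol": "it_admin"}
HR_TERMINATED = {"dave"}
# Constructed directory snapshot used by the example run.
SAMPLE_USER_ROLES = {"alice": ["engineer"], "bob": ["hr_specialist", "engineer"],
                     "carol": ["it_admin"], "dave": ["network_admin"]}
SAMPLE_LAST_LOGIN = {"alice": date(2024, 6, 1), "bob": date(2024, 6, 1),
                     "carol": date(2024, 1, 5), "dave": date(2024, 2, 1)}

def effective_permissions(user: str, user_roles: dict) -> set:
    """Permissions a user actually has, derived only through their roles."""
    return set().union(*(ROLE_MATRIX[r] for r in user_roles.get(user, [])))

def audit_accounts(user_roles: dict, last_login: dict, today: date,
                   stale_days: int = 90) -> list:
    """Reconcile the directory with HR and flag stale or conflicting access."""
    findings = []
    for user, roles in user_roles.items():
        roles = set(roles)
        if user in HR_TERMINATED:
            findings.append((user, "terminated per HR but account still exists"))
        elif user not in HR_ROLE_BY_USER:
            findings.append((user, "not in HR job title / department list"))
        elif roles != {HR_ROLE_BY_USER[user]}:
            findings.append((user, "roles do not match HR job title"))
        if any(conflict <= roles for conflict in SOD_CONFLICTS):
            findings.append((user, "separation of duties conflict"))
        if today - last_login.get(user, date.min) > timedelta(days=stale_days):
            findings.append((user, f"no login in {stale_days} days"))
    return findings
```

Running the audit over the sample snapshot flags bob's excess engineer role, carol's stale login, and dave's account surviving his termination.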

 

Help With Who’s Who?

While high level, following these concepts will greatly reduce the likelihood of user account compromise and reduce the impact should it happen. Such concepts are simple in theory but become more complicated in practice and implementation. It is important that technical and administrative controls align. People are the most important but most vulnerable component of any organization, and it is crucial to keep them safe.

If your organization is interested in learning more about Identity Access Management or interested in assistance with a user account review or aid in developing policies and procedures, please do not hesitate to contact us. Stay tuned for the next installment of Building a Cybersecurity Strategy.
