Identity and access management

From CNM Wiki
Revision as of 01:30, 7 January 2021 by Gary (talk | contribs) (Secure access with MFA & conditional access policies)
Jump to: navigation, search

In cyber-security, identity and access management (alternatively known by its abbreviation, IAM, as well as identification and access management or, simply, identity management; more narrowly known as user management; hereinafter, IAM) is practice and a set of concepts based on that practice of granting each user of some system a right system-user role.

The goal of IAM can be stated as to "enable the right individuals to access the right resources at the right times, and for the right reasons" (as quoted in Wikipedia. IAM combines business processes, policies, and technologies.


User management

User management defines the ability for administrator(s) to manage user access to various IT resources like systems, devices, applications, storage systems, networks, SaaS services, and more. User management is a core part to any directory service and is a basic security essential for any organization. User management enables admins to control user access and on-board and off-board users to and from IT resources. Subsequently a directory service will then authenticate, authorize, and audit user access to IT resources based on what the IT admin had dictated.

Traditionally, standalone user management has been grounded with on-prem servers, databases, and closed virtual private networks (VPN). However, recent trends are seeing a shift towards cloud-based IAM, granting administrators greater control over digital assets.

Components

  1. Directory: Directory services connect users to the IT resources they need. As the core user store, the directory is the foundation of any identity, access, and device management program. There are two primary classifications of directories — the on-premises directory, such as the legacy service Microsoft Active Directory, and the cloud directory platform.
  2. Directory extension: Because conventional on-prem directories are ill-equipped to manage many of today’s resources (e.g., Mac, Linux, SaaS, IaaS), a whole category of solutions has been created to extend credentials to other platforms and locations.
  3. SSO: Single sign-on solutions strive to consolidate the plethora of web application accounts and resources into one login process via the web browser. This category is also known as first-generation IDaaS (Identity-as-a-Service).
  4. Privileged account management: Some directories don’t provide sufficient security or management of critical systems like databases and network infrastructure. Privileged account management has sprung up to fill the void. These systems provide more stringent access controls, including the ability to manage systems and tightly control access to high-value IT resources.
  5. Password managers/vaults: End users need to remember so many passwords that a category of solutions has emerged to help. Password vaults store the passwords to your websites and can generate secure passwords for you.
  6. Multi-factor Authentication (MFA or 2FA): Passwords are an imperfect form of identity protection. To prevent the breach of high-value resources, a second method of authentication is essential.

Practices

Strengthen security

Enterprise security once meant simply installing anti-virus software and a firewall. It used to be that easy. Today, security is at least five layers deep, as shown here:
  • Network security: Firewalls, intrusion detection/prevention solutions, VPNs, and others
  • Device security: Measures to secure servers, desktops, and laptops
  • Application security: Measures to secure internal and web applications
  • Data security: Measures to secure data at rest and in flight
  • Identity security: Foundation of enterprise security
Each layer is integral, but identity security is fundamental. That’s because if a hacker can get credentials, then many other security measures can be bypassed. At that point, the hacker is already “inside” and can do as they please. The good news is that there are steps you can take to significantly bolster identity security.

MFA & conditional access policies

You can take strong measures to verify that users are who they say they are and that they’re accessing only the resources they need to do their jobs.
  1. Enforce password requirements. A high-end computer can now crack an eight-character password in 5.5 hours. (Source: “Password Facts & Tips for Secure Online Presences.” Halock. Accessed Oct. 6, 2020. https://www.halock.com/passwords-fascinating-facts/). Luckily, IT has the ability to implement password requirements. Most experts recommend enforcing a 12-character password requirement — though supporting longer passwords is preferable. Here are some factors to consider for password complexity:
    1. Set length of password
    2. Support numbers and characters
    3. Prohibit password reuse
    4. Ensure compliance with applicable regulations
    It’s also worth taking into account new NIST guidance that stipulates that a longer password is preferred over a shorter but more complex one, as it’s more difficult to crack but easier for users to remember. Complexity clearly plays a vital role in password security. You can train your users to make passwords of a certain length, but people are just people and they are inevitably beset by password fatigue. For example, a report from LastPass found that 61% of employees reuse passwords despite 91% of them knowing better. (Source: “The Password Exposé.” LastPass. Accessed Oct. 6, 2020. https://lp-cdn.lastpass.com/lporcamedia/document-library/lastpass/pdf/en/LastPassEnterprise-The-Password-Expose-Ebook-v2.pdf). So, encourage your users to leverage a password manager to ensure that passwords meet stringent complexity requirements and increased length.
  2. Require multi-factor authentication. Conventional passwords no longer cut it. Employees are prone to using the same password across multiple sites, and prone to ignoring best password practices. Even if passwords are long and complex, there’s still the possibility of them being stored in insecure ways. MFA is an easy way to have some extra peace of mind over your business. With MFA, the standard password is supplemented with another form of authentication, be it a TOTP code generated by an app, a hardware security key, or a fingerprint. This doesn’t make it twice as difficult for hackers. It makes it exponentially more difficult. They not only need something you know, but also something you have. In fact, Google found in a study that MFA via an on-device prompt stopped 100% of automated bots, 99% of bulk phishing attacks, and 90% of targeted attacks on Google accounts. (Source: “New research: How effective is basic account hygiene at preventing hijacking.” Google Security Blog. Accessed Oct. 6, 2020. https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html)
  3. Enforce conditional access. Set policies to limit user access to organizational data and resources unless they meet certain conditions, such as using a trusted device or accessing via a trusted IP network. If a user isn’t on a trusted device or network, you can either reject their access or require additional authentication, such as MFA, before access is granted. Here’s the conditional access workflow.

Configure and secure devices

Another important practice is to configure and secure the devices used to access organizational data. Whether they’re Mac, Windows, or Linux devices, you can take steps to lock them down before users log in. You should extend users’ core identities to their devices so they use the same credentials on their devices as they do to log into their other resources, such as SaaS apps, and you can ensure those credentials are centrally managed and secured.
You can also apply key device security measures such as:
  • Enforce full disk encryption
  • Set lock screen for 120 seconds or less
  • Disable USB mass storage devices
  • Disable control panel access/system preferences access
  • Disable local guest and administrator accounts
  • Default users permissions as standard non-admin/nonsudoer accounts
  • Patch devices (and installed applications)
With the right device management solution, you can also unlock security commands (e.g., lock and wipe) to use on remote devices if they’re lost, stolen, or otherwise compromised.

Implement regular security training

Identities are intrinsically linked to user behavior. When everyone on the team understands the dangers associated with identity sprawl, then everyone is invested in eliminating it and keeping the company secure.
Train employees about password hygiene, including what makes a password secure and why it’s vital to avoid repeating passwords between work and personal accounts. Train employees how to recognize phishing attempts, including emails. Train employees about shadow IT, too, and discourage risky behavior like circumventing IT to create unmanaged accounts.
With regular training — once a quarter, for example — you can reduce risky practices and encourage users to help protect your organization and its identities. With the right solution in place, you can also train and enable employees to manage and change their core credentials directly on their devices, which is more secure than email- or formbased methods of managing their identities.

Don't use apps for your directory service

Some small startups bypass traditional on-prem directories all together. Instead, they use SaaS-based apps as their core identities.
Using identities from SaaS apps like Google Workspace or M365/Azure Active Directory can be effective for other cloud resources while requiring little investment and maintenance from IT departments.
The only problem with this is that solutions like Google Cloud Identity and Azure AD weren’t built to be truly comprehensive and encompassing directory services. They don’t offer the degree of control required from an identity provider, nor do they connect to a wide variety of IT resources.
Users access far more resources than simply web applications — and they work on a variety of operating systems (Mac, Windows, Linux, etc.). They also need an internet connection, file storage, and access to cloud servers at AWS. Manually adding user profiles to each of these resources is time consuming, prone to human error, and encourages password fatigue. Additionally, IT admins will lack the control they need to centrally enforce security best practices like MFA, increasing the risk of a breach.

Use a cloud directory platform

Modern cloud directory platforms are built from the ground up to manage identities and resources across the cloud and on-prem. Google Workspace? Check. Wi-Fi networks? Check. AWS, Salesforce, Slack, GitHub, and more? Check, check, check, and check.
These platforms seamlessly integrate with on-prem and cloudbased IT resources via industry-standard protocols including LDAP, RADIUS, SAML, and SCIM. With this kind of platform in place, one identity can traverse the plethora of apps, devices/systems, files, and infrastructure that modern business requires via these protocols.
They also store identities securely (i.e., one-way hashed and salted) to make it incredibly difficult for credentials to be decrypted.
That way, each user has one authoritative identity to access virtually all their IT resources, and admins centrally manage and secure that identity — all from the cloud.

Challenges

Vulnerable identities

Credential theft drives breaches — but everyone likes to say, “It will never happen to me.” However, more than one in four data breach victims last year were small businesses. (Source: “2020 Data Breach Investigations Report.” Verizon. Accessed Oct. 6, 2020. https://enterprise.verizon.com/resources/reports/2020/2020-data-breachinvestigations-report.pdf)
Clearly, greater security and stronger authentication are paramount for every organization, large or small. These are some steps you can take to fortify your identities:
  • Enforce strong identity controls, including strict password requirements.
  • Require multi-factor authentication on devices, applications, and other high-value access points.
  • Train employees to use strong, unique passwords, and train them to recognize phishing attempts.
  • Encourage users to implement a password manager.

Identity sprawl

Think about all the accounts and passwords the average person has today: email, social media, banking, and on and on. The average internet user has a whopping 150 online accounts — and growing.
This is called identity sprawl, and it’s even worse at workplaces where you have to factor in a variety of internal and SaaS-based apps. Users have a different account for Slack, M365, Salesforce, GitHub, Google Workplace, and more. Aside from being a headache from a compliance perspective, identity sprawl hurts companies in two big ways:
  1. Identity sprawl decreases security. "People average 150 accounts, but only 5 passwords." — Telesign. Identity sprawl creates a chaotic environment that is difficult to secure. When an employee leaves, instead of being able to deprovision access to all resources with one click, IT must be meticulous and deprovision access individually for each resource. One mistake, one oversight, and someone has access who shouldn’t. To hackers, identity sprawl looks a lot like opportunity.
  2. Decentralized identities reduce efficiency. At the user level, identity sprawl leads users to spend more time logging in and to reuse their passwords (and to ring the help desk when they inevitably can’t remember which password goes to which account). LastPass even discovered that the average user ends up wasting 36 minutes a month just on typing passwords. (Source: “The Password Exposé.” LastPass. Accessed Oct. 6, 2020. https://lp-cdn.lastpass.com/lporcamedia/document-library/lastpass/pdf/en/LastPassEnterprise-The-Password-Expose-Ebook-v2.pdf) On the admin side, it’s even worse. IT loses centralized control. They make a change in the central user directory, and it ends up propagating to only some IT resources. This requires admins to keep track of which resources require separate control. The solution is to consolidate identities, but our next challenge — legacy IAM solutions — is a major roadblock toward that goal.

Legacy identity management solutions

Microsoft Active Directory has served valiantly as a core identity provider since its release with Windows 2000. It earned an early stronghold on the market that’s still in place, but a lot has changed since 1999. In fact, the dominance of Microsoft AD is the single biggest reason for identity sprawl. AD doesn’t effectively manage devices that don’t run Windows — and the number of Mac and Linux devices has been on the uptick year after year.
AD is also poorly equipped to authenticate SaaS-based identities and other cloud resources. The result is a multiplicity of unmanaged identities. So identity sprawl stems directly from companies where the IT department’s hands are tied because they still have to use AD.
The other major legacy directory in place at companies is OpenLDAP.
LDAP is better with Linux and Unix systems than AD, but it has the same difficulties managing cloud infrastructure. Furthermore, OpenLDAP is partial to LDAP, and so other ascendent protocols like SAML, OAuth, and the re-emerged RADIUS are out of reach. Same with the ability to manage Windows and Mac devices.
Ultimately, as long as these legacy systems continue to lock companies into their identity management solutions, IT will be unable to keep up with the changing identity landscape.

Shadow IT

Shadow IT refers to systems and solutions implemented inside organizations without the IT department’s knowledge or approval. Shadow IT is:
  • Widespread — 80% of workers use non-permitted SaaS apps. Check out this case study to learn more.
  • Risky — More than 1 in 4 shadow IT apps is high-risk. Check out this case study to learn more.
  • Expensive — Shadow IT accounts for 30-40% of IT spend.
Check out this case study to learn more. In other words, shadow IT is a major factor contributing to the identity crisis that IT faces today. Whether it's for collaboration, communication, or the transfer of files, shadow IT means more unmanaged identities.
Ultimately, you likely can’t eliminate shadow IT all together. The approach to mitigate it involves training employees about shadow IT and eliminating the need for shadow IT by improving your IT infrastructure to better accommodate and manage the types of apps and IT resources that are likely to be implemented by rogue innovators.

Vendor lock-in

The market to manage your identities has never been so competitive. As a result, one of the more subtle factors working against identity management is vendor lock-in. This refers to all of the companies that are trying to woo you and your organization into using their platforms (often for free) so that you become dependent on their services. Eventually, this means they can lock you into paying for their other services. As TechBeacon put it, once you’re locked in, “it can be hard to port to another vendor’s platform without considerable effort and cost”. (Source: Vijayan, Jaikumar. “Serverless vendor lock-in: Should you be worried?” TechBeacon. Accessed Oct. 6, 2020. https://techbeacon.com/enterprise-it/serverless-vendor-lock-should-you-be-worried)
Microsoft, Google, Amazon — they all know that if they lock up your corporate identities now, you’ll be beholden to them later. These are savvy businesses. Why do you think that they offer so many valuable services for free? For them, storing your identities (on their infrastructure) means additional revenue elsewhere and locking you into their ecosystem.
For Microsoft, it’s Windows, M365, and Azure. For Google, it’s Google Workspace, Chrome/Android, and Google Cloud Platform. For Amazon, it’s AWS and buying goods and services. They design their infrastructures to be funnels — funnels that eventually guide you to paying for their services and excluding alternatives.
Don’t be a pawn in another player’s game. Understand that your identities are perceived as long-term corporate assets and protect them.

Strategy quality

Use this checklist to assess your current IAM strategy:

  • Centralized Management
  • Single Sign-On
  • Manage by Groups Requirements
  • Compatible with Windows, Mac, & Linux
  • Extensible to the Cloud
  • Cross-platform Device Management
  • Unique Wi-Fi credentials for each user
  • Multi-Factor Authentication
  • Password Complexity Management
  • Secure Passwords (i.e. not clear text or encrypted)
  • Uses Core Protocols such as LDAP, SAML, RADIUS, SSH, REST
  • Automated Provisioning and Deprovisioning
  • SSH Key Management
  • IAM platform utilizes zero-trust security practices

Poor

(0-5) If you’re in this range, then your IAM strategy is actively hurting your company’s efficiency and security. You likely don’t have an identity provider or need to scrap your existing one. Giving your IAM strategy a makeover should be your top priority.

Fair

(6-8) You’re keeping your head above water, but you’re not able to think about the future. Your IAM strategy is either causing lapses in security or has incompatibility with critical resources. Survey your needs and consider making a major change.

Good

(9-11) If you scored in this range, that means your IAM strategy is serving you well. Still, all it takes is one missing plate in your armor for a hacker to deal a costly strike. Keep reading to find ways to address your IAM solution’s shortcomings.

Excellent

(12-14) Give yourself a pat on the back. You’ve already got a high-functioning IAM strategy. Focus your efforts on staying ahead of the curve and being prepared for the changes coming in the identity market.

See also

Related lectures