Today is the second International Identity Management Day, an initiative launched in 2021 by the National Cybersecurity Alliance and the Identity Defined Security Alliance. Its aim is to bring the security industry together to raise awareness and to share best practices and tips on how both organisations and individuals can effectively manage and secure their digital identities.
Kontex, as a leading Irish Cyber Security consultancy working closely with SMB and Enterprise to review, establish or improve IAM programs, is delighted to participate in this initiative.
The next security breach announcement is never far away: two major identity providers (Okta and Azure AD) have recently disclosed security incidents. Such incidents raise questions such as “What are the real consequences of improperly managing and securing digital identities?”
Each year, the Cloud Security Alliance (CSA) releases its “Top Threats to Cloud Computing” study, dedicated to defining and raising awareness of key risks and vulnerabilities in the cloud. Two of the top ten threats in the report relate to IAM: Insufficient Identity, Credential, Access and Key Management, and Account Hijacking.
What weaknesses to look for in your IAM.
- Lack of protection of credentials and secrets
- Lack of a cloud security architecture and strategy
- Lack of secure key and secret management capabilities, in particular around rotation of keys, passwords and certificates
- Failure to regularly review external access and access to non-federated systems
- Inability to scale identity and to onboard systems into access management
- Legacy systems that prevent the use of multifactor authentication or a move towards passwordless authentication
- Insecure Interfaces and APIs
How to address IAM Improvements in your organisation.
- Centralise identity and reduce the number of accounts by leveraging identity federation
- Make SSO a mandatory requirement
- Enforce the principle of least privilege
- Issue IAM guidelines as a standard and review them regularly
- Centralise all IAM projects and turn them into a programme with a roadmap, scope and objectives
- Ensure external access is governed, regularly reviewed and routed through PAM
- Ensure a well-defined life cycle is understood and adopted for both identity and access (HR-driven triggers feeding automated IAM)
- Automate IAM
- Implement Role-Based Access Control (RBAC)
- Adopt Zero Trust and make IAM an essential building block of the future state
- Disable legacy authentication protocols
- Build an IAM data lake to gather, profile, monitor and report on IAM-related data in real time
- Leverage next-generation ML/AI tools to process signals and introduce behaviour analytics
- Require MFA and enable passwordless authentication
- Improve continuously
- Profile the organisation and sign up for threat intelligence with an advanced darknet feed
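Several of the weaknesses above (unreviewed external access, legacy systems that block MFA) and several of the improvements (disable legacy authentication, require MFA, review external access, monitor IAM data) can be checked against the same sign-in telemetry. The following Go program is an added example, not code from this page or from Kontex: it triages a constructed batch of sign-in records and produces a review queue. The record schema, protocol names, user names and reference date are assumptions made for illustration, not the log format of any particular identity provider.

```go
package main

import (
	"fmt"
	"time"
)

// SignIn is a simplified, constructed sign-in record. The field set is an
// assumption made for this example, not the schema of any particular identity
// provider's sign-in log.
type SignIn struct {
	User     string
	UserType string // "member" or "guest" (an external, federated identity)
	App      string
	Protocol string // client protocol, e.g. "Browser", "IMAP4", "SMTP"
	MFA      bool   // whether a second factor was satisfied
	Success  bool
	At       time.Time
}

// Finding is one item for the access-review or remediation queue.
type Finding struct {
	User   string
	Reason string
}

// legacyProtocols are client protocols that cannot carry an MFA challenge and
// so are the usual target of password-spray and credential-stuffing attacks.
var legacyProtocols = map[string]bool{
	"IMAP4": true, "POP3": true, "SMTP": true, "Exchange ActiveSync": true,
}

// ReferenceNow fixes "now" so the example is deterministic (assumed date).
var ReferenceNow = time.Date(2022, 4, 12, 0, 0, 0, 0, time.UTC)

// Triage applies three checks to a batch of sign-ins:
//  1. successful sign-ins over a legacy protocol (the protocol should be disabled);
//  2. other successful sign-ins with no second factor (MFA should be required);
//  3. guest accounts whose last successful sign-in is older than staleDays
//     (candidates for the external-access review).
// Guests that never signed in do not appear in a sign-in log at all, so in
// practice this check must be combined with a directory export.
func Triage(events []SignIn, now time.Time, staleDays int) []Finding {
	var out []Finding
	lastGuest := map[string]time.Time{}
	for _, e := range events {
		if !e.Success {
			continue // failed attempts belong to a separate brute-force detection
		}
		switch {
		case legacyProtocols[e.Protocol]:
			out = append(out, Finding{e.User, "legacy protocol: " + e.Protocol})
		case !e.MFA:
			out = append(out, Finding{e.User, "single-factor sign-in to " + e.App})
		}
		if e.UserType == "guest" && e.At.After(lastGuest[e.User]) {
			lastGuest[e.User] = e.At
		}
	}
	for user, last := range lastGuest {
		if idle := int(now.Sub(last).Hours() / 24); idle > staleDays {
			out = append(out, Finding{user, fmt.Sprintf("guest inactive for %d days", idle)})
		}
	}
	return out
}

// SampleEvents is a constructed batch of sign-ins for the example.
func SampleEvents() []SignIn {
	day := func(y int, m time.Month, d int) time.Time {
		return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
	}
	return []SignIn{
		{"alice", "member", "Exchange Online", "IMAP4", false, true, day(2022, 4, 11)},
		{"bob", "member", "SharePoint", "Browser", true, true, day(2022, 4, 11)},
		{"carol", "member", "VPN portal", "Browser", false, true, day(2022, 4, 10)},
		{"partner@supplier.example", "guest", "Teams", "Browser", true, true, day(2021, 12, 1)},
		{"vendor@vendor.example", "guest", "Teams", "Browser", true, true, day(2022, 4, 1)},
		{"dave", "member", "Exchange Online", "SMTP", false, false, day(2022, 4, 12)},
	}
}

func main() {
	for _, f := range Triage(SampleEvents(), ReferenceNow, 90) {
		fmt.Printf("%-28s %s\n", f.User, f.Reason)
	}
}
```

Run as `go run main.go`; with the constructed batch it lists alice (legacy IMAP4), carol (no second factor on the VPN portal) and the supplier guest that has not signed in for 132 days. The failed SMTP attempt by dave is deliberately left out: it is input for a brute-force detection, not for the access review.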
At a more personal IAM level, we know it can be confusing for the less tech-savvy. This Consumer Authentication Strength Maturity Model explains the different levels of password security very well. Top tip: you don’t want to be at level 1!
What is the future?
Passwordless authentication! This removes the user’s involvement in entering a password and replaces it with a stronger factor. The result is a stronger, more predictable and more seamless user experience, and a more secure way to authenticate.
The FIDO Alliance (FIDO stands for “Fast Identity Online”) is key here: it strives to improve the status quo with open standards, promoting “authentication standards to help reduce the world’s over-reliance on passwords.”
In Gartner’s Impact Radar for 2022, passwordless authentication is described as ubiquitous and transparent security within reach. The report predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases, up from 5% in 2018.
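To make the mechanism behind passwordless authentication concrete, here is an added example (not code from this page, from Kontex, from the FIDO Alliance or from Gartner) that models a FIDO-style challenge-response in Go with an Ed25519 key pair: registration hands the server only a public key, each login signs a fresh server challenge bound to the relying-party identifier and a signature counter, and the server verifies the signature under the stored public key. It is a simplified model of the idea, not an implementation of WebAuthn or CTAP; the relying-party name login.example.com and the signed-message layout are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The private key never leaves it, so
// there is no shared secret for a server breach or a phishing page to capture.
type Authenticator struct {
	priv    ed25519.PrivateKey
	rpID    string // relying party the key was registered for (origin binding)
	counter uint32 // monotonically increasing signature counter
}

// Credential is what the server stores: a public key, never a secret.
type Credential struct {
	pub     ed25519.PublicKey
	rpID    string
	counter uint32
}

// Assertion is the authenticator's signed answer to one challenge.
type Assertion struct {
	RPID      string
	Counter   uint32
	Challenge []byte
	Sig       []byte
}

// Register creates a fresh key pair on the device for this relying party and
// hands the server the public half (assumed flow for the example).
func Register(rpID string) (*Authenticator, *Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, &Credential{pub: pub, rpID: rpID}, nil
}

// NewChallenge is generated server-side per login attempt, so a captured
// assertion cannot be replayed against a later login.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the signature to the relying party, the counter and the
// challenge; hashing the rpID mirrors how WebAuthn signs over an RP ID hash.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	buf := make([]byte, 4)
	binary.BigEndian.PutUint32(buf, counter)
	return append(append(h[:], buf...), challenge...)
}

// Sign answers a challenge presented by origin rpID. A phishing site with a
// different rpID is refused outright, which is what makes this phishing-resistant.
func (a *Authenticator) Sign(rpID string, challenge []byte) (Assertion, error) {
	if rpID != a.rpID {
		return Assertion{}, errors.New("origin mismatch: credential not registered for " + rpID)
	}
	a.counter++
	sig := ed25519.Sign(a.priv, signedData(rpID, a.counter, challenge))
	return Assertion{RPID: rpID, Counter: a.counter, Challenge: challenge, Sig: sig}, nil
}

// Verify is the server side: the challenge must be the one it issued, the
// relying party must match, the counter must advance (replay and clone
// detection) and the signature must verify under the stored public key.
func (c *Credential) Verify(expected []byte, as Assertion) error {
	if !bytes.Equal(expected, as.Challenge) {
		return errors.New("challenge mismatch")
	}
	if as.RPID != c.rpID {
		return errors.New("relying party mismatch")
	}
	if as.Counter <= c.counter {
		return errors.New("counter did not advance: replay or cloned authenticator")
	}
	if !ed25519.Verify(c.pub, signedData(as.RPID, as.Counter, as.Challenge), as.Sig) {
		return errors.New("bad signature")
	}
	c.counter = as.Counter
	return nil
}

func main() {
	dev, cred, err := Register("login.example.com")
	if err != nil {
		panic(err)
	}
	ch, _ := NewChallenge()
	as, _ := dev.Sign("login.example.com", ch)
	fmt.Println("fresh assertion:", cred.Verify(ch, as))
	fmt.Println("replayed assertion:", cred.Verify(ch, as))
	_, err = dev.Sign("login.example.com.evil.test", ch)
	fmt.Println("phishing origin:", err)
}
```

The point the three printed lines make is the one the paragraph above makes in words: a valid login needs the device, a replayed assertion fails on the counter, and a look-alike origin never gets a signature at all. A real deployment adds user verification on the device (PIN or biometric) and transports the assertion over TLS; those parts are outside this model.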
If you would like to implement passwordless authentication in your enterprise, or just to know more, please contact Kontex.
- The Okta 2022 breach https://www.reuters.com/technology/authentication-services-firm-okta-says-it-is-investigating-report-breach-2022-03-22/
- Azure Active Directory Exposes Internal Information https://www.secureworks.com/research/azure-active-directory-exposes-internal-information
- Top Threats to Cloud Computing https://cloudsecurityalliance.org/
- Impact Radar for 2022 https://www.gartner.com/en/documents/4008322
- Threat Intelligence https://www.vectra.ai/blogpost/cyber-enemies-network-behavior-gives-away-the-attacker
- Threat Detection https://www.lepide.com/data-security-platform/threat-detection-and-response.html
- Personal Security Checklist https://github.com/Lissy93/personal-security-checklist
- Identity Management Day https://www.idsalliance.org/identity-management-day-2022-what-and-why/
- PAM and Least Privilege https://www.cyberark.com/what-is/least-privilege/
- General Access Control Guidance for Cloud Systems, NIST SP 800-210 | CSRC (nist.gov)
- Zero Trust https://www.okta.com/initiatives/workforce-identity/adopt-a-zero-trust-security-model/
- Zero Trust https://go.forrester.com/certification/zero-trust-certification/
- Zero Trust https://techcommunity.microsoft.com/t5/security-compliance-and-identity/new-blog-post-next-evolution-of-the-microsoft-sentinel-zero/m-p/3280408
- Zero Trust How CrowdStrike’s Identity Protection Solution Works | Video