Posted on August 2, 2021
Want to interview Gerry?Contact
A robust Identity and Access Management (IAM) approach is an essential part of any modern cybersecurity strategy. IAM is all about making sure that authorized users, and only authorized users, can access the resources they need when they need them – and making sure all other access is denied.
The four basic components of Identity and Access Management include:
IAM has evolved a great deal over the past few years. In the early days of networking, a password was considered sufficient for authentication. And once authenticated, users were often authorized to access virtually any resource on the network, with the possible exceptions of sensitive HR or financial files and network system files. User management was manual, and basic encryption was considered to be the only data security that was needed.
As cybercriminals grew more sophisticated, it became essential to upgrade all four IAM components. With most companies migrating to hybrid cloud setups, IAM has also become more complex. As a result, adopting a cloud-based approach is now one of the best ways to implement state-of-the-art Identity and Access Management. Cloud Identity and Access Management – extending IAM to resources in the cloud – is an essential part of the overall IAM protocols of organizations that extensively leverage cloud-based resources or intend to do so in the near future.
The following best practices require, depend on or are, at minimum, complementary to IAM controls and illustrate its importance to organizations that are considering implementing cloud identity and access management.
The traditional approach to networking established the perimeter at the interface between the company’s network and the outside world. The perimeter was well-defended with firewalls and software defenses such as antivirus and antimalware software. In essence, the perimeter was defined physically: resources were either in the office or out.
That boundary no longer makes sense. In fact, it really no longer exists. In the wake of the coronavirus pandemic, the number of remote workers has exploded, and no one expects things to fully—or perhaps even mostly–return to the way they previously were. Companies are also increasingly turning to cloud-based solutions and adopting SaaS offerings. A physical perimeter doesn’t mean much when users can be anywhere, on or off the network, accessing resources that can be anywhere–on the corporate network, on private or public clouds, or in a SaaS app.
Today’s best practices call for defining a perimeter around each individual through strong identity authentication, regardless of where they are working, and enforcing resource-specific authorization to whatever each individual needs for their job, regardless of where those resources are.
CASB brokers between users and cloud-based apps and resources ensure that company security policies are enforced for resources in the cloud, just as they are for resources on on-premises servers—in essence, extending IAM protocols to cloud-based resources.
As companies started migrating to the cloud, and remote users became more common, many companies added new authentication tools or features to adapt. For many companies, the result was a patchwork approach to IAM, with different IAM systems and protocols used to access resources on the corporate network than for accessing resources in the cloud. This is definitely sub-optimal; it creates work for the IT staff and increases the likelihood of policies being applied inconsistently.
It’s much more secure and efficient to centralize IAM in one system. And with the ongoing migration to the cloud, for most companies, cloud-based solutions that authenticate and authorize users wherever they are, for whichever resources they are accessing, is the most sensible way to go. It is certainly a much more efficient approach than routing all traffic via a hub and spoke approach back to company servers in a single datacenter. By centralizing IAM in the cloud companies can easily set policies that can be effectively and consistently implemented for all use cases.
Countless companies have been hacked due to weak identity controls. Many users choose simple passwords that are easy to remember (and easy to crack) or reuse passwords which, if compromised in one place are then compromised in other places as well. Requiring strong passwords is an important step, but it’s not enough. Too many compromised strong passwords can be found for sale on the dark web. Sensitive information and apps should be protected with multi factor authentication (MFA), which requires a second factor, such as a code sent to the user’s phone, to be entered or approved in addition to a password. For especially sensitive materials, one of the factors should be biometric-based, such as face or fingerprint recognition.
Least privilege access, a central tenet of Zero Trust security, stipulates that users should have access to only the apps and data they need to do their jobs. If a user’s credentials are compromised or if the user is malicious or simply careless, least privilege access limits the damage that can be done. Many companies rely on Role-Based Access Control (RBAC), a scheme that grants employees access to resources based on their roles in the company. A more granular approach is more secure, giving each individual employee access to the exact resources they need to do their specific job. For example, not all HR specialists need access to all elements of employees’ files or all of the same apps. In the past, implementing least privilege at the individual user level was administratively complex. ZTEdge’s patent-pending Automatic Policy Builder makes it simple and pain-free to maintain and implement individual user-level least privilege access policies for IAM.
And, of course, “least privilege” needs to cover access to resources on company servers as well as resources in the cloud.
In the old “castle-with-a-moat” perimeter-based approach to cybersecurity, attention was focused primarily on North-South traffic, i.e., traffic to and from the outside world. Little attention was paid to East-West traffic that flows between company servers and resources. Microsegmentation, in conjunction with IAM-managed least privilege access, changes all that by isolating apps and resources from each other to limit the damage that could be done if a malicious actor was able to get onto the network. Microsegmentation minimizes the “blast radius” of a successful attack by cloaking network apps and resources from threats.
Privileged accounts such as admins or super admins can be especially dangerous if compromised, so IAM solutions must be able to enforce extra safeguards for these accounts. Multi-factor authentication, preferably with a biometric component, should be standard, as well as time- and location-based access restrictions. Another approach is to create temporary, one-time use privileged accounts, so if a credential is compromised it is unlikely to be of any use.
Best practices for managing access to cloud-based apps include restricting access based on time or on user IP address. One of the challenges for this approach is that with users working remotely, their IP addresses may vary, making it problematic to include in IAM policies. ZTEdge addresses this issue by routing cloud access through a dedicated ZTEdge IP address for each organization. Access to risky cloud-based apps can also be entirely blocked. Additionally, limits can be placed on users’ ability to upload or share data with cloud-based apps.
Last, but certainly not least, periodically reviewing and updating IAM policies regarding apps and users are essential best practices. Apps that are no longer used and no longer supported can be breach vectors; the same goes for accounts of users who no longer work for the company, or who have been reassigned. Policies may be great at the time they are set, but resources, needs and threats all evolve over time, so policies need to be reviewed and updated on a regular basis.
Cloud Identity and Access Management is already an essential function that integrates with and underlies most operational cybersecurity, including IAM for on-premises resources. Today’s best practices for IAM call for a centralized approach that accommodates users who may be on- or off-premises, and who require access to resources that may be on the company’s network or based in the cloud.
A recent cybersecurity report revealed that 55 billion new brute force attacks on RDP ports had been detected between May and August of 2021 - over 450 million attacks every day.
In a new twist on email-based attacks, cybercriminals are recruiting disgruntled or greedy employees to deploy ransomware in their employers' systems, in exchange for a cut.
Information security and IT professionals are increasingly facing a resounding lack of support for their efforts to keep their companies cyber safe with the biggest rebellion coming from the youngest workers.