In May 2021, the Colonial Pipeline, a significant oil pipeline network in the Southeast, experienced a ransomware attack that resulted in the disruption of oil and gas distribution, leading to long queues at gas stations and consumer panic.
While the attack is well-known for its financial extortion, it’s crucial to note that the hackers exploited the company due to a leaked password, an inactive VPN account, and a lack of multifactor authentication: all of which can be summarized as poor identity and access management (IAM).
To enhance the security of IAM systems, this week the NSA and CISA published a Recommended Best Practices Guide for Administrators: Identity and Access Management, which offers practical recommendations to system administrators.
In this post, we’ll summarize the 5 main points in the guide, and how we approach implementing the recommended IAM security controls for our small-medium business customers.
Your company’s policies will determine your particular identity governance, which involves centralizing the management of user and service accounts for improved visibility and control over identities and access privileges, helping to detect and prevent unauthorized access. It encompasses several processes and policies, including segregation of duties, role management, logging, access review, analytics, and reporting.
The significant stages of this identity governance lifecycle, commonly known as “Join, Move, and Leave” events, are considered the most crucial for IT administrators:
- Join: when a new employee joins our organization, how will IT set up their accounts and data access privileges to be in line with their job functions?
- Move: when a current employee moves from one role to another, how will IT modify the accounts and access already in place for their new job role?
- Leave: when an employee is terminated, how will IT security disable all of the users accounts to prevent unauthorized access to company data?
These are common events – especially for industries with high employee turnover. Therefore, it’s important for your IT administrator to have a policy in place (even if it’s just a simple Word document that outlines how to “onboard” and “offboard” employees) to govern the overall IAM process.
Identity Federation/Single Sign-On
The need for users to remember multi-character passwords, which is required by almost every application nowadays, presents a vulnerability as it can be quite complex.
With federated single sign-on (SSO), users can effortlessly gain entry to services furnished by one or multiple partner entities, without requiring a distinct login on each partner website.
With identity federation and SSO (using Microsoft Azure Active Directory, for example) identity management becomes less complex, and the risks associated with users having to manage multiple accounts and passwords are eased up considerably.
You’ve probably already heard of multi-factor authorization (MFA) because within many services and organizations, registering for and using MFA is mandatory.
And for good reason, too: MFA is a very effective security control when implemented correctly and consistently, mitigating common attacks against passwords and also email phishing attacks.
If your organization hasn’t already done so, make sure that your IT administrator enables and enforces MFA on all company accounts.
Ensuring sufficient security, assurance, and trust in the foundations and implementations of IAM is a crucial part of fortifying your company’s IT environment.
The level of hardening required may differ depending on the specific needs of the organization, but it can include:
- Physical and Environmental Hardening: For example, ensure the server room is located behind a locked door with access granted only to those who have a purpose in that
- Network Hardening: Develop and set a network baseline so that anomalous network traffic and/or behaviors can be identified and flagged.
- Backups: Follow the “3-2-1 principles” in the event of a disk failure or other disaster: maintain three copies of the data, in at least two mediums, with one being offsite.
- Least Privileged: Limit user account permissions to those that are necessary to perform their job.
- Network Segmentation: Carefully design and implement network segmentation with security in mind to limit the spread of an intrusion and to disrupt attempts to escalate privilege.
- Network Security Assessment: Perform regular security penetration testing and asset vulnerability security scanning to understand attack surfaces from both outside and inside the organizational boundaries.
- Protect and Manage Critical IAM Assets: Identify your credential/trust stores, control access paths, and provide enterprise-wide management.
Environmental hardening generally makes it harder for a bad actor to exploit IAM components and software, so it’s important for IT administrators to continually find ways to make their organization a “hard target” to dissuade would-be hackers.
IAM auditing and monitoring
Also referred to as security information and event management (SIEM), IAM auditing and monitoring should not only check for compliance, but also monitor for threat indicators and anomalous activities.
This encompasses the generation, collection, and analysis of logs, events, and other information to provide the best means of detecting compliance related infractions and suspicious activities using a solution such as Microsoft Sentinel.
According to one study by IBM, in 2022 the average time to identify a breach was 207 days, and the average time to contain it was 70 days; totalling a 277 day breach lifecycle.
Without an effective SIEM or IAM auditing and monitoring program, attacks such as use of stolen credentials and misuse of privileged access by insiders would not be detected in a timely manner, if at all.
What can my business do to improve our Identity and Access Management?
Some of the security controls discussed above are more difficult and costly to implement than others – for example a full-on auditing and monitoring system.
Understandably, many of the small-medium business customers that we work with simply don’t have a full cybersecurity budget, and therefore cannot afford to implement a 100% robust IAM solution.
However, there are small (and affordable) steps that every company can take to improve their IAM risk profile, such as enforcing MFA and following simple onboarding/offboarding procedures for employees.
Our experienced team of engineers are experts at designing, implementing, and testing a range of security solutions for our small-medium business customers.
If you have any questions about identity and access management for your organization, please feel free to contact us for more information.