Key Line of Defense: Identity Access Management
Identity and Access Management (IAM) is a key line of defense within an organization’s cybersecurity posture. IAM should nest with additional security controls across various other layers (defense-in-depth). Companies have begun transitioning towards cloud data storage within the last few years. This transition increases the risks of incomplete or misconfigured IAM security controls. Palo Alto’s recent research outlines the startling realities that may give pause to CISOs and Security Engineers alike.
What is IAM (Identity Access Management)?
IAM is a sub-discipline within cybersecurity. Securing IAM is undoubtedly complex, requiring high effort and support to plan, identify, and secure properly. As companies migrate from on-premise IAM (Active Directory, for example) towards a hybrid or fully cloud (Azure AD) environment, securing cloud identities may be occurring in parallel with securing on-premise AD. While this effort may seem doable, adding yet another item in parallel to already-overburdened security and engineering teams creates a significant level of discomfort for the individuals and teams who are implementing those changes and fixes.
Concept of Least Privilege
As organizations transition from on-premises to the cloud, securing IAM becomes an increasingly heavy lift for security teams. Palo Alto’s report found that 44% of organizations allowed IAM password reuse, and 53% allowed weak passwords (fewer than 14 characters). Alarmingly, Palo Alto found the most ubiquitous problem to be that “99% of the users had access to roles, services, and resources they did not require”. Generally speaking, this figure agrees with what we see daily. Unit42’s profiling of “Unsecure/Incomplete IAM Security Controls” is a consistent theme across organizations of all sizes.
In BreachQuest’s recent blog post, Three Keys to Cyber Security, we outlined the importance of the ‘Concept of Least Privilege.’ Users should be assigned the absolute least amount of privilege needed to complete their day-to-day work and ongoing business requirements. Once an attacker gains access to an environment, finding and removing the actor becomes harder the longer they remain. Granting ‘too much access’ aids attackers: it increases the likelihood of successful Lateral Movement and Privilege Escalation. Enforcing the Concept of Least Privilege, granting ‘just enough’ access to every user, makes IAM an effective line of defense within a defense-in-depth strategy.
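The two findings above (over-broad role access and weak password settings) are both things a security team can check mechanically before an attacker does. The following Python script is an added example, not code from BreachQuest or from the Palo Alto report; it assumes role policies are expressed in AWS-style JSON policy documents (the `Effect`/`Action`/`Resource` shape) and that the account password policy is available as a small dictionary, so the loaders would need adapting for Azure AD or another provider. The sample policies and password settings are constructed for illustration.

```python
import json

# Constructed sample: two role policies in AWS-style JSON (assumption: the
# organization's cloud uses this policy shape; adapt the loader for other providers).
SAMPLE_POLICIES = {
    "analyst-role": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::reports/*"},
        ],
    }),
    "legacy-admin-role": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["iam:PassRole", "iam:*"], "Resource": "*"},
        ],
    }),
}

# Constructed sample password policies, mirroring the two weak settings the
# report calls out (short passwords and no reuse prevention) and a corrected one.
WEAK_PASSWORD_POLICY = {"MinimumPasswordLength": 8, "PasswordReusePrevention": 0}
STRONG_PASSWORD_POLICY = {"MinimumPasswordLength": 14, "PasswordReusePrevention": 24}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json):
    """Return one finding per Allow statement whose Action or Resource is a wildcard.

    A service-wide action such as 'iam:*' counts as a wildcard action; only a bare
    '*' counts as a wildcard resource, so scoped ARNs ending in '/*' are accepted.
    """
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in resources if r == "*"]
        if wild_actions or wild_resources:
            findings.append({
                "statement": idx,
                "wild_actions": wild_actions,
                "wild_resources": wild_resources,
            })
    return findings


def audit_policies(policies):
    """Map role name -> findings, keeping only roles with at least one over-broad statement."""
    report = {}
    for name, policy_json in policies.items():
        findings = find_overbroad_statements(policy_json)
        if findings:
            report[name] = findings
    return report


def check_password_policy(policy, min_length=14, min_history=1):
    """Return a list of weak settings; an empty list means the policy passes."""
    problems = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < min_length:
        problems.append(f"minimum length {length} is below {min_length}")
    if policy.get("PasswordReusePrevention", 0) < min_history:
        problems.append("password reuse is not prevented")
    return problems


if __name__ == "__main__":
    for role, findings in audit_policies(SAMPLE_POLICIES).items():
        print(f"{role}: {len(findings)} over-broad statement(s)")
        for f in findings:
            print("  statement", f["statement"], f["wild_actions"], f["wild_resources"])
    for label, pol in (("weak", WEAK_PASSWORD_POLICY), ("strong", STRONG_PASSWORD_POLICY)):
        print(label, "password policy:", check_password_policy(pol) or "ok")
```

Run as-is the script reports the legacy admin role twice (a bare `*` grant and a service-wide `iam:*` grant) and leaves the scoped analyst role alone, which is the kind of low-hanging fruit the text describes; pointing `SAMPLE_POLICIES` at an export of the real role policies turns it into a repeatable least-privilege check.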
Misconfigured security controls and incomplete IAM deployments are often challenging to identify and secure. They can occur on-premise, in the cloud, and anywhere in-between. Security leadership should prioritize efforts to secure their IAM and accept that it will not be a simple effort. Security leaders and their teams should expect to find ‘unknown unknowns’ as they progress through their IAM journey.
Even though IAM is complicated to fully secure, an organization that begins the journey of securing its IAM will find low-hanging fruit along its path. That low-hanging fruit will become a jumping-off point for further improvements. Organizations that dig into their IAM policies and configuration are better positioned than an organization that has not planned, developed, or implemented an IAM solution.
IAM may be a difficult journey, but it’s an essential step towards securing any environment.