Iam May Help Secure Data, But It NeedstTo be Protected As Well

Marc Ashworth, Chief Information Security Office, First Bank

Marc Ashworth, Chief Information Security Office, First Bank

The concept of “least privileged” access to authentication to the applications should be engrained in the culture of the organization

The COVID pandemic has changed many things in business today, including employees working remotely.

This new normal increases the need for improved identity and access management (IAM) in the enterprise. The ability for users to remain efficient and gain access to systems remotely while validating their identity is imperative. Flexibility in the system to accommodate employee access as well as contractors, auditors, and other needs is a challenge. All the while providing security teams with the proper monitoring and governance to keep the bad actors out and look for internal threats.

Placing identity at the core of your security strategy is a principle of the zero trust model of security.

Many IAM providers are providing the foundation to zero trusts with integrations with other products to help the enterprise validate the user and device access to resources.

The concept of “least privileged” access to authentication to the applications should be engrained in the culture of the organization. User requests for access along with management approval of that access must not be more than the user needs. An employee’s job title can be used to set the baseline access for the application. The manager is the first line in validating access requests and current permissions.

Assurance that any access exceptions with associated approvals are clearly documented in the IAM or ticketing system.

Configuring your IAM and assigning least privileged access is only part of the equation. Regular reviews of assigned credentials and permissions of a user lead to proper governance. Validating that a user is limited to their assigned duties prevents accidental unauthorized access to data. This can occur due to a departmental or job change of an employee.

Access permissions may be required during a set transition period, but removed after a set period.

Annual user access reviews of employee access validate that the employee has the proper security clearance.

During the review, there should be careful attention to nested group memberships and administrator groups. Limiting membership to the built-in administrator groups to separate privileged accounts and require multi-factor authentication. Review of those privileged accounts should be performed more frequently. Likewise, regular reviews of critical applications must also be performed on a regular basis.

Many application service accounts do not have the same password policies as a user account and are typically created and forgotten. Therefore, regular annual reviews of an account’s applied permissions, settings, and usage by the security or auditing teams.Create service account policies requiring passwords of 25 characters or more with high entropy and periodic password changes. Storage of the passwords in a key vault or password manager that provides logging on when identities are accessed. Consider storing passwords on premise versus in the cloud, and restricting access to individual identities in the vault.Some systems will automatically rotate passwords for service accounts on a set schedule.

The SolarWinds supply chain attack in December of 2020 is a great example of additional levels of controls required to reduce the risk of compromised credentials. The attack is one of the most sophisticated attacks known to date has no single solution to prevent it. The attackers even bypassed multi-factor authentication. However, there are a few things to protect identities on the enterprise network. Disabling legacy broadcast protocols like LLMNR and Netbios and enforcing SMB and LDAP signing to prevent relay attacks are a few items. Encrypting network connections using IPSec in transport mode between systems to reduce the risk of replay attacks. You may want to consider isolating access to domain controllers and limit the use of administrator accounts. Finally, implementing network segmentation and micro-segmentation of traffic flows to limit lateral movement.

No matter what provider you select, security control is implemented or procedures that you put in place for IAM.The ability to continuously monitor and enforce identity policies are crucial. Verification and oversight need to happen and identity policies need enforcement.

Log analysis, event correlation, and traffic inspection is necessary for security teams to search for anomalies and enforce account verification. Security teams should pay careful attention to user behavior and alerts associated with account creation, privilege group changes, trust changes, and failed login attempts. These events and numerous other events that occur can cause event fatigue.

Implementing event automation can help reduce strain on security analysts.

Securing your data by verifying identities and limiting permissions will reduce your risk.

Implementing an IAM is only part of the equation for securing your data. Continuous monitoring and regular evaluation of your existing security controls will limit exposure and determine areas of improvement.

Weekly Brief

Read Also

Vulnerability Management in Today's Enterprise Environment

Vulnerability Management in Today's Enterprise Environment

Darren Death, Vice President of Information Security, Chief Information Security Officer, ASRC Federal
Making Your Cybersecurity Program a Success

Making Your Cybersecurity Program a Success

Bob Turner, Higher Education CISO, University of Wisconsin-Madison
Feeling Vulnerable? A Primer on Building a Vulnerability-Based Table Top Exercise

Feeling Vulnerable? A Primer on Building a Vulnerability-Based...

Kristy Westphal, CSIRT, Vice President, Union Bank
Too Much Technology? Simplicity is Key in Vulnerability Management

Too Much Technology? Simplicity is Key in Vulnerability Management

Earl C. Duby, Jr., Chief Information Security Officer, Lear Corporation
Addressing Cyber Attacks

Addressing Cyber Attacks

Mark Connelly, CISO, Boston Consulting Group
BYOD is the New WiFi: We Must Learn from History to Enable Mobile Data Security

BYOD is the New WiFi: We Must Learn from History to Enable Mobile...

Dan Lohrmann, Chief Strategist & CSO, Security Mentor