By now, most of the industry has realized that we are seeing a shift from the legacy perimeter-based security model to an identity-centric approach to cybersecurity. If defenders haven’t noticed this, malicious actors have: 80% of web application attacks use stolen credentials, and 40% of breaches that don’t involve insider threats or errors involve stolen credentials, according to sources such as the Verizon 2022 Data Breach Investigations Report.
Compromised credentials were involved in incidents such as the 2021 Colonial Pipeline breach, the 2021 Oldsmar, Florida water treatment plant attack, and a 2022 attack on the South Staffordshire water treatment plant in the UK, illustrating that these incidents may have spilled over from the digital realm to the physical realm, affecting critical infrastructure.
Fortunately, we are seeing the industry pivot towards a zero-trust cybersecurity model, underpinned by an emphasis on identity and data rather than the legacy castle-and-moat approach that preceded it and led to several decades of fragile defenses and massive data breaches. This pivot includes guidance from leading organizations such as the National Security Agency (NSA), which together with the Cybersecurity and Infrastructure Security Agency (CISA) recently published the guidance “Recommended Best Practices for Administrators: Identity and Access Management (IAM)”.
The guide opens by discussing the current threat landscape along with an overview of threat mitigation techniques. The NSA notes that some of the most common techniques used by malicious actors include creating new accounts to maintain persistence, exploiting vulnerabilities to forge authentication claims, exploiting existing users and their access, and exploiting insecure system defaults and configurations. Highlighted sections of the guide are dedicated to identity governance, environmental hardening, identity federation and single sign-on (SSO), multi-factor authentication (MFA), and auditing and monitoring, which we will discuss below.
Identity governance
Identity governance helps organizations centralize and orchestrate activities associated with both user and non-person entities (NPEs), such as service accounts, to align with their organizational policies. These activities cover the entire lifecycle of an account or identity, such as when a person joins, moves, or leaves an organization or team, triggering activities associated with their credentials and associated permissions. This same concept applies to NPEs, such as machine-based identities that need credentials and permissions to perform activities within an architecture.
Determining who has access to what and the risks associated with that access, and then dynamically managing access appropriately, is no easy task. Identity governance enables a centralized approach to ensuring organization-wide policy enforcement, as well as mitigating risks such as identity sprawl and permission creep, where individuals’ accounts are managed correctly but their associated permissions regularly extend beyond what they actually need for their jobs. When this happens and those credentials are compromised or abused, it can wreak havoc on organizations.
By leveraging innovative and emerging technologies, organizations can enable this governance while using capabilities such as condition-based access control and dynamic, least-privilege access control instead of long-lived credentials and standing access. Implementing identity governance can help mitigate attacks such as phishing, insider threats, and malicious actors creating accounts to maintain persistence beyond their initially compromised account. The NSA guidance also recommends using privileged access management (PAM) solutions for advanced features such as just-in-time access control.
Environmental hardening
Identity governance uses hardware, software and digital environments to enable its implementation, and this is where environmental hardening comes into play. The NSA guidance notes that environmental hardening activities such as patching, asset management, and network segmentation, along with other security best practices, are key to mitigating the potential of compromised credentials, as well as to limit the blast radius, should an incident occur.
It is well known that malicious actors regularly attempt to compromise IAM components, so ensuring the security of the environments in which these components operate is a key consideration. This includes performing activities such as creating a comprehensive asset inventory, understanding the connectivity of the assets you have identified, and protecting assets appropriately based on how important they are to a business. You don’t apply the same level of resources and rigor to a publicly available, non-sensitive system as you do to your crown jewel systems, for example.
Identity federation and single sign-on
Knowing that credentials are a key target for malicious actors, using techniques like identity federation and single sign-on can mitigate the potential for identity sprawl, local accounts, and lack of identity governance. This may involve extending SSO between internal systems and also externally to other systems and business partners.
SSO also brings the benefit of reducing cognitive load and user burden by allowing users to use a single set of credentials across all enterprise systems, rather than needing to create and remember different credentials. Failure to implement identity federation and SSO inevitably leads to a proliferation of credentials with disparate local credentials that are generally not maintained or governed and represent ripe targets for bad actors.
SSO is generally facilitated through protocols such as SAML or OpenID Connect (OIDC). These protocols help exchange authentication and authorization data between entities such as identity providers (IdPs) and service providers. It is key for organizations using SSO to understand the protocols involved, as well as how the service providers involved have secured the protocols and the services themselves. The guide provides a logical representation of an example authorization data flow.
Best practices for implementing identity federation and SSO include knowing which systems in your environment are integrated with SSO or using local identities, understanding how your trusted partners can leverage local accounts, and using configuration management solutions to support identification, tracking, and reporting of local account use in an environment while working to get more systems federated and integrated with SSO to reduce local account usage and the associated risks.
Multi-factor authentication
By now, most CISOs should be familiar with MFA. But for those who aren’t, at a high level, MFA requires users to use multiple factors as part of their authentication activities. Think of a username and password plus an SMS text or code sent to an authentication app on your phone. As shown in the NSA guidance, these factors usually take the form of using something you have, know, or are (such as biometrics) as validation tools.
We know that malicious actors look for credentials to carry out their activities, and using MFA significantly reduces the risk of compromising credentials, especially high-security approaches like phishing-resistant MFA.
MFA helps mitigate situations where passwords have been exposed through external system compromises or by unauthorized users who convince victims to share their passwords. Using strong MFA form factors ensures that merely exposing a username and password doesn’t leave an account at risk. The NSA guide ranks the types of MFA from weakest to strongest: SMS or voice, application-based MFA, and phishing-resistant MFA such as PKI-based systems and Fast Identity Online (FIDO) hardware tokens.
IAM audit and monitoring
It is often said that many organizations are already compromised; they just don’t know it yet. This is where activities such as identity and access management auditing and monitoring come into play, with value beyond compliance purposes: they help identify anomalous or malicious activity present in an environment.
IAM auditing can provide insights into how systems are being used or abused, detect problems earlier in their lifecycle, help gather forensic evidence that may be needed later, as well as ensure that privileged users know that their activities are being monitored.
To prepare to implement IAM auditing and monitoring successfully and effectively, organizations must first understand what normal behavior is, familiarize themselves with organization-defined policies and processes, and identify users with access to critical assets so they know which users and activities are the most critical to audit and monitor.
Organizations must also ensure that they have sufficient analytical tools and capabilities to make use of the data and telemetry collected, as well as the tools to aggregate and consolidate it in the first place. Organizations will also want to ensure that they are not collecting noise and irrelevant data that simply distracts from the signals that are of real concern and pose risks to the organization.
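As an added example (not code from the NSA/CISA guide or this article), the following audit pass over constructed IAM telemetry flags the patterns the governance and auditing sections describe: permission creep after a team move, logins without MFA or with a weak factor (per the guide's SMS/app/phishing-resistant ranking), local logins outside SSO, and account creation outside the sanctioned provisioning workflow, the persistence technique noted earlier. The role baselines, users, event format and the `iam-provisioning` identity are all assumptions made up for the example.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "severity actor reason")

# Constructed sample data, not real telemetry or the guide's own examples.
ROLE_BASELINE = {  # permissions each role actually needs for the job
    "analyst": {"read:tickets", "read:logs"},
    "engineer": {"read:tickets", "read:logs", "deploy:staging"},
}
USERS = {  # user -> (current role, permissions actually granted)
    "alice": ("engineer", {"read:tickets", "read:logs", "deploy:staging"}),
    # bob moved from engineer to analyst but kept his old grants (permission creep)
    "bob": ("analyst", {"read:tickets", "read:logs", "deploy:staging", "deploy:prod"}),
}
APPROVED_PROVISIONERS = {"iam-provisioning"}  # assumed: only this identity may create accounts
# Constructed audit log: (timestamp, actor, action, key=value details)
EVENTS = [
    ("2023-03-01T08:00:00Z", "alice", "login", "source=sso mfa=fido2"),
    ("2023-03-01T08:05:00Z", "bob", "login", "source=local mfa=none"),
    ("2023-03-01T08:06:00Z", "bob", "create_account", "target=svc-backup2"),
    ("2023-03-01T09:00:00Z", "carol", "login", "source=sso mfa=sms"),
]
WEAK_MFA = {"sms", "voice"}  # weakest tier in the NSA ranking cited above

def permission_creep(users=USERS, baseline=ROLE_BASELINE):
    """Return user -> grants that exceed the current role's baseline."""
    creep = {}
    for user, (role, granted) in users.items():
        extra = granted - baseline[role]
        if extra:
            creep[user] = sorted(extra)
    return creep

def audit_events(events=EVENTS, approved=APPROVED_PROVISIONERS):
    """Flag absent/weak MFA, local (non-SSO) logins and unsanctioned account creation."""
    findings = []
    for _ts, actor, action, detail in events:
        kv = dict(item.split("=", 1) for item in detail.split())
        if action == "login":
            if kv.get("mfa", "none") == "none":
                findings.append(Finding("high", actor, "login without MFA"))
            elif kv["mfa"] in WEAK_MFA:
                findings.append(Finding("medium", actor, f"weak MFA factor: {kv['mfa']}"))
            if kv.get("source") == "local":
                findings.append(Finding("medium", actor, "local account login outside SSO"))
        elif action == "create_account" and actor not in approved:
            # a new account outside the provisioning workflow is a persistence indicator
            findings.append(Finding("high", actor, f"created account {kv['target']} outside governance"))
    return findings

if __name__ == "__main__":
    print(permission_creep())
    for finding in audit_events():
        print(finding)
```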
The NSA Checklist
For organizations looking to implement identity and access management (IAM) protocols recommended by the NSA, the agency provides an appendix to the guidance that provides a detailed checklist for each of the areas covered throughout this article. This provides a quick list approach to enable organizations to address the key and most pressing activities in securing their IAM systems and processes.
Copyright © 2023 IDG Communications, Inc.
As the world of cloud-based data and network security becomes increasingly complex, IAM (Identity and Access Management) best practices are key to protecting the valuable information from unauthorized access. The United States National Security Agency (NSA) recently conducted research to assess the effectiveness of existing IAM capabilities and develop recommendations for administrators to improve their security. Their comprehensive security posture report revealed that the most effective means of defense is the implementation of zero-trust strategies. So what does this mean for administrators?
Zero-trust architecture (ZTA) is a security strategy that assumes organizations’ networks and resources may already be compromised and that users, networks and other assets should be trusted only to the extent that they can be objectively verified. This means that the traditional model of “trust but verify” is replaced with “verify then trust.” To make this strategy effective, the NSA recommends that organizations start by identifying any organizational assets, both in the cloud and on-premises, that need protection. Administrators can then implement authentication methods such as RSA SecurID and biometric verification for users when attempting to access these assets.
Frequently accessing cloud-based resources, especially from remote locations, can be a major challenge for administrators today. That is why it is important to implement enterprise-wide IAM initiatives that enable secure authentication, authorization and auditing of user activity across all resources. At Ikaroa, we provide a comprehensive suite of cloud-based IAM solutions designed to meet the needs of organizations of all sizes. Our expert team of security professionals can help administrators formulate best practices for implementing zero-trust architecture to protect valuable assets.
In conclusion, the only way to ensure the highest levels of security is to embrace zero-trust principles. By implementing the NSA’s recommended IAM best practices, administrators can protect organizational assets and ensure users are accessing authorized resources securely. Ikaroa is committed to helping administrators of all sizes implement the right IAM solutions to guard their data, networks and resources.