Identity and Access Management (IAM) comprises the policies, procedures and technologies that enable an organisation to manage its digital identities. Digital identities are an integral component of an organisation’s cybersecurity framework and are often the first thing threat actors exploit in cyber-attacks. Because a digital identity is used to authenticate people, organisations and systems, ensuring that access is given only to the right resources at the right time, it is critical to test, and where necessary reset, an organisation’s IAM framework so that it stays ahead of current and emerging cyber threats.
Strong IAM capabilities enforce the policies and controls prescribed by industry frameworks such as ISO 27001 and the Essential Eight. Embedding the IAM best-practice principles of ‘need to know’ and ‘least privilege’ can mitigate security incidents caused by malicious attackers or accidental insiders. Governance and administration tooling and privileged access management solutions are the gold standard for maintaining best practice. They significantly reduce IAM-related security risks and improve data confidentiality, integrity and availability by:
- Increasing visibility and auditability of standard and privileged user accounts;
- Reducing human error and promoting productivity improvements through identity lifecycle automation;
- Supporting compliance by enforcing logic and rules prescribed by regulatory obligations; and
- Strengthening authentication and authorisation mechanisms using single sign-on and multi-factor authentication.
Although these security applications support the functionality and procedures of IAM, several challenges should be addressed in every IAM uplift project, including:
- Difficulties in screening and approving user access requests, and requests that bypass the formal vetting process;
- Conducting reconciliation activities in an environment with several authoritative identity repositories; and
- A lack of policies and procedures that fully utilise IAM solution capabilities, such as automated deprovisioning, access review cadences, and role- or rule-based access.
Steps to improve your IAM security posture
There are several tactical, low-cost steps an organisation can take to commence its IAM uplift journey. These include:
- Containing root or administrator user accounts by creating separate user accounts for administrative tasks and disabling or deleting credentials associated with the root account.
- Enabling multi-factor authentication on all user accounts (especially privileged accounts) to add an additional layer of security, preventing unauthorised access using stolen or cracked user credentials.
- Provisioning accounts with only the permissions required for their job function, and utilising security groups to provision access to shared information assets and repositories.
- Configuring privileged account monitoring, or behavioural analysis of account activity, to enhance visibility of usage and mitigate potential misuse or execution of unauthorised actions.
- Vaulting, rotating and managing secrets for privileged accounts, especially those used for system services.
- Establishing routine access review cycles to revoke permissions accumulated over time and deactivate dormant and orphaned user accounts.
- Reviewing and assessing organisational information security policies, procedures and the quality of controls on a regular basis to ensure they align to the business as it adapts over time.
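As an added example (not from the original article), the script below runs several of the hygiene checks listed above over a constructed account inventory: root accounts with live credentials, accounts without MFA, orphaned accounts whose owner has left, dormant accounts, and service-account secrets overdue for rotation. The thresholds, names, staff ids and dates are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumed review thresholds; the article names no numbers, so these are placeholders.
DORMANT_AFTER = timedelta(days=90)
ROTATE_SECRETS_AFTER = timedelta(days=180)

@dataclass
class Account:
    name: str
    owner: Optional[str]          # staff id of the human owner; None for root/service accounts
    privileged: bool
    mfa_enabled: bool
    is_root: bool = False
    service: bool = False         # non-interactive account used by a system service
    credentials_active: bool = True
    last_login: Optional[date] = None
    secret_rotated: Optional[date] = None

def review(accounts: List[Account], active_staff: Set[str], today: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs; one account may raise several findings."""
    findings = []
    for a in accounts:
        if a.is_root and a.credentials_active:
            findings.append((a.name, "root account still has active credentials"))
        if not a.service and not a.mfa_enabled:
            findings.append((a.name, ("privileged " if a.privileged else "") + "account without MFA"))
        if a.owner is not None and a.owner not in active_staff:
            findings.append((a.name, "orphaned: owner is no longer active staff"))
        if a.owner is not None and (a.last_login is None or today - a.last_login > DORMANT_AFTER):
            findings.append((a.name, "dormant: no login within the review window"))
        if a.service and (a.secret_rotated is None or today - a.secret_rotated > ROTATE_SECRETS_AFTER):
            findings.append((a.name, "service account secret overdue for rotation"))
    return findings

# Constructed sample inventory (names, ids and dates are made up).
TODAY = date(2024, 6, 30)
ACTIVE_STAFF = {"e100", "e101"}
INVENTORY = [
    Account("root", None, True, False, is_root=True),
    Account("alice.admin", "e100", True, True, last_login=date(2024, 6, 28)),
    Account("bob", "e102", False, True, last_login=date(2024, 1, 5)),       # e102 has left
    Account("svc-backup", None, True, False, service=True, secret_rotated=date(2023, 9, 1)),
    Account("carol", "e101", False, False, last_login=date(2024, 6, 29)),
]

if __name__ == "__main__":
    for name, finding in review(INVENTORY, ACTIVE_STAFF, TODAY):
        print(f"{name}: {finding}")
```

In practice the inventory would be exported from the directory or cloud IAM service and the staff set from the HR system, which is the reconciliation step the article describes.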
Taking stock of your business’s current IAM posture and embedding simple hygiene practices can mitigate access control issues, streamline operational workflows and protect against sophisticated cyber-attacks and insider threats.