InfoSec Advisory By Del Aden
Today, April 13, 2021, is Identity Management Day! Identity Management Day, held on the second Tuesday of April, is a day of awareness to educate business leaders, IT decision makers, and the general public about the importance of managing and securing digital identities. Identity Management Day aims to inform us about the dangers of casually or improperly managing and securing digital identities by raising awareness, sharing best practices, and leveraging the support of vendors in the identity security space. There are many ways to participate as a consumer, a practitioner or an organization.
Identity Management & Access Control Models
The word “identity” has many meanings—it can be the way that we perceive or define ourselves, a physical identifier like a driver’s license or passport, or it can be something you may not even think much about.
In a world defined by our use of technology, how we are identified digitally is important.
Our digital identities and the credentials that protect them define how we work, interact with each other, access technology, execute transactions, and so much more.
For organizations, Identity and Access Management (IAM) “is the discipline that enables the right individuals to access the right resources at the right times for the right reasons,” according to Gartner. Consequently, weak or improper identity management increases risk.
The vast majority of data breaches making headlines are the result of poor identity management.
Twitter, Marriott, Nintendo…the list goes on. These breaches often leverage weak identity management, such as weak or previously compromised passwords, not using multi-factor authentication and single sign-on, or leaving standing privileges open.
For consumers, identity management is the discipline of protecting our personal digital identities as we communicate, shop, and transact our daily lives online. For individuals, poor password hygiene and careless online behaviour can lead to compromised accounts or identity theft.
These incidents occur when we use weak passwords, fail to enable two-factor authentication, or carelessly click on malicious links.
Access control models come in five flavours: Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Discretionary Access Control (DAC), Rule-Based Access Control (RB-RBAC), and Attribute-Based Access Control (ABAC).
Identity Management Service Components
Single sign-on (SSO)
An IAM system can also be used to deploy single sign-on (SSO) technologies. Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials – for example, a name and password – to access multiple applications.
SSO can be used by enterprises, smaller organizations and individuals to ease the management of various usernames and passwords. This can significantly decrease the number of passwords users need. SSO incorporates a federated-identity approach by using a single login and password to create an authentication token, which can then be accepted by various enterprise systems and applications.
Multifactor authentication (MFA)
A password alone does not provide the strongest security. Multifactor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.
Multifactor authentication combines two or more independent credentials: (1) what the user knows, e.g. a password; (2) what the user has, e.g. a security token; and (3) what the user is, e.g. biometric verification.
Challenge-response authentication mechanism (CRAM)
In its simplest form, challenge-response authentication is composed of two basic components: a question and a response. The goal of the question, or challenge, is to require a response that only authorized users will know. CRAM can be static, for example your mother’s maiden name.
It can also be dynamic: for example, some financial institutions provide their account holders with a small security token that constantly generates response codes. Another example of CRAM is the use of a One-Time Passcode (OTP).
Privileged Access management (PAM)
In an enterprise environment, “privileged access” is a term used to designate special access or abilities above and beyond that of a standard user. Privileged access allows organizations to secure their infrastructure and applications, run business efficiently and maintain the confidentiality of sensitive data and critical infrastructure.
Privileged access can be associated with human users as well as non-human users such as applications and machine identities. Examples of privileged access used by humans include: super user account, domain administrative account, local administrative account, Secure Shell (SSH) key, emergency account, and privileged business user. Examples of non-human privileged access include: application account, service account, SSH key, secret account, etc.
Importance of identity management
Identity management is an important part of the enterprise security plan, as it is linked to both the security and productivity of the organization. In many organizations, users are granted more access privileges than they need to perform their functions.
Attackers can take advantage of compromised user credentials to gain access to organizations’ network and data. Using identity management, organizations can safeguard their corporate assets against many threats including hacking, ransomware, phishing and other malware attacks.
In this regard, identity management systems add an additional layer of protection by ensuring user access policies and rules are applied consistently across an organisation.
An identity and access management (IAM) system provides a framework with the policies and technology needed to support the management of identities. Many of today’s IAM systems use federated identity, which allows a single digital identity to be authenticated and stored across multiple different systems.
Identity-related breaches are making headlines almost every day, leading to expensive clean-up costs and reputational damage. Below are some of the statistics with regards to Identity Management:
- 79% of organizations have experienced an identity-related security breach in the last two years, and 99% believe their identity-related breaches were preventable.
- 81% of hacking-related breaches leverage weak, stolen, or otherwise compromised credentials.
- 74% of data breaches involve access to a privileged account.
- 73% of users use the same password for multiple sites, and 33% of people use the same password every time.
- 81% of IT security professionals said the number of identities in their organizations has at least doubled over the past decade.
Today, nearly 100 percent of advanced attacks rely on the exploitation of privileged credentials to reach a target’s most sensitive data, applications and infrastructure. If abused, privileged access has the power to disrupt business. As such, organizations MUST implement privileged access management (PAM) solutions such as CyberArk to protect against the threats posed by credential theft and privilege misuse. PAM refers to a comprehensive cybersecurity strategy – comprising people, processes and technology – to control, monitor, secure and audit all human and non-human privileged identities and activities across an enterprise IT environment. To ensure your PAM deployment is effective, consider the following best practices:
- Employ temporary privilege escalation
- Keep track of assets and privileges
- Deploy attribute-based access control (ABAC)
- Monitor assignment of privileges versus usage
- Deploy zero trust, everywhere
- Record and audit
- Monitor and alert
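As an added illustration of three of the practices above (temporary privilege escalation, keeping track of privileges, and comparing assigned privileges against actual usage), the following example is not from the article or any PAM product. It compares a constructed list of privilege grants with a constructed audit log and flags standing privileges that sit unused, temporary grants used after they expired, and privilege use with no grant on record; the log format, field names and the 30-day dormancy window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumed format, not from the article).
# "expires" is None for a standing privilege, an ISO timestamp for a temporary one.
ASSIGNMENTS = [
    {"user": "alice", "privilege": "domain_admin", "expires": None},
    {"user": "svc-backup", "privilege": "ssh_key_prod", "expires": None},
    {"user": "bob", "privilege": "local_admin", "expires": "2021-04-12T16:00:00"},
]
AUDIT_LOG = """\
2021-04-13T09:05:00 user=alice privilege=domain_admin action=reset_password
2021-02-01T02:00:00 user=svc-backup privilege=ssh_key_prod action=login
2021-04-12T15:10:00 user=bob privilege=local_admin action=install_patch
2021-04-12T17:30:00 user=bob privilege=local_admin action=install_patch
2021-04-13T08:45:00 user=dave privilege=db_admin action=dump_table
"""

def parse_line(line):
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def review_privileges(assignments, log_text, now, dormant_days=30):
    """Compare granted privileges with observed use; return sorted (user, privilege, issue) findings."""
    granted = {(a["user"], a["privilege"]): a["expires"] for a in assignments}
    last_used = {}
    findings = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        key = (rec["user"], rec["privilege"])
        if key not in granted:  # activity with no grant on record
            findings.add((*key, "use_without_grant"))
            continue
        expires = granted[key]
        if expires and rec["ts"] > datetime.fromisoformat(expires):
            findings.add((*key, "use_after_expiry"))  # temporary escalation outlived
        last_used[key] = max(last_used.get(key, rec["ts"]), rec["ts"])
    for key, expires in granted.items():
        if expires is None:  # standing privilege: flag if idle for the whole window
            used = last_used.get(key)
            if used is None or now - used > timedelta(days=dormant_days):
                findings.add((*key, "dormant_standing_privilege"))
    return sorted(findings)

def demo_findings():
    """Run the review against the constructed data as of 2021-04-13 12:00."""
    return review_privileges(ASSIGNMENTS, AUDIT_LOG, datetime(2021, 4, 13, 12))
```

Each finding maps to a different PAM action: dormant standing privileges are candidates for removal or conversion to temporary grants, use after expiry means the escalation was not actually revoked, and use without a grant means the inventory of privileges is incomplete.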
This Identity Management Day is a reminder to make identity management and digital identity security a priority, empowering organizations and consumers to reduce the risk of experiencing a data breach and potentially damaging data loss.
Remember that identity management is the practice that enables the right individuals to have appropriate access to the right data, accounts, and networks. It is an important asset for businesses of any size to keep data secure. Consequently, it is your corporate responsibility to “Secure Your Business with Strong Access Controls and Proper Identity Management.”
About the Author
Del Aden is a UK-based InfoSec and Business Continuity Consultant, with a main focus on helping organisations implement digital transformation, defend their digital infrastructure and plan their business continuity strategies. Del is also a freelance writer, international conference speaker and global trainer.