Robust cloud IAM should align to zero-trust principles | JP
In today’s digital landscape, the traditional security perimeter has dissolved, making identity the new frontline of defence. As organisations increasingly adopt cloud services and remote work models, managing and securing identities has become paramount. Effective identity and access management (IAM) practices are essential for IT departments to safeguard against cyber-attacks, phishing attempts, and ransomware threats. By implementing robust IAM strategies, organisations can ensure that only authorised individuals have access to critical resources, thereby mitigating potential security risks. Let’s dive into the most important things to focus on, all of which are aligned to core zero-trust principles.
Verify explicitly
One of the main drivers fuelling the ongoing adoption of cloud technology is the unparalleled ease of access to resources from anywhere, from any device, at any time of day. In practical terms though, it would be short-sighted to allow this level of unchallenged access without verifying that the access requests are being made by the correct person. After all, we still live in an age where usernames and passwords are often written down near the devices they’re used on. IT security teams should have sturdy mechanisms in place to explicitly verify these access requests so that there can be confidence assigned with allowing access, especially from unrecognised network locations.
Some examples of how this could look in practice would be by using strong multi-factor authentication (MFA) methods to secure requests. Strong methods include approving an access request via a notification in your chosen authenticator app on a smart device (already using biometrics to be unlocked) or by using a number matching prompt so that the requestor must manually enter the correct ‘answer’ in their app before access is granted. These methods help skirt some of the growing techniques attackers are using to try and get around MFA prompts: namely, sim-swapping and MFA fatigue. The emergence of these MFA-focused attack techniques demonstrate that attackers will always try to stay one step ahead of emerging security features.
MFA isn’t the be-all-and-end-all when it comes to identity security though. It’s merely the first hurdle that security teams must place between an attacker and their goal of compromising an environment. The more hurdles that are in place, the more likely an attacker will give up and move to an easier target. MFA will deter most attackers, but not all.
User and entity behavioural analytics (UEBA) is another modern technique that can provide an additional layer of security. Regardless of whether an attacker has managed to get by the MFA hurdle they’ve encountered, UEBA consistently monitors the different metrics that are generated when a user interacts with the cloud platform. Any deviations from what’s considered normal for that user are assigned a risk score, and if enough anomalies are caught, it can force the user into a password reset experience, or even lock the account altogether until the security team is satisfied that the account hasn’t been compromised.
These techniques demonstrate a small piece of what can be done to bolster the IAM platform to be more resilient to identity-focused attacks. Where this will inevitably move to in the future will be in protecting against the use of AI-generated deepfakes.
AI technology is also becoming more accessible to everyone – this includes bad actors too! Using features in Microsoft Entra like Verified ID, including having to perform real-time biomimetic scans to prove authenticity, will be commonplace soon, ensuring that when someone gets that call from the CFO at the end of a Friday afternoon to approve huge invoices for payment, they can have confidence they’re speaking with their CFO, and not an AI generated video call.
Use least-privilege access principles
As organisations grow and evolve, so do the permissions and privileges that are provisioned to make the technology work. Over time, identities can accumulate huge amounts of different al-la-carte permissions to perform very specific tasks. If these permissions aren’t right-sized regularly, it can mean that some identities can carry huge amounts of power over the IT environment. Let’s cover some concepts that help mitigate this risk.
Role based access control (RBAC) is a way to consistently provision pre-mapped permissions and privileges to suit a specific role or task. These pre-defined roles make it easy to provision the correct amount of rights for the task at hand. Cloud platforms such as Microsoft 365 and Azure come with many roles out of the box, but also allow for custom roles to suit the needs of any organisation. It’s recommended to use RBAC roles as much as possible, and this goes doubly so for when implementing the next technique.
Just-in-time (JIT) access takes RBAC a step further. Instead of having identities stacked with elevated permissions and privileges 24 hours a day, JIT access grants elevated rights on a temporary basis. Microsoft Privileged Identity Management is an example of a JIT tool, and allows appropriate identities to temporarily upgrade their permissions to a predetermined RBAC role, and can include additional checks and balances like approvals, forcing an MFA approval, email notifications or customisation options for how long individuals can get access to a certain permissions. Ultimately, this means that if those accounts with access to higher privileges are compromised, it doesn’t necessarily mean that the bad actor will be able to exploit those permissions.
In addition to using modern IAM techniques and technologies to keep rights and permissions right-sized, it’s also important to ensure that there are processes in place to ensure good identity hygiene practices. This can come in many forms, but if focusing on Microsoft Entra solutions, we can highlight two specific tools that can help make these processes work smoother than a manual effort. Firstly, access reviews can be used to periodically check identities in an environment and provide an indication of who has been using their elevated rights or not. This leaves service owners empowered to make decisions about who should be left in permission groups or not. This is also a fantastic way of auditing external collaborators who have been invited into your tenant via Entra B2B.
Access packages are another way of keeping permission enablement standardised. Applications, groups, cloud services and more, can be grouped into a single package, for example, ‘Entry-level Accounting’ may be a package created that grants access to payroll software, viewer access to multiple SharePoint sites and a Microsoft Team. Once that person is removed from the access package, for example, if they were to move departments, or get promoted, removing them from this single access package will remove all associated access to the bundle of services. This means that stagnant permissions are less likely to accumulate on a given identity.
Assume breach
Even with all the best security tools available, organisations are never 100% immune from attacks. Facing this reality is a key part of a successful security strategy. It’s important to always assume a breach is possible and to increase your resilience so that responding to attacks isn’t a daunting experience. A couple of concepts can be introduced to help out here.
Firstly, the idea of continuous authentication is important to embrace. Instead of adopting the mindset of “User X has successfully performed an MFA request therefore I’ll grant all the access they’ve asked for”, seems to complement some of the concepts already covered in this article, but as highlighted earlier, attackers are always going to try to get one step ahead of security tooling, and so it’s vital that limits are put on access, even if the user seems to be doing everything correctly. Nothing does this better than altering the sign-in frequency that users will be subjected to, especially if access content from outside of the organisation network boundary. Note though, there is an important balance to be struck between enforcing sound security practices and impacting the user experience so the point of frustration.
Adaptive access controls can also be utilised to galvanise decision-making on access requests. For example, if User X is logging on from their registered device, within the organisational network boundary, to a SaaS platform they use every day – that poses minimal risk. Access should be granted in most instances here. However, take User Y who is logging on from an external IP address that’s a recognised anonymous VPN platform, on an unregistered device, looking to download massive amounts of information from SharePoint. This could be a legitimate request, but it also could be signs of identity compromise, and real-time adaptive controls such as the Sign-in or Risk policies in Entra ID Protection can help to keep resources better protected in these scenarios.
In summary, implementing a zero-trust security model with a focus on IAM is essential for combating cyber attacks, phishing, and ransomware. By adopting principles such as verify explicitly, least privilege and assume breach, organisations can significantly reduce the risk of unauthorised access and lateral movement within their networks. Technologies like MFA, JIT access and UEBA play a crucial role in enforcing these principles. Additionally, continuous monitoring, identity analytics, and deception technologies help detect and respond to potential breaches swiftly, ensuring a robust and resilient security posture.
Ricky Simpson is US solutions director at Quorum Cyber, a Scotland-based cyber security services provider. He headed Stateside in early 2023 having spent several years working in cloud, security and compliance roles at Microsoft’s Edinburgh home. He holds a BSc in computer science from Robert Gordon University in Aberdeen.