To understand the importance of access management in defending your company, it’s first useful to think about the cyber-attack chain.
There are subtle variations of this, but in essence, common steps are:
- Reconnaissance – An attacker can start with non-technical reconnaissance by researching publicly available resources such as social media and public websites before shifting to technical reconnaissance – gathering information about software being used on publicly accessible services and how those services are connected.
- Initial compromise – The hacker can choose to attack through the organisation’s technology, a trusted third party, or its people. Once the attacker gains initial access to an organisation they may choose to continue the attack, or they may choose to cash out at this stage by selling the access they’ve gained to another attacker who has been looking for a way into the target. There is a whole market for buying and selling this access on the dark web, facilitated by so-called “initial access” brokers.
- Persistence – Establishing persistent access often follows, which helps the attacker ensure they can get back into the same device more easily next time around.
- Discovery and movement – if an attacker compromises a device, then all they’ll initially have access to is what is on that device. If they compromise a user’s credentials, then they will initially only be able to access the same information as their victim.
Discovery and movement is all in aid of understanding the target they’ve compromised and figuring out where they want to go next. The ultimate goal is often getting credentials that will provide access to something really powerful, such as a large database of sensitive information.
- Goal fulfilment – Once an attacker has access to a large part of the network, including some critical services, they can set about accomplishing their goal – whether that’s spreading malware, stealing information or causing damage.
Identity and access management is a combination of policies, processes and technologies that work to ensure it’s only the right people and devices that have access to the right applications, systems and information at the right time.
Managing access has two parts: Authentication and Authorisation.
- Authenticating the user is about ensuring they are who they claim to be and that they can be trusted. An identity is most commonly verified through what are called authentication factors. These are “something you know” – such as a password; “something you have” – such as a one-time verification code; or “something you are” – such as a biometric identifier like a fingerprint.
The role of authentication in defence is to make the initial compromise (step 2 above) harder for an attacker, because users are properly checked before they are granted permission to access a network.
Questions to ponder:
- How does your organisation authenticate users?
- Do you have Multi-Factor Authentication (MFA) in place, and on what services?
- How frequently, and in response to what prompts, is a user required to re-authenticate?
- Are any third parties you do business with authenticated where they connect to your data?
- Authorising what a user can access and do (such as downloading a file, or granting other users access to an application) is about making sure that even if a specific user’s account is compromised (meaning an attacker has got around the authentication step), the attacker is limited in step 4 of the cyber-attack chain, because they are confined to what the compromised account can access. In theory this makes it much harder for the attacker to progress to step 5.
Questions to ponder:
- How are user permissions restricted in your organisation?
- Are you capturing and recording what users do once they are authenticated, and how are any anomalies monitored?
- How frequently do you check that users’ access levels are appropriate and not beyond what they need to perform their roles?
- What does your process look like for removing access when users change roles or leave the organisation?
How identity and access management (IAM) is done
IAM can be quite complex. How you tackle it will largely depend on the size of your organisation, your organisation’s identity needs (for example, if you need to authenticate not just your employees but also your customers and partners), your budget and what technologies you are using.
If their needs are simple, many businesses will use their cloud providers’ services to manage access for employees and partners; if their needs are more complex, they will work with a separate identity service provider that adds layers onto existing solutions to manage identities, provide secure logins, and prevent unauthorised access to back-end development tools such as APIs.
Common IAM tools to be aware of
- Multi-factor authentication: This raises the bar for an attacker by requiring a user to provide a combination of factors before they are authenticated.
- Single sign-on: This allows a user to authenticate to multiple applications and services across an organisation using one set of credentials.
- Lifecycle management: This automates provisioning and access management by assigning users to a specific group with a set of base-level permissions, which gives a central view of what members of that group can access. Group membership is then validated on a regular basis to ensure each user is still in the correct group, with the permissions they need to do their job but nothing more.
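The authorisation point made earlier (a compromised account should only reach what that account legitimately needs) and the lifecycle-management bullet above both come down to the same two routines: an authorisation check against group baselines, and a periodic review that finds access which has drifted beyond them. The example below is added here and is not code from the original article or from any particular IAM product; the group names, permission strings and user records are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed group model: each group carries the base-level permissions its
# members need and nothing more. A permission is written "action:resource".
GROUP_PERMISSIONS: Dict[str, Set[str]] = {
    "finance":     {"read:ledger", "write:ledger", "read:payroll"},
    "engineering": {"read:repo", "write:repo", "read:ci-logs"},
    "support":     {"read:tickets", "write:tickets"},
}


@dataclass
class User:
    name: str
    groups: Set[str]
    active: bool = True
    # Grants made directly to the user, outside any group: the usual source of
    # privilege creep when someone changes role.
    direct_grants: Set[str] = field(default_factory=set)


def effective_permissions(user: User) -> Set[str]:
    """Everything the user actually holds: group baselines plus direct grants."""
    perms: Set[str] = set()
    for g in user.groups:
        perms |= GROUP_PERMISSIONS.get(g, set())
    return perms | user.direct_grants


def is_authorised(user: User, action: str, resource: str) -> bool:
    """Authorisation check. A disabled account never passes, whatever it holds."""
    if not user.active:
        return False
    return f"{action}:{resource}" in effective_permissions(user)


def access_review(users: List[User]) -> List[Tuple[str, str, str]]:
    """Periodic validation step. Returns (user, finding, detail) triples for:
    leavers who still hold access, membership of a group with no defined
    baseline, and direct grants beyond what the user's groups provide."""
    findings: List[Tuple[str, str, str]] = []
    for u in users:
        if not u.active and (u.groups or u.direct_grants):
            held = ",".join(sorted(u.groups | u.direct_grants))
            findings.append((u.name, "leaver-retains-access", held))
            continue
        for g in sorted(u.groups):
            if g not in GROUP_PERMISSIONS:
                findings.append((u.name, "unknown-group", g))
        baseline = set().union(*(GROUP_PERMISSIONS.get(g, set()) for g in u.groups))
        for p in sorted(u.direct_grants - baseline):
            findings.append((u.name, "beyond-group-baseline", p))
    return findings


# Constructed sample population.
SAMPLE_USERS: List[User] = [
    User("alice", {"finance"}),
    User("bob", {"engineering"}, direct_grants={"read:payroll"}),  # moved from finance, kept a grant
    User("carol", {"support"}, active=False),                      # left, but never offboarded
    User("dave", {"contractors"}),                                 # group with no defined baseline
]

if __name__ == "__main__":
    print("alice read ledger:", is_authorised(SAMPLE_USERS[0], "read", "ledger"))
    print("alice read repo:  ", is_authorised(SAMPLE_USERS[0], "read", "repo"))
    for name, finding, detail in access_review(SAMPLE_USERS):
        print(f"REVIEW {name}: {finding} ({detail})")
```

Note that the authorisation check alone would happily let bob read payroll: the grant is valid, it is just no longer appropriate. Only the review step surfaces it, which is why the “how frequently are you checking” question above matters as much as the permission model itself.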
Where to start?
You will already be practising some form of identity and access management in your business, whether you are aware of it or not. A good place to begin is looking at the “Questions to ponder” above and then thinking about the way your organisation does things from an attacker’s perspective.
If you were an attacker, how would you break into your organisation and then get to the valuable access or information? This helps put you in the right frame of mind to assess whether you have the right defences, or whether you need to invest in additional process or technology improvements.