As cybercrime grows more aggressive and confrontational, security should be a top priority. Identity and Access Management (IAM) is crucial in developing cybersecurity strategies and serves as a tool for mitigating risks, such as spear phishing using ML to trick employees.
New technology shapes both the security challenges and the solutions, and as businesses keep up with technological development, new threats constantly emerge. Employees expect company systems and data to be available wherever they are, with quick and easy access on every device.
From multi-factor authentication to role-based access control, IAM solutions protect sensitive information by ensuring that the right people have the right access at the right time and for the right reasons.
– The foundation of IT security is to protect business processes and maintain confidentiality, integrity and accessibility throughout all systems and data sources. In the era of the distributed workforce, IAM has become a cornerstone technology, says Consulting Manager at Columbus, Reidar Boldevin.
Used correctly, IAM gives new employees fast and secure access, making the systems and solutions required for their defined roles available from day one. The same applies to partners, who are granted access only to the services and information they need, and only for a specified duration.
From securing the perimeter to the identity
The shift from the office as the primary workplace to widespread remote work has fundamentally changed how employees are secured. The IAM system is moving from securing the perimeter to securing the identity.
– You have two functions in an IAM system, and that is managing authentication (who is signing in), and authorization (who has permissions), says Boldevin.
He offers an analogy: it is like an invitation to a VIP event. You can show your ID to confirm who you are, but you also need to be on the VIP list to get in.
– You can further add Identity Governance and Administration (IGA) management, to make it a bit more advanced, Boldevin explains.
With Identity Governance & Administration (IGA), your business can provide automated access to the right resources at the right time. It reduces manual administration, streamlines your organization’s business processes, and governs and detects access risks. The lifecycle it manages is known as the joiner, mover and leaver processes.
Joiner process: Managing the onboarding of new employees, including creating user accounts and granting initial access rights.
Mover process: Handling changes in an employee's role, department, or responsibilities, which may require adjustments to their access rights. It also includes work on projects that require temporary or permanent access.
– If there are changes in position, old access rights must be removed, while rights for the new role are granted. A common scenario is the accumulation of privileges throughout an employee's tenure with a company. This makes a long-standing employee a very lucrative target, says Boldevin.
Leaver process: Managing the offboarding process, including revoking access rights when an employee leaves the organization.
Depending on the relationship the leaver has with the company, it may be prudent to limit access to the bare minimum throughout the termination period, or even revoke access prior to informing the employee in case of intentional misconduct or gross negligence.
– Controlling the lifecycle of users and automating or controlling access based on business need and risk is an added value provided by an IGA system, says Boldevin.
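The joiner, mover and leaver processes above can be expressed as a single reconciliation step: compute the entitlements a user's current roles justify, grant what is missing and revoke what is no longer justified. The following is an added illustration, not Columbus' or any IGA product's code; the role model and the employee are constructed sample data.

```python
# Added example (not Columbus' code): a minimal joiner/mover/leaver
# reconciliation. The role-to-entitlement model is constructed sample
# data; a real IGA system would source roles from HR and entitlements
# from the target systems.
from dataclasses import dataclass, field

# Hypothetical role model: each role maps to the entitlements it needs.
ROLE_ENTITLEMENTS = {
    "sales": {"crm:read", "crm:write", "mail"},
    "finance": {"erp:ledger", "erp:payments", "mail"},
    "contractor": {"mail"},
}

@dataclass
class Identity:
    user: str
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)   # what is actually provisioned
    active: bool = True

def desired_entitlements(roles):
    """Union of the entitlements granted by the user's current roles."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))

def reconcile(identity):
    """Bring actual access in line with the role model.
    A leaver keeps nothing; a mover loses the old role's rights, which is
    what prevents privilege accumulation over a long tenure."""
    target = desired_entitlements(identity.roles) if identity.active else set()
    grant = target - identity.entitlements
    revoke = identity.entitlements - target
    identity.entitlements = target
    return grant, revoke

def joiner(identity, role):
    identity.roles = {role}
    return reconcile(identity)

def mover(identity, new_role):
    identity.roles = {new_role}          # the old role is replaced, not added
    return reconcile(identity)

def leaver(identity):
    identity.active = False
    identity.roles = set()
    return reconcile(identity)

def excess_privileges(identity):
    """Entitlements no current role justifies: the drift a periodic review catches."""
    return identity.entitlements - desired_entitlements(identity.roles)
```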
Targeting specific roles
Phishing and spear phishing are the most common attacks, says Boldevin, and elaborates:
– Spear phishing targets a specific individual, such as a company's CFO. The difference between the two is that regular phishing can involve sending out hundreds of emails to numerous employees, hoping that some will take the bait. It is like fishing with a net. In contrast, spear phishing requires research. Who is this person? Who is in their circle? What can I write to make the content trustworthy? Although it requires more work, spear phishing is more credible and has a greater chance of success.
AI can be an additional threat.
– If you have gained access to someone’s email address, you can extract a hundred emails sent from that person and feed them into a machine learning model. It will then learn how that person phrases things, and which expressions and words they typically use, says Boldevin.
The result is that the machine learning model constructs an email to look like this exact person wrote it, down to punctuation and sentence length.
Security add-ons to IAM systems operate in the background to build risk models for users and sign-ins. By automatically mapping how each employee normally works, they make it possible to detect and respond to deviations from that pattern.
– Let's say you are based at the office in Oslo, and suddenly, a login attempt from a different city appears. With Microsoft's Identity Protection, the system looks at where you usually work, which systems you use, and when you typically work. And if there is a significant deviation from that, it flags it as a risk that may require you to approve multifactor authentication, says Boldevin.
Conditional access can also be configured, so that you can define locations or conditions from which sign-ins are not permitted at all.
– If someone tries to log in from another city, you will get a notification on your phone. You must confirm it using the Microsoft Authenticator app. If you are not trying to log in at that moment, you might wonder what is happening. Then, a number appears on the screen, and you must enter it into the Authenticator app. This is called number matching. The hacker cannot see the number, so they cannot confirm unless they know the correct number.
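The risk evaluation described above, learning where and when a user normally signs in and stepping up to MFA on a deviation, can be sketched in a few lines. This is an added toy model, not Microsoft Identity Protection's or Columbus' code; the sign-in history and the blocked-location policy are constructed sample data, and the "require_mfa" decision is the point at which a number-matching prompt would be sent.

```python
# Added example (not Microsoft's or Columbus' code): a toy sign-in risk
# model. Real products combine many more signals (IP reputation, device
# state, application, impossible travel); this one uses city and hour.
from collections import defaultdict
from datetime import datetime

# Constructed sign-in history: "<timestamp> <user> <city>".
HISTORY = """
2024-05-06T08:55:00 alice Oslo
2024-05-06T17:10:00 alice Oslo
2024-05-07T09:02:00 alice Oslo
2024-05-08T08:47:00 alice Bergen
2024-05-08T16:30:00 alice Oslo
""".strip().splitlines()

# Hypothetical conditional access policy: sign-ins from these locations are denied.
BLOCKED_LOCATIONS = {"Unknown"}

def parse(line):
    ts, user, city = line.split()
    return datetime.fromisoformat(ts), user, city

def build_baseline(lines):
    """Per user: the cities seen and the hours at which sign-ins occurred."""
    baseline = defaultdict(lambda: {"cities": set(), "hours": set()})
    for line in lines:
        ts, user, city = parse(line)
        baseline[user]["cities"].add(city)
        baseline[user]["hours"].add(ts.hour)
    return baseline

def evaluate(baseline, line):
    """Return (decision, reasons) for a new sign-in.
    Policy-blocked locations are denied outright; any deviation from the
    learned pattern raises the risk and triggers a step-up to MFA."""
    ts, user, city = parse(line)
    if city in BLOCKED_LOCATIONS:
        return "block", ["location denied by conditional access policy"]
    profile = baseline.get(user)
    if profile is None:
        return "require_mfa", ["no baseline for user"]
    reasons = []
    if city not in profile["cities"]:
        reasons.append(f"unfamiliar location {city}")
    if not any(abs(ts.hour - h) <= 1 for h in profile["hours"]):
        reasons.append(f"unusual hour {ts.hour:02d}:00")
    return ("require_mfa" if reasons else "allow"), reasons
```

A production rule set would decay old observations and weight signals rather than treating every deviation equally, but the shape of the decision (allow, step up, or block) is the same.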
Consulting Manager at Columbus, Reidar Boldevin, highlights the importance of IAM. Photo: Columbus.
As a security partner, Columbus helps organizations realize the benefits of robust IAM solutions. With Microsoft Identity Protection and our assessments, we assist organizations in detecting, investigating and remediating identity-based risks.
– The key benefit for businesses is that IAM enhances security, efficiency, compliance, and user experience, says Boldevin.
Start with an assessment
The best way to raise your security level is to start with an assessment. Columbus’ assessment was originally developed for Microsoft Active Directory, but the methodology works well for any system.
Interviews and data collection cover, but are not limited to, the following Zero Trust and NIS2 areas:
- Identity Management System
- Identity and Access Management
- User Provisioning and Authentication
- Strong Authentication
- Credentials and Authentication
- Trust Determination
- Access to Resources and Least Privilege
- Secure Administration and Adaptive Access Control
The assessment delivers:
- A high-level executive presentation of the results and recommendations
- Detailed documentation of the findings with technical explanation, including a tailored discussion of your current implementations and where they deviate from best practices
- A clear remediation plan, accompanied by heatmaps for each area of the IAM implementation, that emphasizes both quick wins and strategic initiatives