Face the dangers of identity sprawl
- Posted: Wednesday June 23 2021 7:56 AM
Kamel Heus explores the concept of identity sprawl, the risks associated with it, and suggests five best practices organizations can implement to ensure a strong identity consolidation strategy.
The events of the past 18 months have prompted businesses large and small in all industries to hit the fast-forward button on digitization. As a result, securing critical applications and infrastructure has become a much more complicated proposition.
The increased reliance on cloud-hosted applications, workloads, and services means that securing the business’s rapidly evolving hybrid and multicloud architectures in a consistent manner is now a top priority. It is no easy task when human and machine identities multiply, thanks to the growing volume of microservices, workloads and DevOps activity.
Ultimately, securely leveraging the benefits of the cloud and successfully growing cloud ecosystems requires an overhaul of digital identity and access management. This means dealing with the frustrating and risky problem facing growing organizations with diverse systems and platforms: identity sprawl.
The problem of identity sprawl
When a user’s identity is managed by multiple isolated systems or directories that are not in sync with each other, the resulting duplicate identities expand the attack surface that attackers can target.
“Identity sprawl” typically occurs when an application or system is not or cannot be integrated with an organization’s central directory service. This results in the creation of another set of user identities that must be managed separately to support access to this application or system.
The rising administrative overhead and cost of managing all of these fragmented identities is just the starting point of the challenge. Beyond making it much harder to enforce consistent security and compliance policies, sprawling identities also create a risk that users will reuse their passwords across services, leaving the business more vulnerable to credential snooping and replay.
Privileged user accounts in particular are a primary target for external attackers seeking to compromise corporate data and systems. After gaining control of a privileged account, cybercriminals can operate undetected, potentially for months, under the guise of a trusted user. By using this access, they are then free to steal confidential data, corrupt business processes or launch a ransomware attack. Last year, more than 50% of U.S. organizations said they were grappling with the impact of privileged credential theft.
To reduce the risk of misuse by malicious insiders or external threat actors, organizations will need to take a holistic approach to Privileged Access Management (PAM), using identity consolidation and zero trust principles to protect users and business assets.
Here are five best practices that can help underpin and enforce a least-privilege identity strategy, which is key to reducing the business attack surface and preventing breaches.
Consolidate identities
Centralizing all identities in a single identity repository creates a single source of truth that both simplifies the administration of access control, authentication and authorization for all users and groups, and ensures a consistent approach to privilege security.
With the flexibility that today’s complex business environments demand, leading PAM solutions now let organizations use the identity directory that best meets their needs (Active Directory, Okta, Ping, etc.). By connecting UNIX and Linux systems to Active Directory through AD bridging, and by providing the consolidation capabilities for IaaS environments that are critical to cloud transformation, modern PAM solutions offer multi-directory brokering, so that privileged users can be authenticated against whichever user directory the organization has chosen.
In other words, centralizing identity management and reducing identity proliferation is the essential first step that will allow security teams to stay on top of the risks of managing privileged account access in a constantly evolving environment.
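The first step in consolidation is knowing where unlinked identities live. The script below is an added example written for this article (it is not ThycoticCentrify code or any vendor's tooling): it correlates account exports from non-integrated systems against a central directory and reports the accounts that exist only locally, privileged ones first. The directory names, the use of e-mail as the correlation key, and the sample accounts are all constructed assumptions for illustration.

```python
"""Identity-sprawl audit: correlate per-system account stores against a
central directory and report identities that exist only locally.

Added example for this article, not a vendor's code.  All inputs below are
constructed sample data; the system names, the e-mail correlation key and the
matching rules are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    system: str             # where the account lives, e.g. "AD" or "linux:web01"
    name: str               # login name as that system stores it
    email: Optional[str]    # correlation key, if the system records one
    privileged: bool = False


# Constructed sample: the central directory, the intended single source of truth.
CENTRAL_DIRECTORY = [
    Account("AD", "jdoe", "jdoe@example.com"),
    Account("AD", "asmith", "asmith@example.com"),
    Account("AD", "svc-backup", "svc-backup@example.com", privileged=True),
]

# Constructed sample: accounts exported from systems that are not AD-integrated.
LOCAL_STORES = [
    Account("linux:web01", "jdoe", "jdoe@example.com"),           # linked by e-mail
    Account("linux:web01", "root", None, privileged=True),        # shared, unlinked
    Account("linux:db01", "asmith2", None, privileged=True),      # no correlation key
    Account("saas:ticketing", "a.smith", "asmith@example.com"),   # linked by e-mail
    Account("saas:ticketing", "bjones", "bjones@contoso.test"),   # nobody in AD
]


def normalize(value: Optional[str]) -> Optional[str]:
    return value.strip().lower() if value else None


def audit_sprawl(central: List[Account], local: List[Account]) -> Tuple[List[Account], int]:
    """Return (unlinked_accounts, linked_count).

    An account is linked when its e-mail matches a central identity or, failing
    that, when its login name matches exactly.  Everything else is sprawl: an
    identity that must be managed separately and cannot inherit central policy.
    """
    by_email = {normalize(a.email) for a in central if a.email}
    by_name = {normalize(a.name) for a in central}
    unlinked, linked = [], 0
    for acct in local:
        if normalize(acct.email) in by_email or normalize(acct.name) in by_name:
            linked += 1
        else:
            unlinked.append(acct)
    # Privileged unlinked accounts first: they are the highest-value targets.
    unlinked.sort(key=lambda a: (not a.privileged, a.system, a.name))
    return unlinked, linked


def sprawl_report(central: List[Account], local: List[Account]) -> dict:
    unlinked, linked = audit_sprawl(central, local)
    return {
        "linked": linked,
        "unlinked": len(unlinked),
        "unlinked_privileged": sum(a.privileged for a in unlinked),
        "findings": [f"{a.system}:{a.name}" for a in unlinked],
    }


if __name__ == "__main__":
    for key, value in sprawl_report(CENTRAL_DIRECTORY, LOCAL_STORES).items():
        print(f"{key}: {value}")
```

Run against real exports, the `findings` list is the consolidation backlog: each entry is either an account to bridge into the central directory or a shared account (such as the local `root` above) to replace with individually attributable access.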
Bind privileges to identities
Obtaining a unified view of all identities that links all rights, permissions, and privileges to an organization’s preferred directory will further simplify the enforcement of consistent security and compliance policies.
These permissions can allow an individual to perform functions, access data, or administer systems, and should ideally be combined with an authentication method appropriate to the sensitivity or privilege of a user’s access and to the trustworthiness of the devices and locations they work from. Unlike shared accounts, linking each user to a single identity also ties individual accountability to every action.
Federated SSO access
For a seamless user experience, enabling federated single sign-on (SSO) to resources from the preferred directory ensures that employees can simply log in as themselves and always receive the correct permissions. By replacing per-application passwords with signed tokens, federated SSO also gives the business greater control over who has access to what, without disrupting workflows or employee productivity. Users authenticate once and use that authenticated session to reach all of the applications they are authorized to use.
Just in time access
Privileged accounts pose a serious threat to organizations if they fall into the hands of an attacker. By temporarily granting users the additional roles and privileges needed for a task that matches their function, for only as long as it takes to complete the job, organizations can take a least-privilege approach and enforce granular access controls. So while it may be legitimate to allow a web administrator to access the systems running web servers and their management tools, access to the machines that process credit card transactions is not legitimate and remains blocked.
No permanent privilege
Having implemented just-in-time privilege elevation, organizations should ensure that access is revoked once the task is complete. For example, an employee might be able to reach a particular service only during business hours or for a fixed period. Once the session ends, the access rights are revoked, which closes the window of opportunity for an attacker who has compromised that user’s account. With modern PAM solutions, access can easily be granted again when it is next needed.
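The two practices above, time-bounded elevation scoped to a job function and automatic revocation so no privilege stands permanently, are easiest to reason about as a small broker. The following is an added example written for this article, not ThycoticCentrify code or a description of any product's internals. The roles, systems, identities and TTL caps are constructed; a real PAM broker would back the grant table with its vault and session recording.

```python
"""Just-in-time privilege grants with automatic expiry (default deny).

Added example for this article, not a vendor's code.  The role-to-scope policy,
the eligibility table and the identities are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed policy: which systems each job function may touch and the maximum
# grant length.  The web-admin role deliberately excludes the card-processing tier.
ROLE_SCOPE = {
    "web-admin": {"systems": {"web01", "web02", "lb01"}, "max_ttl": 3600},
    "pci-ops":   {"systems": {"pay01", "pay02"},         "max_ttl": 1800},
}

# Constructed directory attribute: roles each identity is *eligible* to request.
# Eligibility is not a standing privilege; nothing is usable until a grant exists.
ELIGIBILITY = {"jdoe": {"web-admin"}, "asmith": {"pci-ops"}}


@dataclass
class Grant:
    user: str
    role: str
    systems: Set[str]
    expires_at: int  # epoch seconds


class JitBroker:
    def __init__(self) -> None:
        self._grants: Dict[str, Grant] = {}

    def request(self, user: str, role: str, ttl: int, now: int, reason: str) -> Optional[Grant]:
        """Grant `role` to `user` for `ttl` seconds, or refuse (return None).

        Refuses when the user is not eligible for the role, when no business
        reason is recorded, or when the requested ttl exceeds the role's cap.
        A new grant replaces any earlier one, so a user never accumulates roles.
        """
        if role not in ELIGIBILITY.get(user, set()) or not reason.strip():
            return None
        scope = ROLE_SCOPE[role]
        if ttl <= 0 or ttl > scope["max_ttl"]:
            return None
        grant = Grant(user, role, set(scope["systems"]), now + ttl)
        self._grants[user] = grant
        return grant

    def expire(self, now: int) -> int:
        """Revoke every grant whose window has closed; return how many were revoked."""
        stale = [u for u, g in self._grants.items() if g.expires_at <= now]
        for u in stale:
            del self._grants[u]
        return len(stale)

    def authorize(self, user: str, system: str, now: int) -> bool:
        """Default deny: access exists only inside an unexpired grant's scope."""
        self.expire(now)
        grant = self._grants.get(user)
        return grant is not None and system in grant.systems


def demo() -> dict:
    """Walk one web administrator through a 15-minute elevation."""
    broker = JitBroker()
    t0 = 1_000_000
    broker.request("jdoe", "web-admin", ttl=900, now=t0, reason="apply web tier patch")
    return {
        "web_during": broker.authorize("jdoe", "web01", t0 + 60),   # in scope, in window
        "pci_during": broker.authorize("jdoe", "pay01", t0 + 60),   # out of scope
        "web_after":  broker.authorize("jdoe", "web01", t0 + 901),  # window closed
        "over_ttl":   broker.request("jdoe", "web-admin", 7200, t0, "x") is None,
        "ineligible": broker.request("jdoe", "pci-ops", 600, t0, "x") is None,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of the design is that `authorize` never consults a static role assignment: it consults only live grants, and every authorization call first sweeps expired ones, so a stolen account that is not mid-task holds no usable privilege at all.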
Reduce cyber risks by curbing the spread of identities
The growing complexity of enterprise infrastructures means that organizations must take a “never trust, always verify, enforce least privilege access control” approach to protect their sensitive data and resources.
Putting comprehensive controls in place over who has access to which resources, when, why, and for how long begins by slowing identity sprawl and consolidating identities. After that, organizations are in a far better position to maintain centralized control and governance over identities and access privileges.
Implementing a comprehensive PAM strategy based on zero trust principles is key to reducing the risk of misuse by malicious insiders or external threat actors. Ensuring that only authorized people, machines or services reach the right resources, at the right time, and for the right reasons shrinks the organization’s attack surface while keeping user productivity high.
Kamel Heus is VP EMEA at ThycoticCentrify.