IAM (Identity and Access Management) is a comprehensive solution that takes care of authentication and authorization. As organisations battle cyber threats centred on authentication and authorization, IAM can address many of these challenges in practice. IAM is simple while an organisation is small and grows more complex as the organisation grows. IAM applies not only to user accounts but also to service accounts, machine accounts, etc. IAM tools include Azure AD, CyberArk, Okta, etc. In this article, let us explore the challenges in securing identities and the common misconfigurations that have led to account compromise or overall domain compromise. Let us consider a company called Billion as a hypothetical reference throughout the article.
Service Accounts:
Service accounts are accounts used by applications and services to carry out necessary tasks. Attackers love to target service accounts because they are the least monitored by the cyber security team. Let's say Billion has around 20 service accounts configured for various business purposes. Now Billion has left certain service accounts unaddressed, meaning they remain active even after their purpose has come to an end. An attacker will target service accounts by first compromising a user account via a phishing email, then using the net user command to enumerate service accounts, and finally compromising them through Kerberoasting. Service accounts are not monitored by the cyber security team because their activity is assumed to be legitimate. Another important aspect of service accounts is that they do not require human interaction and lack MFA.
The cyber security team, along with the IAM team, must ensure that service accounts are granted only the permissions required to carry out their specific tasks. An audit has to be performed on service accounts and user accounts, and any account that is no longer in use must be disabled immediately. The SOC team should gather a list of service accounts and monitor them for suspicious activities such as scheduled task creation, new accounts being created with high-level privileges, etc.
MFA Fatigue:
A lot of organisations fail to maintain a user repository. Let's say Billion has around 4000 users across various levels, and it has either failed to record newly onboarded users or has no list at all of the users onboarded so far. This can lead to MFA fatigue, as MFA may not be enforced for some users. MFA plays a vital role in preventing account compromise, even when credentials have been compromised.
Organizations must ensure that MFA is used by all users, and a policy has to be enforced so that any newly onboarded user must complete MFA enrolment before being allowed to sign in via IAM tools like Azure AD.
Excessive permissions granted:
Many organizations tend to give users more permissions than they require, which often leads to catastrophic damage when an account is compromised. As organizations grow, more granular controls have to be defined for each user based on their role.
Let's say a user at Billion needs admin access to manage the functionality of a certain application or server. That user should be granted admin-level access via IAM only for that specific server, service or application, and nothing more. This is known as the principle of least privilege.
Poor log auditing:
Many organizations fail to log user activities, which makes it difficult to trace malicious activity back to a user. IAM tools should have audit and user sign-in logs enabled, and the logs must be forwarded to a centralized solution such as a SIEM, which can alert on suspicious activity by any user. Sometimes even insiders carry out malicious activities, and these can be surfaced as alerts by the SIEM solution.
Let's say an insider at Billion carries out malicious activities such as creating or deleting accounts or granting themselves admin access. As a cyber security team, it is important to forward user sign-in and audit logs to the SIEM so that such suspicious activities raise alerts and the SOC team, along with the IAM team, can take immediate action.
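The SOC monitoring described in the service account section and the insider scenario above can be expressed as a small detection routine. This is an added example and not code from the original article; the event shape (actor, action, target, details) and the group names are assumptions, and the events are constructed samples rather than output of any real IAM tool or SIEM.

```python
# Added example: detection logic for the IAM misuse patterns discussed in the
# article, run over constructed audit events. Field names are an assumption;
# a real SIEM feed would need mapping into this shape first.

# Assumed names of groups that confer domain- or tenant-wide admin rights.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}

# Constructed sample audit events (not real log data).
SAMPLE_EVENTS = [
    {"actor": "svc_backup", "action": "scheduled_task_created",
     "target": "\\Backup\\cleanup", "details": {}},
    {"actor": "jdoe", "action": "account_created",
     "target": "tmp_admin", "details": {"groups": ["Domain Admins"]}},
    {"actor": "asmith", "action": "group_member_added",
     "target": "Domain Admins", "details": {"member": "asmith"}},
    {"actor": "jdoe", "action": "login", "target": "portal", "details": {}},
    {"actor": "svc_web", "action": "login", "target": "web01", "details": {}},
]


def detect(events, monitored_service_accounts):
    """Return one alert string per suspicious event.

    Checks implemented:
      1. a monitored service account creating a scheduled task
      2. a new account created directly into a privileged group
      3. a user adding themselves to a privileged group (insider pattern)
    """
    alerts = []
    for ev in events:
        actor, action, target = ev["actor"], ev["action"], ev["target"]
        details = ev.get("details", {})
        if actor in monitored_service_accounts and action == "scheduled_task_created":
            alerts.append(f"service account {actor} created scheduled task {target}")
        if action == "account_created" and set(details.get("groups", [])) & PRIVILEGED_GROUPS:
            alerts.append(f"{actor} created privileged account {target}")
        if action == "group_member_added" and target in PRIVILEGED_GROUPS \
                and details.get("member") == actor:
            alerts.append(f"{actor} added themselves to {target}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, {"svc_backup", "svc_web"}):
        print("ALERT:", alert)
```

The service account inventory passed as the second argument is the list the article asks the SOC team to gather; ordinary logins by users and service accounts produce no alert.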
Conclusion:
Organizations must always be precise in granting permissions to users. Implementing the principle of least privilege helps organizations limit the scope of an attack. IAM is easier for teams that understand the organizational structure, because that understanding lets them implement robust security controls.