
In today’s landscape, the traditional security perimeter has dissolved, making identity the new frontline of defence. Identity security and management have become essential as more businesses move toward cloud services and remote working models. Effective identity and access management (IAM) practices are essential for IT departments to safeguard against cyber-attacks, phishing attempts, and ransomware threats. Organisations can mitigate potential security risks by implementing strong IAM strategies that ensure only permitted individuals have access to crucial resources. Let’s dive into the most important things to focus on, all of which align with the core zero-trust principles.

Verify explicitly

The unmatched ease of access to resources from anywhere, from any device, at any time of day is one of the key factors driving the adoption of cloud technology. Practically speaking, however, it would be foolish to grant this level of unquestioned access without checking whether the request is being made by the appropriate person. After all, usernames and passwords are all too often written down right next to the devices they belong to. Some level of confidence should therefore be established before access is granted, so that these access requests are explicitly verified, especially when they come from unrecognised network locations.

Strong multi-factor authentication (MFA) methods can be used to secure requests; as an example of how this looks in practice, stronger methods include approving an access request via a notification in the app on your chosen smart device (which is itself unlocked using biometrics), or using a number matching feature so that the requestor must manually enter the correct “answer” before access is granted. These techniques help to counter some of the growing methods attackers use to circumvent MFA prompts, such as SIM-swapping and MFA fatigue. The emergence of these MFA-focused attack strategies demonstrates that attackers will usually try to stay one step ahead of developing security features.

MFA isn’t the be-all-and-end-all when it comes to identity security, though. It’s simply the first obstacle that security teams place in an attacker’s path to compromising an environment. The more obstacles there are, the more likely an attacker is to give up and move on to a more convenient target. MFA will deter most attackers, but not all.

Another cutting-edge method that can add a further layer of security is user and entity behavioural analytics (UEBA). UEBA constantly monitors the various metrics generated when a user interacts with the cloud platform, even if an attacker has already passed the MFA check. Any deviation from what is considered normal for a user is given a risk score, which can lead to the user having to undergo a password reset, or to the account being locked until the security team is satisfied that it hasn’t been compromised.
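The risk-scoring idea behind UEBA can be illustrated with a small baseline-and-deviation scorer. The following is an added example, not code from the article or from any vendor’s product: it builds a per-user baseline (countries, devices, usual hours, download volume) from a constructed sign-in history and scores a new sign-in by how far it departs from that baseline. The weights, thresholds and the mapping from score to action are assumptions chosen for illustration.

```python
"""Added example (not from the article): a toy UEBA-style risk scorer.

A per-user baseline is built from historical sign-ins (constructed sample
data below). A new sign-in is scored on independent deviations: unseen
country, unseen device, sign-in outside the user's usual hours, and an
unusually large download. Weights and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str
    device_id: str
    hour: int           # local hour of day, 0-23
    mb_downloaded: int  # data pulled from the cloud platform in this session


# Constructed history describing what "normal" looks like for two users.
HISTORY = [
    SignIn("alice", "GB", "dev-a1", 9, 40),
    SignIn("alice", "GB", "dev-a1", 10, 55),
    SignIn("alice", "GB", "dev-a1", 14, 30),
    SignIn("alice", "GB", "dev-a2", 16, 20),
    SignIn("bob", "US", "dev-b1", 8, 10),
    SignIn("bob", "US", "dev-b1", 13, 15),
    SignIn("bob", "US", "dev-b1", 17, 12),
]


def build_baselines(history):
    """Per user: known countries, devices, active hours, and a download
    limit of 3x the historical maximum (an assumed rule of thumb)."""
    countries, devices, hours = defaultdict(set), defaultdict(set), defaultdict(set)
    max_mb = defaultdict(int)
    for s in history:
        countries[s.user].add(s.country)
        devices[s.user].add(s.device_id)
        hours[s.user].add(s.hour)
        max_mb[s.user] = max(max_mb[s.user], s.mb_downloaded)
    return {
        u: {"countries": countries[u], "devices": devices[u],
            "hours": hours[u], "mb_limit": 3 * max_mb[u]}
        for u in countries
    }


# Assumed weights: each deviation contributes independently, capped at 100.
WEIGHTS = {"new_country": 40, "new_device": 25, "odd_hour": 15, "bulk_download": 30}


def score_signin(baseline, s):
    """Return (score, reasons) for a sign-in against the user's baseline.
    A user with no baseline at all is treated as fully anomalous."""
    if s.user not in baseline:
        return 100, ["no baseline for user"]
    b = baseline[s.user]
    reasons = []
    if s.country not in b["countries"]:
        reasons.append("new_country")
    if s.device_id not in b["devices"]:
        reasons.append("new_device")
    # "Usual hours" means within two hours of any previously seen sign-in hour.
    if not any(abs(s.hour - h) <= 2 for h in b["hours"]):
        reasons.append("odd_hour")
    if s.mb_downloaded > b["mb_limit"]:
        reasons.append("bulk_download")
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons


def recommended_action(score):
    """Map a score to the responses the article describes (assumed bands)."""
    if score >= 70:
        return "block_and_lock"          # lock until the security team clears it
    if score >= 40:
        return "require_password_reset"
    if score >= 15:
        return "require_mfa"
    return "allow"


if __name__ == "__main__":
    baseline = build_baselines(HISTORY)
    # Constructed: alice from a new country and device at 03:00, pulling 2 GB.
    score, why = score_signin(baseline, SignIn("alice", "RO", "dev-x9", 3, 2048))
    print(score, why, recommended_action(score))
    # Constructed: a normal-looking sign-in for bob.
    score, why = score_signin(baseline, SignIn("bob", "US", "dev-b1", 9, 11))
    print(score, why, recommended_action(score))
```

In a real deployment the baseline would be learned over weeks rather than seven records, and the reasons list is what an analyst would want surfaced alongside the score so that a lock-out can be reviewed quickly.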

These methods represent only a small part of what can be done to improve an IAM platform’s resilience against identity-focused attacks. Looking ahead, this will undoubtedly extend to countering the use of AI-generated deepfakes.

Everyone is becoming more aware of AI technology, and that includes bad actors! When someone calls the CFO late on a Friday afternoon to get large invoices approved for payment, the CFO needs confidence that they are speaking with a real person rather than an AI-generated video call. Using features in Microsoft Entra such as Verified ID, including having to perform real-time biometric scans to prove authenticity, will soon be commonplace.

Use least-privilege access principles

The permissions and privileges granted to make the technology work grow and evolve as well. Over time, an identity can accumulate many different à la carte permissions for carrying out very specific tasks. If these permissions aren’t right-sized regularly, some identities can end up wielding huge amounts of power over the IT environment. Let’s discuss some ideas that can help reduce this risk.

Role-based access control (RBAC) is a method for consistently granting pre-mapped permissions and privileges that fit a particular role or task. With these pre-defined roles, it is simple to allocate the necessary rights for the task at hand. Microsoft 365 and Azure offer a variety of roles straight out of the box, and they also allow custom roles to fit any organisation’s requirements. Using RBAC roles wherever possible is always advisable, and this is especially true when implementing the following technique.

Just-in-time (JIT) access takes RBAC a step further. JIT access grants elevated rights on a temporary basis, replacing identities that are permanently loaded with elevated permissions and privileges 24 hours a day. As an example of a JIT tool, Microsoft Privileged Identity Management enables eligible identities to temporarily elevate their permissions to a predetermined RBAC role, while adding further checks and balances such as approvals, a forced MFA prompt, email notifications, and options for customising how long individuals can hold a specific permission. Ultimately, this means that if an account with access to higher privileges is compromised, it doesn’t necessarily follow that the bad actor will be able to exploit those permissions.
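To make the RBAC-plus-JIT pattern concrete, here is an added example that is not the article’s code and not Microsoft’s PIM implementation. It models identities that are eligible for a role rather than permanently assigned it; activating the role requires a fresh MFA, a justification and (for sensitive roles) approval from someone other than the requester, and the resulting assignment expires after a bounded duration. The role catalogue, the approval rule and the maximum activation window are assumptions chosen for illustration.

```python
"""Added example (not from the article or from Microsoft): a toy JIT
elevation model. Effective permissions are computed for a point in time,
so an expired activation grants nothing. Role names, durations and the
approval policy are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed RBAC catalogue: role -> permissions it grants.
ROLES = {
    "Reader": {"read"},
    "Contributor": {"read", "write"},
    "UserAdmin": {"read", "reset_password", "modify_user"},
}
# Assumed policy: roles needing a second person's approval to activate.
REQUIRES_APPROVAL = {"UserAdmin"}
MAX_ACTIVATION = timedelta(hours=8)   # assumed upper bound on an activation


class ElevationError(Exception):
    pass


@dataclass
class Activation:
    role: str
    expires_at: datetime
    justification: str


@dataclass
class Identity:
    name: str
    permanent_roles: set = field(default_factory=set)   # kept deliberately small
    eligible_roles: set = field(default_factory=set)    # may be activated via JIT
    activations: list = field(default_factory=list)


def activate(identity, role, *, now, duration, mfa_passed,
             approved_by=None, justification=""):
    """Grant `role` to `identity` until now + duration, enforcing JIT checks."""
    if role not in ROLES:
        raise ElevationError(f"unknown role {role}")
    if role not in identity.eligible_roles:
        raise ElevationError(f"{identity.name} is not eligible for {role}")
    if not mfa_passed:
        raise ElevationError("fresh MFA required to activate a role")
    if not justification.strip():
        raise ElevationError("justification required")
    if role in REQUIRES_APPROVAL and (approved_by is None or approved_by == identity.name):
        raise ElevationError(f"{role} needs approval from someone other than the requester")
    if duration <= timedelta(0) or duration > MAX_ACTIVATION:
        raise ElevationError(f"duration must be positive and at most {MAX_ACTIVATION}")
    act = Activation(role, now + duration, justification)
    identity.activations.append(act)
    return act


def effective_permissions(identity, *, now):
    """Permissions held at `now`: permanent roles plus unexpired activations.
    Expired activations are pruned as a side effect."""
    identity.activations = [a for a in identity.activations if a.expires_at > now]
    perms = set()
    for role in identity.permanent_roles:
        perms |= ROLES[role]
    for a in identity.activations:
        perms |= ROLES[a.role]
    return perms


def run_scenario():
    """Walk one identity through a JIT elevation and return what was observed."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    alice = Identity("alice", permanent_roles={"Reader"}, eligible_roles={"UserAdmin"})
    before = effective_permissions(alice, now=t0)
    denied = []
    # Each of these attempts is missing a control and must be rejected.
    for kwargs in ({"mfa_passed": False, "approved_by": "bob"},
                   {"mfa_passed": True, "approved_by": None},
                   {"mfa_passed": True, "approved_by": "alice"}):
        try:
            activate(alice, "UserAdmin", now=t0, duration=timedelta(hours=2),
                     justification="change ticket (constructed)", **kwargs)
        except ElevationError as e:
            denied.append(str(e))
    activate(alice, "UserAdmin", now=t0, duration=timedelta(hours=2), mfa_passed=True,
             approved_by="bob", justification="change ticket (constructed)")
    during = effective_permissions(alice, now=t0 + timedelta(hours=1))
    after = effective_permissions(alice, now=t0 + timedelta(hours=3))
    return {"before": before, "denied": denied, "during": during, "after": after,
            "open_activations": len(alice.activations)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point worth noticing is the last line of the scenario: three hours after a two-hour activation, the identity is back to read-only, so a token stolen from that account later in the day carries no elevated rights.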

In addition to using existing IAM techniques and technologies to keep rights and permissions right-sized, it’s also crucial to have procedures in place that ensure good identity hygiene. Although this can take many forms, focusing on Microsoft Entra solutions, we can highlight two particular tools that make these processes run more smoothly than a manual effort. First, access reviews can be used to regularly check the identities in an environment and give an indication of whether someone has actually been exercising their elevated rights. This enables service owners to choose who should remain in which permission groups and who should not. It is also a great way to check on external collaborators who have been invited via Entra B2B to work with you.

Another method of standardising permission enablement is through access packages. Applications, groups, cloud services and more can be grouped into a single package; for example, an ‘Entry-level Accounting’ package might grant access to payroll software, viewer access to various SharePoint sites and a Microsoft Team. When that person is removed from the access package, for example because they move departments or get promoted, removing them from this single package removes all related access to the bundle of services. This means that stale permissions are far less likely to accumulate on a given identity.

Assume breach

Even with all the best security tools available, organisations are never 100% protected from attacks. Accepting this reality is a major component of a successful security strategy. It’s crucial to always assume that a breach is a real possibility and to build resilience so that responding to an attack isn’t a frightening experience. A few ideas can be introduced to help with this.

First, the idea of continuous authentication is essential to embrace. Rather than taking the stance “User X has successfully completed an MFA request, so I’ll grant them all the access they’ve requested”, which some of the ideas covered in this article might appear to support, remember that, as we’ve already mentioned, attackers are always trying to get one step ahead of security tooling. It is therefore crucial that access restrictions remain in place even when the user appears to be doing everything properly. Nothing does this more effectively than adjusting the sign-in frequency that users are subject to, particularly when they access resources from outside the organisation’s network boundaries. However, it is important to strike a balance between sensible security practice and the impact on the user experience, as over-frequent prompting is a source of frustration.

Dynamic access controls can also be used to support access decisions. For instance, if User X logs into a SaaS platform they use every day, from their authorised device, within the organisation’s network boundary, that poses little risk, and in the majority of cases access should be granted. But take User Y, who is logging on from an external IP address belonging to a known private VPN service, on an unmanaged device, attempting to download substantial amounts of information from SharePoint. This may be a genuine request, but it may also be an indicator of identity compromise, and real-time dynamic controls such as the sign-in risk and user risk policies in Entra ID Protection can help keep resources better protected in these circumstances.
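The sign-in frequency control from the previous section and the dynamic, signal-driven decisions described here can be combined into a small policy evaluator. The following is an added example, not the article’s code and not how Entra Conditional Access or ID Protection is implemented: each sign-in carries context signals (device compliance, corporate network, anonymising VPN, risk level, time since the last full authentication, and the action being attempted), every policy returns its own verdict, and the most restrictive verdict wins. The policies, the reauthentication windows and the risk-to-verdict mapping are assumptions chosen for illustration.

```python
"""Added example (not from the article or from Microsoft): a toy
conditional-access evaluator. Policies are independent functions; the
most restrictive verdict across all matching policies is the decision.
All thresholds and policies are assumptions for illustration.
"""
from dataclasses import dataclass

# Verdicts ordered from least to most restrictive.
SEVERITY = {"allow": 0, "require_mfa": 1, "require_reauth": 2, "block": 3}


@dataclass(frozen=True)
class Context:
    user: str
    device_compliant: bool        # managed device meeting compliance policy
    inside_corp_network: bool     # request originates from a trusted location
    anonymizing_vpn: bool         # source IP belongs to a known VPN/anonymiser
    risk_level: str               # "none" | "low" | "medium" | "high"
    hours_since_full_auth: float  # age of the last full interactive sign-in
    action: str                   # e.g. "browse", "bulk_download"


# Assumed sign-in frequency policy: much stricter off-network.
REAUTH_AFTER_HOURS = {"inside": 24 * 7, "outside": 12}


def policy_signin_frequency(ctx):
    """Force a fresh sign-in once the last full authentication is too old."""
    limit = REAUTH_AFTER_HOURS["inside" if ctx.inside_corp_network else "outside"]
    if ctx.hours_since_full_auth > limit:
        return "require_reauth", f"last full auth {ctx.hours_since_full_auth:.0f}h ago exceeds {limit}h"
    return None


def policy_risk(ctx):
    """Assumed mapping of a risk-detection score to a response."""
    if ctx.risk_level == "high":
        return "block", "high sign-in risk"
    if ctx.risk_level == "medium":
        return "require_mfa", "medium sign-in risk"
    return None


def policy_device_and_data(ctx):
    """Protect bulk data movement from unmanaged devices or anonymised sources."""
    if ctx.action == "bulk_download" and not ctx.device_compliant:
        return "block", "bulk download from non-compliant device"
    if ctx.action == "bulk_download" and ctx.anonymizing_vpn:
        return "block", "bulk download via anonymising VPN"
    if ctx.anonymizing_vpn or not ctx.device_compliant:
        return "require_mfa", "unmanaged device or anonymising VPN"
    return None


POLICIES = [policy_signin_frequency, policy_risk, policy_device_and_data]


def evaluate(ctx):
    """Return (decision, reasons): the most restrictive verdict and why."""
    decision, reasons = "allow", []
    for policy in POLICIES:
        result = policy(ctx)
        if result is None:
            continue
        verdict, why = result
        reasons.append(f"{policy.__name__}: {why}")
        if SEVERITY[verdict] > SEVERITY[decision]:
            decision = verdict
    return decision, reasons


# Constructed contexts mirroring User X and User Y from the article.
USER_X = Context("x", device_compliant=True, inside_corp_network=True,
                 anonymizing_vpn=False, risk_level="none",
                 hours_since_full_auth=2, action="browse")
USER_Y = Context("y", device_compliant=False, inside_corp_network=False,
                 anonymizing_vpn=True, risk_level="medium",
                 hours_since_full_auth=1, action="bulk_download")

if __name__ == "__main__":
    for ctx in (USER_X, USER_Y):
        print(ctx.user, *evaluate(ctx))
```

Keeping each policy as a separate function with its own reason string is the design choice that matters: when User Y is blocked, the reasons list shows which controls fired, which is exactly what an analyst needs to decide whether this was a genuine request or a compromised identity.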

In summary, implementing a zero-trust security model with a focus on IAM is essential for combating cyber-attacks, phishing, and ransomware. Organisations can significantly lower the risk of unauthorised access and lateral movement within their networks by adhering to the principles of verify explicitly, least privilege, and assume breach. Technologies like MFA, JIT access, and UEBA are of utmost importance in putting these principles into practice. In addition, continuous monitoring, identity analytics, and deception technologies help detect and respond to possible breaches quickly, ensuring a strong and resilient security posture.

Ricky Simpson is US solutions director at Quorum Cyber, a Scotland-based cyber security services provider. He left Microsoft’s Edinburgh office in early 2023 after spending many years working in roles across cloud, security, and compliance. He graduated from Robert Gordon University in Aberdeen with a BSc in computer science.
