Knock knock. Who's there?
Who indeed is knocking on your corporate network or application perimeter’s door? It may not be who you think it is.
Authentication at the network perimeter and identity and access management controls are the usual approaches to protecting corporate assets. An additional approach is implementing a Zero-Trust Architecture, where access is never granted to a user or device simply because of its location or its presence inside the corporate network perimeter.
These are all good and necessary, but how are the authentication and Identity and Access Management (IAM) systems themselves being protected? IAM systems store and manage user names, passwords, and access levels to applications and infrastructure. A successful attack on an IAM system means the attacker has visibility into all user names and passwords. IAM systems are targeted by attackers because all the access management data is in one place. Why attack one application or website when you can obtain the “keys to the kingdom” by hacking an IAM system?
The trend of increasingly frequent and successful attacks on IAM and authentication infrastructure indicates that the “identity perimeter” consisting of these authentication and authorization systems is not being protected as well as it should be, and that threat detection and response is not what it needs to be.
The purpose of IAM and authentication is to ensure that access to corporate resources is granted according to role and business need-to-know. This often means those responsible for IAM and authentication are focused on protecting other organizational assets rather than on protecting the IAM and authentication assets themselves. The skill and expertise of IAM teams needs to be applied to their own tools and systems. Further, IAM and authentication infrastructure needs to be resilient and able to recover from an attack by reverting to a known good state. Testing recovery through table-top exercises and ensuring that backups are properly secured is key to a resilient identity perimeter.
Protection from attacks on or compromise of the identity perimeter depends on a multi-layered approach that uses existing SIEM, privileged access management (PAM) systems, multi-factor authentication, backup and recovery procedures, and fraud detection tools. Many of these tools are not new, but they may not have been directed at the identity perimeter, or they may not collect the data needed to provide adequate threat analysis.
Are your IAM and authentication systems protected? The following checklist is a good start to determining whether they are. It is not an exhaustive list, but it is a good starting point.
Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) in place and applied to IAM and authentication systems/infrastructure - threats to IAM and authentication systems must be prevented, and any threats or attacks must be identified as quickly as possible to avoid compromise.
Role-based access controls (RBAC) are defined jointly by both IT and business users - IT understands systems and infrastructure access, while business application owners know the access business users need to do their jobs.
Automated processes in place to manage access for new hires, terminations, and changes in responsibilities or roles - managing access roles, adding and removing access, and ensuring people are in the correct access groups is not something that can be done manually. A clear process that is automated as much as possible is necessary for an effective IAM and authentication solution.
Limited access to IAM and authentication systems - the fewer people who have access, particularly privileged or administrative access, the less likely it is that IAM or authentication systems will be compromised through access left behind when people change roles or leave the company.
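As an added example (not part of the original article or 3Factor's tooling), the kind of automated reconciliation the last two checklist items call for: a Python script that compares a constructed HR roster against constructed IAM group membership and flags leavers who still have accounts, groups left over from a previous role, and any privileged access to the IAM platform itself. The role-to-group mapping and all group and user names are hypothetical.

```python
# Constructed sample data. The role-to-group mapping is hypothetical; in practice
# IT and business application owners define it jointly (see the RBAC item above).
ROLE_GROUPS = {
    "finance-analyst": {"app-finance-users"},
    "helpdesk": {"app-ticketing-users", "ad-password-reset"},
    "iam-engineer": {"iam-admins"},
}
# Groups that grant administrative access to the IAM/authentication platform itself.
IAM_PRIVILEGED_GROUPS = {"iam-admins"}

HR = {  # user -> (current role, still employed)
    "alice": ("finance-analyst", True),
    "bob": ("helpdesk", True),
    "carol": ("iam-engineer", True),
    "dave": ("helpdesk", False),  # terminated; account should already be gone
}
IAM = {  # user -> groups actually held in the IAM system
    "alice": {"app-finance-users", "iam-admins"},  # left the IAM team, admin group never removed
    "bob": {"app-ticketing-users", "ad-password-reset"},
    "carol": {"iam-admins"},
    "dave": {"app-ticketing-users"},  # leaver still enabled
    "eve": {"iam-admins"},  # no HR record at all
}


def reconcile(hr, iam, role_groups=ROLE_GROUPS, privileged=IAM_PRIVILEGED_GROUPS):
    """Return (user, reason, flagged_groups, severity) for every account that does
    not match the HR roster. Severity is 'high' when IAM admin access is involved."""
    findings = []
    for user, groups in sorted(iam.items()):
        role, employed = hr.get(user, (None, False))
        if role is None:
            flagged, reason = groups, "no_hr_record"
        elif not employed:
            flagged, reason = groups, "terminated"
        else:
            # Anything beyond what the current role entitles is stale or over-provisioned.
            flagged, reason = groups - role_groups.get(role, set()), "groups_outside_role"
        if not flagged:
            continue  # account matches its role exactly
        severity = "high" if flagged & privileged else "medium"
        findings.append((user, reason, sorted(flagged), severity))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR, IAM):
        print(finding)
```

Run on a schedule and fed into the SIEM, the "high" findings are the ones that touch the identity perimeter directly and should drive immediate removal.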
3Factor’s Risk & Strategy Services can assist you in defining risks to your identity perimeter and then constructing an effective coordinated defense-in-depth strategy.