With so many networks moving away from the traditional perimeter-based deployment towards a series of decentralized resources, it can become overwhelming trying to keep track of each user and the actions they are performing.
In earlier documentation, this framework directed you to go through and inventory all the user accounts currently used in your organization, as well as the privileges granted to said accounts. The ultimate goal is to direct you towards embracing a centralized identity and access management (IAM) provider that allows you to implement granular controls and provisioning for user accounts.
You are likely already using one or more IAM platforms in your network. Any dashboard that allows you to create and manage user accounts for accessing an application or network resource counts as an IAM platform. For example, you can create and manage Active Directory user accounts on your local Windows domain. You can create and manage user accounts through big cloud providers like Google. However, modern enterprise-grade IAM aims to centralize accounts as much as possible so that the same organization-managed and secure accounts are used across all company resources. This is done by using high-end IAM providers like Microsoft Entra ID or Google Workspace.
These professional IAM platforms provide business administrators with powerful controls and features to ensure consistent security for their employee user accounts. These include:
Role-Based Access Control (RBAC): allows admins to decide what different employees can and cannot do by assigning them “roles” that each contain different privileges and permissions. Users can be assigned multiple roles, allowing admins to become very specific when controlling the user’s level of access. For example, employees who should be able to input customer data in a database would be assigned roles like “Database Contributor” and “Customer Data Specialist”. However, they would not be granted roles that allow them to modify the database's back-end schema. Those roles would be reserved for database administrator employees.
Principle of Least Privilege: While not limited to IAM, the principle of least privilege is a security strategy that is heavily emphasized wherever identities are granted access. It requires that every account, human or service, be granted only the rights and permissions needed to do its job, and nothing more, and that rights which are no longer needed be removed rather than left standing.
Privileged Access Management (PAM): Every organization has resources of a critical nature that should only be accessed by specific, verified identities. PAM is the part of IAM that governs these privileged accounts: it vaults or brokers their credentials, records which identities used them and what those sessions did, and alerts on unusual use. This ensures that privileged activity is never exempt from oversight, no matter which employee performs it.
Just In Time (JIT) Access and Just Enough Access (JEA): Part of ensuring the confidentiality, integrity, and availability of sensitive resources is keeping access to them as limited as possible. When a privileged account is authorized to access a resource, it is issued a token that lets it open a session to that resource. Those sessions should be as confined and as short as possible, which is where JIT and JEA come into play. Just-in-Time access means privilege is granted only at the moment it is needed and is automatically revoked after a short, fixed window, instead of being held as a standing right. Just-Enough-Access means the privilege granted covers only the specific actions and resources the task requires, instead of a broad administrator role. Together they ensure that even users who are allowed to reach sensitive resources hold that access for the shortest time and the narrowest scope possible.
Continuous Authentication: Building on the previous strategies, requiring users to re-authenticate periodically limits how long a stolen or hijacked session remains useful to an attacker. Threat actors can take over a session after the user has legitimately authenticated; this class of attack is known as session hijacking. With continuous authentication, users must prove their identity again after a set time or when they attempt new or unusual actions. While this is inconvenient for the users themselves, it is essential for keeping identities secure. An example is configuring sign-in frequency so that the MFA claim expires a few hours after authentication, forcing the user to complete MFA again when the time expires. Note that a short session lifetime shrinks the window an attacker has with a stolen token but does not prevent the theft itself, so it complements rather than replaces the other controls here.
Context-Based Authentication: Zero Trust security architecture enforces the idea that simple authentication factors are not always enough to prove that a user is truly who they say they are. Threat actors routinely phish, replay, or steal authentication factors, so a successful login by itself is weak evidence of who is behind it. IAM platforms allow admins to require deeper analysis of access requests. Context-based (also called conditional or risk-based) authentication takes into account other details about the request, such as the user's geolocation, the time of day, the compliance state of the device, and whether the sign-in pattern matches the user's past behaviour, and can step up to MFA or block the request outright when the context is unusual.
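To make the interplay of these controls concrete, the following Python model is an added example written for this page; it is not code from this framework or from any IAM vendor. It implements a small policy decision function in which roles expand to explicit permissions with deny-by-default (RBAC and least privilege), a JIT elevation adds only a named set of extra permissions (JEA) until it expires, requests are refused once the authentication is older than a re-authentication window (continuous authentication), and geolocation and time of day are checked before the permission check (context-based authentication). The role names, permission strings, the four-hour window, the allowed countries, and the working hours are all assumptions chosen for illustration.

```python
"""Illustrative IAM policy decision point (constructed example, not a vendor API).

Combines RBAC with deny-by-default, JIT/JEA elevation, a re-authentication
window, and simple context checks into one authorize() call.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Roles map to explicit permissions. Anything not listed is denied (least privilege).
# Role and permission names are assumptions for this example.
ROLES = {
    "Database Contributor": {"db:read", "db:write"},
    "Customer Data Specialist": {"customer:read", "customer:write"},
    "Database Administrator": {"db:read", "db:write", "db:alter_schema"},
}

REAUTH_AFTER = timedelta(hours=4)   # assumed continuous-authentication window
ALLOWED_COUNTRIES = {"US", "CA"}    # assumed geolocation policy
WORK_HOURS = range(7, 20)           # assumed working hours, 07:00 to 19:59


@dataclass
class Elevation:
    """A JIT grant: a narrow set of extra permissions (JEA) valid until `expires`."""
    permissions: frozenset
    expires: datetime


@dataclass
class Session:
    user: str
    roles: set
    authenticated_at: datetime   # when the user last completed MFA
    country: str                 # where the current request originates
    elevations: list = field(default_factory=list)


def request_elevation(session, permissions, minutes, now):
    """Grant a time-boxed, scoped elevation instead of a standing privileged role."""
    grant = Elevation(frozenset(permissions), now + timedelta(minutes=minutes))
    session.elevations.append(grant)
    return grant


def effective_permissions(session, now):
    """Union of role permissions plus any JIT grants that have not yet expired."""
    perms = set()
    for role in session.roles:
        perms |= ROLES.get(role, set())
    for grant in session.elevations:
        if now < grant.expires:      # expired grants contribute nothing
            perms |= grant.permissions
    return perms


def authorize(session, action, now):
    """Return (allowed, reason). Deny by default; every check must pass."""
    if now - session.authenticated_at > REAUTH_AFTER:
        return False, "reauthentication required"
    if session.country not in ALLOWED_COUNTRIES:
        return False, f"request from unexpected location {session.country}"
    if now.hour not in WORK_HOURS:
        return False, "outside working hours"
    if action not in effective_permissions(session, now):
        return False, f"no role or active elevation grants {action}"
    return True, "ok"


def run_demo():
    """Walk one user through the controls; returns the list of (allowed, reason)."""
    now = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
    alice = Session(
        user="alice",
        roles={"Database Contributor", "Customer Data Specialist"},
        authenticated_at=now - timedelta(hours=1),
        country="US",
    )
    decisions = []
    decisions.append(authorize(alice, "db:write", now))            # role allows
    decisions.append(authorize(alice, "db:alter_schema", now))     # no standing right
    request_elevation(alice, {"db:alter_schema"}, minutes=30, now=now)  # JIT + JEA
    decisions.append(authorize(alice, "db:alter_schema", now))     # allowed while live
    decisions.append(authorize(alice, "db:alter_schema", now + timedelta(minutes=31)))  # expired
    decisions.append(authorize(alice, "db:write", now + timedelta(hours=4)))  # MFA window lapsed
    alice.country = "ZZ"                                            # context check
    decisions.append(authorize(alice, "db:write", now))
    return decisions


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The order of checks is deliberate: session freshness and context are evaluated before the permission lookup, so a stale or out-of-context session is refused even for actions its roles would normally permit, and the schema-change permission is never reachable except through a grant that expires on its own.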
Depending on which IAM solution you choose, there will be different procedures for implementing the above security strategies. However, most professional IAM platforms offer them in some form, and you should make every attempt to implement them to limit the attack surface of your company identities as much as possible.
By implementing a professional solution for identities, you can rein in the sometimes-confusing number of accounts employees are using across different websites and services. The goal is to provide employees with a single account on your identity provider, such as a Microsoft Entra/365 account or a Google Workspace account. Moving forward, those accounts are to be used for all websites and services rather than dedicated accounts. This can be accomplished via Identity Federation, which is covered in further documentation. Identity federation is now widely supported and allows users to sign in to services using their existing accounts on major identity provider platforms. It even extends to resources beyond the Internet: for example, users can authenticate to their Windows desktops and laptops with their Microsoft accounts. Pursuing this strategy makes administration easier, because administrators gain a full view of which services employees are using with their company credentials. This helps mitigate frustrating security risks like privilege creep and Shadow IT.
