Best Practices
Having a mature Identity and Access Management (IAM) program is not an absolute requirement for implementing an identity-centric approach to security, but it is sure to improve its effectiveness. The following best practices focus on IAM fundamentals. They are recommended hygiene tips covering the people and process aspects of an IAM program as well as the technology.
Best Practice
Description
This is the DNA of your IAM program for every service and function you will support (provisioning, certs, privileged access, physical access, etc.) for on-prem (mainframe, AD, etc.) as well as all cloud providers (SaaS, CSPs). A uniquely identifiable catalogue of entities is a must. If you are just starting your identity program, this is the best place to start. If you consider yourself advanced but cannot account for every identity and associate it with an owner, this is a critical gap.
Authoritative sources for identities provide essential data to make informed decisions regarding user access, including what access to provision and when to enable/disable that access. Proper maintenance of this authoritative data requires defined lifecycle management processes for both employees and non-employees, regular validation and update of identity information, and storage of accurate data within a repository. The authoritative source can then be linked to automation, for example birthright provisioning/de-provisioning and attribute-based access control mechanisms.
This allows for a programmatic approach to managing access and entitlements to support policy enforcement during authentication and authorization. Utilizing AD/LDAP and the concept of security groups can be a huge advantage in efficiently granting and removing access.
Lock down administrative access to the Active Directory service by implementing administrative tiering and secure administrative workstations. Apply recommended policies and settings, and scan regularly for misconfigurations (accidental or malicious) that potentially expose your forest to abuse or attack.
Enable both basic and advanced auditing and periodically review key events via a centralized console. Monitor object and attribute changes at the directory level and changes shared across domain controllers. Mature organizations should look for risk signals across basic access types that violate security policies, for example segregation of duty rules.
Widespread encryption of your network, including Active Directory, requires a solid, highly automated recovery strategy that includes offline backups for all your infrastructure components as well as the ability to restore those backups without reintroducing any malware that might be on them.
Best Practice
Description
Automated feeds allow your organization to react to changes in the user life cycle at a frequency that strengthens your security posture. Consider utilizing batch syncs of your HR data instead of real-time syncs. Adding a predecessor job that verifies the feed is within normal ranges of expected terminations protects against the possibility of your HR system sending incorrect data, which could disable a large number of personnel and disrupt the business.
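The predecessor job described above can be a small gate that runs before the de-provisioning batch. This is an added example, not code from the original page; the record schema, the thresholds (`sigmas`, `floor`, `max_fraction`) and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class FeedVerdict:
    proceed: bool
    terminations: int
    ceiling: float
    reason: str


def check_hr_feed(records, history, headcount, sigmas=3.0, floor=5, max_fraction=0.02):
    """Decide whether an HR batch may be handed to the de-provisioning job.

    records:   list of dicts with 'employee_id' and 'status' (hypothetical schema)
    history:   termination counts of previously accepted batches
    headcount: number of active identities before this batch
    """
    ids = [r.get("employee_id") for r in records]
    if not records or not all(ids):
        return FeedVerdict(False, 0, 0.0, "empty batch or missing employee_id")
    if len(set(ids)) != len(ids):
        return FeedVerdict(False, 0, 0.0, "duplicate employee_id")

    terminations = sum(1 for r in records if r.get("status") == "terminated")
    # Normal range: historical mean plus k standard deviations, with a small
    # floor so that quiet weeks do not make every later batch look abnormal.
    expected = max(mean(history) + sigmas * pstdev(history), floor) if history else floor
    # Hard stop regardless of history: never disable more than a set share
    # of the workforce from one unattended batch.
    ceiling = min(expected, max_fraction * headcount)
    if terminations > ceiling:
        return FeedVerdict(False, terminations, ceiling, "terminations above normal range")
    return FeedVerdict(True, terminations, ceiling, "within normal range")


# Constructed sample data: eight earlier batches and two candidate batches.
HISTORY = [3, 5, 4, 6, 2, 4, 5, 3]
NORMAL = [{"employee_id": f"E{i:04d}", "status": "terminated" if i < 4 else "active"}
          for i in range(1000)]
SUSPECT = [{"employee_id": f"E{i:04d}", "status": "terminated" if i < 300 else "active"}
           for i in range(1000)]

if __name__ == "__main__":
    for name, batch in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, check_hr_feed(batch, HISTORY, headcount=1000))
```

A batch that fails the gate should be quarantined for human review rather than dropped, so legitimate separations are still processed once the feed is confirmed.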
Ideally tied to lifecycle events (join, move, leave), provisioning provides smooth onboarding for new employees and a smooth transition for existing employees. However, de-provisioning is the easier solution to implement, as it does not require any approvals. Once you are connected to your authoritative HR source, you can process all separation events without any discrimination or further validation. Doing so is vital to minimize unnecessary access and the security risks associated with orphaned accounts and entitlements.
Automation allows you to realize the full benefit of an IAM program with the goal of reducing the number of manual access changes managed through your Service Management application or other ad-hoc processes.
Best Practice
Description
Fostering collaboration and consistency among all those who manage system or data access in the organization leads to a better end-user experience and helps identify opportunities for organization-wide efficiencies (automation, process improvements, etc.), while also reducing the risk of audit findings. Once established, moving to a combined coarse-grained and fine-grained model can reduce the focus of governance oversight to exception-based access.
Governance policies are inherently identity-centric. A successful governance program cannot be achieved without a common understanding of the scope and responsibility of your IAM Program.
Perform an assessment and start with the higher priority applications and those that present the most risk if compromised. This allows focus for implementation efforts related to the applications that will provide the most benefit.
This will allow you to provide a smooth change of responsibilities and mitigate the impact of the organization transfer. Have user access reviewed by the old and new manager and agree on a transition plan to phase out access that is no longer needed.
Best Practice
Description
In addition to MFA, the level of assurance of authentication should match the value of the asset being protected and should include risk scores from a variety of sources (Fraud & Risk, device info, etc.). Advanced organizations are looking to standards-based, frictionless solutions.
Ensure that third party access to critical assets is included. Once this is complete, implement a tool to keep up with the changes introduced into the environment, embedding this process into the asset and services lifecycle management.
Best Practice
Description
Ensures that all IAM policies and controls are adhered to and provides a vehicle to determine overall impact prior to making any IAM program changes.
A configuration management database is critical to any successful IAM program. It provides the ability to quickly understand your application stack and the priority under which they should be included in an IAM program.
To ensure the effectiveness of the existing business processes and to identify areas of improvement and efficiencies.
Bridge the gap with application owners by considering the IAM implications in these discussions. This allows for a comprehensive assessment and reduces the risk of delays and violation of security policies.
It may also be possible to use a key management system (KMS) which will give you key rotation capability.
Streamlines user access by providing a single point of access regardless of application deployment model, and reduces the number of credentials that are at risk of being compromised.
Enables behavioral/pattern analytics used to identify risky or anomalous activity.
Allows access to sensitive resources based on the risk status of the user at the point of accessing the resource, while providing for an automated response to the access decisions of an organization's management structure, by identifying sensitive access due to elevated permissions.
Allows for higher assurance during an authentication event based on the current access profile of a user at the point of login by identifying sensitive resources due to elevated permissions.
Roles and entitlements should be reviewed on a regular basis, and most frequently for privileged access. Leveraging role mining solutions can identify excessive privileges.
Best Practice
Description
Establishing visibility is the initial step in practicing Cloud Identity Infrastructure Entitlement Management (CIEM). Achieving visibility through the following steps allows you to effectively manage entitlements, reducing access risk in cloud infrastructure: create a categorized list of inventory resources, list human and service identities, list third-party access, classify privileged permissions, create two-way full permissions mapping, discover admins, discover privileged identities, monitor continuously.
Reviewing and analyzing the activity logs for all identities (including federated) enables insight into the permissions that identities in cloud environments are actually using. This best practice achieves several goals:
Determines which permissions are actually necessary for each identity’s business function and, by understanding which are granted but not required, detects over-privileged identities.
Determines which identities are not in use at all and can be retired.
Activity tracking also enables the profiling of the baseline behavior of each identity in the environment.
Such profiling can in turn be useful in detecting certain behavior patterns used by malicious actors as part of the cyber “kill chain” (e.g. persisting in an environment, performing reconnaissance or escalating privileges) by being anomalous to the identity’s ordinary behavior profiled in the baseline.
This type of anomaly is a crucial trigger/alert that needs investigating to reduce the potential impact from breaches and a malicious actor’s ability to carry out attacks using privileges provided within a cloud environment.
By using information gathered from the environment, it is possible to gain visibility into granted permissions and the permissions actually needed, deduce the gap between them and get a recommendation for a least-privileged configuration.
This process should automatically create the artifacts, such as policy documents and infrastructure as code snippets, necessary for applying the recommendation according to the cloud platform’s specifications. These artifacts can be for manual use or applied through infrastructure as code utilities.
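The comparison of granted and actually used permissions described above, as an added example that is not part of the original page. The permission names, identities, the 90-day window and the log tuples are constructed assumptions; a real CIEM tool would read them from the cloud provider's audit logs and policy store.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase


def least_privilege_report(granted, activity, now, window_days=90):
    """Compare granted permission patterns with actions seen in activity logs.

    granted:  {identity: set of permission patterns, '*' wildcards allowed}
    activity: iterable of (identity, action, timestamp) from audit logs
    """
    cutoff = now - timedelta(days=window_days)
    seen = {identity: set() for identity in granted}
    for identity, action, ts in activity:
        if identity in seen and ts >= cutoff:
            seen[identity].add(action)

    report = {}
    for identity, patterns in granted.items():
        used_actions = seen[identity]
        unused, recommended = [], set()
        for pattern in sorted(patterns):
            hits = {a for a in used_actions if fnmatchcase(a, pattern)}
            if hits:
                recommended |= hits      # a broad grant narrows to what was used
            else:
                unused.append(pattern)   # granted but never exercised
        report[identity] = {
            "inactive": not used_actions,        # candidate for retirement
            "unused_grants": unused,             # the over-privilege gap
            "recommended": sorted(recommended),  # least-privileged grant set
        }
    return report


# Constructed sample data (not real audit logs).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GRANTED = {
    "svc-report-builder": {"storage:*", "queue:SendMessage", "identity:AssignRole"},
    "alice": {"compute:StartInstance", "compute:StopInstance"},
    "svc-legacy-export": {"db:*"},
}
ACTIVITY = [
    ("svc-report-builder", "storage:GetObject", NOW - timedelta(days=3)),
    ("svc-report-builder", "storage:ListBucket", NOW - timedelta(days=10)),
    ("svc-report-builder", "queue:SendMessage", NOW - timedelta(days=1)),
    ("alice", "compute:StartInstance", NOW - timedelta(days=20)),
    ("svc-legacy-export", "db:Export", NOW - timedelta(days=400)),  # outside window
]

if __name__ == "__main__":
    for identity, row in least_privilege_report(GRANTED, ACTIVITY, NOW).items():
        print(identity, row)
```

The observation window has to cover infrequent but legitimate activity (quarterly or annual jobs), otherwise the recommendation removes permissions that are still needed.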
The remediation process of excessive permissions findings should be integrated into well defined organizational workflows. The CIEM implementation should support the following features:
Notifies the appropriate stakeholders of newly detected over-privileged identities.
Generates tickets to assign and track the responsibility for approving and/or applying the remediation for identities with excessive permissions.
Automates the remediation process when applicable, based on the organization’s policy.
In addition, a CIEM solution should have readily available reports that can be collected and analyzed, as well as a programmatic interface (API) that allows outside platforms to query and trigger it so its analysis is as accessible as possible to other tools that are part of the organization’s workflow.
Reviewing workload activity in the early stages of the pipeline (testing and/or staging) enables assessment of the permissions required for the workloads to perform their business function and enforcement of the minimum permissions needed as soon as possible (“shifting left”).
This enforcement can then be embedded into the CI/CD pipeline by requiring permissions assigned to workloads in later stages (mainly production) to be first validated at an earlier stage.
To truly achieve least privilege, the time factor must also be taken into account. A CIEM implementation should enable organizations to provide privileged permissions only at the time they are required, based on business justification and approved by an authorized person.
A CIEM solution should be able to detect and allow the easy remediation of configuration findings that show identities as vulnerable to being compromised.
The detection should include findings such as static credentials that have not been rotated for a significant period of time, credentials such as keys or passwords that haven’t been used for a while, privileged users for whom MFA is not enforced and/or a password that doesn’t meet a certain level of complexity.
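One way to express the findings listed above as checks over an identity inventory. This is an added example, not code from the original page or from any CIEM product; the inventory schema, the finding names and the thresholds (90 days for rotation, 60 days idle, minimum password length 14) are assumptions, since the page does not define them.

```python
from datetime import date


def identity_findings(identities, today, max_key_age=90, max_idle=60, min_pw_length=14):
    """Return (identity, finding, credential_id) tuples for risky configurations.

    Thresholds are assumptions; the schema of `identities` is hypothetical.
    """
    findings = []
    for ident in identities:
        name = ident["name"]
        for cred in ident.get("credentials", []):
            age = (today - cred["created"]).days
            # A credential that was never used counts as idle since creation.
            last_used = cred.get("last_used")
            idle = (today - last_used).days if last_used else age
            if cred["kind"] == "static_key" and age > max_key_age:
                findings.append((name, "key-not-rotated", cred["id"]))
            if idle > max_idle:
                findings.append((name, "credential-unused", cred["id"]))
        if ident.get("privileged") and not ident.get("mfa_enforced"):
            findings.append((name, "privileged-without-mfa", None))
        pw_len = ident.get("password_min_length")
        if pw_len is not None and pw_len < min_pw_length:
            findings.append((name, "weak-password-policy", None))
    return findings


# Constructed inventory (not real accounts).
TODAY = date(2024, 6, 1)
IDENTITIES = [
    {"name": "ops-admin", "privileged": True, "mfa_enforced": False,
     "password_min_length": 8,
     "credentials": [{"id": "pw-1", "kind": "password",
                      "created": date(2024, 1, 10), "last_used": date(2024, 5, 30)}]},
    {"name": "svc-deploy", "privileged": False,
     "credentials": [{"id": "key-a", "kind": "static_key",
                      "created": date(2023, 3, 1), "last_used": date(2024, 5, 31)},
                     {"id": "key-b", "kind": "static_key",
                      "created": date(2024, 2, 1), "last_used": None}]},
    {"name": "dev-user", "privileged": False, "mfa_enforced": True,
     "password_min_length": 16, "credentials": []},
]

if __name__ == "__main__":
    for finding in identity_findings(IDENTITIES, TODAY):
        print(finding)
```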
Keeping track of versions of permissions to be able to revert to previous versions on demand is an important requirement for a CIEM solution.
Given that they are a complex component of managing cloud infrastructure, changing permissions can easily lead to services not being available to identities that legitimately need access to them. Security and DevOps professionals may understandably lack the confidence and willingness to limit permissions to achieve least privilege.