Organizations are eager to find fresh ways to weave AI into their operations and speed up the adoption of generative AI technologies. They’re also brainstorming innovative AI solutions to meet this growing demand. This drive is pushing the use of cloud infrastructure to expand rapidly.
Recent reports indicate that identity and access management (IAM) risks remain among the top threats to cloud computing. A survey by the Identity Defined Security Alliance revealed that 84% of over 500 large organizations faced identity-related breaches last year. While there have been strides in IAM platforms, tools, and utilities—some incorporating AI—access management is still a key concern for security teams. Here are some IAM best practices for companies to adopt:
Centralize IAM
Centralizing identity management is crucial. A unified platform for managing identities and their access rights simplifies the user experience and reduces password-related frustrations. This approach gives IT a clear view of all identities and their permissions, enhancing visibility and security. It streamlines policy implementation, helps track user behavior, and boosts compliance. It’s vital for organizations of all sizes to ensure that the specialized applications each team uses are connected to this central platform.
Implement Phishing-Resistant MFA
Phishing and social engineering are primary drivers of ransomware attacks and data breaches. Cybercriminals often steal the unique codes needed to access systems. To combat this, companies should adopt phishing-resistant multi-factor authentication (MFA) instead of traditional methods reliant on codes. Techniques like web-based authentication (WebAuthn) and PKI-based authentication are effective, and major cloud providers like AWS and Azure offer options to implement these solutions. The US Cybersecurity & Infrastructure Security Agency (CISA) recommends these methods as essential for a zero-trust strategy.
Minimize the Cloud Unknown
About 50% of organizations report having been attacked through unknown or unmanaged assets, like unused virtual machines or resources created outside approved methods. These unknowns pose risks with identities and privileges that could be exploited by attackers. Full visibility into the cloud environment—including all identities and their associated entitlements—is essential. Organizations must also keep track of non-human identities, such as service accounts and bots, particularly as AI use grows.
Back to IAM Basics
As IT environments grow more complex, companies often overlook essential access management tasks. Regularly reviewing access for all identities isn’t just a box to tick; it requires careful assessment to spot any unnecessary privilege elevation. This review should cover all identities, including non-human ones, and extend to all data repositories. Human error is frequently behind cyber incidents, so automating key processes—like account provisioning and access reviews—makes sense. Linking the centralized IAM platform to HR tools streamlines offboarding and ensures access rights align with job roles.
Beyond implementing advanced IAM solutions, companies should cultivate a strong culture of security awareness and adhere to basic IAM hygiene. This includes applying the principle of least privilege, monitoring identities, and regularly reviewing access rights. With the prevalent role of IAM in numerous data breaches and cyber incidents, effective IAM governance is crucial for a robust cybersecurity foundation.
Varun Prasad is the Vice President of the ISACA San Francisco Chapter and a member of ISACA’s Emerging Trends Working Group.