Friday, October 18, 2024

Strong Cloud IAM Must Adhere to Zero-Trust Principles

In today’s digital world, the old network perimeter has vanished and identity has become the front line of defense. As more companies move to cloud services and remote work, the urgency to manage and secure identities is greater than ever. Effective identity and access management (IAM) is critical for IT teams to fend off phishing, credential theft, and ransomware. By applying strong IAM strategies, organizations can ensure that only the right people reach vital resources, reducing security risk. Let’s look at some key focus areas, all grounded in zero-trust principles.

Verify Explicitly

One reason cloud technology is taking off is the ease of access from anywhere, at any time. But it is naive to allow such open access without verifying who is making the request. Too often, people keep usernames and passwords on or beside their devices, so whoever holds the device can also sign in. IT security must have reliable systems to confirm access requests, especially those arriving from unfamiliar networks.

Using strong multi-factor authentication (MFA) makes a big difference. This might mean approving a request in an authenticator app on a mobile device, or using number matching, where the user types the number shown on the sign-in screen into the app. Both are stronger than one-time codes sent by SMS: app-based approval removes the phone-number channel that SIM-swapping hijacks, and number matching defeats MFA fatigue, where an attacker who already holds the password sends push prompts until the user approves one by mistake. Attackers continuously develop new tactics to bypass security features, so adding layers of protection is essential.

MFA is just the start. It lays the groundwork, but attackers can still get through. User and entity behavioral analytics (UEBA) offers another layer of security. It continuously tracks how each user interacts with the cloud and builds a baseline of what is normal for them. If a user’s behavior strays from that baseline, for example a sign-in from a new country, a new device, or an unusual time of day, it raises an alert. In serious cases, it can force a password reset or lock the account until security gets involved. This approach is one piece of the puzzle, especially as we prepare for future threats such as AI-generated deepfakes.
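The baseline-and-deviation logic above, as an added example written for this article rather than code from any UEBA product or from the author. It learns each user's usual countries, devices and sign-in hours from a small constructed history, scores new sign-ins by how many attributes deviate, and maps the score onto the escalating responses described (alert, forced password reset, account lock). The event fields, the two-hour tolerance on sign-in time and the score-to-response ladder are assumptions.

```python
"""Toy UEBA: learn each user's normal sign-in profile, then score new events.

Added example for this article; not Microsoft's or Quorum Cyber's code.
Event layout, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical sign-ins: (user, ISO timestamp, country, device id).
HISTORY = [
    ("alice", "2024-10-01T08:05:00", "GB", "laptop-a1"),
    ("alice", "2024-10-02T08:40:00", "GB", "laptop-a1"),
    ("alice", "2024-10-03T09:10:00", "GB", "laptop-a1"),
    ("alice", "2024-10-04T17:30:00", "GB", "phone-a2"),
    ("alice", "2024-10-07T08:15:00", "GB", "laptop-a1"),
    ("bob", "2024-10-01T13:00:00", "US", "laptop-b1"),
    ("bob", "2024-10-02T14:20:00", "US", "laptop-b1"),
    ("bob", "2024-10-03T12:45:00", "US", "laptop-b1"),
]

HOUR_TOLERANCE = 2  # a sign-in within +/-2h of a seen hour is still "normal"


def build_baselines(events):
    """Per user: the set of countries, devices and sign-in hours seen so far."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, ts, country, device in events:
        b = base[user]
        b["countries"].add(country)
        b["devices"].add(device)
        b["hours"].add(datetime.fromisoformat(ts).hour)
    return base


def _hour_distance(a, b):
    """Circular distance on a 24h clock so 23:00 and 01:00 are two hours apart."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(baselines, event):
    """Return (deviation count, reasons) for one new sign-in.

    A user with no baseline cannot be scored yet, so it is surfaced as a
    single 'alert'-level deviation rather than silently allowed.
    """
    user, ts, country, device = event
    b = baselines.get(user)
    if b is None:
        return 1, ["no baseline for user"]
    reasons = []
    if country not in b["countries"]:
        reasons.append(f"new country {country}")
    if device not in b["devices"]:
        reasons.append(f"new device {device}")
    hour = datetime.fromisoformat(ts).hour
    if not any(_hour_distance(hour, h) <= HOUR_TOLERANCE for h in b["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    return len(reasons), reasons


def respond(score):
    """Map the deviation count onto the escalating responses in the article."""
    if score == 0:
        return "allow"
    if score == 1:
        return "alert"
    if score == 2:
        return "force_password_reset"
    return "lock_account"


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for ev in [
        ("alice", "2024-10-08T08:30:00", "GB", "laptop-a1"),
        ("alice", "2024-10-08T03:00:00", "RU", "unknown-x9"),
        ("bob", "2024-10-08T13:30:00", "US", "phone-b2"),
    ]:
        score, why = score_event(baselines, ev)
        print(ev[0], respond(score), why)
```

In production the baseline would be richer (ASN, impossible travel, volume of data touched) and the response would be wired into the identity provider; the point here is that the decision is driven by the user's own history rather than by a static rule.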

AI is now in the hands of many, including those with malicious intent. Tools like Microsoft Entra Verified ID, which can confirm a person with a real-time biometric check (a live face match against a verified credential), will soon be essential. This way, when someone gets a call from the CFO demanding an urgent payment, they can confirm they are speaking to the real CFO, not an AI mimicking their voice and image.

Use Least-Privilege Access Principles

As organizations grow, so does the number of permissions granted across their technology estate. Over time, identities accumulate far more permissions than they use. If these are not regularly reviewed, some identities end up wielding too much power over IT.

Role-based access control (RBAC) helps with this. It lets businesses assign pre-defined sets of permissions tailored to specific roles rather than granting rights one at a time. Microsoft 365 and Azure ship with many built-in roles and also allow custom ones. It is best practice to use RBAC wherever possible.

Then there’s just-in-time (JIT) access, which takes RBAC a step further. Instead of keeping elevated permissions active 24/7, JIT access grants temporary rights only when they are needed. Microsoft Privileged Identity Management is one tool that supports JIT access, letting users activate an eligible role for a limited time with added checks such as MFA and approval notifications. This means that even if an account is compromised, the attacker does not inherit standing high-level permissions; they would still have to clear the MFA and approval gates to activate them.

Good identity hygiene is also crucial. Regular access reviews show who actually holds and uses elevated permissions, and that information lets service owners make informed decisions about who should keep them. Additionally, access packages let organizations bundle the services a role needs, making permissions easy to manage. If someone changes roles, removing them from the package revokes every entitlement it bundled, eliminating unnecessary access.
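To make the JIT and access-review ideas from the last three paragraphs concrete, here is an added example written for this article; it is a model of the behaviour described, not Microsoft Privileged Identity Management's code. An eligible assignment confers nothing on its own; activating it requires MFA, an approver for the most sensitive roles, and yields a grant that expires. The review function then finds eligible assignments nobody has activated in 90 days, which are candidates for removal. Role names, the eight-hour cap, the 90-day idle window and the sample assignments are assumptions.

```python
"""JIT elevation with expiring grants, plus a standing-privilege review.

Added example for this article; not Microsoft's code. Role names, time
limits and sample assignments are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class EligibleAssignment:
    """A role the user may activate; it grants nothing until activated."""
    user: str
    role: str
    assigned_at: datetime
    last_activated: Optional[datetime] = None


@dataclass
class Grant:
    """A time-bounded activation of an eligible role."""
    user: str
    role: str
    activated_at: datetime
    expires_at: datetime


class JitStore:
    MAX_DURATION = timedelta(hours=8)
    # Roles whose activation needs an approver as well as MFA (assumption).
    APPROVAL_REQUIRED = {"Global Administrator", "Owner"}

    def __init__(self, eligible: List[EligibleAssignment]):
        self.eligible = {(e.user, e.role): e for e in eligible}
        self.active: List[Grant] = []

    def activate(self, user, role, now, mfa_passed, approved=False,
                 duration=timedelta(hours=1)):
        """Gate activation on eligibility, MFA and (for sensitive roles) approval."""
        key = (user, role)
        if key not in self.eligible:
            raise PermissionError(f"{user} is not eligible for {role}")
        if not mfa_passed:
            raise PermissionError("MFA is required to activate a privileged role")
        if role in self.APPROVAL_REQUIRED and not approved:
            raise PermissionError(f"{role} activation requires approval")
        duration = min(duration, self.MAX_DURATION)  # never exceed the cap
        grant = Grant(user, role, now, now + duration)
        self.active.append(grant)
        self.eligible[key].last_activated = now
        return grant

    def effective_roles(self, user, now):
        """Only unexpired activations count; there are no standing privileges."""
        return sorted(g.role for g in self.active
                      if g.user == user and g.activated_at <= now < g.expires_at)


def review_stale(eligible, now, max_idle=timedelta(days=90)):
    """Access review: eligible roles not activated within max_idle.

    An assignment that was never activated is measured from when it was granted.
    """
    stale = []
    for e in eligible:
        last = e.last_activated or e.assigned_at
        if now - last > max_idle:
            stale.append((e.user, e.role))
    return stale


if __name__ == "__main__":
    now = datetime(2024, 10, 18, 9, 0)
    # Constructed eligible assignments.
    eligible = [
        EligibleAssignment("alice", "Owner", datetime(2024, 1, 1)),
        EligibleAssignment("bob", "Reader", datetime(2024, 9, 1)),
        EligibleAssignment("carol", "Contributor", datetime(2024, 3, 1)),
    ]
    store = JitStore(eligible)
    grant = store.activate("alice", "Owner", now, mfa_passed=True, approved=True,
                           duration=timedelta(hours=24))
    print("alice Owner until", grant.expires_at)          # capped at now + 8h
    print("alice roles at +9h:", store.effective_roles("alice", now + timedelta(hours=9)))
    print("stale eligibility:", review_stale(eligible, now))
```

The check that matters for assume-breach is `effective_roles`: an attacker who steals alice's session after the grant expires holds no Owner rights, and to get them back must pass MFA and an approver again.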

Assume Breach

Even with top-notch security tools, no organization is entirely safe from attacks. Acknowledging this truth is vital for a successful security strategy. Always assume a breach is possible and build resilience to handle attacks when they occur.

Continuous authentication plays a key role here. Instead of thinking, “User X passed MFA, so they get full access for as long as the session lives,” set limits on access even when a user follows every protocol. Tuning sign-in frequency, so that sessions must re-authenticate after a set period and more often for remote access, maintains security without frustrating users.

Adaptive access controls further strengthen decision-making on access requests. For instance, if a user signs in from a recognized device on the office network, grant access. But if a user arrives from an unknown IP address over a VPN and starts downloading large volumes of files, that raises red flags and should trigger a step-up or a block. Tools like Entra ID Protection can assess these risk signals in real time.
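The two preceding paragraphs describe one decision: every request is re-evaluated against device, network, risk and session signals, and a session that was fine an hour ago can be asked for MFA or blocked now. The following added example, written for this article and not taken from Entra ID Protection or Conditional Access, encodes that ladder. It treats the office egress range as trusted, applies a shorter sign-in frequency to remote sessions than to trusted ones, steps up bulk downloads from unknown networks, and blocks high-risk sign-ins and unmanaged devices off-network. The IP ranges (TEST-NET documentation addresses), the thresholds and the ordering of the rules are assumptions; a real risk score would come from the identity provider.

```python
"""Adaptive access: evaluate each request against device, network, risk and
session-age signals instead of trusting a session once MFA has passed.

Added example for this article; not Microsoft's logic. Trusted ranges,
thresholds and the decision ladder are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Office egress range (assumption; 203.0.113.0/24 is a documentation range).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Sign-in frequency: how old a session's last MFA may be before re-prompting.
SIGN_IN_FREQUENCY = {
    "trusted": timedelta(days=1),   # on-network sessions re-auth daily
    "remote": timedelta(hours=8),   # remote sessions re-auth each working day
}
REMOTE_DOWNLOAD_LIMIT_MB = 500       # bulk download threshold off-network


@dataclass
class Request:
    user: str
    ip: str
    device_compliant: bool   # managed and compliant per device management
    last_mfa_at: datetime    # when this session last satisfied MFA
    risk: str                # sign-in risk from a risk engine: none/low/medium/high
    download_mb: int = 0     # data volume requested in this session


def on_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def decide(req: Request, now: datetime):
    """Return (decision, reason); decisions are 'allow', 'mfa' or 'block'.

    Rules are checked from most to least severe so the strongest applicable
    response wins.
    """
    if req.risk == "high":
        return "block", "high sign-in risk"
    trusted = on_trusted_network(req.ip)
    if not req.device_compliant and not trusted:
        return "block", "unmanaged device from unknown network"
    if req.risk == "medium":
        return "mfa", "medium sign-in risk"
    session_age = now - req.last_mfa_at
    if session_age > SIGN_IN_FREQUENCY["trusted" if trusted else "remote"]:
        return "mfa", "session exceeded sign-in frequency"
    if not trusted and req.download_mb > REMOTE_DOWNLOAD_LIMIT_MB:
        return "mfa", "bulk download from unknown network"
    return "allow", ("known device on trusted network" if trusted
                     else "remote session within policy")


if __name__ == "__main__":
    now = datetime(2024, 10, 18, 10, 0)
    # Constructed requests covering the cases in the article.
    samples = [
        Request("alice", "203.0.113.25", True, now - timedelta(hours=1), "none"),
        Request("bob", "198.51.100.7", True, now - timedelta(hours=1), "none", download_mb=2000),
        Request("bob", "198.51.100.7", True, now - timedelta(hours=9), "none"),
        Request("eve", "198.51.100.7", False, now, "none"),
    ]
    for r in samples:
        print(r.user, r.ip, decide(r, now))
```

Note that the download check only fires off-network and only after the cheaper checks; in a real deployment the volume signal would arrive from the application or a cloud access broker mid-session, which is exactly why the policy must be re-run on every request rather than at sign-in only.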

Ricky Simpson serves as the US solutions director at Quorum Cyber, a cyber security services provider based in Scotland. Having relocated for the role in early 2023, he previously worked in cloud, security, and compliance at Microsoft in Edinburgh. He holds a BSc in computer science from Robert Gordon University in Aberdeen.