Saturday, June 25, 2022

The 5 Worst Mistakes You Can Make In IAM & How To Fix Them

Over the years, I have written a ton of content ranging from Biometrics to Cybersecurity, with everything and anything in between. This has resulted in the publication of 9 books and some 20 eBooks, with this group growing quickly (thanks to KDP, it is a very easy process to get self-published). Just in the last few months I have written some 7 whitepapers, ranging from the CMMC to DevSecOps to Windows 365 restoration.

But there is one area that has eluded me so far, and that is the topic of Identity and Access Management. This is the field where, essentially, all of the usernames and passwords are properly managed (at least in theory), with the primary purpose of protecting these crown jewels from the hands of the Cyberattacker.

It’s not just simply assigning login credentials and telling employees to follow your security policies; it has become much more complex than this because of the heavy adoption of cloud-based platforms such as AWS and Microsoft Azure.

From within them, there are a ton of sophisticated tools that an organization can use to manage all of the usernames and passwords of their employees.

One such tool is Azure Active Directory. At the simplest level, you can create various user profiles, and from there, you can assign blanket login credentials to whomever you choose. So, through just one login, your employees will be able to gain access to the other shared resources that they need to conduct their everyday job tasks.

In fact, the concept of IAM is now becoming a key concern in the Cyber industry, and according to recent research conducted by Cider Security, it is ranked as the second biggest problem that organizations face when migrating to the cloud. More information about this can be seen here:

https://www.cpomagazine.com/cyber-security/greatest-risks-to-ci-cd-security-include-flow-control-mechanisms-identity-access-management-dependency-chain-abuse/

But despite the suite of tools that are available from AWS and Azure, trying to gain control of your IAM processes can still backfire for the following reasons:

*There is way too much assumption on the part of the business that the IAM structure the cloud provider has to offer will be 100% congruent with what has already been established. Very often, this is not the case, and the painstaking process of mapping out what goes where needs to happen first.

*After the migration to the cloud, there is often a sense among many IT Security teams that they have lost “command and control” over the login credentials of employees, because they were not trained beforehand on what to expect.

*If the IAM is not configured properly, many employees will experience the problem of having to log in multiple times in order to gain access to what they need. Very often, new passwords will have to be set up, forcing the employee to remember dozens of them, which defeats the whole purpose of IAM altogether. This will lead to huge employee frustration, with the end result of the “Post-It Syndrome” reappearing, and in a worst-case scenario, the downloading of unauthorized apps.

*Not disabling accounts after an employee leaves the organization.

*If your employees are frustrated (as alluded to before), another problem is that they will simply start sharing passwords once again, causing even more problems down the road, such as the lack of accountability as to who is accessing what.
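The fourth point above (accounts that are never disabled after an employee leaves) is the one that can be checked mechanically. The script below is an added example, not code from the original post: it cross-references a constructed IAM account export against a constructed HR leaver list and flags accounts that are still enabled after the person's last working day, plus enabled accounts that have not signed in for 90 days or more (dormant accounts are the usual place orphaned logins hide). The field names (user, enabled, last_login, last_day) and the 90-day threshold are assumptions chosen for this example; map them to whatever your directory export and HR report actually contain.

```python
"""Offboarding and dormancy check for IAM accounts.

Added example, not from the original post. Field names and the dormancy
threshold are assumptions for this illustration; adapt them to your own
Azure AD / AWS IAM export and HR leaver report.
"""
from datetime import date

DORMANT_DAYS = 90  # assumed threshold; tune to your own policy

# Constructed sample data standing in for a directory export.
IAM_ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": "2022-06-20"},
    {"user": "bob", "enabled": True, "last_login": "2022-03-01"},      # left, still enabled
    {"user": "carol", "enabled": False, "last_login": "2022-01-15"},   # left, correctly disabled
    {"user": "dave", "enabled": True, "last_login": "2022-02-10"},     # dormant
    {"user": "svc-backup", "enabled": True, "last_login": None},       # never signed in
]

# Constructed sample data standing in for the HR system's leaver report.
HR_LEAVERS = [
    {"user": "bob", "last_day": "2022-03-04"},
    {"user": "carol", "last_day": "2022-01-20"},
]


def parse_day(day):
    """Turn an ISO date string into a date; None stays None (no sign-in ever)."""
    return date.fromisoformat(day) if day else None


def orphaned_accounts(accounts, leavers, today):
    """Return (user, days_since_last_day) for accounts still enabled after the
    user's last working day, i.e. offboarding that never reached IAM."""
    last_days = {leaver["user"]: parse_day(leaver["last_day"]) for leaver in leavers}
    found = []
    for acct in accounts:
        last_day = last_days.get(acct["user"])
        if acct["enabled"] and last_day is not None and today > last_day:
            found.append((acct["user"], (today - last_day).days))
    return found


def dormant_accounts(accounts, today, threshold=DORMANT_DAYS):
    """Return enabled accounts with no sign-in within `threshold` days, or
    none ever. These are candidates for disabling pending owner review."""
    found = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = parse_day(acct["last_login"])
        if last is None or (today - last).days >= threshold:
            found.append(acct["user"])
    return found


if __name__ == "__main__":
    today = parse_day("2022-06-25")
    for user, days in orphaned_accounts(IAM_ACCOUNTS, HR_LEAVERS, today):
        print(f"ORPHANED: {user} still enabled {days} days after leaving")
    for user in dormant_accounts(IAM_ACCOUNTS, today):
        print(f"DORMANT: {user} has no sign-in in the last {DORMANT_DAYS} days")
```

Run on a schedule against real exports, the orphaned list is the one that should always be empty; anything on it is an offboarding process failure to fix at the source (HR-to-IAM automation), not just an account to disable by hand. The dormant list needs an owner review first, since never-used service accounts like the one in the sample may be legitimate, but it is exactly where a leaver's forgotten login will surface if the HR feed missed them.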

My Thoughts On This:

Just as much as you need to create a rock-solid Cybersecurity Policy in general, you need to create the same thing for your IAM platform. You need to take a cut of the cloud platform that you are intending to build and see how well your IAM policies fit into it. In other words, create a sandbox-like environment first, and play around with that to make sure all is well before you release your IAM policies into the production environment.

Second, don’t let the security tools that are available in AWS or Azure dictate your cloud migration. They are only there to help you, so you don’t have to spend extra $$$ trying to upgrade your security tools. Rather, you need to figure out how those tools can fit into your IAM environment. I know that Azure has an entire security center full of stuff, but it is up to you to figure out what you really need and how it will fit in.

Third, make IAM one of your first priorities in anything you do that relates to your IT and Network Infrastructure. Both the authentication and Cyber threat landscapes are becoming extremely dynamic and complex, so by staying on top of your IAM needs and objectives, you will leave fewer backdoors behind for the Cyberattacker to penetrate.

Fourth, whatever tools you use (for example in Azure), make sure that you configure them to your own settings. Never rely upon the default settings!!!

Fifth, managing an IAM platform is not as easy as you think. It can become quite complex, depending upon the size of your organization and the kind of cloud deployments that you are intending to have. Thus, don’t be afraid to ask for help. This is where the role of the Cloud Services Provider (CSP) can be of immense help. Not only can they help you with your configurations, but they can manage them for you as well, so that you stay focused on what is most important to you: running your business.
