Identity is a concept that has existed since the dawn of the computer, but identity and its protection are becoming ever more important. Historically, the identities we use have been stored and managed in on-premises environments. With cloud computing and the new normal of working from home, identity is now the one parameter that companies and organizations can still use to exert control over systems and access.
The cloud has made the security of identities an ongoing issue for the past ten years, but the increase in working from home has made it business critical. Users are no longer located behind a firewall with all the monitoring and security that perimeter provides. Nor are they restricted to laptops issued and configured by their companies; they can use whatever device they have access to at any given point in time. Security, and security monitoring, is a challenge under these circumstances, and the only thing left under the company's direct control is the identity of the user.
There are many three-letter acronyms out there related to identities:
- Privileged Identity Management – PIM
- Privileged Access Management – PAM
- Identity and Access Management – IAM
Inseparable from the concept of identity is the password used to secure it. But despite their importance to the security of identities, passwords are not ‘sexy’. They are more of a bother than anything else, and so little attention is paid to the security of the passwords themselves. At this point in the history of cybersecurity, passwords are still a necessity, even with the increased focus on biometrics and the passwordless authentication that Microsoft is currently promoting.
As cybersecurity professionals dealing with the new normal, in which users are distributed across the world, often working from home, and using a plethora of different cloud vendors, we have a single parameter we can control explicitly: the identity. Hence the title of this article, “Identity Is the New Black”. This new and ever-increasing importance of identities creates increased risk and, in many organizations, compliance headaches.
In many organizations, Microsoft Active Directory is the core identity store and user management system. And for many years this has been good enough. Today, however, viewing Active Directory as ‘just a user store’ is no longer viable.
The user identities, and through password hash synchronization or federation the credentials behind them, are now extended out to cloud vendors such as:
- Microsoft Azure
- Microsoft 365
- Amazon Web Services
- Oracle Cloud Infrastructure
- Google Cloud
You almost certainly have cloud vendors in your infrastructure that are not listed above, and that only underlines the importance of the core identity store. Whether the cloud trusts the on-premises directory through federation or receives synchronized password hashes from it, a compromise of that directory is a compromise of every cloud tenant attached to it. Some organizations have not yet realized that, with the cloud and the new normal of working from home, the core identity store is now a critical component of the infrastructure. It has always been important, but with the enormous growth of cloud components in organizational infrastructures, its importance has grown beyond the risk appetite most organizations are willing to accept.
There is now a single source of identities with huge importance across many internal systems and many different clouds. Has a thorough risk assessment been done on your Active Directory instance? Or has it simply been extended to cover cloud environments on top of its traditional responsibilities? With no thought given to its increased importance to the overall security of the organization?
In my experience, the usual answers to the above questions are: no, yes, yes, unfortunately…
With the ever-increasing importance of identity security, cybersecurity professionals must be able to advise customers on risk assessments and procedures for securely managing the identity stores. Identities, and the passwords associated with them, are at the core of the overall security of any modern organization that uses the cloud in parts of its business. We all know that a password is a single secret that can be guessed, reused or phished, and that it is only as good as the complexity and uniqueness the user gives it; hence the increasing use of Multi-Factor Authentication (MFA). In the past few years, the focus has been on rolling out MFA to privileged users, such as administrators, as part of privileged identity management projects. Good practice, but now is the time to roll it out to the end users as well.
Changing user behavior is always an uphill struggle, but MFA is an absolute must, especially now that user accounts are distributed across different cloud vendors and users are working from home on devices we no longer control.
With the new normal of working from home, or anywhere, the security of the identities and the accesses the identities provide is of extreme importance.
Therefore, my recommendations are:
- Use MFA for everybody, not just privileged accounts, and prefer authenticator-app or hardware-token methods over SMS codes
- Perform a risk assessment on the identity store and keep it updated as its integrations change
- Perform regular IT audits of the identity store and of the integrations between the store and external partners, such as cloud service providers
- Place the identity store (domain controllers and the servers that synchronize or federate to the cloud) on its own subnet and control the traffic allowed into and out of that subnet
- Perform regular reviews of the membership of privileged accounts and groups (Should they all still be members?)
- Automate the removal of users when they leave the organization, so that a leaver's access does not depend on someone remembering to revoke it
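The last two recommendations, reviewing privileged group membership and automating leaver removal, are routinely scripted against Active Directory. The following PowerShell is an added example written for this page; it is not code from the original article or from Microsoft's guidance. It assumes the ActiveDirectory module (RSAT) is installed and the caller has rights to read the directory and, for the leaver step, to modify it. The list of privileged groups, the 90-day inactivity threshold, the use of `extensionAttribute1` as the HR-populated leaver marker and the quarantine OU are all assumptions chosen for illustration; adjust them to your environment. `$DryRun` is on by default so the destructive steps only report what they would do.

```powershell
# Added example: privileged-group membership review and leaver clean-up in Active Directory.
# Assumptions (not from the article): group list, 90-day threshold, extensionAttribute1 = 'LEAVER'
# as the HR signal, and the quarantine OU path. Run from a host with RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

$DryRun           = $true   # set to $false to actually disable/move leavers
$InactiveDays     = 90
$Cutoff           = (Get-Date).AddDays(-$InactiveDays)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
$QuarantineOU     = 'OU=Disabled Users,DC=example,DC=com'   # assumption

# ---- Part 1: review membership of privileged groups --------------------------------------
# -Recursive expands nested groups, so indirect members (the ones reviewers usually miss) are
# included. Computers and groups are filtered out; only user objects are examined.
$CurrentAdmins = @{}
$Findings = foreach ($Group in $PrivilegedGroups) {
    $Members = Get-ADGroupMember -Identity $Group -Recursive |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.DistinguishedName `
                  -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled
        $CurrentAdmins[$User.SamAccountName] = $true
        $Reasons = @()
        if (-not $User.Enabled)                { $Reasons += 'disabled account still in group' }
        if ($null -eq $User.LastLogonDate -or
            $User.LastLogonDate -lt $Cutoff)   { $Reasons += "no logon in $InactiveDays days" }
        if ($User.PasswordNeverExpires)        { $Reasons += 'password never expires' }
        if ($null -eq $User.PasswordLastSet -or
            $User.PasswordLastSet -lt (Get-Date).AddDays(-365)) {
                                                 $Reasons += 'password older than one year' }
        if ($Reasons.Count -gt 0) {
            [pscustomobject]@{
                Group     = $Group
                User      = $User.SamAccountName
                LastLogon = $User.LastLogonDate
                Reasons   = ($Reasons -join '; ')
            }
        }
    }
}

# Orphaned admin flag: AD sets adminCount=1 on members of protected groups but never clears it
# when they are removed, so these accounts keep the restrictive ACL and mark past privilege.
$Orphaned = Get-ADUser -Filter { adminCount -eq 1 } |
            Where-Object { -not $CurrentAdmins.ContainsKey($_.SamAccountName) } |
            ForEach-Object {
                [pscustomobject]@{ Group = '(none)'; User = $_.SamAccountName
                                   LastLogon = $null; Reasons = 'adminCount=1 but in no privileged group' }
            }

$Report = @($Findings) + @($Orphaned)
$Report | Sort-Object Group, User | Format-Table -AutoSize
$Report | Export-Csv -Path ".\privileged-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# ---- Part 2: leavers flagged by HR -------------------------------------------------------
# Order matters: disable first (kills new logons), strip group membership (kills inherited
# access on the next token refresh), then quarantine. Deletion happens later, after retention.
$Leavers = Get-ADUser -Filter { Enabled -eq $true -and extensionAttribute1 -eq 'LEAVER' } `
                      -Properties MemberOf
foreach ($Leaver in $Leavers) {
    Disable-ADAccount -Identity $Leaver -WhatIf:$DryRun
    Set-ADUser -Identity $Leaver -Description "Disabled by leaver automation $(Get-Date -Format s)" -WhatIf:$DryRun
    foreach ($GroupDn in $Leaver.MemberOf) {          # primary group (Domain Users) is not listed here
        Remove-ADGroupMember -Identity $GroupDn -Members $Leaver -Confirm:$false -WhatIf:$DryRun
    }
    Move-ADObject -Identity $Leaver.DistinguishedName -TargetPath $QuarantineOU -WhatIf:$DryRun
}
```

Run Part 1 on a schedule and keep the CSV as the audit record of each review; every row is a question for the group owner, not an automatic removal. Part 2 depends entirely on the quality of the HR signal, so the `-WhatIf` dry run should be inspected for a few cycles before `$DryRun` is switched off. Note that the same accounts typically exist in the cloud tenants listed earlier; after the on-premises change, confirm that the synchronization or federation link has actually propagated the disablement there too.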
In addition, Microsoft provides good guidance on how to secure Active Directory, notably its "Best Practices for Securing Active Directory" documentation. Most of that guidance can be extended to other identity stores.
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and has held several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISC, CCSP, CDPSE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book, 'Security Architecture - How & Why'.