The Importance of Identity and Access Management

The business world has an identity security problem.

Identity telemetry dominated Arctic Wolf’s list of the top 10 security investigation types over the past 12 months, and in 2024, 70% of organisations were targeted by business email compromise (BEC), an attack that often relies on identity compromise to succeed.

Identities are an increasingly critical part of organisations as they undergo digital transformation, embrace hybrid work models, and rely more heavily on the cloud and web-based applications. Because of this, identity security has become a critical component of an organisation’s security architecture and attack surface management. What an organisation’s user base has access to, what they can do with that access, and how that access is or isn’t controlled and monitored can be the difference between a secured environment and one full of unlocked doors. That is where identity and access management (IAM) can play a major role.

What is Identity and Access Management?

Identity and access management (IAM) is the governance, control, and monitoring of users’ identities and access within a system or network.

Proper IAM is a discipline that involves people, processes, and technologies, and is an ongoing journey that follows what is referred to as the access management lifecycle: establishing a user’s identity and granting access, adjusting access as business and security needs dictate, as well as revoking access.

Modern tools like Okta have streamlined IAM for organisations, allowing them to assign a user a single identity and then manage that user’s access to various applications through a centralised hub.

IAM works to keep those who shouldn’t have access, including threat actors, out of systems and applications, in addition to limiting lateral movement and privilege escalation in the event of an attack. IAM can be utilised for internal users as well as partners and third parties. Strong IAM practice also often follows a zero trust framework; the two are not identical, but zero trust is the more security-focused view of identity and access management.

For example, let’s say “User A” needs access to a SaaS application for data to use in an upcoming project. IAM in action would be the IT department verifying that the request really comes from “User A” (authenticated with their known username and password), and approving the stated reason for the access.

IT would then grant access only for the project’s duration and remove it as soon as that timeframe is over. That access would be monitored as well for any unusual logins or behaviour tied to that application over the designated timeframe (as all user activity should be monitored through a detection and response solution). All those moving pieces — governance, control, and monitoring — work together to make up IAM.

While IAM is a framework, many organisations rely on IAM solutions and tools, such as single sign-on (SSO) applications, multi-factor authentication (MFA) providers, and more. Many aspects of IAM implementation and management, in particular 24×7 monitoring, can be difficult to achieve without robust solutions or a third-party partnership.
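The “User A” scenario above is the access management lifecycle in miniature: grant access for a stated reason and a fixed duration, deny anything that has no current grant, revoke when the window closes, and keep a record of every step. The following is an added example (not Arctic Wolf’s code or any product’s API) that models that lifecycle as a small deny-by-default access registry; the user, application and duration values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """One identity's approved access to one application, with an expiry."""
    user: str
    app: str
    reason: str
    approved_by: str
    expires_at: datetime


class AccessRegistry:
    """Deny-by-default store of time-bounded grants plus an audit trail."""

    def __init__(self):
        self.grants = []
        self.audit = []  # (timestamp, action, user, app, note) for every lifecycle event

    def grant(self, user, app, reason, approved_by, duration: timedelta, now: datetime):
        # Access is only ever granted for a bounded duration and with a recorded reason.
        g = Grant(user, app, reason, approved_by, now + duration)
        self.grants.append(g)
        self.audit.append((now, "GRANT", user, app, f"{reason} (approved by {approved_by})"))
        return g

    def is_allowed(self, user, app, now: datetime) -> bool:
        # Least privilege: no grant, or an expired grant, means no access.
        return any(g.user == user and g.app == app and now < g.expires_at for g in self.grants)

    def revoke(self, user, app, now: datetime, note: str) -> int:
        # Explicit revocation, e.g. when a project ends early or a user leaves.
        doomed = [g for g in self.grants if g.user == user and g.app == app]
        for g in doomed:
            self.grants.remove(g)
            self.audit.append((now, "REVOKE", user, app, note))
        return len(doomed)

    def revoke_expired(self, now: datetime) -> int:
        # Scheduled clean-up: remove every grant whose window has closed.
        expired = [g for g in self.grants if now >= g.expires_at]
        for g in expired:
            self.grants.remove(g)
            self.audit.append((now, "REVOKE", g.user, g.app, "expired"))
        return len(expired)


def lifecycle_demo():
    """Walk one grant through the lifecycle; values are constructed for the example."""
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    reg = AccessRegistry()
    reg.grant("user_a", "analytics-saas", "Q1 project data pull", "it-ops",
              timedelta(days=30), t0)
    during = reg.is_allowed("user_a", "analytics-saas", t0 + timedelta(days=10))
    other_app = reg.is_allowed("user_a", "hr-system", t0 + timedelta(days=10))
    removed = reg.revoke_expired(t0 + timedelta(days=31))
    after = reg.is_allowed("user_a", "analytics-saas", t0 + timedelta(days=31))
    return during, other_app, removed, after, [e[1] for e in reg.audit]


if __name__ == "__main__":
    print(lifecycle_demo())  # (True, False, 1, False, ['GRANT', 'REVOKE'])
```

Two properties carry the security weight here: `is_allowed` returns `False` for anything without an unexpired grant, so forgetting to revoke cannot silently extend access beyond the approved window, and every grant and revocation lands in `audit`, which is the trail that the monitoring and annual audit discussion later in this article depends on.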

The Three Components of IAM Security

Identity and access management is made up of three key components that all work together to better secure an organisation’s attack surface and reduce identity-based risks.

1. Governance. This process of determining, managing, and enforcing all policies and procedures around an IAM system is usually led by an organisation’s IT, or security and infrastructure, department. Examples of governance include determining how access is granted and revoked, which process and criteria are used for provisioning and deprovisioning users, account lifecycle management for all users, and how access is approved and managed for specific applications.

2. Control. This component consists of the specific tools, technologies, and policies in place to grant or restrict access. Common access controls include MFA, role-based access controls (limiting access to applications or data based on a user’s role), time-based access controls (limiting access to specific time frames), discretionary access control, following a zero trust model which denies all access that has not been authenticated, and following the principle of least privilege (PoLP) when controlling that access.

3. Monitoring. Once access has been determined and restricted, an organisation should continually monitor its identity sources to ensure not only that the system is functioning as it should, but also that no suspicious activity or threat-based behaviour is occurring. This should, ideally, be done 24×7, with alerts in place for behaviours such as “unusual logins,” “repeated login attempts,” “attempted logins to restricted applications,” and “unusual or unauthorised provisioning of access.”
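The four alert types named under Monitoring are all simple rules over identity telemetry once the events are in a common shape. The following is an added example (written for this article, not Arctic Wolf’s detection logic) that parses a handful of constructed identity log lines and applies one rule per alert type: a sliding-window count of failed logins per user, a known-country baseline per user for unusual logins, a restricted-application list, and an approved-administrator list for provisioning. The event format, thresholds, baselines and user names are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity telemetry (not real logs). Format is assumed:
# "<ISO timestamp> key=value key=value ..."
SAMPLE_EVENTS = [
    "2025-03-03T08:59:10Z user=alice event=login_success app=mail src_country=GB",
    "2025-03-03T09:01:42Z user=bob event=login_failure app=mail src_country=GB",
    "2025-03-03T09:01:55Z user=bob event=login_failure app=mail src_country=GB",
    "2025-03-03T09:02:09Z user=bob event=login_failure app=mail src_country=GB",
    "2025-03-03T09:02:20Z user=bob event=login_failure app=mail src_country=GB",
    "2025-03-03T09:02:31Z user=bob event=login_failure app=mail src_country=GB",
    "2025-03-03T09:30:00Z user=alice event=login_success app=vpn src_country=BR",
    "2025-03-03T10:15:00Z user=carol event=access_denied app=payroll src_country=GB",
    "2025-03-03T11:00:00Z user=dave event=provision app=payroll actor=dave src_country=GB",
    "2025-03-03T11:05:00Z user=erin event=provision app=mail actor=it-admin src_country=GB",
]

# Assumed baselines and policy for the example organisation.
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}, "dave": {"GB"}, "erin": {"GB"}}
RESTRICTED_APPS = {"payroll"}
PROVISIONING_ADMINS = {"it-admin"}


def parse_events(lines):
    """Turn each log line into a dict with a datetime under 'ts'."""
    events = []
    for line in lines:
        ts_str, *pairs = line.split()
        ev = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Apply the four monitoring rules; returns (rule, user, detail) tuples."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for e in events:
        kind = e["event"]
        if kind == "login_failure":
            recent = failures[e["user"]]
            recent.append(e["ts"])
            # Keep only failures inside the sliding window.
            while recent and e["ts"] - recent[0] > window:
                recent.pop(0)
            if len(recent) >= fail_threshold:
                alerts.append(("repeated_login_attempts", e["user"],
                               f"{len(recent)} failures within {window}"))
                recent.clear()  # one alert per burst, not one per extra failure
        elif kind == "login_success":
            # Unusual login: a success from a country not in the user's baseline.
            if e["src_country"] not in KNOWN_COUNTRIES.get(e["user"], set()):
                alerts.append(("unusual_login", e["user"], f"from {e['src_country']}"))
        elif kind == "access_denied" and e["app"] in RESTRICTED_APPS:
            alerts.append(("restricted_app_attempt", e["user"], e["app"]))
        elif kind == "provision" and e.get("actor") not in PROVISIONING_ADMINS:
            # Provisioning performed by someone outside the approved admin set.
            alerts.append(("unauthorized_provisioning", e["user"], f"by {e.get('actor')}"))
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Note that the failure rule is keyed per user, which is exactly what a password-spraying attacker tries to stay under; the hardening list later in this article calls for blocking keyed on the source instead, which is a separate rule.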

Why is IAM important in cybersecurity?

As organisations have digitalised operations, turned to cloud-based applications, and embraced hybrid work models and geographically disparate operations, identity has become the new perimeter — one that is far more complex to protect. This challenge is amplified by an evolving threat landscape where threat actors are turning to credential theft and identity-based TTPs to launch sophisticated attacks such as ransomware and BEC.

Common identity-based attacks utilised by threat actors include:

  • Breaching identity infrastructure, such as Microsoft Active Directory
  • Launching social engineering attacks, such as phishing
  • Leveraging previously stolen credentials that may have been harvested from the dark web or from a prior attack on the organisation

The Arctic Wolf 2024 Security Operations Report echoes this. Arctic Wolf found that remote connectivity tools were a top target for threat actors throughout the 12 months the report covered. Identity signals represented seven of the top 10 threats or IOCs leading to alerts, and to complicate or evade detection, threat actors continued to employ infostealers to acquire active credentials or session cookies. At times, Arctic Wolf observed more than 2,000 weekly instances of the Win32.Zbot infostealer Trojan — an infostealer frequently used by threat actors to exfiltrate data while evading detection — across its customer base.

In addition to threat prevention, IAM helps organisations manage their user base and provides vital visibility. Managing identities and having visibility into those identities can be the difference between an alert before a malicious login is successful and a full-scale attack.

Benefits of identity visibility include:

  • In-depth knowledge of who is logging in and what they are authenticating to
  • Greater centralised control over user access
  • Earlier detection of identity-based incidents as well as suspicious identity activity
  • Better compliance management

Organisations achieve more comprehensive protection when identity security data generated by their IAM solution is ingested centrally and analysed holistically. This provides greater context and cross-telemetry correlation, and offers deeper threat intelligence and risk context that drives faster threat detection, simplifies incident response, and helps eliminate alert fatigue.

Identity and Access Management’s Role in Compliance

IAM plays a large role in protecting an organisation’s environment. But it also is a crucial element in meeting compliance obligations, as well as obtaining and maintaining a cyber insurance policy.

Annual audits
IAM practices make the logging and tracking of user identities a much simpler process which, in turn, streamlines the annual audits and reporting processes required in many industries.

Industry-specific regulations
Robust IAM processes can make complying with industry-specific regulations, like those found in the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX), an easier, more automated task. PCI-DSS, HIPAA, NIST SP 800-53, SOX, and more all list strict IAM as a required control.

Cyber Insurance
IAM maturity, such as the implementation of access tools like MFA, is quickly becoming a required security structure organisations need to have in place to obtain and maintain cyber insurance coverage.

Identity and IAM Threats

The Arctic Wolf Labs Predictions Report states that 2025 will see IAM systems under attack from threat actors, as permissive policies, misconfigurations, and a lack of monitoring allow known threat actor TTPs (such as credential abuse and the use of infostealers) to thrive. Securing these tools, technologies, and systems is as vital as implementing them when it comes to your cybersecurity posture.

Ways to better secure IAM include:

  • Enforce strong credential controls and password management, including phishing-resistant MFA
  • Secure your identity infrastructure, primarily Active Directory
  • Set automated blocking on authentication attempts to hinder password-spraying activities, and implement geolocation-based blocking
  • Implement network segmentation to limit the ability of threat actors to move laterally if they gain initial access
  • Ensure identity telemetry is available for access and monitoring

Learn more about how to protect your IAM systems and about our other predictions for 2025.

Identity Access Management and Arctic Wolf

Arctic Wolf understands the increasingly essential role identity plays in cybersecurity and threat detection.

User identity and access telemetry can be a key piece of evidence when investigating a potential incident. It could be an unusual login from a foreign location at 3 a.m., or a user trying over and over to log in to an application they’ve never had access to. It’s important evidence that can both inform the bigger picture and alert security teams to malicious activity, allowing for swifter, more comprehensive responses. Arctic Wolf® Managed Detection and Response (MDR) ingests identity as one of several sources for monitoring and threat detection and can be integrated with multiple identity solutions for more reliable monitoring and faster responses.

Arctic Wolf believes that security is a journey, so whether your organisation has mature IAM practices or is just starting to implement access controls, the Arctic Wolf Concierge Security® Team is there to guide IT departments, providing organisations with tailored actions and evaluations to harden the identity attack surface.

Explore how IAM security can stop identity threats with the Arctic Wolf 2024 Security Operations Report.
See how Arctic Wolf integrates with two major identity solution providers — Okta and ZScaler.