The Importance of Identity and Access Management

Share :

The business world has an identity problem.

According to Verizon’s 2023 Data Breach Investigations Report, 74% of all breaches involve the human element, with people involved either through error, privilege misuse, social engineering, or stolen credentials — the latter three of which directly involve the management (and mismanagement) of user identities.

Moreover, this percentage stands poised to grow. In 2023, Microsoft Threat Intelligence identified a ten-fold increase year-over-year in password-based attacks, from 3 billion to 30 billion — or 4,000 attacks every single second.

People are a major part of any organisation, and therefore a critical component of an organization’s security architecture and attack surface. What these users have access to, what they do with that access, and how that access is or isn’t controlled can be the difference between a secured environment and one full of unlocked doors.

Three Common Types of Identity-Based Attacks

Attackers have a large variety of tactics, techniques, and procedures (TTPs) they can leverage to conduct cyber attacks. However, when it comes to gaining unauthorised access to sensitive information and resources, they often turn to identity-based attacks.

By compromising an identity, a threat actor can essentially impersonate a user to access resources, compromise systems, move laterally, and compromise further identities to gain privileged access to valuable applications and assets.

Threat actors typically conduct identity-based attacks through one of three ways.

Breaching Identity Infrastructure

Identity infrastructure is the collection of tools, technologies, and processes that helps an organization’s security team verify that only authorised users have access to data and environments — things like Okta Verify, Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. The constant management of identity infrastructure, however, is a monumental task for already taxed security teams. When the attack surface extends across both on-premises and cloud-based environments in a hybrid deployment, the amount of complexity is increased further, which in turn increases the opportunities for exploitation by threat actors.

Social Engineering Attacks

Malicious actors employ multiple tactics to trick individuals into divulging credentials, which in turn gives them access to various systems and networks, where they escalate their attacks to deploy malware, exfiltrate data, or conduct ransomware attacks. Here are a few of the most common social engineering attacks threat actors use to steal or compromise valid user credentials:

Leveraging Already Stolen Credentials

There’s an entire dark web marketplace dedicated to the selling and trading of identities. Threat actors can purchase them from initial access brokers — experienced cybercriminals who have already gained access to environments and collected valid credentials — or they can find them on any number of dark web hacking forums where cybercriminals have posted valid credentials either as punishment for non-payment of ransom or just to help other threat actors.

It’s clear that identity-based attacks are here to stay and growing in frequency and severity. The question is: how can organisations protect against identity-based attacks? The answer lies in proper identity and access management (IAM).

What Is Identity and Access Management?

Identity and access management (IAM) is the governance, control, and monitoring of users’ identities and access within a system or network.

Proper IAM management is a discipline that involves people, processes, and technologies, and is an ongoing journey that follows what is referred to as the access management lifecycle: establishing a user’s identity and granting access, adjusting access as business and security needs dictate, and then ending that access.

Modern tools like Okta have streamlined this management for organisations, allowing them to assign a user a single identity and then manage that user’s access to various applications through a centralised hub.

IAM works to keep those who shouldn’t have access, including threat actors, out of systems and applications, in addition to limiting their lateral movement potential if they do gain access. This is done by both verifying users’ identities and limiting their internal access. IAM can be utilised for internal users as well as partners and third parties. It’s also important to note that, while not identical, strong IAM management often follows a zero-trust framework, which can eliminate privilege creep and prevent lateral movement during a cyber attack.

For example, let’s say User A needs access to a SaaS application for data to use in an upcoming presentation to their department. IAM in action would be the IT department verifying that it is User A with their known username and password asking for access and approving the reason.

IT would then grant access only for the project’s duration and remove it as soon as the timeframe is over. That access would be monitored too (as all user activity should be monitored through a detection and response solution). All those moving pieces — governance, control, and monitoring — work together to make up IAM.

Why Is IAM important in access control and security?

IAM is important from a logistical standpoint — no organisation wants users to have unlimited access to anything and everything. But it’s also important from a security standpoint. 39% of non-BEC (business email compromise) incidents Arctic Wolf responded to in 202 3 came from compromised credentials — and most of the BEC cases did, as well.

Managing identities and having visibility into those identities can be the difference between an alert before a login happens and a full-scale attack. Benefits of identity visibility include:

  • In-depth knowledge of logins and to where they’re authenticating
  • Greater centralised control over user access
  • Earlier detection of identity-based incidents as well as suspicious identity activity
  • Better compliance management

Organisations achieve the best protection when identity security data generated by their IAM solution is ingested centrally and analysed holistically. This provides greater context and cross-telemetry correlations, offers deeper threat intelligence and risk context to drive faster threat detection, simplifies incident response, and helps eliminate alert fatigue. Organisations should seek vendor-neutral solutions providers, meaning that they can “speak to” and work with the existing tools in your tech stack.

IAM’s Role in Regulatory Compliance and Cyber Insurance

IAM has a large role to play in protecting your organization’s environment. But it also is a crucial element in meeting compliance obligations, as well as obtaining and maintaining a cyber insurance policy.

Annual Audits
IAM techniques makes the logging and tracking of user identities a much simpler process which, in turn, streamlines the annual audits and reporting processes required in many industries.

Industry-specific Regulations
Robust IAM processes can make complying with industry-specific regulations, like those found in the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX) an easier, more automated task.

Cyber Insurance
IAM maturity, such as the implementation of access tools like MFA, is quickly becoming a required security structure organisations need to have in place to obtain a cyber insurance policy from a major carrier.

IAM Solutions Are One Piece of the Cybersecurity Puzzle

While IAM is a powerful component in proactive cybersecurity, identities are only one part of an attack surface. Organisations should work to constantly mature their identity management, but also understand it’s just one piece of the larger cybersecurity puzzle.

User identity and access telemetry can be a key piece of evidence when investigating a potential incident. It could be an unusual login from a foreign location at 3 a.m., or a user trying over and over to login into an application they’ve never had access to. It’s important evidence that can both inform that bigger picture and tip off security teams that something isn’t right, allowing for swifter, more comprehensive and informed responses.

Discover the role zero trust plays in identity and access management.
See how Arctic Wolf integrates with two major identity solution providers — Okta and ZScaler.

Arctic Wolf

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.
Share :
Table of Contents
Categories