People are a major part of any organization, and therefore a critical component of an organization’s security architecture.
What these users have access to, what they do with that access, and how that access is or isn’t managed can be the difference between a secured environment and one full of unlocked doors. Business email compromise (BEC) attacks are on the rise, fueled by compromised credentials, and other forms of attacks often rely on credentials, or access, in their early stages.
This risk is what makes identity and access management (IAM) so important.
What Is Identity and Access Management?
Identity and access management is the governance, control, and monitoring of users’ identities and access within a system or network.
Proper IAM is a discipline that involves people, processes, and technologies. It is an ongoing journey that follows what is referred to as the access management lifecycle: establishing a user’s identity and granting access, adjusting access as business and security needs dictate, and then ending that access.
Modern tools like Okta have streamlined this management for organizations, allowing them to assign a user a single identity and then manage that user’s access to various applications through a centralized hub.
IAM works to keep those who shouldn’t have access, particularly threat actors, out of systems and applications, and to limit their lateral movement potential if they do gain access. This is done by both verifying users’ identities and limiting their internal access. IAM can be utilized for internal users as well as partners and third parties. It’s also important to note that, while the two are not identical, strong IAM follows a Zero Trust framework.
For example, let’s say User A needs access to a SaaS application for data for an upcoming presentation to their department. With IAM, the IT department would verify, using their known username and password, that it is User A asking for access, and would approve the reason.
IT would then grant access only for the duration of the project, and then remove it as soon as the timeframe is over. That access would be monitored as well (as all user activity should be monitored through a detection and response solution). All of those moving pieces — governance, control, and monitoring — work together to make up IAM.
Why Is IAM Important?
IAM is important from a logistical standpoint — no organization wants users to have unlimited access to who knows what. But it’s also important from a security standpoint. 20% of ticketed incidents from Arctic Wolf Incident Response in 2022 came from observed identity behavior. That could include suspicious logins, or users accessing parts of the environment they shouldn’t or otherwise wouldn’t have access to. These identity issues could quickly spiral into a business email compromise attack, a phishing attack, or a full-blown data breach.
Managing identities and having visibility into those identities can be the difference between an alert before a login happens and a full-scale attack. Benefits of identity visibility include:
- In-depth knowledge of logins and where they’re authenticating to
- Greater centralized control over user access
- Multi-factor authentication (MFA), which promotes proactive security and empowers employees
The third point, MFA, is a crucial tool in the IAM toolbox. 58% of BEC victims in 2022 didn’t employ MFA on their users. That simple access control makes a major difference, and it’s one not enough organizations are taking advantage of.
IAM’s Role in Holistic Visibility
IAM isn’t the be-all and end-all of user security. It’s often difficult to know what users are doing with their granted access, privilege management is a constant process, and false positives can be a drain on internal resources. Instead, organizations should think of it as one piece of the puzzle or one part of holistic visibility.
User identity and access telemetry can be a key piece of evidence when investigating a potential incident. It could be an unusual login from a foreign location at 3 am, or a user trying over and over to log in to an application they’ve never had access to. It’s important evidence that can both inform that bigger picture and tip off security teams that something isn’t right. Holistic visibility relies on the concept that more telemetry, and more visibility, leads to better security, and identity and access are two major sightlines.
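The two signals described above (an off-hours login from a location the user has not logged in from before, and repeated failed logins to an application the user has never accessed), sketched as detection logic in Python. This is an added example, not code from Arctic Wolf or any product named here; the event fields, the off-hours window, and the failure threshold are assumptions, and the events are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not real telemetry). Assumed fields:
# (timestamp in the user's local time, user, application, country, result)
EVENTS = [
    ("2024-03-04T08:30:00", "userb", "mail", "US", "success"),
    ("2024-03-04T09:12:00", "usera", "mail", "US", "success"),
    ("2024-03-04T10:01:00", "usera", "crm", "US", "success"),
    ("2024-03-05T03:07:00", "usera", "mail", "RO", "success"),
    ("2024-03-05T14:00:10", "userb", "payroll", "US", "failure"),
    ("2024-03-05T14:00:25", "userb", "payroll", "US", "failure"),
    ("2024-03-05T14:00:41", "userb", "payroll", "US", "failure"),
    ("2024-03-05T15:00:00", "userb", "mail", "US", "failure"),
]

OFF_HOURS = range(0, 5)  # assumed window: 00:00-04:59
FAIL_THRESHOLD = 3       # assumed: failures to one never-used app before alerting


def detect(events):
    """Return (timestamp, user, reason) alerts for the two identity signals."""
    countries = {}     # user -> countries seen on earlier successful logins
    apps = {}          # user -> applications the user has logged in to
    fails = Counter()  # (user, app) -> failed logins to a never-used app
    alerts = []
    for ts, user, app, country, result in sorted(events):
        known_countries = countries.setdefault(user, set())
        known_apps = apps.setdefault(user, set())
        if result == "success":
            hour = datetime.fromisoformat(ts).hour
            # Alert only once a baseline exists, so a first-ever login is quiet.
            if known_countries and country not in known_countries and hour in OFF_HOURS:
                alerts.append((ts, user, f"off-hours login from new country {country}"))
            else:
                known_countries.add(country)
            known_apps.add(app)
            fails[(user, app)] = 0
        elif app not in known_apps:
            fails[(user, app)] += 1
            # Fire exactly once, when the count reaches the threshold.
            if fails[(user, app)] == FAIL_THRESHOLD:
                alerts.append((ts, user, f"repeated failed logins to never-used app {app}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert, sep=" | ")
```

The failed login to `mail` at the end raises nothing because that user has logged in to it before, which is the kind of baseline that keeps false positives down.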