Are All Accounts now Privileged? A Guide to Modern IAM
How the challenges facing the modern enterprise can be a catalyst to redevelop the identity and security architecture they invest in. By providing all identity types with greater access to PAM-esque capabilities, can not only reduce risk exposure, but also provide the organisation with a foundation for business agility and improved performance.
“The future is already here – it’s just not evenly distributed” – is an often (sometimes miss-) quoted statement by William Gibson1. If viewed exclusively via the lens of technology it can be used to potentially see both the problems of tomorrow as well as the potential solutions.
Why is this relevant when it comes to identity and access management?
Evolution of IAM Platforms
Identity has evolved significantly over the past decade. The origins of IAM were within the workforce B2E space, where productivity, employee efficiency and cost control were often the main drivers for adoption. High risk was identified and managed via standard risk management frameworks such as ISO27001/2 or NIST RMF. This often resulted in controls such as multi-factor authentication, automated processes for the joiner-mover-leaver workflows, perhaps the use of role based access control and the treatment of shared or powerful privileged service accounts with vaulting and monitoring controls. Essentially controls that were not evenly distributed across the more modern enterprise. They were selective (and at the time, probably quite correctly so).
The tools and products delivering these identity controls were often specialist in their nature, siloed in their deployment and focused on targeted identities, applications or scenarios. Whilst this provided some point protection, the identity landscape evolved rapidly – to include not only different identity types (consumers, partners, devices, workloads..) but also how risk and threat intelligence needed to be integrated to help support more agile and adaptive approaches to security such as zero trust. Products with such limited adoption and focus could now no longer provide either a reduced risk posture or return on investment for the future landscape.
Let’s take a step back and focus an example specifically on privileged access management. The standard requirements here are typically features such as password vaulting and rotation (especially for shared accounts), session monitoring (providing a way to proactively and retrospectively analyse behaviours of users at a point in time), the use of multi-factor authentication during privileged credential issuance time and the use of risk analysis probably based on device, location and activity data.
The coverage and selection of PAM based solutions was often restricted to system accounts, shared accounts or administrative accounts. The issue today, of course, is that privilege abuse and escalation can occur for any identity within the estate requiring a change in mindset not just from a risk perspective but also controls countermeasure view too.
Hackers login typically, they don’t break in and once in are often able to either re-use existing (and correctly assigned) permissions or seek to elevate – either on a singular account or using multiple accounts in a distributed fashion – the classic create an operation with one account and remove with another to avoid suspicious behaviour flags.
Applying PAM to Different Identity Types
So not only do organisations need to see the concept of every user potentially being a “privileged user”, they also need to do so with a broader lens – across an array of new identity types. Employees, contractors, business partner accounts, workload identities and services, devices and also identities working within the operational technology (OT) and industrial control system (ICS) sectors too.
Not only have we seen a broader array of identity types, the assets and transactions these identities are accessing and completing has also increased. From a standard B2E ecosystem that was often on-premises, highly controlled and understood, to one which contains hybrid cloud components, SaaS, customer applications, industrial equipment, files, data and APIs – which reduces visibility and centralization of control.
Drivers - Increased Identity Risk
As the array of identities and assets being accessed has broadened, so too has risk associated with identity. The IAM infrastructure has become a new attack surface – it is often distributed, siloed and lacking visibility and response capabilities. It is perhaps easier for an adversary to steal a web cookie as it is to attempt to social engineer an end user for their login details. It is possibly easier to chain together three “standard” user accounts to complete a more complex transaction. It is possibly easier to leverage a weakness in a third party mobile application in order to steal an access token for impersonation. The IAM attack surface contains a broader array of entry points, as identity is now so foundational to both security and business success.
Benefits - Security & Business Performance
But applying a higher set of security controls to the entire IAM landscape is not just about reducing risk. By providing a more agile and adaptive set of identity security capabilities, allows the business to be successful in a range of different ways.
Improved data sharing and collaboration helps solve business problems faster. By providing access in a more just in time and responsive way can reduce the time to market for new services and projects. Opening up access to trusted third parties can help launch new applications quicker.
The identity and access management landscape has changed hugely over the past 5 years. Not only has IAM become the foundation for agile security concepts such as zero trust, it can also enable customer engagement and increase revenue, modernise operational technology and ICS environments as well as empower the next generation of smart cities and automation. Unfortunately this too can bring risk.
Siloed solutions for PAM, MFA and access management are no longer able to cope with the array of identities and assets being protected. It is important to consider applying what were once specialist and futurist technologies and controls to the entire spectrum of the IAM landscape.