As cybercrime increases, security should be a top priority for businesses. Identity and Access Management (IAM) is crucial in developing cybersecurity strategies and serves as a tool for mitigating risks such as spear phishing aided by machine learning.
Modern ways of working mean that company systems and data need to be readily accessible to employees across multiple locations and on multiple devices.
But, with the risk of cybercrime growing, it is vital that robust security measures are in place to restrict access to your information to only the right people, at the right time and for the right reasons.
From multi-factor authentication to role-based access control, IAM solutions will help protect your business’s sensitive data.
The correct use of IAM ensures fast and secure access for employees, making the necessary systems and solutions available which are appropriate to their defined roles. This can extend to partners, where IAM guarantees access only to essential services and information for a specified duration.
“The foundation of IT security is to protect business processes and to maintain confidentiality, integrity and accessibility throughout all systems and data sources. In the era of the distributed workforce, IAM has become a cornerstone technology,” says Reidar Boldevin, Consulting Manager at Columbus.
The transition from the office being the primary workplace for many to remote working becoming more prevalent has presented significant system security challenges. IAM recognises the magnitude of change and moves the security focus from perimeter to identity.
“You have two functions in an IAM system, and they are managing authentication (who is signing in), and authorisation (who has permissions),” says Boldevin.
He explains by comparing the process to receiving an invitation to a VIP event. You can show your ID to confirm who you are, but you need to be on the VIP list to get access.
“You can further add Identity and Governance Administration (IGA) management, to make it a bit more advanced,” Boldevin says.
With IGA your business can provide automated access to the right resources at the right time. It reduces manual administration, while streamlining your organisation’s business processes and governing and detecting access risks. These are known as the joiner, mover and leaver processes.
Joiner process: Managing the onboarding of new employees, including creating user accounts and granting initial access rights.
Mover process: Handling changes in an employee's role, department or responsibilities, which may require adjustments to their access rights. This also includes work on projects that require temporary or permanent access.
“If there are changes in position, old access rights must be removed, while rights for the new role are granted. A common scenario is the accumulation of privileges throughout an employee's tenure with a company. This makes a long-standing employee a very lucrative target,” says Boldevin.
Leaver process: Managing the offboarding process, including revoking access rights when an employee leaves the organisation.
Depending on the relationship the leaver has with the company, it may be prudent to limit access to the bare minimum throughout the termination period or even revoke access prior to informing the employee in cases of misconduct or gross negligence.
“Controlling the lifecycle of users and automating or controlling access based on business need and risk is an added value provided by an IGA system,” says Boldevin.
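To make the joiner, mover and leaver processes concrete, here is an added illustrative Python model; it is not code from Columbus or from any IGA product, and the role names, entitlements, users and project dates are constructed. It also shows how the privilege accumulation Boldevin describes can be detected when a mover step only adds rights without revoking the old ones.

```python
# Constructed role model (illustrative, not taken from any product): role -> justified rights
ROLE_RIGHTS = {
    "sales": {"crm", "mail"},
    "finance": {"erp", "mail", "payments"},
}

class AccessStore:
    """Minimal IGA-style record of who holds which entitlement, and why."""
    def __init__(self):
        self.role = {}    # user -> current role
        self.rights = {}  # user -> {entitlement: (reason, expiry 'YYYY-MM-DD' or None)}
    def joiner(self, user, role):
        """Onboarding: the account gets exactly the rights its role justifies."""
        self.role[user] = role
        self.rights[user] = {r: ("role:" + role, None) for r in ROLE_RIGHTS[role]}
    def mover(self, user, new_role, revoke_old=True):
        """Role change. revoke_old=False mimics the manual practice that lets
        privileges accumulate; the default removes the old role's rights first."""
        old, held = self.role[user], self.rights[user]
        if revoke_old:
            for r in ROLE_RIGHTS[old] - ROLE_RIGHTS[new_role]:
                held.pop(r, None)
        for r in ROLE_RIGHTS[new_role]:
            held[r] = ("role:" + new_role, None)
        self.role[user] = new_role
    def grant_project(self, user, entitlement, project, until):
        """Temporary project access, time-boxed by an ISO end date string."""
        self.rights[user][entitlement] = ("project:" + project, until)

    def leaver(self, user):
        """Offboarding: every entitlement goes, not only the role's."""
        self.role.pop(user, None)
        self.rights.pop(user, None)

    def expire(self, today):
        """Revoke project grants whose end date has passed; return what was removed."""
        revoked = []
        for user, held in self.rights.items():
            for r, (_, until) in list(held.items()):
                if until is not None and until < today:
                    held.pop(r)
                    revoked.append((user, r))
        return revoked

    def privilege_creep(self, user):
        """Role-justified rights that the user's current role does not actually give."""
        base = ROLE_RIGHTS[self.role[user]]
        return sorted(r for r, (reason, _) in self.rights[user].items()
                      if reason.startswith("role:") and r not in base)
```

Running `privilege_creep` across all users is the audit an IGA system would schedule; anything it returns is a candidate for review or removal.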

Targeting specific roles
Phishing and spear phishing are the most typical cyber attacks faced by businesses, says Boldevin.
“Spear phishing targets a specific individual, such as a company's CFO. The difference between the two is that regular phishing can involve sending out hundreds of emails to numerous employees, hoping that some will take the bait. It is like fishing with a net. In contrast, spear phishing requires research. Who is this person? Who is in their circle? What can I write to make the content trustworthy? Although it requires more work, spear phishing is more credible and has a greater chance of success,” Boldevin explains.
AI can be an additional threat.
“If you have gained access to someone’s email address, you can extract hundreds of emails sent from that person and feed them into a machine learning model. It will then learn how that person phrases things, and which expressions and words they typically use,” Boldevin says.
This allows emails to be constructed which perfectly mimic the style of the individual, down to punctuation and sentence lengths.
Security add-ons to IAM systems operate in the background to create risk models for users and logins. By automatically mapping the way each employee works, it becomes possible to detect and respond to deviations from common work patterns.
“Let's say you are based at the office in Oslo and, suddenly, a login attempt from a different city appears. With Microsoft's Identity Protection, the system looks at where you usually work, which systems you use, and when you typically work. And if there is a significant deviation from that, it flags it as a risk which may require you to approve multifactor authentication,” says Boldevin.
It is also possible to have conditional access, so you can decide on areas where a user should not be logged in.
“If someone tries to log in from another city, you will get a notification on your phone. You must confirm it using the Microsoft Authenticator app. If you are not trying to log in at that moment, you might wonder what is happening. Then, a number appears on the screen, and you must enter it into the Authenticator app. This is called number matching. The hacker cannot see the number, so they cannot confirm unless they know the correct number,” Boldevin explains.
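As an added illustration of the risk model, conditional access and number-matching step described above, here is a small Python sketch. It is example code written for this page, not Microsoft Identity Protection's or Columbus' code; the sign-in history, city names, applications and scoring weights are constructed.

```python
from collections import defaultdict
from datetime import datetime
import secrets
# Constructed sign-in history for one user (not real telemetry): user, city, app, timestamp
HISTORY = [
    ("anna", "Oslo", "Outlook", "2024-03-04T08:15:00"),
    ("anna", "Oslo", "SharePoint", "2024-03-04T10:40:00"),
    ("anna", "Oslo", "Outlook", "2024-03-05T09:05:00"),
    ("anna", "Oslo", "Teams", "2024-03-06T14:30:00"),
    ("anna", "Oslo", "Outlook", "2024-03-07T08:50:00"),
]

def build_baseline(history):
    """Learn each user's usual cities, applications and working hours."""
    base = defaultdict(lambda: {"cities": set(), "apps": set(), "hours": set()})
    for user, city, app, ts in history:
        base[user]["cities"].add(city)
        base[user]["apps"].add(app)
        base[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def score_signin(baseline, user, city, app, ts):
    """Return (risk, reasons); every deviation from the user's pattern adds risk."""
    b = baseline.get(user)
    if b is None:
        return 3, ["no baseline for this user"]
    hour = datetime.fromisoformat(ts).hour
    checks = [
        (city not in b["cities"], 2, f"unusual location {city}"),
        (app not in b["apps"], 1, f"unusual application {app}"),
        (not any(abs(hour - h) <= 1 for h in b["hours"]), 1, f"unusual hour {hour:02d}:00"),
    ]
    risk = sum(w for hit, w, _ in checks if hit)
    reasons = [msg for hit, _, msg in checks if hit]
    return risk, reasons

def decide(risk, city, blocked_cities=()):
    """Conditional access: block listed locations, step up to MFA on deviation."""
    if city in blocked_cities:
        return "block"
    return "require_mfa" if risk >= 2 else "allow"

def number_matching_challenge():
    """Two-digit number shown on the sign-in screen for the user to type into the app."""
    return f"{secrets.randbelow(100):02d}"

def approve(challenge, entered):
    """A push approval counts only if the typed number matches the one on screen."""
    return secrets.compare_digest(challenge, entered)
```

The number-matching check is what stops a blind "Approve" tap from completing a login the user did not start: an approval without the number on the screen is rejected.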
As a security partner, Columbus identifies the benefits of robust IAM solutions. With Microsoft Identity Protection and our expertise, we assist organisations in detecting, investigating and remediating identity-based risks.
“The key benefit for businesses is that IAM enhances security, efficiency, compliance, and user experience,” says Boldevin.
Start with an assessment
The best way to begin the process of increasing your system security is to perform a thorough assessment. Columbus’ assessment was originally developed for Microsoft Active Directory, but the methodology works well for any system.
Interviews and data collection cover, but are not limited to, the following Zero Trust and NIS2 areas:
- Identity Management System
- Identity and Access Management
- User Provisioning and Authentication
- Strong Authentication
- Credentials and Authentication
- Trust Determination
- Access to Resources and Least Privilege
- Secure Administration and Adaptive Access Control
The assessment will give your company:
- A high-level executive presentation of the results and recommendations
- Detailed documentation of the findings with technical explanation. These include a tailored discussion about your current implementations and a determination of whether they are in accordance with best practice.
- A clear plan of remediation, accompanied by heatmaps for each area of the IAM implementation, and a breakdown of both quick wins and strategic initiatives.
