Identity management has become more important and more challenging in the age of the cloud and remote work. ManageEngine Senior Technology Consultant Vivin Sathyan’s talk on “The Importance of Identity-Centric Security in 2024” aimed to put the problem and its solutions in perspective for the RSAC audience on Wednesday.
Phishing continues to be a simple yet effective strategy for cybercriminals to obtain credentials and gain access to companies’ systems. Nearly one-third (33.2%) of employees fall for social-engineering tactics in phishing simulations, according to KnowBe4’s 2023 Phishing By Industry Benchmarking report, and one employee with administrative access or “bloated” privileges can be all it takes to cause a major data breach, Sathyan warned.
Sathyan demonstrated this by showing how easily an attacker with admin privileges can use living-off-the-land (LOTL) tactics to copy the Windows Active Directory database file (ntds.dit) and the SYSTEM file containing private keys, extract password hashes from them, and use a free online service to obtain the plaintext passwords.
The challenge in 2024 is the soft network boundaries and fragmented identities created through the adoption of cloud computing and remote work, which makes managing access less black-and-white, and limits visibility of who’s accessing what.
“You cannot define a safe location for access anymore,” Sathyan said, a problem that must be solved by “defining access policies that are contextual.” Contextual access policies take into account additional parameters such as IP address and device type when verifying identity.
As a component of zero trust, contextual access is just one of the solutions Sathyan proposed for the current identity security problem. He also highlighted the use of a hybrid Active Directory system as a way to balance the identity management advantages of contained on-premises systems with the speed and scalability of cloud environments.
5 action steps for securing identity in 2024
The second half of Sathyan’s presentation outlined five steps organizations can take to help prevent identity-based attacks given the current challenges of blurred network perimeters and distributed workforces.
Firstly, Sathyan recommends Active Directory risk assessments at least twice a year to check on your AD’s “health,” identify and prioritize AD risks, and remediate the highest-risk issues. These assessments should check for problems such as weak admin passwords, inappropriate privileged access or unpatched AD server vulnerabilities, and risk level should be assessed on both the likelihood and the potential impact of a flaw being exploited.
Similarly, organizations should have periodic access certification campaigns to verify users have the right level of access and revoke certain privileges when they are no longer needed, such as when roles change or projects are completed. Such campaigns promote “clean and lean user account systems” where cases of inflated privileges are less likely to fall through the cracks.
A third focus point for securing user identity is consolidation and automation of employee user account creation and removal across departments and platforms. These processes are often siloed across platforms and may be split between HR and IT departments, leading to inconsistent access privileges and difficulty managing fragmented identities. Finding ways to streamline and standardize account creation and removal, and ensuring that HR and IT are on the same page, helps prevent the risk of permission bloat and unused profiles going unaccounted for.
The last two steps Sathyan recommends are implementing role-based access control (RBAC) and strengthening the two layers of user authentication most commonly used today – passwords and multi-factor authentication (MFA).
RBAC is a more efficient way to manage access with precision across many users and many accounts: it ensures permissions are appropriate to each role and job responsibility, and it makes it easier to minimize the number of accounts with admin or otherwise overly broad permissions.
Finally, while organizations are beginning to consider passwordless solutions, traditional password authentication and MFA are likely here to stay for several more years. Setting robust password strength requirements and finding ways to reduce password and MFA fatigue through options such as self-service password resets and context-based MFA can be positive steps toward optimizing user identity security.
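As an added illustration of the contextual access policies and context-based MFA described above (this is not code from the talk or from ManageEngine), the following Python policy evaluator scores a sign-in on IP address, device state and account privilege and returns allow, step-up MFA or deny; the network ranges, risk weights and thresholds are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the address ranges this hypothetical organisation treats as "on network".
CORPORATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

@dataclass(frozen=True)
class AccessContext:
    """Signals available at sign-in, beyond the username and password."""
    user: str
    source_ip: str
    device_managed: bool   # device is enrolled and compliant in the organisation's MDM
    is_admin: bool         # account holds administrative privileges
    mfa_passed: bool       # a second factor has already been verified this session

def risk_score(ctx: AccessContext) -> int:
    """Accumulate risk from each contextual signal; 0 means nothing unusual."""
    score = 0
    ip = ipaddress.ip_address(ctx.source_ip)
    if not any(ip in net for net in CORPORATE_NETWORKS):
        score += 2          # off-network: location is a signal, not a "safe" boundary
    if not ctx.device_managed:
        score += 2          # unmanaged device cannot be attested to
    if ctx.is_admin:
        score += 1          # privileged accounts are the real target
    return score

def decide(ctx: AccessContext) -> str:
    """Return 'allow', 'require_mfa' or 'deny' for this sign-in."""
    # Hard rule (assumed policy): privileged access never comes from an unmanaged device.
    if ctx.is_admin and not ctx.device_managed:
        return "deny"
    score = risk_score(ctx)
    if score == 0:
        return "allow"      # familiar context: no MFA prompt, which limits MFA fatigue
    if score >= 4:
        return "deny"
    # Medium risk: step up to a second factor instead of denying outright.
    return "allow" if ctx.mfa_passed else "require_mfa"

if __name__ == "__main__":
    # Constructed sign-in events for a quick demonstration.
    print(decide(AccessContext("alice", "10.4.2.9", True, False, False)))      # allow
    print(decide(AccessContext("alice", "198.51.100.7", True, False, False)))  # require_mfa
    print(decide(AccessContext("admin.bob", "10.4.2.9", False, True, True)))   # deny
```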