Is your company still using the same identity management system it had in 1998? Does a mere username and password log you into the local network and let you access almost any resource?
Don't laugh. While most enterprises have moved on to modern identity and access management (IAM) platforms, thousands of businesses and other organizations still rely on antiquated username/password systems.
"If you look at traditional IAM systems, they were very focused on just managing identities, managing the access rights," said Archit Lohokare, General Manager of Workforce and Endpoint Security Solutions at CyberArk, in a recent CyberRisk Alliance webcast. "Their whole perspective was reducing operational costs."
But these legacy systems are flat-out inadequate when it comes to managing access in cloud systems, SaaS apps and hybrid work environments. They're cheap and easy to maintain, but they may cost you in the long run because they're more likely to let in attackers and miscreants who could steal data or infect your networks with ransomware.
All organizations, no matter their size, should migrate to modern IAM systems to safeguard their data, reduce their operating risk, improve their regulatory compliance and protect their employees, customers and partners.
"What you really need to think about is: How do you look at identity security as a way of minimizing and reducing and even eliminating cyber risk as one of the foundational business outcomes you want with a new identity-security solution?" asked Lohokare.
The answer is a modern, preferably cloud-based, IAM platform that can be deployed anywhere and managed as a SaaS service.
As organizations embrace remote work and move their assets to the cloud, identity itself is moving to the front line of network defenses. You need an identity solution that is up to the task.
"Identity is the new attack surface going forward," said Tolgay Kizilelma, Director of the MS in Cybersecurity Program at Dominican University of California. "It is at the center of everything."
Where legacy IAM falls short
We all know that passwords are terrible and should be phased out. We've spent nearly 30 years hectoring users to create strong, unique passwords, but on average, passwords aren't getting any better.
Yet even if all passwords were strong and unique, that wouldn't stop phishing attacks and credential theft. So we graft multi-factor authentication (MFA) and single-sign-on (SSO) schemes onto legacy identity-management systems. But those are only temporary solutions.
MFA, for example, is woefully weak in most common iterations. A texted one-time code can be intercepted by a cryptocurrency thief who has "SIM-swapped" a mobile number or phished by a crook who has cloned a popular web service's login page.
Phishing also works on app-generated one-time codes. As for with yes/no push notifications, attackers can bombard a user with them until the user taps "yes" just to make it stop.
"The concept of MFA was a really solid one," said Julian Mihai, CISO at Penn Medicine. "The way it's being implemented these days, it's becoming less and less strong."
Single-sign-on is more technically solid. It reduces the risk of password theft and reuse by having the user log into an intermediary account, which then sends encrypted tokens to other, "federated," accounts to grant access. Yet even the best SSO schemes must leave out incompatible applications and online services, making its coverage only partial.
"Single-sign-on is a necessity in the business we're in today to improve both security and user productivity access to provision applications," noted Maor Franco, Product Marketer at CyberArk. "However, we're also seeing from our customers that not all applications are federated access."
Creeping privilege
Another persistent problem with legacy identity management is privilege or permissions creep. That's when individual users accumulate system permissions that go beyond what's required for their roles or positions.
Sometimes a user will retain old permissions after moving to a new role. Sometimes temporary elevated permissions are granted by administrators but never revoked, such as when a remote user needs to perform a software update. Sometimes individual users obtain group permissions they're not even aware of.
In all cases, permissions creep increases the risk for the organization. A compromised account with high permissions is much more dangerous than one with lower permissions. A high-privileged attacker has more leeway to move around the network, change settings and install malware.
Even riskier are arrangements in which an outside vendor or contractor is granted access to an organization's systems. The organization may have no way of vetting the security posture of the third party, as Target Stores lamentably discovered in 2013 when attackers compromised an account granted to an outside heating and cooling provider.
"We're seeing a lot more organizations that are leveraging third-party contractors," said Lohokare. "I've heard of this term called fractional CXOs and fractional accounting individuals. This extended workforce access creates a significant amount of what we call third-party risk."
With cloud, SaaS and hybrid systems, permissions creep morphs into privilege escalation. Legacy identity systems often can't properly handle the complex permissions structures of cloud instances and web apps. Permissions misconfigurations are common, with individual users gaining more privileges in more areas than may be apparent.
"If you just take the three [major] cloud providers, there are over 45,000 permissions between these three cloud providers," Lohokare pointed out.
For example, software developers working in a test environment may fail to revoke their own permissions when the software is ported to the cloud. Database administrators may fail to implement MFA on cloud instances, leaving them open to brute-force attacks.
"Privilege creep is especially insidious in cloud environments due to their self-service nature and complex permissions," says Ari Harrison, Director of IT at BAMKO. "Misconfigurations or overly generous default permissions can inadvertently grant standard users access to sensitive resources."
Modern IAM to the rescue
A problem shared by both legacy and modern IAM systems is the theft of session cookies from web browsers, which can bypass passwords or even MFA. Session cookies maintain authorization for a set period, sometimes nearly indefinitely. All it takes to steal a cookie is a rogue browser plug-in, a piece of malware installed on the system, or a cross-site scripting attack.
Legacy identity-management systems can try to counter cookie theft by forcing daily logouts from in-house web apps. Modern IAM systems have many more countermeasures, including forcing the use of secure browsers that block unauthorized plug-ins or don't write session cookies to disk where they can be stolen.
IT administrators can also encrypt session cookies and limit their duration, or "time to live." These measures may fall outside the purview of IAM systems but are part of the holistic security culture that accompanies modern IAM.
Along similar lines is session isolation, in which a browser or other cloud-accessing interface is sandboxed, or its traffic fed through a proxy server, so that any compromise is limited to the user's system.
Some of the most effective features of modern IAM systems are those that are borrowed from privileged access management (PAM) systems, which have long been used to control the access of especially privileged users like system administrators. PAM and IAM systems are beginning to merge as identity becomes more central to organizational security.
"Your IAM no longer should live in a silo from your privileged controls," said Brandon McCaffrey, a Solutions & Product Strategist at CyberArk. "You need those same kinds of privileged controls for your IAM system."
For example, PAM systems often force privileged users to re-authenticate, sometimes more than once per day. They also continuously monitor and log user behavior.
Porting these features to IAM and applying them to all users makes an organization much more secure, especially when, as Lohokare put it, "every identity can be privileged under certain circumstances."
Doing the most with least
By far the most important development in both IAM and PAM systems in recent years has been the implementation of the principle of least-privilege access. The thinking is that no user, whether an intern, a systems administrator or the CEO, should have any more system permissions than they absolutely need to do their job.
A corollary principle is that of role-based access controls, where the job itself dictates which permissions a user can have — and which should be taken away.
These both may sound obvious, but in practice it may be difficult to convince a manager switching from one department to another that they need to give up some of their power over the system.
"Once they've had the credentials or permissions, it's hard to take it away from somebody that's had it for 5-10 years," says Ed Moore, AVP of IT Security, Identity and Access Management at Carnival Corporation.
In such cases, the administrator enforcing the rules needs to have the support of higher-ups, and the principles of least privilege and role-based access need to be stated policies that an admin can refer to when necessary.
Least privilege is also one of the bedrocks of zero-trust security, in which no user is granted access without firm authentication and authorization.
"If you're not doing least privilege, it's kind of like a buffet table for hackers," said Moore. "If you don't have role-based access, [least privilege is] even harder."
Other developments in modern IAM include dynamic risk-based MFA, an automated system in which the IAM platform collates "signals" about a user trying to log in. Legacy identity platforms rarely have the kind of automation that's necessary to enforce risk-based MFA.
Signals can include the user's location, the user's computer and how recently the user last logged in. A new user computer triggers an MFA challenge, but so does the same computer appearing to be halfway across the world from where it had been earlier in the day.
Modern IAM systems can also accommodate phishing-resistant forms of authentication, such as hardware tokens like Yubikeys or software-based ones like the passkeys now available in newer iPhones, Android phones and laptops.
Just in time for the future
The cutting edge of modern IAM involves new methods like just-in-time access and zero standing privileges, both of which have grown out of the principles of least privilege and role-based access.
Just-in-time (JIT) access involves granting no one elevated privileges until they need them, such as when an admin needs to reconfigure a database. This is similar in principle to giving an end user temporary admin rights on a laptop, except that this involves the entire organizational network.
Like the admin rights given to the end user, the JIT privileges will not last long. Modern IAM systems often "kill" them after a few hours, or however long it takes the user to finish the task at hand.
Zero standing privileges means that no users, even admins, are granted permanent elevated privileges. Those who need them can temporarily get them when the time is right.
"Over time, as we've had more and more ideas and abilities to reach deeper into the control plane," said McCaffrey, "we have been able to take away those privileges, so the users are just getting them just-in-time for a time-bound period and have no more privileges than they possibly need."
The meshing of IAM and PAM principles lays down the foundation for a modern, zero-trust, identity-first security architecture that prepares an organization for the perimeter-free, AI-assisted, cloud-based future.
"Session isolation, session monitoring, protecting the post-authentication data like session cookies — those are ideas that we got from the world of privileged [access management] that you can now apply to the world of the [standard] workforce," said McCaffrey.
