Skip to main content
close search
site logo

5 steps organizations can take to counter IAM threats

Many organizations lean on identity and access management tools to perform credential management and authentication. But these systems aren’t foolproof.

Published March 24, 2023
Matt Kapko's headshot
Senior Reporter
Man using facial recognition technology on city street
LeoPatrizi via Getty Images

Access to data and systems is critical to business operations and resiliency, but it also presents tremendous risk.

Most organizations perform credential management, authentication and authorization functions with identity and access management tools, but these systems aren’t foolproof.

IAM presents organizations with a host of potential problems. They are subject to software vulnerabilities, and exploits can facilitate access to multiple systems and data across the organization.

The National Security Agency and the Cybersecurity and Infrastructure Security Agency released IAM guidelines Tuesday to help administrators hinder unauthorized access into their systems.

IAM systems are “foundational to security and also very complex and subject to vulnerabilities if not implemented correctly,” the agencies said in the paper. “Securing IAM infrastructure is critical.”

Password managers, single sign-on services and multifactor authentication are all part of the IAM collective, and all were compromised multiple times last year.

A sustained attack against LastPass went undetected for months and became one of the most alarming security incidents of 2022 when most of the data held by the password manager was compromised.

Okta last year got hit by a phishing attack, a breach and had its GitHub source code stolen. And Twilio’s widely-used two-factor authentication service was compromised after multiple employees were duped into providing their credentials to threat actors.

Detecting malicious activity via IAM is difficult for organizations because access often appears legitimate. “This provides the bad actor more time to gain access to resources and elevate privileges to gain persistent access,” the agencies said.

Focus on prevalent IAM threats

The guidelines focus on threats deemed highly likely, highly impactful, or both, and authorities shared mitigations for techniques threat actors use most frequently to exploit or bypass IAM controls.

The most common methods threat actors use against IAM include:

  • New account creation
  • Control of former employee accounts
  • Exploitation of vulnerabilities to forge authentication
  • The creation or use alternative access points
  • Exploit legitimate user access
  • Access systems and exploit stored credentials
  • Compromise passwords via phishing, MFA bypass, credential stuffing or social engineering

Federal authorities and other members of the working group concentrated guidance around five IAM threat mitigation techniques.

Administrators are encouraged to:

Govern identity

Centralize policies for users and assign appropriate access to support the principle of least privilege, which only gives users access to systems required for their job.

Pair these policies with a privileged access management tool to mitigate the impacts of phishing, social engineering, insider threats and unauthorized account creation designed to maintain persistence.

Harden your infrastructure

Take inventory of all assets and identify who has access. Discern what controls already exist in the enterprise environment to pinpoint persistent security gaps and develop a network traffic baseline to detect anomalous activity.

Align identity and single sign-on

Take stock of on-premises resources, including applications, devices and platforms, and your cloud providers’ ability to connect to those assets via single sign-on.

Verify if your organization’s single sign-on integration can collect the location, device and behavior of user logins.

Use multifactor authentication

Identify and implement an MFA solution as part of your organization’s single-sign on solution. Consistently test and patch MFA infrastructure and keep inventory of the MFA authenticators deployed across the organization.

Monitor and audit IAM

Establish baseline expectations for activity and monitor user behavior to understand acceptable and suspicious behavior. This should include monitoring of users' successful and unsuccessful login attempts, typical hours worked, systems accessed and amounts of data downloaded.

To detect a potential threat actor moving laterally within your network, monitor activity between applications and systems, including unusual changes in connectivity, activity and data access.

“Remember that data exfiltration attacks may be low and slow so a change may be small, but ongoing,” authorities said in the paper. “Be careful not to include this in an accepted baseline of activity.”

Editors' picks

Company Announcements

View all | Post a press release
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell