ipopba - stock.adobe.com

Why IAM is central to cyber security

BeyondTrust’s chief security strategist talks up the importance of identity and access management, and the role of cyber insurance in driving security improvements

Identity and access management (IAM) remains central to cyber security, with phishing and compromised credentials often being exploited by cyber criminals to gain access to an organisation’s IT environment, according to BeyondTrust’s chief security strategist, Christopher Hills.

Speaking to Computer Weekly during the Go Beyond conference in Sydney, he said that with remote work on the rise, and workers using on-premise and cloud-based systems, the best way for organisations to secure their IT environment is to protect the identities of people, services and machines.

Security awareness training to make sure employees are cognisant of cyber security issues is particularly crucial, so that they understand they are being targeted and know the procedures they should follow to protect their credentials from being compromised, given the use of social engineering in phishing campaigns, said Hills.

In the US, attackers have been known to hide behind fake “active shooter” alerts, because if a parent sees a message about a purported incident at a local school their child attends, they are likely to instantly click on the malicious link based on emotion.

One way this can be addressed is to establish and enforce a policy about the personal use of corporate IT assets, such as disallowing the private use of corporate email. And so, if such phishing messages arrive at a corporate address, the recipient can confidently ignore them, said Hills.

He noted that part of the problem in identity security lies with the challenge of managing hundreds of passwords, driving people to reuse them, which makes life easier for attackers. One answer is to use a password manager, as opposed to allowing a browser to store passwords, which can be insecure.

“The password is never going to go away,” Hills predicted, though it will be increasingly combined with additional factors such as biometric authentication using facial features or fingerprints.

Read more about IAM in APAC

That said, he noted that malware such as Gold Pickaxe, which tricks iOS and Android users into scanning their faces and identity documents, have already emerged. Organisations can mitigate such threats by using behavioural data such as the location of the putative user seeking access – if they aren’t where they should be, then the attempt can be blocked.

Closely tied to identity security is access management. Hills said organisations need to control supplier and third-party access to their systems, which is especially true in an environment where software-as-a-service (SaaS) applications are interconnected by one or more third parties, in which case, they need to be sure that all of the suppliers involved have appropriate controls.

Besides ensuring that only authorised individuals can access an organisation’s systems, Hills said users should only be granted the privileges they need – and only for the time they are needed. For example, someone migrating an on-premise system to SaaS may require additional privileges to complete that task, but those privileges should be revoked once the job is done.

Excessive privileges granted to users are only part of the problem. Machine and service privileges, and those of humans, should be audited and monitored to ensure they are appropriate as well.

Cyber insurance driving improvements

Among the considerations driving efforts to improve security are the increasingly rigorous demands of cyber insurance underwriters since criminals took advantage of the Covid-19 pandemic to attack a much wider range of organisations.

Hills said the underwriters had no basis to deny the resulting claims, so their immediate reaction was to stop writing policies in some cases, and in others, to increase premiums – at least until they had reformulated their wording to make the insured organisations’ responsibilities clearer. This, he added, saw five-page policy documents expand to 60 pages as underwriters sought to ensure their customers were doing security properly.

For example, if a customer said it was using multi-factor authentication (MFA) across the entire enterprise, but it turned out that the compromised account used to gain access wasn’t protected by MFA after all, the insurer could deny the claim. Hills added that organisations should also be aware that threat actors may attempt to insert themselves into the MFA process and urged them to train their staff accordingly.

Similar considerations apply to patch and vulnerability management, said Hills. For instance, if a cyber insurance policy allows 90 days grace to apply updates but an obscure system that was overlooked or too old to be updated was used by an attacker to gain access, any claims following a breach could be denied.

He also underscored the importance of having an incident response plan, without which it could be hard to obtain cyber insurance. When preparing the plan, he advised organisations to allow for the possibility that a breach or other compromise may prevent people from logging into their systems. 

He also stressed the need to test processes, such as restoring data from backups or failing over to a secondary location, to make sure they work in the event of a cyber incident.

Read more on Identity and access management products