Access management: security best practices part 1

Why is Access management in IAM so important to secure your infra?

IAM is a cornerstone of a robust cybersecurity strategy, providing the means to manage, monitor, and control user access to critical resources. It plays a central role in safeguarding infrastructure, preventing unauthorized access, and ensuring security policies are consistently enforced.

Users (Dev, DevOps, …) working on your infra represent a major attack surface as they can introduce vulnerabilities through different factors. Among them are human error, susceptibility to phishing, weak passwords, insider threats, unauthorized access, use of unsecured devices, lack of security awareness, unpatched software, and challenges associated with remote work.

To mitigate these risks, we will share with you in this article some of the most important best practices regarding Identity and Access (IAM) management. This article will be followed by a second part focusing on IAM rights and permissions, giving specific recommendations to achieve the least privilege principle.

How to secure your Access management?

In short, you need to:

• Use an Identity Provider with Single Sign-On (SSO) to centralize and secure the users’ identities and authorizations.
• Use Multi-Factor Authentication (MFA) to secure users’ access.
• Define a lifecycle that includes a rigorous offboarding process to manage users’ identities.
• Have a frequent review of your users’s rights.

Here are more details on each best practice.

My services and infra are accessible through an IdP with an SSO service

Our Recommendation

An Identity Provider (IdP) is a system that manages and stores users’ identities.

Single Sign-On (SSO) is a security mechanism that allows users to access multiple applications or services with a single set of login credentials. An SSO service uses an IDP to check the user's identity and authorizations; it does not actually store the user's identity. SSO offers a centralized authentication mechanism that enhances user experience and significantly mitigates various security risks.

You can use an SSO service of an IdP at your company and cloud provider levels.

For example, the AWS Identity Center will enable you to manage your users’ accesses (IdP) for all accounts of your AWS organization. Users will have a single sign-in page for all the accounts to which they have permission (SSO).

The Identity Platform, which is GCP’s authentication service, also enables you to achieve this best practice.

Risks addressed by the recommendation

Managing access permissions individually for each service increases the likelihood of oversight and errors. An IdP provides a centralized point for access control, minimizing the risk of unauthorized access and reducing the attack surface.

The SSO minimizes the risk of password-related vulnerabilities, such as weak passwords, password reuse, and password sharing, by providing users a single, secure authentication point.

SSO helps combat phishing attacks by reducing the number of login prompts. Users are less likely to fall victim to fake login pages as they become accustomed to a consistent and centralized authentication process.

Many regulatory frameworks and compliance standards recommend or require strong authentication measures. An IdP associated with an SSO service aids in achieving and maintaining compliance by providing a robust and centrally managed authentication solution.

MFA is enforced to access the infrastructure

Our Recommendation

MFA (Multi-Factor Authentication) is a robust security best practice that significantly enhances the protection of your infrastructure and sensitive data.

There are three factors for authentication: what you are (a fingerprint, Face ID), what you know (a password), or what you have (a phone to receive a code). Traditional authentication systems typically use only one of these factors, often a password.

When we talk about MFA (multi-factor authentication), we combine at least two factors for authentication. For example, to authenticate yourself to a system, you first enter a password, and then enter a code you received on your phone (for example, on the Google Authenticator app or the Microsoft Authenticator app…).

Another way is to use a hardware authentication device, such as a YubiKey, as a second factor.

You can enforce MFA for users either at a certain frequency, each time a new device tries to connect, or at each connection. These options depend on the system managing the MFA. Be aware of which frequency to choose to best compromise security and ease of use.

Risks addressed by the recommendation

MFA significantly reduces the risk of unauthorized access to critical infrastructure. Even if an attacker can acquire valid credentials, they would still need the additional authentication factor to prevent unauthorized entry.

Phishing attacks often aim to trick users into revealing their credentials. MFA acts as a defense against such attacks, as even if users unknowingly disclose their passwords, the second factor remains a hurdle for attackers.

MFA helps mitigate risks associated with insider threats. Even if an employee's credentials are misused, the additional authentication layer provides an extra level of security against malicious activities.

Credential stuffing attacks become a significant concern in scenarios where users reuse passwords across multiple accounts. MFA prevents these attacks by requiring an additional form of authentication, reducing the impact of compromised passwords.

Many regulatory standards and frameworks, such as PCI DSS, HIPAA, and GDPR, mandate the use of MFA as part of security best practices. Enforcing MFA not only helps in meeting compliance requirements but also ensures a higher level of security and trustworthiness.

I have defined a lifecycle including a rigorous offboarding process to manage user’s identities

Our Recommendation

A well-defined identity lifecycle facilitates seamless onboarding of new users of your infra, ensuring they have the necessary access to perform their roles. Similarly, it streamlines the offboarding process, promptly revoking access when users leave the organization and reducing the risk of unauthorized access.

The identity lifecycles can be defined at your enterprise or cloud provider levels. It can be done through human processes (e.g., IT team managing users), script automation (e.g., pipeline adding access to a service…), or even on dedicated software (e.g., AAD, Google Workspace, Sailpoint…), depending on your context.

The recommendation is to use a centralized and automated IAM reference associated with an SSO tool. This facilitates seamless onboarding and offboarding processes through automation. When a user joins or leaves the organization, their access to all connected services can be managed centrally, reducing the risk of persistent access for former employees.

Risks addressed by the recommendation

Timely and accurate management of user identities helps prevent unauthorized access by ensuring that only authorized individuals have the necessary permissions. A former employee could access sensitive information and systems if the offboarding process is not rigorous.

A clear identity lifecycle reduces the risk of data breaches by ensuring access privileges align with business needs. This mitigates the risk of data exposure due to inadvertent or malicious actions by users.

Many regulatory frameworks require organizations to control user access and regularly review and update access permissions. Identity lifecycle management helps organizations comply with such regulations, avoiding legal and financial consequences.

Without a defined identity lifecycle, organizations may face operational challenges, such as delays in providing access to new employees or the risk of overlooking revoked access for departing individuals. This can lead to inefficiencies and potential security gaps.

I frequently review my users’s rights

Our Recommendation

Implementing the principle of least privilege is a core principle of security best practices. (The following article, “IAM 2/2 - rights & permissions,” will address this central question of implementing the least privilege principle).

Business needs and employee roles are subject to change over time, therefore frequent reviews in addition to the correct lifecycle enable organizations to fine-tune access rights, ensuring that users have the minimum permissions necessary to perform their duties. Cloud providers offer services to help you review and adapt user’s rights. The IAM Analyzer of AWS or the Role recommendation of GCP services, for example, will help you through the implementation of this recommendation.

Risks addressed by the recommendation

Users may accumulate unnecessary access rights over time, known as access creep. Regular reviews help identify and mitigate this risk by removing unnecessary permissions, reducing the attack surface, and minimizing the potential impact of a security incident.

Frequent reviews help identify and rectify instances of unauthorized access promptly. This is crucial in preventing security breaches and protecting sensitive data from access by individuals who no longer require those permissions.

Regular reviews are instrumental in identifying potential insider threats, where employees may misuse their access privileges. Organizations can reduce the risk of intentional or unintentional harm from within by promptly revoking unnecessary permissions.

Many regulatory frameworks require organizations to review and update user access permissions regularly. Conducting these reviews ensures compliance with industry regulations and standards and avoids legal and financial consequences.

The following articles (IAM 2/2 - rights & permissions) will enable you to investigate what rights should contain users to achieve the least privileges on your infra!

Conclusion

By following the best practices presented in this article, you can significantly reduce the risk of having a compromised identity and improve the overall security of your infrastructure accesses.

The next article will address the security best practices for IAM rights and permissions.