In part one of this post, we talked about why identity access management (IAM) is important. In that discussion, we identified three types of IAM:
- Single Sign On
- Multi-Factor Authentication
- Privileged Access Management
We discussed the different types of single sign on and some examples of what can be used to help streamline the user experience. Let’s now discuss how you can pair single sign on with the other two types of identity access management.
Multi-Factor Authentication: How It Works
Multi-factor authentication (MFA) is a means to authenticate a user. It grants them access only after they present two or more pieces of proof (or factors) to an authentication provider. These fall into the following categories:
- knowledge (something the user and only the user knows),
- possession (something the user and only the user has), or
- inherence (something the user and only the user is).
As such, multi-factor authentication is different from multi-step verification. While both harden a user’s digital security by making a login process more complex, the latter adds complexity in the form of the same type of authentication category (such as two or more things you might know). Multi-factor authentication asks that users provide pieces of proof from at least two different authentication categories, thereby making it more difficult for an attacker to spoof the user.
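The distinction above, as an added example that is not part of the original post: a small policy check that classifies a login by how many distinct factor categories its proofs cover, so two knowledge proofs count as multi-step, not multi-factor. The proof-type-to-category mapping is a constructed assumption.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Constructed mapping: which category each kind of proof belongs to.
PROOF_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "totp_code": Factor.POSSESSION,
    "sms_code": Factor.POSSESSION,
    "security_key": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


@dataclass
class Proof:
    kind: str
    verified: bool  # outcome of checking this proof with its provider


def classify_login(proofs):
    """Return 'rejected', 'single-factor', 'multi-step' or 'multi-factor'."""
    if not proofs or any(not p.verified for p in proofs):
        return "rejected"  # one failed proof fails the whole login
    try:
        categories = {PROOF_CATEGORY[p.kind] for p in proofs}
    except KeyError:
        return "rejected"  # unknown proof kinds never count as a factor
    if len(categories) >= 2:
        return "multi-factor"  # proofs span at least two categories
    if len(proofs) >= 2:
        return "multi-step"  # several proofs, but all of the same category
    return "single-factor"


def grant_access(proofs, require_mfa=True):
    """Policy decision: with require_mfa, only true multi-factor logins pass."""
    result = classify_login(proofs)
    if require_mfa:
        return result == "multi-factor"
    return result != "rejected"
```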
Multi-factor authentication is an important part of identity access management. It helps protect against password compromise by requiring at least one more form of identification. In fact, one of the things pointed out in the 2017 Verizon Data Breach Investigations Report is that 81% of all data breaches involved weak or stolen credentials.
In 2019, Google reported in their blog that by enabling MFA with device-based challenges, it was able to stop 100% of automated bot attacks, 99% of bulk phishing attacks, and 90% of targeted attacks. Protection against all three types of attack rose to 100% when a physical security key was used.
There are numerous types of multi-factor authentication. These include SMS-based authentication (text), voice call authentication, physical security keys, and security questions. There are also numerous software authentication providers, including Okta, Google, Duo, Symantec, RSA, and many others.
Don’t Forget About Privileged Access Management
The last of the three primary types of identity access management is known as privileged access management (PAM). This typically involves the use of some type of secure repository, logging, and administrative account protection. It is used to secure, manage, control, and monitor privileged accounts across different assets.
Information security writer Anastasios Arampatzis clarifies the risks against which privileged access management is meant to protect:
Over the past few years, it’s become evident that attackers are no longer “hacking” in for data breaches; they are taking advantage of weak, stolen or otherwise compromised credentials. Once they are in, they then spread out and move laterally across the network, hunting for privileged accounts and credentials that help them gain privileged access to an organization’s most critical infrastructure and sensitive data.
PAM solutions provide a repository for credentials of privileged accounts which are isolated in order to reduce the risk of the credentials getting compromised. Typically, these tools work by having administrators go through the PAM system and “check out” the account, which will then be authenticated and logged. When the account is checked back into, the credentials will be reset, so the administrator will be forced to check out the account again in order to use it.
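The check-out / check-in workflow described above, as an added example that is not part of the original post or of any PAM product: a minimal vault that hands out a privileged credential only to an authenticated administrator, records every event, and rotates the credential on check-in so the checked-out value stops working. Account and admin names are constructed.

```python
import secrets
from datetime import datetime, timezone


class PrivilegedVault:
    """Toy model of a PAM credential repository (constructed example)."""

    def __init__(self):
        self._secrets = {}      # account -> current password
        self._checked_out = {}  # account -> admin currently holding it
        self.audit_log = []     # (utc timestamp, event, account, admin)

    def _log(self, event, account, admin):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, event, account, admin))

    def _rotate(self, account):
        # Fresh high-entropy password; the previous value is never reused.
        self._secrets[account] = secrets.token_urlsafe(24)

    def enroll(self, account):
        self._rotate(account)
        self._log("enroll", account, None)

    def check_out(self, account, admin, authenticated):
        """Release the credential to one admin at a time, after authentication."""
        if not authenticated:
            self._log("checkout_denied", account, admin)
            raise PermissionError("administrator failed authentication")
        if account in self._checked_out:
            self._log("checkout_conflict", account, admin)
            raise RuntimeError(f"{account} is held by {self._checked_out[account]}")
        self._checked_out[account] = admin
        self._log("checkout", account, admin)
        return self._secrets[account]

    def check_in(self, account, admin):
        """Only the holder can check in; check-in always rotates the secret."""
        if self._checked_out.get(account) != admin:
            self._log("checkin_denied", account, admin)
            raise RuntimeError("only the current holder can check the account in")
        del self._checked_out[account]
        self._rotate(account)  # the credential the admin received is now dead
        self._log("checkin_rotate", account, admin)

    def is_valid(self, account, password):
        """Constant-time comparison against the current secret for the account."""
        current = self._secrets.get(account, "")
        return secrets.compare_digest(current.encode(), password.encode())
```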
There are some other identity access management details to be considered. These include tracking and monitoring behavioral context such as location, device, and network, and this context should be considered when implementing an identity access management solution. Take into consideration where the account login is coming from: What device is being used? What network is it on? What time of day is it? All of this should be incorporated into a comprehensive IAM strategy.
Beyond Identity Access Management
Once you’ve implemented an identity access management strategy, you are safe. Right?
Unfortunately, you are not. User education is still key. Things such as social engineering and phishing can still trick users into giving up access. Physical security is also still important; if you don’t control who has physical access to the end device, then someone could compromise it. Finally, there are multiple attack methods such as fake authentication, skimming attacks, session hijacking, SIM swap attacks, etc. that can be used to bypass or overcome IAM solutions.
Clearly, IAM should be looked at as just one element of a good security posture and strategy. As with any security plan, you want to set up layers to make it harder to be compromised. Identity access management is one more layer you can add in order to protect the information of your users, customers, and the organization as a whole.
Learn how Tripwire’s solutions can add even more layers to your security posture.