Not all authentication is created equal – and that’s a good thing

Identity management and access management problems are different and distinct

Sponsored The pandemic has been an arduous time for businesses, but many have learned some important lessons about remote access security along the way.

That’s the gist of the recent 2021 Trends in Securing Digital Identities survey of 500 US security professionals on behalf of the Identity Defined Security Alliance (IDSA), which uncovered a new interest in the fraught topic of identity and access management (IAM).

It’s hard to think of anything more likely to overwhelm an organisation’s remote access systems than an overnight, life-threatening pandemic, starting with large numbers of employees stuck at home, a shortage of suitably secure laptops, and the problem of inadequate VPN capacity. All of this has been well covered. But even when organisations got on top of that chore list, other, harder-to-solve problems quickly raised their heads.

As the survey discovered, the biggest of these was the problem of digital identity: in layman’s terms, how an organisation knows that an account connecting to a network or service is controlled by its legitimate owner. This has been a rising concern for years as phishing attacks and credential theft erode traditional assumptions about identity security, but the provisioning storm of the pandemic has turned the issue into an urgent one.

Over eight in ten respondents said that the number of digital and machine identities they were managing had increased due to the pandemic, with one fifth of those reporting an increase of between 25% and 100%. Meanwhile, overall confidence in securing the digital identities of employees fell from 49% in the 2020 survey to only 32% a year later.

The outcome was that 79% of respondents admitted they’d suffered an identity-related breach in the previous two years, with a range of causes cited including phishing (68%), poorly managed privileges (28%), stolen credentials (27%), brute force attacks (24%), socially engineered password breaches such as bogus account resets (21%), compromised privileged accounts (20%), and man-in-the-middle attacks (9%).

The punchline is that this breach rate is no worse than the previous year’s, which presumably means that organisations were tolerating weak digital identity provision even before the pandemic.

IAM what IAM

“Before the pandemic, only a small fraction of people worked from home on a full-time basis, but this is the new normal,” says Danna Bethlehem, director of product marketing for Thales, one of a select group of IAM vendors marketing cloud and single sign-on (SSO) technologies in a rapidly expanding sector. Even if there is some drift back to the office, in many organisations the elastic connecting employees to their desks has snapped for good.

This new environment has created multiple security issues but it’s important to grasp that the problems associated with identity management and access management are different and distinct, she stresses.

“Identity management is about managing the lifecycle of digital identities in an organisation, for example provisioning new users to access applications such as email through a password. Access management is about ensuring that this identity is validated each time they log on.”

Access management, then, is the separate task of deciding whether a user can be verified with a given authentication method each time they connect, a discipline that within a decade has gone from nice-to-have to best practice. The IDSA survey revealed that both sides of the IAM coin - robust identity controls and authenticated access - now preoccupy security professionals. Asked to assess which measures might have prevented past breaches, 44% of the IDSA respondents agreed that adding multi-factor authentication (MFA) would have helped, with 45% stating that this should be applied to privileged users as a top priority.

So far so good, but at the same time the underlying problems of identity management were not far from the surface, with half believing more timely reviews of privileged access could have prevented an attack, ahead of 45% citing more thorough reviews of sensitive data access, and 31% suggesting the continuous discovery of privileged access rights.

Given that the survey suggests most organisations have implemented some but not all elements of the identity and access management puzzle, the question is what else they should do to upgrade their current approach to cope with the extra strain of large-scale remote access.

Mind the authentication gaps

According to Bethlehem, the first problem is that organisations have built up a complex authentication fabric made up of accounts, passwords, and various identity validation methods, often weakly managed in a way that leads to gaps and inconsistencies. How these are being used, and who is using them, ends up being based on risky assumptions, with much taken on trust. The first task, then, is to build an accurate picture of which authentication methods are in use, for which applications, and by whom.

“We recommend analysing the applications users log into, mapping out how different types of users are authenticating to each one. Using this assessment, organisations can quickly identify inconsistencies and gaps,” says Bethlehem. “Many organisations say they want authentication everywhere but when you do an assessment they find that there are big gaps between the ideal and the reality.”

A common inconsistency is a policy that allows users to authenticate in the same way across a range of devices, for instance from an insecure home computer as well as from a secure corporate mobile device. This creates risks that organisations shouldn’t tolerate. Another mistake is to base authentication on the status of the user rather than on the sensitivity of the data or applications being accessed.
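The assessment Bethlehem describes can be mechanised once the inventory exists. The following is an added example, not code from the article or from Thales: it takes a constructed export of who authenticates to which application, from which device class, with which method, and flags the three problems named above (authentication weaker than the application warrants, the same method accepted from managed and unmanaged devices, and a method chosen by the user’s role rather than the application’s sensitivity). The method strengths, application sensitivity ratings and device classes are assumptions for illustration.

```python
"""Authentication-gap assessment over an access inventory.

Added example; the inventory rows, strength scale and application
classification below are constructed for illustration, not taken from
the article.
"""
from collections import defaultdict

# Assumed assurance ranking of the authentication methods seen in the inventory.
METHOD_STRENGTH = {
    "password": 1,
    "password+sms": 2,
    "password+push": 3,
    "password+fido2": 4,
}

# Assumed minimum assurance each application should demand (by data sensitivity).
APP_SENSITIVITY = {"wiki": 1, "email": 2, "hr-payroll": 3, "prod-admin": 4}

# Assumed device classes the organisation manages; everything else is unmanaged.
MANAGED_DEVICES = {"corp-laptop", "corp-mobile"}

# Constructed inventory: (user, role, application, device, method used).
INVENTORY = [
    ("alice", "staff", "email", "corp-laptop", "password+push"),
    ("alice", "staff", "email", "home-pc", "password+push"),
    ("bob", "staff", "hr-payroll", "home-pc", "password"),
    ("carol", "admin", "prod-admin", "corp-laptop", "password+fido2"),
    ("carol", "admin", "prod-admin", "home-pc", "password+sms"),
    ("dave", "staff", "wiki", "corp-laptop", "password"),
    ("dave", "staff", "hr-payroll", "corp-laptop", "password+sms"),
    ("erin", "admin", "wiki", "corp-laptop", "password+fido2"),
]


def assess(inventory):
    """Return the gaps found in the inventory, grouped by kind."""
    findings = {"below_minimum": [], "device_blind": [], "status_based": []}

    # 1. Method weaker than the application's sensitivity requires.
    for user, _role, app, device, method in inventory:
        if METHOD_STRENGTH[method] < APP_SENSITIVITY[app]:
            findings["below_minimum"].append((user, app, device, method))

    # 2. Same method accepted from managed and unmanaged devices for one user/app.
    by_user_app = defaultdict(lambda: {"managed": set(), "unmanaged": set()})
    for user, _role, app, device, method in inventory:
        cls = "managed" if device in MANAGED_DEVICES else "unmanaged"
        by_user_app[(user, app)][cls].add(method)
    for (user, app), seen in sorted(by_user_app.items()):
        for method in sorted(seen["managed"] & seen["unmanaged"]):
            findings["device_blind"].append((user, app, method))

    # 3. Strength decided by the user's role rather than by the application:
    #    the strongest method seen differs between roles on the same app.
    role_strength = defaultdict(dict)  # app -> role -> strongest method seen
    for _user, role, app, _device, method in inventory:
        strength = METHOD_STRENGTH[method]
        role_strength[app][role] = max(strength, role_strength[app].get(role, 0))
    for app, per_role in sorted(role_strength.items()):
        if len(set(per_role.values())) > 1:
            findings["status_based"].append(app)

    return findings


if __name__ == "__main__":
    for kind, items in assess(INVENTORY).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run against a real SSO or identity-provider audit export, the interesting output is usually the second and third lists: they surface policy that was never written down, and which the "authentication everywhere" plan assumed was already in place.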

More MFA but better

Enforcing multi-factor authentication (MFA) across the board is a minimum these days, but there are a range of issues organisations need to consider when making the jump, advises Bethlehem. “The ideal is to achieve maximum authentication without adversely affecting the user’s login experience. It is unrealistic to expect the user to re-authenticate each and every time they access multiple applications.”

This underlines why authentication is often hard to implement. Organisations start with not enough authentication but can end up with so much that it starts to become a productivity barrier. Even when that doesn’t happen, credential management can turn into one of those behind-the-scenes chores that sucks up admin time. As costs rise, every identity check adds to complexity, which leads to workarounds, which leads back to the issue of authentication gaps.

The orthodox solution to this is to implement a single sign-on (SSO) service, which hides the complexity of authenticating to different services and applications behind a convenient single authentication process. But SSO doesn’t remove the need to shape the policies governing it to suit a range of situations.

“You need a smart policy engine that will be able to enforce usable SSO in certain scenarios without compromising security. For example, you might have a user travelling to China, a high-risk scenario. In that instance, you need to be able to enforce a very strong authentication policy.”

A final issue to watch for is that not every user will be able to use only one type of authentication for all their access, no matter how elegant this might seem. “If they live in a zone with spotty mobile reception or if they object to using a personal mobile device for work authentication. In this case, the user would need to be provided with an additional authentication mechanism.”
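The policy engine Bethlehem describes, and the fallback for users who cannot use a phone-based factor, can be sketched in a few dozen lines. What follows is an added example, not code from the article or from Thales: it computes the assurance level a login should require from the application, the device, the user’s privilege and the country, honours an existing SSO session when that session was established at a high enough level (so the user is not prompted again for every application), and otherwise steps up using the least intrusive enrolled factor that meets the bar, excluding phone-dependent factors when the phone cannot be used. The level scale, the high-risk country list and the context fields are assumptions for illustration.

```python
"""Contextual step-up policy for an SSO session.

Added example; the assurance scale, risk rules and scenarios are
constructed for illustration rather than taken from any product.
"""
from dataclasses import dataclass, field

# Assumed assurance level each factor combination establishes (1 lowest, 4 highest).
FACTOR_LEVEL = {"password": 1, "sms": 2, "push": 3, "fido2": 4}
PHONE_FACTORS = {"sms", "push"}          # unusable with no reception or no work phone
HIGH_RISK_COUNTRIES = {"CN"}             # assumed policy list
APP_BASE_LEVEL = {"wiki": 1, "email": 2, "hr-payroll": 3, "prod-admin": 4}
MAX_LEVEL = 4


@dataclass
class Context:
    user: str
    app: str
    country: str
    managed_device: bool
    privileged: bool
    enrolled: set = field(default_factory=set)   # factors the user has enrolled
    phone_reachable: bool = True                 # False: spotty reception or no work phone


@dataclass
class Session:
    level: int = 0   # highest assurance established so far in this SSO session


def required_level(ctx):
    """Assurance the login must reach, from app sensitivity plus risk signals."""
    level = APP_BASE_LEVEL[ctx.app]
    if ctx.privileged:
        level = max(level, 3)            # privileged users get a higher floor
    if not ctx.managed_device:
        level += 1                       # unmanaged device raises the bar
    if ctx.country in HIGH_RISK_COUNTRIES:
        level = MAX_LEVEL                # high-risk location: strongest available
    return min(level, MAX_LEVEL)


def decide(ctx, session):
    """Return (outcome, factor, level): 'sso' reuses the session, 'step-up'
    names the factor to prompt for, 'deny' means nothing enrolled suffices."""
    need = required_level(ctx)
    if session.level >= need:
        return ("sso", None, need)

    usable = {f for f in ctx.enrolled
              if ctx.phone_reachable or f not in PHONE_FACTORS}
    candidates = sorted((f for f in usable if FACTOR_LEVEL[f] >= need),
                        key=FACTOR_LEVEL.__getitem__)
    if not candidates:
        return ("deny", None, need)

    factor = candidates[0]               # least friction that still meets the bar
    session.level = max(session.level, FACTOR_LEVEL[factor])
    return ("step-up", factor, need)


if __name__ == "__main__":
    alice = Session()
    base = dict(user="alice", country="GB", managed_device=True, privileged=False,
                enrolled={"password", "push", "fido2"})
    for app in ("email", "wiki", "hr-payroll"):
        print(app, decide(Context(app=app, **base), alice))
    print("from CN", decide(Context(**{**base, "country": "CN", "app": "email"}), alice))
    print("no phone", decide(Context(**{**base, "phone_reachable": False}, app="email"),
                             Session()))
```

Two design points carry over to real deployments: the session records the level it was established at, not just that the user logged in, so a later request for something more sensitive can step up rather than start over; and the fallback factor is selected from what the user actually enrolled, which is why every user who might lose phone access needs a second mechanism registered in advance.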

Pesky privileged access

All user rights are potentially risky, but some are riskier than others. At the top of the list are privileged users, broadly speaking anyone with admin rights. It’s often assumed these people are IT staff who should know what they’re doing and who understand the importance of security. But in the world of modern applications, admins can be anyone with the ability to manage a group, often department heads with no technical background.

“You want to identify privileged users and make sure the appropriate level of authentication is enforced,” says Bethlehem. This is where identity management enters the fray. “If a user leaves the organisation, there should be an automatic workflow that notifies the authentication system so that the user’s authentication is revoked.”

Zero trust all round

A decade after Forrester analyst John Kindervag coined the phrase ‘zero trust’, the concept behind it has suddenly become inescapable. Zero trust doesn’t tell organisations which technology to use - only that when implementing security, they should do so on the basis that no device, user account, or connection should automatically be trusted even when connecting from inside the network perimeter. Ideally, that should be under continuous review; just because you’ve been let in doesn’t mean you can’t be thrown out if you break the rules.

The question is what the rules are and how trust is established in the first place. Undoubtedly, a mixture of security monitoring, identity management and authentication is the best answer most security designers can come up with today. But other elements of zero trust architectures - micro-segmentation of networks and applications, and granular policy enforcement - can make authentication a lot more complex, because users must re-authenticate when they cross those boundaries.

Bethlehem is unmoved from her belief that organisations must find a way to overcome such obstacles. “Ultimately, given the number of apps that users need to log into on a daily basis, and the increasing aggressiveness and sophistication of cyberattacks, organisations would do well to adopt an authentication everywhere approach.”

That will never be frictionless, or simple. “Because user authentication needs are complex, this cannot be one size fits all. Organisations need to be able to implement different types of authentication - contextual, push, hardware - so assets are always protected at the point of access while at the same time ensuring a convenient login experience.”

Sponsored by Thales.

Biting the hand that feeds IT © 1998–2021