Top 10 identity and access management risks (original) (raw)

In the realm of identity and access management, or IAM, there is an enormous range of controls and processes that security and IT operations teams need to consider to help secure users and other accounts both on-premises and in the cloud. As the scope of IAM has grown over the years and the number of controls and technologies has expanded, it's increasingly common to find that organizations are still missing some of the most fundamental best practices. While this is a rapidly changing and evolving area, there are a number of well-known identity and access management risks that commonly affect organizations.

What follows here is a list of the most prevalent identity and access management risks. They're given in no particular order, along with a discussion of why many teams often fall short in managing these IAM risks and how they can improve the situation.

1. Inadequate role-based access control policies

Roles not properly defined can create a security risk. Users might receive inappropriate access, for instance, which leads to excessive permissions and other potential security risks. But setting appropriate role-based access control (RBAC) policies is a challenge for many organizations, which often struggle to create and maintain an effective RBAC model due to complex organizational structures and role inflation. One cause is that they have too many granular roles that were created without clear oversight. This is especially common for nonhuman roles in cloud environments.

But there are ways to improve this situation. One is to regularly review and refine roles to ensure they align with actual job responsibilities, reducing excessive privileges. Consider simplifying role hierarchies by consolidating overlapping roles and implementing attribute-based access control where possible to further fine-tune access where needed. For cloud environments, new tools such as cloud infrastructure entitlements management can help to map out what identities have access to and what the possible attack paths related to this might look like.

2. Failure to deprovision access promptly

This risk arises when employees change roles or leave the organization altogether. If the organization fails to deprovision access, that leaves accounts active, which can be exploited by insider threat actors or external attackers. Also in this risk category are nonhuman identities that are part of cloud infrastructure deployments that change or are decommissioned.

The challenge here occurs when communications between HR and IT aren't consistent. Or, it can be caused by a lack of automated processes. Decentralized systems also make deprovisioning difficult, which means deprovisioning can be delayed or overlooked altogether.

Deprovisioning can be easy with IAM systems integrated with HR platforms that automate the deprovisioning process immediately upon employee departure or role change. But the right system alone is not enough: Be sure to conduct periodic audits to identify orphaned accounts and RBAC roles and enforce account cleanup.

3. Lack of multifactor authentication enforcement

The risk here comes from reliance on passwords alone, which leaves accounts vulnerable to phishing, brute-force attacks and credential theft. Many organizations don't fully enforce MFA across accounts, which potentially leaves them exposed to account takeover. Some organizations implement MFA inconsistently for reasons that include a lack of visibility into account policies, perceived inconvenience, cost concerns or a lack of employee buy-in. Implementing mandatory MFA across all critical systems can help mitigate the danger, though providing user education on MFA's importance is also essential. Organizations should then use adaptive or risk-based MFA that requires additional authentication only for high-risk activities; this balances security and user convenience.

4. Lack of regular access reviews, certifications and accreditations

When access rights are not regularly reviewed, it leads to creation and persistence of excessive privileges or outdated permissions -- both of which increase the risk of abuse or attacks. But access reviews are often time-consuming and difficult to manage, especially in large organizations. Many organizations also lack the tools for efficient permissions discovery, reporting and ongoing monitoring. How can they fight back? Automate discovery of accounts and permissions as well as access reviews and certification processes to notify managers periodically to review team access. Use IAM tools with built-in reporting features to streamline the review process and provide clear audit trails.

5. Poor identity lifecycle management

Inconsistent or delayed management of user identities -- including creation, modification, suspension and deletion -- can create security gaps, especially with new and different IAM scenarios, such as cloud, IoT and other nonhuman identities. Those organizations that lack standardized onboarding and offboarding processes typically struggle to manage user identities across systems, especially with nonhuman accounts, contractors and temporary workers. Thus, it's essential organizations develop a standardized identity lifecycle policy that defines clear onboarding and offboarding processes. Use identity governance tools to ensure consistent application of these policies across all users and systems.

6. Weak password policies and credential management

Weak and/or reused passwords and inadequate credential management create another sort of identity and access management risk, one attackers can exploit through methods such as credential harvesting and credential stuffing -- leveraging credentials leaked in breaches and exposure scenarios. The culprits here are outdated password policies or lack of credential vaults for managing privileged accounts. Also, end users often resist complex password requirements, leading to weak security. The key to organizations closing this security gap is threefold:

Any one of these alone will improve security, but to truly cut down on the risk associated with passwords and credentials, organizations must implement all three.

7. Ineffective privileged access management

Uncontrolled privileged accounts are at risk of misuse, which can lead to significant damage in the event of an insider threat or external breach. Where many organizations falter is by failing to adequately monitor and restrict privileged access. Privileged users often have excessive permissions, and logging and monitoring privileged activity is sometimes overlooked. The solution is to implement privileged access management tools that enable fine-grained control and monitoring of privileged accounts. Enforce just-in-time access, where privileged access is granted only for specific time frames and activities, reducing the risk window for abuse.

Illustration of the four components of privileged access management.

8. Limited user awareness and training on IAM best practices

Users unaware of security practices -- such as recognizing phishing attempts or securing their credentials in fraud scenarios -- are more susceptible to attacks. Too often, user training is deprioritized due to time and resource constraints; another issue is training programs that don't cover IAM-specific security practices. With the advent of zero-trust tools and concepts, as well as new authentication tools and controls such as passwordless and phishing-resistant options for MFA, it's more important than ever to help educate end users on IAM best practices. The answer is to implement periodic training on IAM best practices and identity security awareness. Make that training specific to user roles and emphasize how access management and secure practices affect overall security. The initial education efforts can be reinforced with simulated phishing exercises and practical, scenario-based training.

9. Poor integration of IAM across multiple systems and clouds

When IAM tools are not integrated across all applications and platforms, gaps in visibility arise along with inconsistent access control and increased administrative overhead. The situation grows even more critical with federation and cloud-based services. This arises from various factors, such as organizations' legacy systems or organizations using a mix of on-premises and cloud systems that often struggle with IAM integration, leading to siloed access management. Tackle this issue by standardizing IAM products across environments or using identity-as-a-service tools to unify access management for cloud and on-premises applications. Be sure to implement single sign-on to centralize user authentication and streamline access control across platforms.

10. Insufficient logging, monitoring and incident response for IAM activities

Without monitoring and logging IAM activities, organizations might miss signs of unauthorized access or attacks, leading to delayed responses. This happens because many organizations overlook or lack the resources for adequate IAM monitoring, often due to insufficient budget for security information and event management (SIEM) systems or a lack of trained personnel. Many security teams are not trained on cloud IAM events of interest either, making correlation and incident playbook development challenging. To tackle this risk, implement logging for critical IAM activities, such as account creation, access changes and privilege escalation. Also, integrate IAM in both on-premises and cloud environments with SIEM systems and services for centralized monitoring. Be sure alerts are configured to promptly notify the security team of suspicious activity. Then, regularly review IAM logs as part of an ongoing incident response strategy.

For organizations of all sizes and types, addressing these 10 identity and access management risks should be a priority. Security and IAM teams should focus on a combination of automation, policy refinement, periodic audits and user education to help work toward a mature IAM program that aligns with best practices and mitigates access-related risks effectively.

Dave Shackleford is the founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author and GIAC technical director.