What is Identity and Access Management (IAM)?
Identity and access management (IAM) is a framework that allows the IT team to control access to systems, networks and assets based on each user’s identity. IAM consists of two main components:
1. Identity management: Verifies the identity of the user based on existing information in an identity management database.
2. Access management: Uses the requestor’s identity to confirm their access rights to different systems, applications, data, devices and other resources.
An IAM tool’s core functions are to:
- Assign a single digital identity to each user
- Authenticate the user
- Authorize appropriate access to relevant resources
- Monitor and manage identities to align with changes within the organization
Why is IAM important?
In the digital landscape, organizations are under significant pressure to ensure their corporate infrastructure and assets, including data, are secure. At the same time, they must provide a frictionless experience to authorized users, who need access to a wide variety of digital resources, both in the cloud and on premises, to perform their jobs, without juggling separate authentication systems and identity stores.
As the IT environment becomes more complex due to a proliferation of connected devices and the acceleration of the “work from anywhere” trend, organizations must ensure they are providing the right level of access to all users in a seamless and efficient way.
IAM helps organizations streamline and automate identity and access management tasks and enables more granular access controls and privileges. With an IAM solution, IT teams no longer need to manually assign access controls, monitor and update privileges, or deprovision accounts. Organizations can also enable single sign-on (SSO) to authenticate the user’s identity once and allow access to multiple applications and websites with a single set of credentials.
How is IAM different from identity security?
Technically speaking, IAM is a management solution — not a security solution. While IAM can help restrict access to resources by managing digital identities, IAM policies, programs and technologies typically are not designed primarily as a security solution.
For example, IAM technologies that store and manage identities to provide SSO or multifactor authentication (MFA) capabilities cannot detect and prevent identity-driven attacks in real time. Likewise, IAM solutions are an important part of the overall identity strategy, but beyond identities themselves they typically lack deep visibility into endpoints, devices, workloads and user behavior.
At the same time, identity security does not replace IAM policies, programs and technologies. Rather, identity security complements and enhances IAM with advanced threat detection and prevention capabilities. It adds the much needed security around every user — be it a human, service account or privileged account — to help negate security risks within Active Directory (AD), which is widely considered to be the weakest link in an organization’s cyber defense.
Finally, while identity security and IAM are critical capabilities within the security architecture, it is important to remember these are just two components within a broader security platform. To ensure the strongest protection, organizations must develop a comprehensive cyber defense strategy that includes endpoint security, IT security, cloud workload protection and container security. The identity security solution and IAM tool should also integrate with the organization’s Zero Trust architecture.
IAM systems leverage a variety of methods to authenticate a user’s identity, one of which is single sign-on (SSO).
The SSO authentication method establishes a single digital identity for every user. Credentials for this account can be used to access any approved system, software, device or asset within Active Directory without reentering a username and password specific to that asset.
Active Directory Federation Services (AD FS) is the best-known SSO implementation. Developed by Microsoft, AD FS provides authenticated, secure access to any domain, device, web application or system within the organization’s Active Directory (AD), as well as to approved third-party systems.
While many organizations develop an SSO capability internally, others have turned to identity as a service (IDaaS), which is a cloud-based subscription model for IAM offered by a vendor. As with any as-a-service model, IDaaS is often a viable option because outsourcing IAM services can be more cost-effective, easier to implement and more efficient to operate than doing so in-house.
In addition to confirming the user’s identity, the IAM system also needs to grant access to users at the appropriate level. There are several secure access strategies organizations can take, including:
Zero Trust
Zero Trust is a security framework that requires all users, whether inside or outside the organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted, or allowed to keep, access to applications and data.
Executing this framework combines advanced technologies such as risk-based multifactor authentication, identity protection, next-generation endpoint security and robust cloud workload technology to verify a user’s or system’s identity, evaluate the access request at that moment in time, and maintain system security. Zero Trust also requires attention to data encryption, email security and verifying the hygiene of assets and endpoints before they connect to applications.
Principle of Least Privilege (POLP)
The principle of least privilege (POLP) is a computer security concept and practice that gives users limited access rights based on the tasks necessary to their job. POLP ensures only authorized users whose identity has been verified have the necessary permissions to execute jobs within certain systems, applications, data and other assets.
POLP is widely considered to be one of the most effective practices for strengthening the organization’s cybersecurity posture, because it allows organizations to control and monitor network and data access.
Privileged Access Management (PAM)
Privileged access management (PAM) is a cybersecurity strategy that focuses on maintaining the security of administrative accounts.
Identity Segmentation
Identity segmentation is a method of restricting user access to applications or resources based on identity.
Multifactor Authentication (MFA)
Multifactor authentication (MFA) is a security feature that grants access to the user only after confirming their identity with one or more credentials in addition to their username and password. This may include a security code delivered via text or email, a security token from an authenticator app, or even a biometric identifier.
Risk-Based Authentication (RBA)
Sometimes referred to as adaptive authentication, risk-based authentication (RBA) is a security protocol that only asks a user to confirm their identity via MFA in high-risk or unusual circumstances, such as when logging in from a new device or from a different location.
Role-Based Access Control (RBAC)
RBAC assigns access privileges automatically based on the user’s role within the organization, their level, or their membership in a certain team or function.
Protecting Your IAM Implementation
IAM is part of the organization’s broader IT environment and cybersecurity architecture. For that reason, implementation must be integrated with other systems and solutions, including the identity security solution and Zero Trust architecture.
One of the most critical aspects of IAM implementation is Active Directory security, or AD security. AD security is uniquely important in a business’s overall security posture because the organization’s Active Directory controls all system access. Effective Active Directory management helps protect your business’s credentials, applications and confidential data from unauthorized access, and strong AD security keeps malicious users from breaching your network and causing damage.
The best way to monitor for compromises in your Active Directory is to use an event log monitoring system. By monitoring the activity in these logs, organizations can catch any compromises before more damage occurs.
When monitoring your event logs, look for signs of suspicious activity, including the following events:
- Privileged account activity: Attackers commonly exploit a privilege escalation vulnerability to increase the privileges of a compromised user account. You might also notice after-hours activity on a privileged user account, or a sudden increase in the amount of data accessed by a user account.
- Login failures: Repeated failures to log in to an account can be a sign that a threat actor is trying to gain access.
- Remote logins: Malicious users often attempt to access your system remotely. If you notice a login from an Internet Protocol (IP) address in a different country or locale, it could be a sign that your Active Directory is compromised.
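As an added example that is not part of the original article, the three signals above expressed as simple checks over constructed, GeoIP-enriched Windows Security event records; the field names, the failure threshold, the business-hours window and the home country are assumptions for the illustration:

```python
from collections import Counter
from datetime import datetime

# Constructed sample records shaped like enriched Windows Security events
# (4624 = logon success, 4625 = logon failure, 4672 = special privileges
# assigned; logon_type 10 = RemoteInteractive, i.e. RDP). The "country"
# field assumes a GeoIP enrichment step upstream. All values are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "id": 4624, "user": "jsmith", "ip": "10.0.0.5", "country": "US", "logon_type": 2},
    {"ts": "2024-03-04T09:13:00", "id": 4672, "user": "svc_backup", "ip": "10.0.0.9", "country": "US", "logon_type": 5},
    {"ts": "2024-03-04T02:41:00", "id": 4672, "user": "da_admin", "ip": "10.0.0.21", "country": "US", "logon_type": 10},
    {"ts": "2024-03-04T22:05:00", "id": 4624, "user": "bwhite", "ip": "198.51.100.8", "country": "RO", "logon_type": 10},
] + [
    # six failed logons for one account within a few minutes (constructed)
    {"ts": f"2024-03-04T11:{m:02d}:00", "id": 4625, "user": "jdoe", "ip": "192.0.2.77", "country": "US", "logon_type": 3}
    for m in range(6)
]


def failed_logon_bursts(events, threshold=5):
    """Accounts with at least `threshold` failed logons (4625): password guessing signal."""
    counts = Counter(e["user"] for e in events if e["id"] == 4625)
    return {user: n for user, n in counts.items() if n >= threshold}


def after_hours_privileged(events, start_hour=8, end_hour=18):
    """Special-privilege assignments (4672) outside the assumed business-hours window."""
    hits = []
    for e in events:
        if e["id"] != 4672:
            continue
        hour = datetime.fromisoformat(e["ts"]).hour
        if not start_hour <= hour < end_hour:
            hits.append((e["user"], e["ts"]))
    return hits


def foreign_remote_logons(events, home_country="US"):
    """Successful RDP-style logons (4624, logon type 10) from outside the home country."""
    return [(e["user"], e["ip"], e["country"]) for e in events
            if e["id"] == 4624 and e["logon_type"] == 10 and e["country"] != home_country]


def triage(events):
    """Run all three checks and return the findings for an analyst to review."""
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "after_hours_privileged": after_hours_privileged(events),
        "foreign_remote_logons": foreign_remote_logons(events),
    }
```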
Basic implementation steps are as follows:
- Establish the core set of objectives for the IAM solution
- Audit existing and legacy systems to identify gaps within the existing architecture
- Identify core stakeholders to help with identity mapping and defining user access rules
- Capture all user groups; include as much granularity as necessary
- Identify all user access scenarios and define corresponding rules; take into account cloud assets and how access within the cloud environment differs from on-premises access
- Consider any integration points with other security systems or protocols including the Zero Trust solution or identity security system
The Future of IAM
Analysis from the CrowdStrike OverWatch™ threat hunting team indicates that 80% of breaches are identity-driven. These modern attacks often bypass the traditional cyber kill chain by directly leveraging compromised credentials to accomplish lateral movement and launch bigger, more catastrophic attacks.
This weakness, coupled with the rapid expansion of a digital workforce, puts organizations at heightened risk for identity-driven attacks, amplifying the need for organizations to activate a strong, flexible identity security solution that includes IAM. Taken together, these solutions are intended to stop adversaries that have managed to circumvent other security measures, such as endpoint detection and response (EDR) tools.
Shrink the Identity Attack Surface with CrowdStrike Falcon IDP
A security compromise of AD exposes the identity infrastructure and creates a very large attack surface that may lead to ransomware, data breaches and eventually damage to the business and its reputation. The security team and the IAM team try to secure the AD identity store, but they need to be sure that legacy and deprecated protocols (e.g., NTLMv1) are not in use. They also need to know in real time if a specific service account or a stale account is opening a Remote Desktop Protocol (RDP) session to a Domain Controller (DC), or trying to move laterally to critical servers by escalating privileges or using stolen credentials.
The limitations of traditional and siloed AD security tools increase the overall attack surface for identity-based attacks. These challenges are among the reasons why 80% of attacks are credential-based. Though AD and IAM teams may use several tools to secure AD, the real need is to secure both AD and Azure AD from a unified console. That lets them holistically understand the who, where, when and why of every authentication and authorization request and the risks facing the organization, and extend risk-based MFA and conditional access to legacy applications, significantly reducing the attack surface.
Since a majority of modern attacks are based on credentials, identity is not only the most important element in Zero Trust — identity is the new perimeter. CrowdStrike Falcon Identity Protection (IDP) wraps security around every identity, whether on on-premises AD, cloud AD or Azure AD.
Falcon Identity Protection, part of the CrowdStrike Falcon® platform, is built around a continuous risk scoring engine that analyzes security indicators present in authentication traffic in real time. Adhering to Zero Trust principles, the risk scores are developed inside-out — around user roles, user-defined authentication policies and identity stores — instead of the traditional outside-in sources. Falcon Identity Protection is the only cloud-native Zero Trust solution to protect AD — the weakest link in your cyber defense.
CrowdStrike Identity Protection consists of two main components:
Falcon Identity Threat Detection
Falcon Identity Threat Detection helps organizations achieve deeper visibility for identity-based attacks and anomalies in real time without requiring ingestion of log files. Falcon Identity Threat Detection is ideal for organizations that want only identity-based threat incident alerts and threat hunting, but not automated prevention of threats.
Falcon Identity Threat Protection
Falcon Identity Threat Protection enables hyper accurate threat detection and real time prevention of identity-based attacks by combining the power of advanced artificial intelligence (AI), behavioral analytics and a flexible policy engine to enforce risk-based conditional access.
To learn more about CrowdStrike Falcon Identity Protection, download our data sheet or watch our demo:
Falcon Identity Protection Demo
Watch this two-part demo as experts show how CrowdStrike Falcon Identity Protection offers organizations the “defense in depth” they require.