It's all about SECURITY

Future of Identity and Access Management (IAM)


I have been working in the Identity and Access Management field for about 18 years, and I can tell you that IAM has changed a lot since I started. When I began, I worked with some security products, and over time some of those products have disappeared from the market and been replaced by new ones. Some organizations are investing a lot in building their own IAM solutions because vendor products do not meet their needs, or because they do not get the timely support they need for their customers.

The security landscape has evolved dramatically. Organizations are moving to cloud or even multi-cloud environments, which introduce new risks to their business. Traditional IAM solutions are not sufficient to manage these new risks, so the IAM strategy has had to change as well to support the new business needs. In the past, Identity Management, Single Sign-On (SSO) and Two-Factor Authentication (2FA) were the key focus areas in IAM, and only a few organizations were implementing Multi-Factor Authentication (MFA) and Privileged Access Management (PAM); now these are an essential part of any IAM program.

So, the big question is: "What is the future of IAM?"

I believe there are still many areas in IAM that need more attention or require more work. Below, I have highlighted some of these areas:

  • Zero Trust Implementation (Continuous Authentication)
  • Zero Standing Privileges
  • Passwordless Authentication with Stronger MFA (Biometric/FIDO2)
  • Cloud IAM
  • Effective Approvals and User Access Reviews
  • Privileged Access Management
  • Non-Human Accounts Governance
  • IAM for AI Agents
  • Behavior and AI-Powered Monitoring, Alerting and Remediation


Apart from the above areas, User Education and User Experience will always be our top priority, as there is no security with poor user experience (see the Security vs User Experience post below). IAM is moving towards smarter and more secure models of digital identity and will continue to evolve.

Keep Learning and Keep Sharing. 





Security Principles: Just In Time Access and Zero Standing Privileges


JIT: Just-In-Time Access

ZSP: Zero Standing Privileges


If you work in the Cybersecurity IAM domain, you may be familiar with the terms Just-In-Time (JIT) access and Zero Standing Privileges (ZSP). These terms are often used interchangeably, but they are slightly different. ZSP can be considered a progression of JIT, but both have the same end goal: to improve the security posture.


JIT allows users to gain privileges or elevate access in systems/applications when they need to. JIT is associated with a time-frame: users gain privileged access for a particular time period, and once that time is over, the privileges are revoked from the user.

ZSP means users hold no persistent privileged access in systems or applications. Every time users need access to perform their job duties they must request it, and the privileges are revoked immediately after use.

Difference: The biggest differences between JIT and ZSP are

  • JIT allows users to gain access for a particular time period, whereas ZSP allows users to gain access for specific tasks
  • JIT is time-bound; ZSP is task-bound


JIT: A user requests privileged access for a particular time-frame, say 8 hours. Once the request is approved, the user has the access for 8 hours, and it is revoked when the time is over. No additional approval is required within that 8-hour window.

ZSP: A user requests privileged access to perform a particular task, and access is granted after the approvals. Access is revoked immediately on task completion. If the user needs access again to perform another task, a new approval is required before access can be granted.


Both security principles help prevent accidental misuse and targeted attacks, minimize security risk and reduce the attack surface, but ZSP, being grounded in Zero Trust, requires re-authorization for each task.
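As an added illustration (this code is not part of the original post), the following Python sketch models the two approval patterns in a hypothetical privilege broker. The broker, its method names, the approver callback and the one-hour safety-net TTL on ZSP grants are assumptions made for the example; the point it shows is the one above: one JIT approval covers every use inside the window, while ZSP needs a fresh approval per task and revokes on completion.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Grant:
    user: str
    role: str
    expires_at: int             # unix time after which the grant is dead regardless
    task: Optional[str] = None  # set only for ZSP grants: the task the access is tied to
    active: bool = True


class RecordingApprover:
    """Stand-in for the approval workflow: approves everything, but records each
    request so we can count how many approvals each model needed."""
    def __init__(self):
        self.requests: list[tuple[str, str, str]] = []

    def __call__(self, user: str, role: str, reason: str) -> bool:
        self.requests.append((user, role, reason))
        return True


class PrivilegeBroker:
    """Hypothetical broker that hands out privileged roles. The caller passes `now`
    so the behaviour is deterministic; a real broker would read the clock."""
    def __init__(self, approver: Callable[[str, str, str], bool]):
        self.approver = approver
        self.grants: list[Grant] = []
        self.audit: list[str] = []

    def request_jit(self, user, role, hours, now) -> Optional[Grant]:
        """JIT: one approval buys the role for a fixed window; no re-approval inside it."""
        if not self.approver(user, role, f"JIT {hours}h"):
            self.audit.append(f"{now} DENY  jit {user} {role}")
            return None
        g = Grant(user, role, expires_at=now + hours * 3600)
        self.grants.append(g)
        self.audit.append(f"{now} GRANT jit {user} {role} until {g.expires_at}")
        return g

    def request_zsp(self, user, role, task, now, max_seconds=3600) -> Optional[Grant]:
        """ZSP: every task is its own request and its own approval. The grant is revoked
        when the task completes; max_seconds is a safety net (assumption) in case it never is."""
        if not self.approver(user, role, f"task {task}"):
            self.audit.append(f"{now} DENY  zsp {user} {role} {task}")
            return None
        g = Grant(user, role, expires_at=now + max_seconds, task=task)
        self.grants.append(g)
        self.audit.append(f"{now} GRANT zsp {user} {role} for {task}")
        return g

    def complete_task(self, user, task, now) -> None:
        """ZSP revocation: the grant dies with the task, not with a timer."""
        for g in self.grants:
            if g.active and g.user == user and g.task == task:
                g.active = False
                self.audit.append(f"{now} REVOKE zsp {user} {g.role} ({task} done)")

    def sweep(self, now) -> None:
        """Expire time-bound grants; the revocation is logged like a manual one."""
        for g in self.grants:
            if g.active and now >= g.expires_at:
                g.active = False
                self.audit.append(f"{now} REVOKE {g.user} {g.role} (expired)")

    def has_privilege(self, user, role, now) -> bool:
        self.sweep(now)
        return any(g.active and g.user == user and g.role == role for g in self.grants)


def demo() -> dict:
    """Run the 8-hour JIT scenario and the two-task ZSP scenario from the post."""
    approver = RecordingApprover()
    broker = PrivilegeBroker(approver)
    t0 = 1_700_000_000
    broker.request_jit("alice", "db-admin", hours=8, now=t0)
    jit_mid = broker.has_privilege("alice", "db-admin", now=t0 + 5 * 3600)    # still inside window
    jit_after = broker.has_privilege("alice", "db-admin", now=t0 + 8 * 3600)  # window closed
    jit_approvals = len(approver.requests)
    broker.request_zsp("bob", "db-admin", "INC-1001 restore table", now=t0)
    zsp_during = broker.has_privilege("bob", "db-admin", now=t0 + 600)
    broker.complete_task("bob", "INC-1001 restore table", now=t0 + 900)
    zsp_after = broker.has_privilege("bob", "db-admin", now=t0 + 901)
    broker.request_zsp("bob", "db-admin", "CHG-2002 add index", now=t0 + 1000)  # second approval
    zsp_approvals = len(approver.requests) - jit_approvals
    return {"jit_approvals": jit_approvals, "jit_mid_window": jit_mid, "jit_after_expiry": jit_after,
            "zsp_approvals": zsp_approvals, "zsp_during_task": zsp_during, "zsp_after_task": zsp_after,
            "audit": broker.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The audit list is the part a real deployment would care about most: every grant and revocation, whether by timer or by task completion, lands in the same log, which is what an access review or an incident responder later needs.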
 

User Access Review (UAR) – A Closer Look at the Process and Its Challenges

What is User Access Review (UAR)?

User Access Review (UAR) is a process to review users' accesses/permissions and take corrective action to ensure that they are appropriate. This process is also known as Access Recertification or Access Attestation. Typically, managers conduct the reviews, but some organizations prefer to have permission owners (entitlement/role owners, application owners or data owners) take on this responsibility. The process, while essential, tends to be quite manual. The burden falls on those executing the reviews, typically members of the Cybersecurity IAM team, and on the reviewers themselves, who are responsible for verifying and confirming user access.

How Often Should UAR Be Conducted?

Organizations run UAR campaigns periodically as per their business needs: quarterly, semi-annually or annually. Quarterly and semi-annual campaigns are very common. While access reviews are important, it is important to balance the frequency of these campaigns with the organization's resources and needs.

Why Do Organizations Continue to Run UAR Campaigns Despite the Manual Work? 

Reasoning: The simplest answer is "Privilege Creep". Whenever someone joins an organization, they are granted certain accesses/permissions. They then request additional accesses that are needed to do their job duties. Users keep requesting new accesses while working for the organization but never request removal of the accesses they no longer need. Over time these accesses accumulate, which is known as Privilege Creep. Over-assigned privileges result in security risk (insider threats, and a larger blast radius when an account is compromised) for the organization, which is why it is important to revoke unnecessary accesses from users from time to time. The User Access Review process not only reduces the security risk but also saves money by releasing costly licenses. For organizations subject to regulations such as SOX, periodic review of everyone's access is also a mandatory audit requirement. Without regular reviews, an organization loses visibility over who has access to what resources, making it difficult to assess and manage risks effectively.


Challenges and Solutions in User Access Reviews

Though UAR is an essential process, it comes with its fair share of challenges. Let’s explore the most common obstacles organizations face and potential solutions to address them:

Manual Work Overload: UAR campaigns require a lot of manual effort by the IT team and the reviewers. While some automation tools are available in the market to support the IT team, they do not provide full automation. Reviewers still need to review users' accesses manually. There are also tools that help reviewers make the decision, such as SailPoint's access recommendation feature, but not all organizations have invested in tools to support the review process.
Solution: Automation is the key to alleviating this problem. Organizations should consider investing in automation tools to handle as much of the manual work as possible. Solutions like time-bound access, or Just-in-Time (JIT) access, can also help streamline the process by limiting the amount of access granted in the first place.

Lack of Awareness and User Resistance: One of the biggest hurdles is user resistance. Employees often see UAR campaigns as an inconvenience, particularly when asked to review hundreds of access permissions every few months. Resistance also stems from a lack of awareness of the security risk associated with over-assigned privileges.
Solution: User education is very important. Users must be made aware of the security risks posed by privilege creep and understand how their participation in the review process contributes to the organization's overall security and success.

Complexity in Scalability: Large organizations often have thousands of users across multiple systems and applications. Reviewing access for every user, especially in environments with complex, multi-tiered access, can be time-consuming and overwhelming. This also leads to the "rubber-stamping" problem, where reviewers just approve everything without genuinely reviewing it.
Solution: Implementing frameworks like RBAC, ABAC, JIT and time-bound access can significantly reduce the number of items that need to be reviewed in each UAR campaign. These frameworks can also solve the "rubber-stamping" problem to a great extent.

Time Constraints: Generally, UAR campaigns must be completed within strict timelines; otherwise they can create issues during audits. If the entire campaign runs for 4 weeks, 30% of reviews are typically completed within the first week, but the last 30% can be much harder to finish, especially when reviewers go on leave without taking any action.
Solution: Educating users about the importance of timely reviews, along with implementing strict follow-up actions for those who fail to complete their tasks, can help address this issue. Deadlines, and the consequences of not taking action on time, must be communicated clearly to users.

Data Collection: Organizations use hundreds of systems and applications, which means data comes from a variety of sources. Sometimes data is extracted from these systems/applications with the help of automation tools and sometimes manually. Given that each system stores data in a different format, transforming and standardizing this data for UAR campaigns can be time-consuming and tedious.
Solution: To ease this burden, organizations should invest in automating the data collection and validation processes. This not only simplifies the process but also reduces errors and saves repeated manual effort.
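As an added example (not from the original post), here is a small Python script showing one way to automate the data collection and privilege-creep flagging discussed above: two constructed entitlement exports in different formats are normalized into one record shape, joined with an HR feed, split into per-manager review queues, and pre-flagged when dormant or orphaned. The application names, field names, sample rows and the 90-day dormancy threshold are all assumptions for the example.

```python
import csv
import io
import json
from datetime import date

# --- constructed sample exports (not real data) --------------------------------
# Application A exports JSON with camelCase fields and lower-case logins.
APP_A_JSON = """[
  {"login": "jsmith", "entitlement": "FIN_AP_APPROVER", "lastLogin": "2024-03-01"},
  {"login": "rlee",   "entitlement": "FIN_READONLY",    "lastLogin": "2024-05-20"},
  {"login": "tgone",  "entitlement": "FIN_AP_APPROVER", "lastLogin": "2023-11-02"}
]"""
# Application B exports CSV with upper-case user IDs and different column names.
APP_B_CSV = """user_id,group,last_used
JSMITH,Payroll-Admin,2023-09-15
RLEE,Payroll-Viewer,2024-05-28
"""
# HR feed: the authoritative list of who is active and who their manager is.
# "tgone" is missing on purpose: a leaver whose account survived deprovisioning.
HR_CSV = """employee_id,manager_id,status
jsmith,mkhan,active
rlee,mkhan,active
mkhan,ceo,active
"""


def normalize_app_a(raw: str) -> list[dict]:
    """Map application A's JSON export onto the canonical record shape."""
    return [
        {"user": r["login"].lower(), "app": "FinanceApp",
         "entitlement": r["entitlement"], "last_used": date.fromisoformat(r["lastLogin"])}
        for r in json.loads(raw)
    ]


def normalize_app_b(raw: str) -> list[dict]:
    """Map application B's CSV export onto the same canonical shape."""
    return [
        {"user": r["user_id"].lower(), "app": "PayrollApp",
         "entitlement": r["group"], "last_used": date.fromisoformat(r["last_used"])}
        for r in csv.DictReader(io.StringIO(raw))
    ]


def load_hr(raw: str) -> dict[str, dict]:
    return {r["employee_id"].lower(): r for r in csv.DictReader(io.StringIO(raw))}


def build_campaign(records, hr, campaign_date, dormant_days=90):
    """Split normalized records into per-reviewer queues and pre-flag items.

    Orphaned accounts (no active HR record) are not sent to a reviewer at all:
    nobody can legitimately certify them, so they go straight to a revoke list.
    Dormant entitlements get a 'revoke' suggestion so reviewers are not asked to
    rubber-stamp hundreds of items that carry no usage signal.
    """
    queues: dict[str, list[dict]] = {}
    orphans: list[dict] = []
    for rec in records:
        emp = hr.get(rec["user"])
        if emp is None or emp["status"] != "active":
            orphans.append(rec)
            continue
        item = dict(rec, flags=[])
        if (campaign_date - rec["last_used"]).days > dormant_days:
            item["flags"].append("dormant")
        item["suggested"] = "revoke" if "dormant" in item["flags"] else "certify"
        queues.setdefault(emp["manager_id"], []).append(item)
    return queues, orphans


def run_campaign(campaign_date: date = date(2024, 6, 1)):
    """Wire the constructed exports through normalization into a campaign."""
    records = normalize_app_a(APP_A_JSON) + normalize_app_b(APP_B_CSV)
    return build_campaign(records, load_hr(HR_CSV), campaign_date)


if __name__ == "__main__":
    queues, orphans = run_campaign()
    for reviewer, items in queues.items():
        print(f"Reviewer {reviewer}: {len(items)} items")
        for it in items:
            print(f"  {it['user']:8} {it['app']:12} {it['entitlement']:16} "
                  f"{it['suggested']:8} {it['flags']}")
    print("Auto-revoke (orphaned accounts):",
          [(o["user"], o["app"], o["entitlement"]) for o in orphans])
```

The design choice worth noting is that the HR feed, not the application exports, decides who is a valid subject: an entitlement held by someone HR does not know about is a deprovisioning failure to fix, not an item to put in front of a manager.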


User Access Review is an essential part of maintaining security and compliance. While it is a time-consuming and complex process, implementing access control frameworks correctly, investing in and prioritizing automation, and educating users can help mitigate some of these challenges.






Cybersecurity World: Security vs User Experience

I want to ask all security professionals this question: what is more important, security or user experience?

I have been working in the security domain for almost 15 years, and I have noticed one thing: people keep emphasizing security and completely neglect the user experience part. But I think that security and user experience are two sides of the same coin. They are different, but neither can be neglected, and both should be given equal importance. Let me try to explain this with the following simple example:

Example:  

Note: This example is just to explain the point. I understand that we are in 2022 and passwords are considered the weakest solution in Cybersecurity today. 😊

Suppose we have 5 applications and we want to implement an authentication solution for all of them. To improve the security posture, what if we define the password policy below:

  • Minimum Password Length = 15
  • Minimum Numbers = 2
  • Minimum Uppercase Characters = 2
  • Minimum Lowercase Characters = 2
  • Minimum Special Characters = 2
  • No consecutive numbers or letters are allowed
  • Password history: the last 25 passwords cannot be reused
  • Password Expiry = 15 days or 30 days
  • The same password cannot be used across applications
  • Passwords cannot contain user attributes like first name, last name, user ID, email etc.
  • Passwords cannot contain dictionary words (custom dictionary)

This password policy will force users to come up with a complex and unique password for each application every 15 or 30 days.

From a security point of view this may look good, because each application will have its own unique password, but is it easy for an end user to remember such complex passwords? Users might manage it once, but is it realistic for them to come up with new passwords every 15 or 30 days for each application?

The answer is no. So what's wrong with this solution?

In this solution we completely ignored user experience and are providing a very poor experience to our customers. If we implement this kind of password policy, end users will end up writing their passwords in a notebook, in a text file on their laptop or on sticky notes, which undermines the very security posture we wanted to improve. The final outcome is poor security.
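To make the policy concrete, here is an added Python checker (not from the original post) that enforces the rules listed above and reports which ones a candidate password breaks. The demo user, the custom dictionary words, the reading of "no consecutive numbers or letters" as any adjacent pair such as "ab" or "12", and the use of SHA-256 for the history demo are assumptions; a real system would keep history with the same slow hash it uses for the live password. Running it shows the UX point: a password a person could actually remember fails, and the only candidate that passes is one nobody will remember.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date

# The policy from the post, as numbers the checker reads.
POLICY = {"min_length": 15, "min_digits": 2, "min_upper": 2, "min_lower": 2,
          "min_special": 2, "history": 25, "max_age_days": 30}

# Constructed custom dictionary; a real one would hold thousands of entries.
CUSTOM_DICTIONARY = {"password", "welcome", "summer", "winter", "company", "secret"}


@dataclass
class UserProfile:
    userid: str
    first_name: str
    last_name: str
    email: str
    # app -> hashes of that app's passwords, newest first (SHA-256 is for the demo only)
    history: dict[str, list[str]] = field(default_factory=dict)


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _has_sequential_pair(pw: str) -> bool:
    """Assumed reading of 'no consecutive numbers or letters': two adjacent
    characters that follow each other, e.g. 'ab', 'BC' or '12'."""
    for a, b in zip(pw, pw[1:]):
        if a.isdigit() and b.isdigit() and ord(b) - ord(a) == 1:
            return True
        if a.isalpha() and b.isalpha() and ord(b.lower()) - ord(a.lower()) == 1:
            return True
    return False


def check_password(pw: str, user: UserProfile, app: str, policy=POLICY) -> list[str]:
    """Return the policy rules the candidate violates; an empty list means accepted."""
    v = []
    if len(pw) < policy["min_length"]:
        v.append("length")
    if sum(c.isdigit() for c in pw) < policy["min_digits"]:
        v.append("digits")
    if sum(c.isupper() for c in pw) < policy["min_upper"]:
        v.append("uppercase")
    if sum(c.islower() for c in pw) < policy["min_lower"]:
        v.append("lowercase")
    if sum(not c.isalnum() for c in pw) < policy["min_special"]:
        v.append("special")
    if _has_sequential_pair(pw):
        v.append("sequential")
    low = pw.lower()
    attrs = [user.userid, user.first_name, user.last_name, user.email.split("@")[0]]
    if any(a.lower() in low for a in attrs if a):
        v.append("user-attribute")
    if any(word in low for word in CUSTOM_DICTIONARY):
        v.append("dictionary")
    h = _digest(pw)
    if h in user.history.get(app, [])[: policy["history"]]:
        v.append("history")
    # "applications cannot share passwords": compare with every other app's current hash
    if any(other and other[0] == h for name, other in user.history.items() if name != app):
        v.append("shared-across-apps")
    return v


def set_password(pw: str, user: UserProfile, app: str) -> list[str]:
    """Apply the policy; on success push the new hash to the front of the app's history."""
    violations = check_password(pw, user, app)
    if not violations:
        user.history.setdefault(app, []).insert(0, _digest(pw))
    return violations


def password_expired(set_on: date, today: date, policy=POLICY) -> bool:
    """The rotation rule: older than max_age_days means the user must pick a new one."""
    return (today - set_on).days > policy["max_age_days"]


if __name__ == "__main__":
    u = UserProfile("psharma", "Priya", "Sharma", "psharma@example.com")
    for candidate in ["Summer2024Welcome!!", "Tq7#mZ9@vLpX3$kW"]:
        print(f"{candidate!r:24} -> {check_password(candidate, u, 'app1') or 'accepted'}")
```

Note what the checker cannot do: it verifies the rules, but it cannot verify that the user has not written the accepted password on a sticky note, which is exactly where the policy's security gain leaks away.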

As security professionals, we tend to keep our entire focus on security and very little on user experience, but I think it is our responsibility to come up with a solution that is not only secure but also provides a better user experience to our customers, so that our aim of improving the security posture remains intact. We cannot have a 60-40 ratio between security and user experience; it must be 50-50, which means we need to start giving user experience the same importance we give to security. Only by doing this will we be able to improve the security posture of the organization in reality.

Again, these are just my thoughts. 

 

 

 

 

 

Disclaimer

All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.

 

Authenticator App for 2FA - TOTP

Nowadays, using authenticator mobile apps for 2FA is very common. I always wondered how it works in the background: how does the mobile app generate a code that the application can validate to grant access?

I read about it, did some research on Google, and also developed an Eclipse client to test it.

  1. When we create an account in the application, the application generates a "Secret Key"
  2. The application stores this Secret Key for each user
  3. The user registers the same Secret Key in the authenticator app as well (usually by scanning a QR code)
  4. The authenticator app generates a 6-digit code every 30 seconds from this Secret Key and the current time (an HMAC over the current 30-second time step, as specified in RFC 6238)
  5. When the user tries to log in, they are asked to enter the 6-digit code from the authenticator app. At the same time, the application generates the 6-digit code using the Secret Key stored on its side. The two codes are compared, and if they match, the user is granted access to the application.

I validated this flow with the Eclipse client.

Here are the libraries used for this Java client:


Code to generate the Secret Key. This returns the Secret Key, which you need to store on the application side and register in an authenticator app such as Google Authenticator.

Sample Secret Key: RDOVRBFZFT54DZ7E3LWTJPUNTRQINUJO

You can also generate a QR code from this Secret Key, which the app can scan for registration (the QR code encodes an otpauth:// URI that carries the secret).

Code to generate the 6-digit code (TOTP); you need to pass the same Secret Key. This method lives on the application side.

main method to test:


You will be asked to enter the 6-digit code from the authenticator app, which will be validated against the 6-digit code generated by the application.

Important things:

  • Time must be in sync between the application server and the device running the authenticator app, because the code is derived from the current 30-second time step (servers usually accept a small window of adjacent steps to tolerate drift)
  • The Secret Key is the main thing: if you set up your Eclipse client with it, you don't even need the authenticator app for 2FA. By the same token, anyone who obtains the Secret Key can generate valid codes, so it must be protected at rest on the application side (it cannot be stored as a one-way hash, because the server needs the raw key to compute the code)
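Since the Java snippets did not survive on this page, here is an added Python implementation of the same flow (my code, not the author's Eclipse client), using only the standard library: secret generation, the otpauth:// URI for the QR code, HOTP/TOTP per RFC 4226 and RFC 6238, and server-side verification with a drift window and constant-time comparison. The account name, issuer and the one-step drift window are assumptions; the RFC6238_SHA1_SECRET constant is the RFC's own test key, included only so the implementation can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

# RFC 6238 test key ("12345678901234567890" in ASCII), base32-encoded; used only to
# check this implementation against the RFC's published vectors, never in production.
RFC6238_SHA1_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Step 1: the application creates a random secret. 20 bytes = 160 bits, the
    key length RFC 4226 recommends for HMAC-SHA1; base32 is what authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Step 3: the string that goes into the QR code the authenticator app scans."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30}
    )
    return f"otpauth://totp/{label}?{query}"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore stripped base32 padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Step 4 (the app) and
    step 5 (the server) both compute this, and they agree only if their clocks agree."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret_b32, int(unix_time // step), digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. `window` accepts codes from adjacent time steps to tolerate
    small clock drift (the 'time must be in sync' point). Every candidate is compared
    in constant time and none returns early, so timing does not reveal which step matched."""
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time // step)
    ok = False
    for drift in range(-window, window + 1):
        candidate = hotp(secret_b32, counter + drift, digits)
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


if __name__ == "__main__":
    secret = generate_secret()
    print("register this in the app:", otpauth_uri(secret, "alice@example.com", "ExampleApp"))
    code = totp(secret)
    print("current code:", code, "verifies:", verify_totp(secret, code))
```

Two things the block leaves to the caller, as RFC 6238 itself recommends: a record of the last accepted time step so the same code cannot be replayed within its window, and rate limiting on the verify endpoint, since a 6-digit code with a 3-step window is only about one chance in 333,000 per guess.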

Good Resources:

  • https://www.protectimus.com/blog/time-drift-in-totp-hardware-tokens/