The modern workplace’s identity and access management (IAM) needs have radically changed from what they were even a decade ago. We’re discovering that legacy IAM platforms designed for on-premises servers and endpoint-housed applications cannot adequately handle workspaces that include SaaS and web applications, cloud instances and data buckets, unmanaged personal devices and remote workers logging in from anywhere in the world.
The addition of multi-factor authentication (MFA) and single sign-on (SSO) mechanisms has given legacy IAM systems a few extra years of usefulness. But the limits of those protocols, especially those using weaker forms of MFA, are becoming nakedly apparent.
Today’s hybrid, access-from-anywhere workplace requires a modern, cloud-based IAM platform, one that incorporates the “intelligent” controls once reserved for privileged access management (PAM) systems, such as continuous verification and monitoring, temporary credentials, context-based MFA challenges, role-based access controls and session isolation.
Up-to-date IAM platforms also enforce the principle of least privilege; accept and encourage passwordless authentication using biometrics, hardware tokens or passkeys; and function best in a zero-trust security environment.
“Privileged access management was traditionally geared towards IT departments specifically, and the resources and access they have. That still exists today,” says Brandon McCaffrey, Solutions & Product Strategy, Workforce at CyberArk. “What’s changed is on the workforce side that was the traditional focus of IAM. A lot of those systems have moved to the cloud.”
The limits of legacy IAM in a hybrid environment
Hybrid environments are ripe for identity misconfiguration and confusion because cloud-service protections are more complex than those of on-premises environments. Remote workers, especially those logging in from personal devices, and the presence of unmanaged smartphones hopping on office Wi-Fi networks also tremendously complicate the jobs of defenders.
“If you just take the three [major] cloud providers, there are over 45,000 permissions between these three cloud providers,” says Archit Lohokare, GM of Workforce and Endpoint Security Solutions at CyberArk.
It’s hard to overlay an old paradigm onto a new environment, and a platform that partly determines a user’s access based on whether the user is inside or outside the company’s physical network will not succeed in a hybrid workspace.
Permissions confusion becomes especially likely when administrators assign higher privileges to specific user groups, giving individual users more privileges than even they may be aware of.
“Maybe they didn’t even know that they were a local administrator,” says Ed Moore, AVP of IT Security – Identity and Access Management at Carnival Corporation. “They were put into the administrators’ group or domain admin group. Sometimes people can be nested into particular groups and not even know that they have this set permission until they get in there.”
Cloud computing limits visibility when compared to on-prem assets, especially in a shared public cloud where the client doesn’t control the infrastructure. Cloud misconfigurations can create endless backdoors and access-management failures, although the number of data exposures and leaks created by such misconfigurations may be smaller today than it was just a few years ago.
Clients also have little control over SaaS applications and may have trouble configuring SaaS access. Even in-house web apps can be prone to misconfigurations and access-management failures.
“Sometimes the actual SaaS system itself might give you more privileges than you really should have as an individual user,” notes McCaffrey.
Even multi-factor authentication and single sign-on, both still very worthwhile, have their pitfalls. MFA suffers from over-reliance on factors that can easily be phished or stolen, such as one-time passcodes sent by text or generated by an app, or that can be defeated by wearing down the user, such as yes/no push notifications that an attacker who already holds the password can send repeatedly until one is approved.
“The concept of MFA was a really solid one,” says Julian Mihai, Chief Information Security Officer at Penn Medicine. “The way it’s being implemented these days, it’s becoming less and less strong.”
SSO’s protection has gaps because an organization’s software suite often includes applications and services that aren’t compatible with SSO. Those services fall back on their own local passwords, outside the central MFA policy, which leaves them exposed to phishing and password cracking.
“Single-sign-on is a necessity in the business we’re in today to improve both security and user productivity access to provision applications,” says Maor Franco, Product Marketer at CyberArk. “However, we’re also seeing from our customers that not all applications are federated access.”
How a modern cloud-based IAM platform protects today’s workplace
Cloud-native IAM platforms are the better solution for modern workspaces, as they can be equally adaptable to cloud, on-prem and hybrid environments. Not being bound to any physical space, they are also adept at handling remote workers and personal devices.
They also often use intelligent privilege controls of the sort that originated in privileged-access-management systems meant to oversee IT administrators and other highly privileged users.
These controls include dynamic risk-based MFA schemes, which use automation and machine learning to frame a user’s access request in the context of the user’s geographic location, device, time of request and other aspects.
If the user is on a new device, the MFA scheme should naturally ask for a second factor. The same should apply when the user tries to log in from a new location or at an unusual time of day.
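The decision logic described above, as an added example that is not code from the original article or from any vendor named in it: each login attempt is scored against what the platform already knows about the user (known devices, usual countries, usual sign-in hours, last seen location), and the score decides between allowing the login, demanding a second factor, or blocking it. The weights, thresholds, the 900 km/h impossible-travel speed and the sample profile are all assumptions for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Assumed weights and thresholds; a real platform tunes these per tenant.
WEIGHT_NEW_DEVICE = 40
WEIGHT_NEW_COUNTRY = 30
WEIGHT_UNUSUAL_HOUR = 30
WEIGHT_IMPOSSIBLE_TRAVEL = 70
STEP_UP_AT = 30            # score >= this: demand a second factor
DENY_AT = 70               # score >= this: block the attempt and alert
MAX_PLAUSIBLE_KMH = 900.0  # faster than an airliner: "impossible travel"


@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range                              # UTC hours the user normally signs in
    last_login_at: Optional[datetime] = None
    last_login_geo: Optional[Tuple[float, float]] = None   # (lat, lon)


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    geo: Tuple[float, float]
    at: datetime


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Add up the context signals; return the score and the reasons behind it."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += WEIGHT_NEW_DEVICE
        reasons.append("new device")
    if attempt.country not in profile.usual_countries:
        score += WEIGHT_NEW_COUNTRY
        reasons.append("new country")
    if attempt.at.hour not in profile.usual_hours:
        score += WEIGHT_UNUSUAL_HOUR
        reasons.append("unusual hour")
    if profile.last_login_at is not None and profile.last_login_geo is not None:
        hours = (attempt.at - profile.last_login_at).total_seconds() / 3600.0
        km = haversine_km(profile.last_login_geo, attempt.geo)
        # Only judge travel speed when the clock moved forward; a skewed clock
        # must not silently grant a pass.
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += WEIGHT_IMPOSSIBLE_TRAVEL
            reasons.append("impossible travel")
    return score, reasons


def decide(profile: UserProfile, attempt: LoginAttempt) -> Tuple[str, List[str]]:
    score, reasons = risk_score(profile, attempt)
    if score >= DENY_AT:
        return "deny", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons


# Constructed sample data: a US-based user who normally works 07:00-19:00 UTC.
NYC = (40.7128, -74.0060)
TOKYO = (35.6762, 139.6503)
T0 = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)


def scenarios() -> Dict[str, str]:
    """Run four constructed attempts and return the verdict for each."""
    p = UserProfile(known_devices={"laptop-1"}, usual_countries={"US"}, usual_hours=range(7, 20))
    out = {
        "known_device_usual_time": decide(p, LoginAttempt("laptop-1", "US", NYC, T0))[0],
        "new_device": decide(p, LoginAttempt("tablet-9", "US", NYC, T0))[0],
        "odd_hour": decide(p, LoginAttempt("laptop-1", "US", NYC, T0.replace(hour=3)))[0],
    }
    # Last login was in New York at 10:00; two hours later the same device "is" in Tokyo.
    p.last_login_at, p.last_login_geo = T0, NYC
    out["impossible_travel"] = decide(p, LoginAttempt("laptop-1", "JP", TOKYO, T0.replace(hour=12)))[0]
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:25s} -> {verdict}")
```

The impossible-travel check is the part practitioners most often get wrong: it needs the previous login's location and time stored per user, and it must fail closed when the clock skews, which is why the speed test requires a positive elapsed time.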
“If you look at traditional IAM systems, they were very focused on just managing identities, managing the access rights. Their whole perspective was reducing operational costs,” says Lohokare.
“What you really need to think about,” he adds, “is how do you then look at identity security as a way of minimizing and reducing and even eliminating cyber risk as one of the foundational business outcomes you want with a new identity security solution?”
Another control ported from PAM is continuous monitoring and logging of user behavior, tracking which assets individual users access to better detect anomalous behavior. PAM forces highly privileged users to log in more frequently because their access tokens expire quickly; modern IAM solutions do the same for all users.
PAM platforms, and increasingly IAM ones as well, practice browser session isolation, which routes sensitive browser traffic, such as that to and from a web application, through a proxy server to insulate the user’s endpoint from web-based attacks.
Along the same lines, but often outside the scope of an IAM or PAM platform, an organization might use secure enterprise browsers that likewise isolate user sessions and mandate constant rotation of browser session cookies to prevent authentication-cookie hijacking.
“Session isolation, session monitoring, protecting the post-authentication data like session cookies — those are ideas that we got from the world of privileged [access management] that you can now apply to the world of the [standard] workforce,” says McCaffrey.
But the most important recent developments in identity and access management are the principle of least privilege and its practical companion, role-based access control (RBAC).
Least privilege ensures that no user, whatever their rank in the organization, has more system or access permissions than is strictly necessary to perform their tasks. Role-based access control maps permissions directly to the job, giving admin teams a template to work from when determining an individual user’s privileges.
Both principles are key to the zero-trust security model, in which no user is ever implicitly trusted: every user must re-verify at least daily, and again when moving from one network segment to another or accessing new assets.
However, an organization can implement least privilege and RBAC without a full zero-trust rollout. Doing so will greatly reduce the chances of an attacker using a hijacked account to penetrate far inside a network.
“If you’re not doing least privilege, it’s kind of like a buffet table for hackers,” says Moore. “If you don’t have role-based access, [least privilege is] even harder.”
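The role-template idea above, and the nested-group problem Moore describes earlier in the piece, as an added example that is not code from the original article or from any vendor named in it: a small audit that resolves each user's effective permissions through nested directory groups and reports anything beyond that user's role template as a least-privilege violation. The roles, groups, permission names and users are constructed for illustration.

```python
from typing import Dict, List, Set

# Constructed data. In practice the role templates come from the RBAC design and
# the group data from the directory (AD, Entra ID, Okta, ...).
ROLE_TEMPLATES: Dict[str, Set[str]] = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "helpdesk":  {"ticket:read", "ticket:write", "user:reset_password"},
    "sysadmin":  {"server:login", "server:sudo", "user:reset_password"},
}

# group -> its direct members, which may be users or other groups.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "Developers":    {"alice", "bob"},
    "ops-leads":     {"alice"},
    "Domain Admins": {"ops-leads"},   # nesting: ops-leads sits inside Domain Admins
    "Helpdesk":      {"dana"},
}

GROUP_PERMISSIONS: Dict[str, Set[str]] = {
    "Developers":    {"repo:read", "repo:write", "ci:run"},
    "Domain Admins": {"server:login", "server:sudo", "user:reset_password", "domain:admin"},
    "Helpdesk":      {"ticket:read", "ticket:write", "user:reset_password"},
}

USER_ROLE: Dict[str, str] = {"alice": "developer", "bob": "developer", "dana": "helpdesk"}


def effective_groups(user: str, members: Dict[str, Set[str]] = GROUP_MEMBERS) -> Set[str]:
    """Every group the user belongs to, directly or through nesting (cycle-safe)."""
    seen: Set[str] = set()
    stack = [g for g, m in members.items() if user in m]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        # climb to any group that contains this group
        stack.extend(parent for parent, m in members.items() if g in m)
    return seen


def effective_permissions(user: str) -> Set[str]:
    perms: Set[str] = set()
    for g in effective_groups(user):
        perms |= GROUP_PERMISSIONS.get(g, set())
    return perms


def excess_permissions(user: str) -> Set[str]:
    """Permissions the user holds beyond their role template: the least-privilege gap."""
    return effective_permissions(user) - ROLE_TEMPLATES[USER_ROLE[user]]


def audit() -> Dict[str, List[str]]:
    """Map every user to the sorted list of permissions that should be removed."""
    return {u: sorted(excess_permissions(u)) for u in USER_ROLE}


if __name__ == "__main__":
    for user, extra in audit().items():
        status = "OK" if not extra else f"over-privileged via {sorted(effective_groups(user))}: {extra}"
        print(f"{user}: {status}")
```

In the sample data alice is a developer who was added to `ops-leads`, which in turn sits inside `Domain Admins`; she never sees "Domain Admins" in her own group list, yet the audit reports four admin permissions to strip. Run the same comparison on every provisioning change and on a schedule, since the drift the article describes accumulates as people move between teams.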
Best IAM practices for the modern hybrid workplace
Regardless of whether you’ve implemented a zero-trust environment, there are several best practices that you can follow, each of which should also be something to look for if you’re upgrading from a legacy IAM platform.
Least privilege. As stated above, this is the most significant single thing you can do to strengthen your organization’s IAM security posture. You may have to take away permissions that individual users have accumulated as they’ve moved around and moved up in the company, but the complaints will be worth enduring.
Role-based access controls. Make up a list of which permissions each role should have and use that list as a starting position for the permissions an individual user should be granted.
Regular forced logouts. Each user should have to log on at least once per day, regardless of how long they keep their endpoint running.
Short time-to-live (TTL) for browser session cookies. For web and SaaS applications these should last no longer than a day. For access to especially sensitive assets, a session cookie should last only a few hours.
Proper MFA. Move away from texted and generated temporary one-time passcodes and move toward phishing-resistant biometric factors and hardware tokens. A surprisingly robust incremental step is to simply switch push notifications from a simple yes/no verification to one in which the user has to match a number they see on another device’s screen.
“I’m a very big fan of physical access tokens. … the Touch IDs of the world, Yubikeys of the world, Windows Hello, Face ID, all those sorts of things,” says Mark Dorsi, CISO at Netlify. “It’s the thing that you have versus that thing that you know, and that’s an important distinction when it comes to MFA.”
Passwordless solutions. Not every workplace has the appropriate infrastructure in place, but virtually all users have Android or iOS smartphones capable of using passkeys, the FIDO-standard credentials backed by Apple, Google and Microsoft. Explore whether your company can push passwords to the back burner and have users log in with passkeys instead.
Constant monitoring and constant verification. Users should not be left free to roam about the network, even if they have permissions to do so. Follow where each user goes, keep detailed logs, and challenge users to re-verify themselves when they jump from one area to another — especially if they are highly privileged.
Network segmentation. An open, flat network is not desirable for any but the smallest organizations. Put up barriers and obstacles; segment your network and put up verification gates so that any intruder who gets into the system will face impediments when trying to move around.
Constant user management. You’ll want a system that can smoothly provision new users, track their permissions throughout their tenures with the organization, and then just as smoothly deprovision them when they leave the company. These functions have traditionally been part of identity governance and administration (IGA), but they are being folded into many newer IAM platforms.
Down the road, you may want to consider measures such as just-in-time privileges, which grant elevated permissions only for a short window of time, and zero standing privileges, under which no user, not even an admin, holds permanent access to sensitive areas. And, of course, you’ll want to implement a zero-trust security infrastructure as soon as it’s feasible.
But until then, the above best practices will go a long way to improving your identity security posture.
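The incremental MFA step from the "Proper MFA" item above, as an added example that is not code from the original article or from any vendor named in it: the server side of a push challenge, with the weak yes/no approval next to the number-matching form. The 60-second challenge window, the two-digit number space and the user name are assumptions.

```python
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

CHALLENGE_TTL = timedelta(seconds=60)   # assumed window for the user to respond


class PushChallenges:
    """Server side of a push-based MFA step. Both approval paths are shown so the
    difference is visible; a real deployment keeps only approve_with_number."""

    def __init__(self) -> None:
        self._pending: Dict[str, dict] = {}

    def start(self, user: str, now: datetime) -> Tuple[str, int]:
        """Create a challenge. The number is displayed on the login screen only;
        the push to the phone carries just the challenge id."""
        cid = secrets.token_urlsafe(16)
        number = secrets.randbelow(100)
        self._pending[cid] = {"user": user, "number": number, "issued": now}
        return cid, number

    def _take(self, cid: str, now: datetime) -> Optional[dict]:
        # Single use whatever the outcome: approved, rejected or expired, it is gone.
        rec = self._pending.pop(cid, None)
        if rec is None or now - rec["issued"] > CHALLENGE_TTL:
            return None
        return rec

    def approve_yes_no(self, cid: str, now: datetime) -> Optional[str]:
        """Weak form: any tap on Approve completes the login. An attacker who already
        has the password only needs to keep sending pushes until the user gives in."""
        rec = self._take(cid, now)
        return rec["user"] if rec else None

    def approve_with_number(self, cid: str, entered: int, now: datetime) -> Optional[str]:
        """Number matching: the approver must type the number shown where the login
        was started, which the attacker cannot see. A wrong entry burns the
        challenge, so the 100-value space cannot be guessed through retries."""
        rec = self._take(cid, now)
        if rec is None or rec["number"] != entered:
            return None
        return rec["user"]

    def pending(self) -> int:
        return len(self._pending)


# Constructed clock for the demonstration.
T0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    mfa = PushChallenges()
    cid, shown = mfa.start("alice", T0)
    print("user types the number on screen:", mfa.approve_with_number(cid, shown, T0))   # alice
    cid, shown = mfa.start("alice", T0)
    print("attacker-triggered push, user guesses 42:", mfa.approve_with_number(cid, 42, T0))
```

The guarantee comes from two properties together: the number travels only through the channel the legitimate user is looking at, and the challenge is consumed on the first answer. Without the second property a push-fatigue attacker could simply iterate the hundred values.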