Identity security is one of the most critical areas for IT admins. With identity breaches skyrocketing and the impact of those breaches more significant than ever, protecting an organization’s digital assets has jumped to the top of the priority list.
Unfortunately, the task is easier said than done. In this best practices guide for identity security, we break down the key areas that can help significantly step-up identity security.
Securing identities is a shared responsibility between the organization and the user. We’ll start with the best practices that the IT organization must follow in order to secure identities and then move on to best practices for users.
Identity Security – IT Organization
The IT organization is responsible for a number of the key infrastructure components to set the stage for great identity security. The following items are key to helping promote excellent security with identities:
MFA where possible –
The authentication process historically has been to enter a username and password which is then validated against the user directory. This worked for a long time, but in the current environment, user identities are getting compromised. Those credentials are being used to access confidential digital assets. Perhaps that strongest step that IT organizations can take to prevent an identity security breach is to enable multi-factor authentication wherever possible. This means that users will enter a pin code in addition to their username/password combination. That pin code is either generated on a smartphone or sent via a text message. In either case, the user now must know the password and have access to the pin code. MFA for systems and applications has been a complete game changer and if utilized, it can dramatically reduce the chances of an identity being compromised.
Identity Storage –
Whether you choose an on-prem directory service or a cloud hosted identity provider, securing the identity is critical. For internal systems like Active Directory® and OpenLDAP, you’ll want to make sure that those systems have a number of layers of security in addition to the directory service itself. Specifically, for on-prem, legacy directory services make sure that the system is behind your firewall and has a number of the state of the art intrusion detection systems around it. The identity of course should be secured to the strongest level possible. With Identity-as-a-Service solutions, you’ll want to ensure that the storage of any identities are done with one-way hashing and salting. Encryption is less secure because there is a decryption key available somewhere.
Data Communication –
When identities are shuttled across the Internet and the internal network, you want to make sure that the communication is done securely. There are a number of methods, but encryption via SSL is often utilized. Mutual TLS is a step-up over SSL and generally desired where possible. It is more complicated to implement because each IT resource communicating with the identity provider is required to have a certificate. Often, for on-prem directory services like Active Directory, remote users end up needing to have a VPN to securely communicate with AD. This, of course, is an added layer of complexity but extremely important if you have AD or choose to leverage it. The best Identity-as-a-Service platforms embed the secure communication into their systems without the need for additional VPNs.
Visibility / Event Logging –
Another important step to identity security is knowing who is logging into what within your IT environment. This is especially difficult when your IT resources are all over the cloud, different platforms, providers, and protocols. When you are able to log all of your authentication events, you have the ability to analyze for anomalies and potential breaches.
Another part of the best practice for identity security is training your end users. Virtually all end users have good intentions. They want to keep their identity secure and also protect their organization. But, even with the best intentions, many end users don’t know exactly what to do. Even if they do know what they should do, they often think, “It will never happen to me.” That’s why you must regularly train on both the “what” and the “why” of identity security with your users. IT organizations should administer a regular training session to discuss how to protect their identities.
There are some excellent training videos and documents available. Take a look at this video presentation from JumpCloud co-founder Topher Marie for a quick but thorough primer on identity security training:
Central Control –
A central, authoritative identity provider is critical. IT organizations need to have the ability to centrally control user access across virtually any IT resource including systems, applications, and networks. That central control should extend across a variety of platforms, providers protocols, and locations. The best way to solve this is to find a central directory service that can enable you to control all of the IT resources that you have.
Identity security – End User
The other half of the equation for identity security is to work closely with end users so that they do their part. There are best practices for end users as well. Encourage your users to participate in protecting their identities. Here are some of the key items that they should be doing:
Unique Passwords –
The risk in today’s environment is password reuse. With so many accounts that end users need to have – both professional and personal – it becomes overwhelming for them and the result is that they end up leveraging the same password for many of their accounts.
But before the end user knows it, their focus on keeping their life simple creates a significant issue for IT organizations. Their passwords in use on personal accounts are now the same as their professional ones. Your IT organization may be extremely focused on staying secure, but a compromised consumer site can easily lead to your organization being compromised.
This is an all too familiar scenario and one that has happened to many significant organizations. The best protection against this vector of attack is to encourage your users to leverage unique passwords. Each one of their accounts regardless of whether it is personal or professional should have a unique password. This can be a daunting request for end users, but offer them a solution such as a password manager to help with the problem. Web applications and sites are going to be compromised, but limit the damage to you and your organization by encouraging unique passwords.
Long, Complex Passwords –
Another critical aspect of identity security is ensuring that each password is as unhackable as possible. That process is to have as long of a password as possible. In addition, if you can add complex characters into the mix that only strengthens the password. Long passwords can be difficult to remember, so we would encourage you to teach your end users to build great password by creating sentences or even a combination of words. Or, better yet, have them leverage a password manager that will create long passwords randomly for you and remember them in your vault.
SSH Keys where Possible –
As more of an organization’s server infrastructure moves to the cloud, you’ll want to leverage SSH keys for access. While it would be great for keys to be the only method of access to systems, that’s impractical. However, for critical servers and cloud infrastructure, access should be controlled via SSH keys. You’ll need to spend some time managing the SSH key infrastructure, but strong cloud identity management platforms exist that can manage a user’s public keys. This obviates the need for IT admins to be in the middle of managing end user keys and increases security.
MFA where Possible –
Your end users should enable MFA on any account their can – whether that is personal or professional. It is important to get them comfortable with the concept of using an app for MFA on their smartphone. Also, it will also help secure their personal accounts so that those aren’t compromised as well.
Identity Security is at the Core of IT Security
A few decades ago, there really wasn’t the concept of identity security. Identity and access management platforms really were just user management systems for the network. Primarily this market was captured in the early 2000s by Microsoft Active Directory®. This made a great deal of sense with virtually all end user devices and applications leveraging the Microsoft Windows platform and all of those resources being hosted on-prem or within private data centers. IT organizations could tightly control access and as a result have visibility into any issues with identities.
This all started to change with the advent of the web and the move to the cloud. IT resources started to be more geographically and logically distributed. Third parties now had control over a user’s identity. That same identity was also likely the one that also logs a user into the internal network. Platforms started to shift from Windows to Mac OS X (now macOS) and Linux. The IT infrastructure was no longer homogeneous and easy to control.
This fundamental shift in the IT landscape wasn’t lost on hackers either.
Identity breaches started to be more frequent as the number of attack vectors increased. IT admins were starting to be on the defensive. Their Active Directory-based strategy was causing them to have a number of adjunct solutions creating more complexity, cost, and even greater vulnerability. A comprehensive identity security strategy is needed to protect an organization.
The payoff for a comprehensive, best-in-class approach to identity security is huge. It means that you will reduce the chances of being breached and being the next hacking victim. Besides the fear that vendors place in IT organizations about front page headlines, the truth is that a breach is messy, time consuming, and expensive. It completely derails an IT organization from their priorities and creates an unwanted and unplanned headache.
By employing the methods listed above, IT organizations can dramatically level up their identity management approach and reduce the risk of a breach.
Recap: Best Practices for Identity Security
Identity security is one of the most important tasks that IT admins have on their plate. Identity management solutions are part of the solution, but strong internal practices are critical as well.
If you would like to learn more about the best practices of identity security, drop us a note. Also, feel free to investigate how our Identity-as-a-Service platform can support your identity security.