Lately, we have been focused on the keys for a modern directory service. Over the last four posts, we have talked about critical requirements such as being cloud-based, ubiquitous, and capable of management. The fourth requirement of any directory service in the modern era is security.
As we all know, compromised credentials are the number one attack vector for organizations around the world. There are numerous ways attackers focus on credentials, including vectors such as phishing and brute force attacks. Hackers focus on user credentials because they’re the easiest way into an environment. If attackers can grab a user’s credentials, they can then access an IT asset easily, and take it over. If the attacker obtains administrator credentials, the risks are great. They’ll be able to install software, exfiltrate data, and use that asset as a potential base to go elsewhere in the organization’s network. And that’s all because they were able to compromise credentials.
From a security perspective, a modern identity management system has three core functions:
Ensure the Right People Have the Right Access
Access in well-managed organizations is done on a least-privilege basis. As a result, a directory service needs to support and enforce that model. Ensuring that as employees are terminated their personal access is terminated to all IT resources is a critical function of an identity provider. This functionality needs to be tamper resistant to ensure that a disgruntled employee cannot subvert this control. In addition, a directory should provide for granularity at a level that is appropriate for each organization, thus ensuring that proper access can be provided.
Protect User Credentials
Not only should a directory enforce the access control matrix tightly, it also needs to be secured itself. A secure directory service has multiple layers of protection, including: hashing/salting of user accounts, secure communication between endpoints or applications and the directory, and network security controls including activities such as firewalling, vulnerability scanning, and log file reviews. Protecting user credentials is not only a function of the IT team, but end users as well. Organizations need to encourage employees to use strong passwords that are varied across various sites / tools, and use password managers, if possible.
Detect Compromised Credentials
Of course, even with the most rigorous security programs in place, user credentials can still be compromised. A user may re-use their username/password credentials for their company to another website. That third-party site may be compromised and as a result, the new organization is now vulnerable, too. A critical part of a modern directory service is providing telemetry that can detect when credentials have been compromised. A new age directory will understand where, when, and how users are logging in and what they are doing.
Directory services are the core of any organization. They are effectively a matrix of users and their access to IT resources. A modern user management system needs to help IT admins ensure that the right connections are made between users and IT resource. Those user credentials need to be protected through rigorous security approaches and then consistently monitored for potential compromises. Credentials are the gateway to IT assets and a modern directory service needs to be built around keeping that connection secure.