NEW! Stepping Towards Zero Trust

Identity Access Management, and Why We Use MFA

By Sean Smith

The phrase "Zero Trust" has been trending in the security world for years now. Essentially, a Zero Trust infrastructure would include a network model within the organization that denies access to devices or employees to IT systems unless it is necessary. In a perfect Zero Trust environment, all users, devices, and systems are continuously authenticated, authorized, and validated at every access point, with strict least-privilege controls and monitoring to prevent unauthorized access or data breaches, regardless of their location inside or outside the network. However, in our day and age, individuals need to be able to perform a multitude of tasks quickly to achieve the organization’s goals. This involves employees having varying degrees of access to several applications, websites, and devices to perform their roles properly. Constantly having to verify and authenticate users at every access point is nearly impossible.

Utilizing some principles, like least privilege, we grant the minimum amount of access an employee needs to appropriately fulfill their role. Constant and ongoing verification suggests that there may always be an attacker, either within or outside your network, and that no device or employee should be trusted by default. This is where Multifactor Authentication (MFA) comes in, but we will touch on that topic a little later. These concepts help us get closer to that Zero Trust environment without completely denying employees access to what they need.

Identity Access Management (IAM) is another framework involving the administration and access of accounts within the organization, provisioning and de-provisioning accounts as necessary. Authentication, utilizing passwords and MFA, ensures you are who you say you are. Authorization ensures the correct employees have access to what they need to complete tasks within their respective roles. Of course, auditing those accounts is also essential to ensure no one is over or under-provisioned access.

IT and IS professionals are usually able to give the appropriate amount of access to new hires, ensuring they only receive necessary access. During an employee’s time at an organization, as we know, access begins to grow. For example, if a colleague is out on vacation, someone else may need to perform a critical job function while they're away. No problem—revoke the access later, right? This tends to become a very cumbersome way of handling individual access, leading to IT teams having to constantly review access repeatedly, which usually results in some oversight after enough time passes. IAM is integrated into organizations to help alleviate some of these pain points for IT teams.

This is what threat actors are after: these over-provisioned accounts, so that if they are able to gain access, they can gather as much information as possible about you and the organization for monetary or financial gain. We are currently seeing an uptick in threat actors from around the world attempting to gain access to accounts constantly. I see hundreds, sometimes thousands, of attempts a day. This is why the authentication process is so important. Having a strong password (14-18 characters) that is not easily guessed by others, along with MFA, is essential. Most denied access requests I see revolve around single-factor authentication, usually meaning these threat actors are trying to gain access by only utilizing passwords or PINs. I’m only human, so I too am usually annoyed when I have to open my phone and use an authentication app for the multitude of applications I use daily. But when I see these failed attempts, it honestly gives me a sense of relief—and that is what MFA is for.

Most people recognize that, in no way, do we as security professionals want to completely lock down access to important job functions, even though it would make us sleep easier at night. The point is to utilize some of the concepts from above to ensure we are working our way towards that Zero Trust model. While it may never be perfect, every step taken makes it a little harder to crack, turning our accounts and networks into a fortress rather than an open door.