
Blog | 6-minute Read

The expert’s guide to improving identity and access security

Gareth Hill

Content Manager

Published: 12 March 2024

We asked our industry experts their tips for quick and simple improvements to identity and access security. Here’s what they had to say. 

If you’re in any doubt as to the importance of identity and access security then consider the following:

  • 40% of all attacks in 2023 were identity-based.

  • 156,000 business email compromise (BEC) attacks per day.

  • 4,000 password attacks per second.

[Source: Microsoft Digital Defence Report, 2023]

Identity and access security is not just an important part of your cyber security strategy, it’s the foundation for everything you do.

But it’s not all bad news.

As Microsoft’s Chief Security Advisor, Sarah Armstrong-Smith, said at our recent Security Roadshow, getting the basics right means protecting yourself against over 99% of ALL attacks.

But what does that mean?

We asked three of our leading identity and security experts, Mat Richards (Head of Secure Digital Transformation), Marcus Idle (Head of External Identity), and Dave Guest (Solutions Architect and Technology Evangelist).

Here’s what they had to say.

Stop relying on passwords for authentication

When asked what organisations could do for an identity security ‘quick win,’ the response was unanimous.

Use strong authentication methods and move away from reliance on passwords.

It’s not a new message, but it is one that still needs to be shouted from the rooftops.

Indeed, at Kocho’s recent Identity Roadshow, Microsoft’s Principal Product Manager for Identity, Rohit Gulati, expressed concern that only 40% of Entra ID users had applied multi-factor authentication (MFA).


If I can give you one takeaway from today, it would be: enable MFA.

Rohit Gulati, Principal Product Manager for Identity and Network Access Engineering, Microsoft

Mat Richards echoed this view: “As an absolute minimum, organisations should adopt MFA or passwordless options. Ideally, phishing resistant methods like Windows Hello for Business or a FIDO2 key.”

Head of External Identity, Marcus Idle, agreed. “Phishing attacks lead to password capture which is one of the biggest cyber security risks any organisation can face. By turning on MFA, you can dramatically mitigate this risk.”

Attackers don’t target passwords at this volume and velocity for no reason. A password is a shared secret that can be guessed, reused, phished and replayed, which makes it the weakest point in most sign-in flows.

Of course, like any security policy introduced, its effectiveness will be dependent on how well it’s adopted across the organisation.
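The reason Mat and Marcus single out Windows Hello for Business and FIDO2 keys is that a WebAuthn assertion is bound to the site it was made for, so a credential captured on a lookalike domain is useless at the real one. The following added example (not code from the original post) shows the relying-party checks that enforce that binding, in Python using only the standard library. The relying party name contoso.example, the origins and the assertion bytes are constructed for illustration. Signature verification with the stored public key, which a real relying party performs after these checks pass, is left out so the block runs without a cryptography dependency.

```python
import base64
import hashlib
import json
from dataclasses import dataclass

# Authenticator data flag bits (WebAuthn Level 2, section 6.1).
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


@dataclass
class Assertion:
    """The two signed inputs the browser returns from navigator.credentials.get()."""
    client_data_json: bytes    # JSON: type, challenge, and the origin the browser observed
    authenticator_data: bytes  # rpIdHash (32) || flags (1) || signCount (4) || ...


def make_assertion(origin: str, rp_id: str, challenge: bytes,
                   flags: int = FLAG_USER_PRESENT | FLAG_USER_VERIFIED) -> Assertion:
    """Constructed test data: what a browser and authenticator would emit for this
    origin/rpId. A real authenticator also signs these bytes; no key is involved here."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags])
                 + (1).to_bytes(4, "big"))  # signature counter
    return Assertion(client_data, auth_data)


def check_assertion_binding(assertion: Assertion, expected_challenge: bytes,
                            rp_id: str, allowed_origins: set,
                            require_user_verification: bool = True) -> tuple:
    """Relying-party checks that bind an assertion to this site and this session.

    Returns (ok, reason). These are the clientDataJSON and authenticatorData checks
    from the WebAuthn assertion verification procedure that make FIDO2
    phishing-resistant. The final step, verifying the signature over
    authenticatorData || SHA-256(clientDataJSON) with the credential's stored
    public key, is performed after these pass and is not shown here.
    """
    try:
        client_data = json.loads(assertion.client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    # The challenge binds the assertion to one server-issued session: replays fail here.
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (replayed or stale assertion)"
    # The origin is written by the browser, not the page: a lookalike domain fails here.
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin!r} is not an allowed origin for this RP"
    auth_data = assertion.authenticator_data
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    # The authenticator scopes the credential to the RP ID; another site yields another hash.
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    flags = auth_data[32]
    if not flags & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    if require_user_verification and not flags & FLAG_USER_VERIFIED:
        return False, "user verification required but not performed"
    return True, "bound to this RP, origin and challenge; proceed to signature verification"


def demo() -> dict:
    """A genuine sign-in versus two attacks, all on constructed data."""
    rp_id = "contoso.example"                      # hypothetical relying party
    allowed = {"https://login.contoso.example"}
    challenge = bytes(range(32))                   # would be random per session
    return {
        "genuine": check_assertion_binding(
            make_assertion("https://login.contoso.example", rp_id, challenge),
            challenge, rp_id, allowed),
        # Adversary-in-the-middle phishing page: the browser records the attacker's
        # origin and the authenticator scopes the credential to the attacker's RP ID,
        # even though the attacker relays the genuine challenge.
        "phished": check_assertion_binding(
            make_assertion("https://login.contoso-example.com", "contoso-example.com", challenge),
            challenge, rp_id, allowed),
        # A captured assertion replayed against a later session with a fresh challenge.
        "replayed": check_assertion_binding(
            make_assertion("https://login.contoso.example", rp_id, challenge),
            bytes(range(32, 64)), rp_id, allowed),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Because the authenticator signs authenticatorData together with the hash of clientDataJSON, an attacker who relays a phished assertion cannot rewrite the origin field to the genuine site without breaking the signature, which is why the origin and rpIdHash checks are worth more than any amount of user training against lookalike domains.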


Free Guide

The Complete Guide to Microsoft Entra [New for 2024]

The most comprehensive guide to Microsoft Entra. Over 40 pages. Plus, Microsoft licensing simplified.

Discover how you can:

  • Cut costs by removing 50% management effort
  • Elevate security – reduce breach chances by 45%
  • Automate provisioning to ensure compliance

Take a risk-based approach to MFA application

There’s little debate about how effective MFA can be in providing a protective barrier to unauthorised access.

But only if applied correctly, and when using a reputable solution.

quote icon

A common mistake made by organisations is the application of non-standard authentication methods. This may lead to compatibility issues, user confusion, and weakened security posture.

Marcus Idle, Head of External Identity, Kocho

The prevailing view is that the MFA solution you implement must be credible, compatible, and reliable, and applied in a way that enhances your security without causing unnecessary friction for your users.

Solutions Architect and Technology Evangelist, Dave Guest, offered this advice:

“Don’t overdo it.

If you ask your users for MFA all the time, on everything they do, then you risk fatigue and frustration setting in. This can quickly lead to policies being ignored or abandoned.”

That, in turn, can increase the risk of credential compromise, especially among members of the C-suite, whose accounts are typically high-value and prime targets for credential theft.

“C-suite members are often the most vulnerable people in the business,” Dave added, “particularly when you consider how much information might already be publicly available online or via Companies House.”

Mat highlighted the same weakness: “It’s common for senior directors to switch off MFA on their accounts as they don’t like the friction. Yet these are the most targeted accounts in the business and should really have the strongest protection.”

There simply shouldn’t be gaps in your MFA policy: it should apply across all accounts, with no exceptions for seniority. But you can minimise friction and improve usability considerably by applying it strategically, asking for MFA periodically or when unusual activity is detected, for instance:

  • Multiple failed login attempts

  • A new or unmanaged device asking for access

  • A login attempt from an unfamiliar location


We advise organisations to take a risk-based approach for measuring credentials or sign-ins using tools like Microsoft Entra ID’s Identity Protection.

Mat Richards, Head of Secure Digital Transformation, Kocho

Conditional Access is your digital bouncer

Further reinforcing this idea of risk-based authentication and access, our identity and security experts are united in advocating the use of Conditional Access.

Like a bouncer at the local nightclub, Conditional Access is the enforcer on the door to your digital estate, allowing access only to those who meet the rules.

But instead of checking your dress code, the guest list, or your age, Conditional Access evaluates every access request against a series of prescribed who, what, where, when, and how questions:

  • Who is trying to access?

  • What are they trying to access?

  • Where are they trying to access from?

  • When is the access attempt being made?

  • How are they trying to access?

Meet the conditions and in you come. Anything that doesn’t add up, and the door stays shut.

In an environment where users access resources from many devices and locations, Conditional Access plays a big role in maintaining both security and user experience.

And its importance in maintaining a strong IAM security posture continues to grow.

For instance, it’s a vital component of strong endpoint management and mobile threat defence. And, as Mat pointed out, recent integration with Privileged Identity Management (PIM), together with newly announced Conditional Access capabilities, offers protection against the growing trend of authentication token theft.


Microsoft has very recently announced some new CA capabilities that can also help with authentication token theft.

Mat Richards, Head of Secure Digital Transformation, Kocho
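To make the who, what, where, when and how evaluation concrete, here is an added example (not code from the original post, and not how Entra ID implements Conditional Access) of a small deny-first policy engine in Python. It also covers the risk-based triggers from the MFA section above: failed attempts, a new device and an unfamiliar location step the user up, privileged roles and sensitive applications always step up, legacy clients and high-risk sign-ins are blocked, and a routine sign-in from a known device within the MFA validity window goes through without a prompt. The roles, applications, thresholds and sign-in records are constructed for illustration; in production the same signals come from the Entra sign-in logs and Identity Protection risk levels.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    BLOCK = "block"


@dataclass
class SignIn:
    """One sign-in attempt: the who/what/where/when/how signals a policy engine sees."""
    user: str
    roles: frozenset                 # directory roles held (who)
    app: str                         # target application (what)
    country: str                     # geolocation of the source IP (where)
    at: datetime                     # time of the attempt (when)
    device_id: str                   # device making the request (how)
    device_compliant: bool           # managed and compliant according to MDM
    legacy_client: bool              # e.g. basic-auth IMAP/SMTP, which cannot do MFA
    failed_attempts_last_hour: int
    risk: str                        # identity-protection sign-in risk: none/low/medium/high
    last_mfa_at: Optional[datetime]  # when this user last satisfied MFA on this device


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


@dataclass
class Policy:
    """Hypothetical policy values; tune to the estate."""
    privileged_roles: frozenset = frozenset({"Global Administrator", "Privileged Role Administrator"})
    sensitive_apps: frozenset = frozenset({"Azure Portal", "Finance ERP"})
    mfa_validity: timedelta = timedelta(days=7)   # how long a satisfied MFA is remembered
    failed_attempts_threshold: int = 5


def evaluate(s: SignIn, profile: UserProfile, policy: Policy = Policy()) -> tuple:
    """Deny-first evaluation. Returns (Decision, reasons that drove it).

    Every rule applies to every account: there is no exclusion list for senior
    staff, and privileged roles are stepped up on every sign-in.
    """
    reasons = []
    # How: clients that cannot present a second factor are refused outright.
    if s.legacy_client:
        return Decision.BLOCK, ["legacy authentication client cannot satisfy MFA"]
    # Risk: high-risk sign-ins are blocked, medium-risk ones challenged.
    if s.risk == "high":
        return Decision.BLOCK, ["sign-in risk is high"]
    if s.risk == "medium":
        reasons.append("sign-in risk is medium")
    # Who: privileged roles always step up and must come from a compliant device.
    if s.roles & policy.privileged_roles:
        if not s.device_compliant:
            return Decision.BLOCK, ["privileged role from a non-compliant device"]
        reasons.append("privileged role always requires MFA")
    # What: sensitive applications always step up.
    if s.app in policy.sensitive_apps:
        reasons.append(f"{s.app} is a sensitive application")
    # Where / how / velocity: the 'unusual activity' triggers.
    if s.device_id not in profile.known_devices:
        reasons.append("new device")
    if s.country not in profile.usual_countries:
        reasons.append(f"unfamiliar location {s.country}")
    if s.failed_attempts_last_hour >= policy.failed_attempts_threshold:
        reasons.append(f"{s.failed_attempts_last_hour} failed attempts in the last hour")
    # When: periodic re-authentication rather than a prompt on every request.
    if s.last_mfa_at is None or s.at - s.last_mfa_at > policy.mfa_validity:
        reasons.append("MFA not satisfied within validity window")
    if reasons:
        return Decision.REQUIRE_MFA, reasons
    return Decision.ALLOW, ["known device, usual location, MFA still valid"]


def demo() -> dict:
    """Constructed sign-ins; in production these fields come from the sign-in logs."""
    now = datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc)
    profile = UserProfile(known_devices={"laptop-01"}, usual_countries={"GB"})
    base = dict(user="alice@contoso.example", roles=frozenset(), app="Mail", country="GB", at=now,
                device_id="laptop-01", device_compliant=True, legacy_client=False,
                failed_attempts_last_hour=0, risk="none", last_mfa_at=now - timedelta(days=2))
    cases = {
        "routine": SignIn(**base),
        "new_device_abroad": SignIn(**{**base, "device_id": "unknown-7", "country": "RO"}),
        "mfa_expired": SignIn(**{**base, "last_mfa_at": now - timedelta(days=30)}),
        "privileged_admin": SignIn(**{**base, "user": "admin@contoso.example",
                                      "roles": frozenset({"Global Administrator"})}),
        "legacy_imap": SignIn(**{**base, "legacy_client": True}),
        "high_risk": SignIn(**{**base, "risk": "high"}),
    }
    return {name: evaluate(s, profile)[0] for name, s in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} {decision.value}")
```

The ordering is the point: blocks are decided before any step-up, and the cheap ALLOW at the end is only reachable when every signal is familiar and a recent MFA is on record, which is how a risk-based policy keeps prompts rare without leaving the gaps Mat warns about.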

Good identity governance is too often overlooked

We talk a lot about identity lifecycle governance across our web pages, webinars, and roadshows, and it’s certainly a big topic across the industry. Yet each of our experts was at pains to reinforce the message.

Why?

Because too many organisations still come up short in this most essential area.

“One of the biggest failings we see across organisations is not having good governance controls to manage identity lifecycles,” Mat told us.

Lifecycle governance is what ensures the right people have access to the right resources, for as long as they need it, while mitigating the risk of access abuse.

Now, there’s a wide range of personas who might need access to your digital estate.

Such as:

  • Employees and administrators

  • Third-party partners and collaborators

  • Customers or similar external accounts

All of them present a risk of breach through error, oversight, ignorance, or malice, meaning all require strong yet unobtrusive governance.

“We regularly find organisations having poor governance controls,” Mat added, “As people leave or change roles they end up having access to things they don’t need or shouldn’t have.

This is where Entra ID’s governance controls can help with tools like attestation and Access Packages in Entitlement Management.”

It’s a similar story when it comes to third-parties and customers.

Marcus said “It’s common to find organisations create guest accounts or add users to groups and then forget all about them. It leaves them completely exposed and vulnerable to exploitation.

Something that can be mitigated through Microsoft Entra External ID. This not only makes it easy to apply strong authentication but it simplifies guest ID management. Giving you more control over third-party access.”


We’ve seen cases where organisations have lost millions of pounds to unmanaged guest accounts.

Marcus Idle, Head of External Identity, Kocho

And while we often ‘big-up’ the importance of smooth, swift onboarding of new starters to drive productivity, Dave was keen to remind us of why off-boarding is vital for security.

“It’s amazing how many organisations still slip up when it comes to effective off-boarding,” he told us, “especially when you consider the risk of a disgruntled leaver having access to sensitive data after they’ve left.”

Industry data bears this out. An article in Business Reporter suggested that, of 1,000 people interviewed, 47% admitted accessing company data after they’d left their job. Another report found that a third of all employers had suffered a cyber incident because of negligent off-boarding processes.


Providing user access on day one is important. Removing it on the last day is essential.

Dave Guest, Solutions Architect and Technology Evangelist, Kocho
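As an added example (not code from the original post, and not Entra’s Entitlement Management or access reviews), the following Python reconciles a directory export against the HR system and a department-to-group entitlement map to produce the actions the experts describe: disable and strip leavers, flag guests nobody has used in 90 days, and remove the groups a mover carried over from a previous role, which is the privilege creep discussed below. The accounts, HR records and group names are constructed; in a real run the accounts would come from Microsoft Graph (users with sign-in activity and group membership) and the HR records from the HR system.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Account:
    """Directory account as exported from Entra ID (constructed here)."""
    upn: str
    enabled: bool
    user_type: str                       # "Member" or "Guest"
    groups: set = field(default_factory=set)
    last_sign_in: Optional[date] = None
    created: Optional[date] = None


@dataclass
class HrRecord:
    """Authoritative HR view of a member of staff."""
    status: str                          # "active" or "left"
    department: str
    leave_date: Optional[date] = None


@dataclass
class Finding:
    upn: str
    action: str
    detail: str


def reconcile(accounts, hr, entitlements, today, guest_stale_days=90):
    """Compare the directory against HR and the department-to-group map.

    entitlements: department -> set of groups someone in that department should hold.
    Returns the actions an identity governance process should take, in directory order.
    """
    findings = []
    for acct in accounts:
        if acct.user_type == "Guest":
            # Guests have no HR record; the only signal is whether anyone still uses them.
            last = acct.last_sign_in or acct.created
            if last is None or (today - last).days > guest_stale_days:
                findings.append(Finding(acct.upn, "review_guest",
                                        f"no sign-in for over {guest_stale_days} days"))
            continue
        record = hr.get(acct.upn)
        if record is None:
            findings.append(Finding(acct.upn, "investigate",
                                    "member account with no HR record (orphaned or unregistered service account)"))
            continue
        if record.status == "left":
            # Leaver: the account should already be disabled and hold nothing.
            if acct.enabled:
                findings.append(Finding(acct.upn, "disable_and_revoke",
                                        f"left on {record.leave_date}, account still enabled"))
            if acct.groups:
                findings.append(Finding(acct.upn, "remove_groups", ", ".join(sorted(acct.groups))))
            continue
        # Mover: still employed, but holding groups outside the current department's entitlement.
        expected = entitlements.get(record.department, set())
        excess = acct.groups - expected
        if excess:
            findings.append(Finding(acct.upn, "remove_groups",
                                    f"outside {record.department} entitlement: " + ", ".join(sorted(excess))))
    return findings


def demo() -> dict:
    """Constructed sample data returning upn -> list of actions."""
    today = date(2024, 3, 12)
    entitlements = {
        "Finance": {"Finance-Readers", "Finance-Approvers"},
        "Marketing": {"Marketing-Content"},
        "Sales": {"Sales-CRM"},
    }
    hr = {
        "alice@contoso.example": HrRecord("active", "Finance"),
        "bob@contoso.example": HrRecord("active", "Marketing"),        # moved from Finance
        "carol@contoso.example": HrRecord("left", "Sales", date(2024, 2, 1)),
    }
    accounts = [
        Account("alice@contoso.example", True, "Member", {"Finance-Readers", "Finance-Approvers"}, date(2024, 3, 11)),
        Account("bob@contoso.example", True, "Member", {"Marketing-Content", "Finance-Approvers"}, date(2024, 3, 11)),
        Account("carol@contoso.example", True, "Member", {"Sales-CRM"}, date(2024, 1, 30)),
        Account("dan@contoso.example", True, "Member", {"Sales-CRM"}, date(2024, 3, 10)),
        Account("partner_vendor.example#EXT#@contoso.example", True, "Guest", {"Project-X"}, date(2023, 9, 1)),
        Account("auditor_firm.example#EXT#@contoso.example", True, "Guest", {"Finance-Readers"}, date(2024, 3, 1)),
    ]
    out = {}
    for f in reconcile(accounts, hr, entitlements, today):
        out.setdefault(f.upn, []).append(f.action)
    return out


if __name__ == "__main__":
    for upn, actions in demo().items():
        print(f"{upn}: {', '.join(actions)}")
```

Running this on a schedule, with the actions fed into a ticketing or automation step, turns the “we forgot about that guest” and “she moved teams two years ago” cases into routine findings rather than incidents.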

Beware the insider threat and ‘privilege creep’

As we’ve discussed previously, insider threats account for around 20% of all data breaches. So it’s no surprise that our experts were in full agreement about why it should be taken seriously.

Especially in relation to privilege management, and the persistent threat of ‘privilege creep’: the gradual accumulation of access rights as people change roles and projects, with old permissions rarely removed.

“Excessive privileges are a big risk and one we see a lot,” said Marcus.

Dave agreed, stressing the importance of being vigilant against ‘bad behaviour’.

“We strongly advocate utilising the End User Behaviour Analytics available in Microsoft Entra ID Protection.”

Available in Entra ID P2, it helps organisations better identify insider threats by analysing high-risk user accounts and detecting unusual behaviours.

Dave added his thoughts on why a zero trust mindset goes a long way to mitigating the threat of malicious or accidental insider activity.

Simply put this means:


Verify explicitly

Always authenticate and authorise based on all available data points, including user identity, location, device health, data classification, and anomalies.


Least privilege

Minimise user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection that secures both data and productivity.


Assume breach

Minimise the scope of breach damage and prevent lateral movement by segmenting access via network, user, devices and applications. Verify all sessions are encrypted end to end. Use analytics to get visibility and drive threat detection.

Conclusion: IAM must be at the heart of a unified security strategy

It comes down to having a joined-up approach to security, making sure that every part of your strategy works in unison rather than in silos.

This means managing and provisioning identity and access through Entra ID, using its tools for authentication, Conditional Access, user privileges, and identity protection, while plugging into modern tools for threat intelligence, detection, and response.

That is identity security informed by the trillions of daily signals from Microsoft’s ecosystem, with protection at every touchpoint and across every device through the combined SIEM and XDR capabilities of Microsoft Sentinel and the Defender security suite.

“Modern IT security is complex,” Dave said “We must factor in many devices, users, and connections. And, as assets increasingly leave the network, attackers are targeting identities through phishing and credential theft.”

But as Mat told us, and each of our experts were keen to stress, “This can all be effectively countered through modern security technologies, strategy, and expertise.

And by getting your basics right.”

Key takeaways

  • IAM security should be the foundation for your whole security posture.

  • Getting the basics right can protect against more than 99% of attacks.

  • If you haven’t deployed strong authentication, then do so – NOW.

  • A risk-based approach to MFA avoids fatigue and improves effectiveness.

  • Conditional access is your digital enforcer that keeps your data protected.

  • Strong identity governance is essential for a strong security posture.

  • Remain ever vigilant against privilege creep and insider threats.


Our contributing experts


Mat Richards

Mat has more than 25 years’ experience in security and IT strategy. Coupled with vast knowledge of ever-evolving Microsoft technologies, Mat has been a leading name in professional services over the past 15 years. He now leads a team of consultants and architects, overseeing secure transformation projects that drive efficiency and growth.

Marcus Idle

Marcus Idle brings nearly 30 years of experience as an IT Developer, Architect, and Consultant to his leadership role in External Identity. Passionate about helping organisations improve security, productivity, and user experience, Marcus has played pivotal roles in delivering large-scale external identity projects for major global brands.

Dave Guest

A regular presenter and panellist at technology events, Dave has developed vast knowledge and experience in identity and security over the past 25 years. With in-depth understanding of technologies including Microsoft, Unix, Linux, IBM and others, he’s helped design and implement business-developing solutions for many clients.

 
