We asked our industry experts their tips for quick and simple improvements to identity and access security. Here’s what they had to say.
If you’re in any doubt as to the importance of identity and access security then consider the following:
40% of all attacks in 2023 were identity-based.
156,000 business email compromise (BEC) attacks per day.
4,000 password attacks per second.
[Source: Microsoft Digital Defence Report, 2023]
Identity and access security is not just an important part of your cyber security strategy, it’s the foundation for everything you do.
But it’s not all bad news.
As Microsoft’s Chief Security Advisor, Sarah Armstrong-Smith, said at our recent Security Roadshow, getting the basics right means protecting yourself against over 99% of ALL attacks.
But what does that mean?
We asked three of our leading identity and security experts, Mat Richards (Head of Secure Digital Transformation), Marcus Idle (Head of External Identity), and Dave Guest (Solutions Architect and Technology Evangelist).
Here’s what they had to say.
Stop relying on passwords for authentication
When asked what organisations could do for an identity security ‘quick win,’ the response was unanimous.
Use strong authentication methods and move away from reliance on passwords.
It’s not a new message, but it is one that still needs to be shouted from the rooftops.
Indeed, at Kocho’s recent Identity Roadshow, Microsoft’s Principal Product Manager for Identity, Rohit Gulati, expressed concern that only 40% of Entra ID users had applied multi-factor authentication (MFA).
Mat Richards echoed this view: “As an absolute minimum, organisations should adopt MFA or passwordless options. Ideally, phishing resistant methods like Windows Hello for Business or a FIDO2 key.”
Head of External Identity, Marcus Idle, agreed. “Phishing attacks lead to password capture which is one of the biggest cyber security risks any organisation can face. By turning on MFA, you can dramatically mitigate this risk.”
Attackers aren’t targeting passwords at such extraordinary volume and velocity for no reason. They’re seen as weak spots in security and prone to exploitation.
Of course, like any security policy introduced, its effectiveness will be dependent on how well it’s adopted across the organisation.
Free Guide
The Complete Guide to Microsoft Entra [New for 2024]
The most comprehensive guide to Microsoft Entra. Over 40 pages. Plus, Microsoft licensing simplified.
Discover how you can:
- Cut costs by removing 50% management effort
- Elevate security – reduce breach chances by 45%
- Automate provisioning to ensure compliance
Take a risk-based approach to MFA application
There’s little debate about how effective MFA can be in providing a protective barrier to unauthorised access.
But only if applied correctly, and when using a reputable solution.
The pervading view is that the MFA solution you implement must be credible, compatible, and reliable, and applied in a way that enhances your security without causing unnecessary friction for your users.
Solutions Architect and Technology Evangelist, Dave Guest, offered this advice:
“Don’t overdo it.
If you ask your users for MFA all the time, on everything they do, then you risk fatigue and frustration setting in. This can quickly lead to policies being ignored or abandoned.”
This in turn can increase the risk of credential breach, especially for members of the C-Suite, whose accounts are typically high-value and prime targets for credential theft.
“C-Suite members are often the most vulnerable people in the business,” Dave added. “Particularly when you consider how much information might already be publicly available online or via Companies House.”
Mat highlighted this vulnerability further: “It’s common for senior directors to switch off MFA on their accounts as they don’t like the friction. Yet these are the most targeted accounts in the business and should really have the strongest protection.”
There simply shouldn’t be gaps in your MFA policy; it should apply across all accounts. But you can minimise the friction and improve usability considerably if it is applied strategically, so that you only ask for MFA periodically, or when unusual activity is detected.
For instance:
- Multiple login attempts
- A new device asking for access
- The location of the login attempt
Conditional Access is your digital bouncer
Further reinforcing this idea of risk-based authentication and access, our identity and security experts are united in advocating the use of Conditional Access.
Like a bouncer at the local nightclub, Conditional Access is the enforcer on the door to your digital estate, allowing access only to those who meet the rules and regulations.
But, instead of looking at your dress code, reviewing the guest list, or checking your age, Conditional Access is monitoring access based on a series of prescribed who, what, where, when, and how questions.
- Who is trying to access?
- What are they trying to access?
- Where are they trying to access from?
- When is the access attempt being made?
- How are they trying to access?
Meet the conditions and in you come. Anything that’s not quite right will bring the barrier to entry down.
In an environment where users are looking to access resources from different devices and multiple locations, Conditional Access plays a big role in maintaining both security and user experience.
And its importance in maintaining a strong IAM security posture continues to grow.
For instance, it’s a vital component for strong endpoint management and mobile threat defence. And, as Mat pointed out, recent integration with Privileged Identity Management (PIM) offers protection against the growing trend of token theft.
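The risk-based triggers listed under the MFA advice above (multiple login attempts, a new device, an unusual location) and the who/what/where/when/how questions a Conditional Access policy asks can be shown as one small decision engine. The code below is an added example, not Kocho’s code and not Entra ID’s own policy evaluation; the thresholds, application names, sample user and sign-in attempts are all assumed values constructed for the example. It decides per attempt whether to let the sign-in through quietly, ask for MFA, or block it, and it only re-prompts a trusted device periodically, which is the friction-reducing point the experts make.

```python
"""Risk-based step-up decision for sign-ins (added example, not Kocho's or Microsoft's code).

Decides, per attempt, whether to let a sign-in through, ask for MFA, or block.
Models the article's triggers: repeated login attempts, a new device, an
unfamiliar location, a sensitive resource, and a periodic re-prompt.
All thresholds, app names and sample attempts are assumed values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REPROMPT_INTERVAL = timedelta(days=14)   # assumed: re-ask for MFA on a trusted device this often
FAILURE_WINDOW = timedelta(minutes=15)   # assumed: window for counting failed attempts
FAILURE_LIMIT = 5                        # assumed: failures in the window before blocking
SENSITIVE_APPS = frozenset({"finance-portal", "admin-center"})  # assumed "what" that always needs MFA


@dataclass
class SignIn:
    user: str
    device_id: str
    country: str
    app: str
    at: datetime
    success: bool = True   # did the primary credential check succeed?


@dataclass
class UserHistory:
    """The baseline we already hold for a user: usual devices, places, last MFA per device."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    last_mfa_by_device: dict = field(default_factory=dict)
    failed_attempts: list = field(default_factory=list)


def evaluate(attempt, history):
    """Return ('block' | 'mfa' | 'allow', reasons) for one attempt."""
    # Multiple login attempts: too many recent failures means block, not just MFA.
    window_start = attempt.at - FAILURE_WINDOW
    recent = [t for t in history.failed_attempts if t >= window_start]
    if len(recent) >= FAILURE_LIMIT:
        return "block", ["too many failed attempts"]

    reasons = []
    # How: a device we have never seen; otherwise the periodic re-prompt ("when").
    if attempt.device_id not in history.known_devices:
        reasons.append("new device")
    else:
        last = history.last_mfa_by_device.get(attempt.device_id)
        if last is None or attempt.at - last > REPROMPT_INTERVAL:
            reasons.append("periodic re-authentication")
    # Where: a country outside the user's usual pattern.
    if history.usual_countries and attempt.country not in history.usual_countries:
        reasons.append("unfamiliar location")
    # What: sensitive resources always get MFA.
    if attempt.app in SENSITIVE_APPS:
        reasons.append("sensitive application")
    return ("mfa", reasons) if reasons else ("allow", [])


def record(attempt, history, mfa_passed):
    """Update the baseline once the attempt has resolved."""
    if not attempt.success:
        history.failed_attempts.append(attempt.at)
        return
    history.failed_attempts.clear()
    if mfa_passed:
        # Only an MFA-verified sign-in may teach us a new device or country.
        history.known_devices.add(attempt.device_id)
        history.usual_countries.add(attempt.country)
        history.last_mfa_by_device[attempt.device_id] = attempt.at


def run_scenario():
    """Constructed sequence for one user; returns (decision, reasons) per attempt."""
    t0 = datetime(2024, 3, 4, 9, 0)
    h = UserHistory(known_devices={"laptop-1"}, usual_countries={"GB"},
                    last_mfa_by_device={"laptop-1": t0 - timedelta(days=1)})
    attempts = [
        SignIn("alice", "laptop-1", "GB", "mail", t0),                                # trusted device, quiet path
        SignIn("alice", "phone-9", "GB", "mail", t0 + timedelta(hours=1)),             # new device
        SignIn("alice", "laptop-1", "US", "mail", t0 + timedelta(hours=2)),            # unfamiliar location
        SignIn("alice", "laptop-1", "GB", "finance-portal", t0 + timedelta(hours=3)),  # sensitive app
        SignIn("alice", "laptop-1", "GB", "mail", t0 + timedelta(days=20)),            # periodic re-prompt
    ]
    # Six wrong-password attempts in quick succession: the sixth is blocked.
    attempts += [SignIn("alice", "laptop-1", "GB", "mail",
                        t0 + timedelta(days=21, minutes=i), success=False) for i in range(6)]
    results = []
    for a in attempts:
        decision, reasons = evaluate(a, h)
        results.append((decision, reasons))
        if decision != "block":
            record(a, h, mfa_passed=(decision == "mfa" and a.success))
    return results


if __name__ == "__main__":
    for decision, reasons in run_scenario():
        print(decision, reasons)
```

The trusted laptop is only re-prompted once the assumed fourteen-day interval has passed, while the phone, the overseas sign-in and the finance portal each trigger MFA on their own; a burst of failed attempts blocks rather than prompts, because a prompt at that point would just hand the attacker an MFA-fatigue opportunity.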
Good identity governance is too often overlooked
We talk a lot about identity lifecycle governance across our web pages, webinars, and roadshows. And it’s certainly a big topic across the industry. Yet each of our experts was at pains to reinforce the message.
Why?
Because too many organisations still come up short in this most essential area.
“One of the biggest failings we see across organisations is not having good governance controls to manage identity lifecycles,” Mat told us.
This is the driving tool that ensures the right people have access to the right resources while mitigating the risk of access abuse.
Now, there are a lot of different personas who might need access to your digital estate.
Such as:
- Employees and administrators
- Third-party partners and collaborators
- Customers or similar external accounts
All of whom present a risk of breach through error, oversight, ignorance, or malice, meaning all require strong yet unobtrusive governance.
“We regularly find organisations having poor governance controls,” Mat added, “As people leave or change roles they end up having access to things they don’t need or shouldn’t have.
This is where Entra ID’s governance controls can help with tools like attestation and Access Packages in Entitlement Management.”
It’s a similar story when it comes to third-parties and customers.
Marcus said “It’s common to find organisations create guest accounts or add users to groups and then forget all about them. It leaves them completely exposed and vulnerable to exploitation.
Something that can be mitigated through Microsoft Entra External ID. This not only makes it easy to apply strong authentication but it simplifies guest ID management. Giving you more control over third-party access.”
And while we often ‘big-up’ the importance of smooth, swift onboarding of new starters to drive productivity, Dave was keen to remind us of why off-boarding is vital for security.
“It’s amazing how many organisations still slip up when it comes to effective off-boarding,” he told us. “Especially when you consider the risk of a disgruntled leaver having access to sensitive data after they’ve left.”
It’s an issue that industry data supports. An article in Business Reporter suggested that, of 1000 people interviewed, 47% admitted accessing company data after they’d left their job. Another report found that a third of all employers had suffered a cyber incident because of negligent off-boarding processes.
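The governance gaps described in this section (leavers who keep their access, people who change role and keep the old role’s groups, guest accounts that were created and forgotten) are exactly the things a periodic reconciliation between the directory and the HR record should surface. The code below is an added example, not Kocho’s code and not a feature of Entra ID, Entitlement Management or External ID; the accounts, group names, department-to-group mapping and the 90-day guest threshold are all constructed for the example. It takes a directory export and the HR roster and returns a sorted list of findings a governance team could act on.

```python
"""Identity lifecycle reconciliation (added example, not Kocho's code or an Entra ID feature).

Compares a directory export against the HR record and flags the gaps the
article describes: leavers still enabled or still in groups, people who
changed role but kept the old role's groups, guests nobody has seen in
months, and member accounts HR does not know about. All data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

STALE_GUEST_AFTER = timedelta(days=90)   # assumed threshold for a "forgotten" guest

# Assumed mapping: groups a member of each department is expected to hold.
DEPARTMENT_GROUPS = {
    "finance": {"grp-finance", "grp-all-staff"},
    "engineering": {"grp-engineering", "grp-all-staff"},
}


@dataclass
class Account:
    upn: str
    kind: str                  # "member" or "guest"
    enabled: bool
    groups: frozenset
    last_sign_in: Optional[datetime] = None


@dataclass
class HrRecord:
    upn: str
    department: str
    leave_date: Optional[datetime] = None


def audit(accounts, hr_records, now):
    """Return sorted (upn, finding code, detail) tuples."""
    hr = {r.upn: r for r in hr_records}
    all_dept_groups = set().union(*DEPARTMENT_GROUPS.values())
    findings = []
    for acct in accounts:
        if acct.kind == "guest":
            # Guests have no HR record, so inactivity is the only lifecycle signal we have.
            if acct.last_sign_in is None or now - acct.last_sign_in > STALE_GUEST_AFTER:
                idle = "never" if acct.last_sign_in is None else f"{(now - acct.last_sign_in).days} days"
                findings.append((acct.upn, "STALE_GUEST", f"last sign-in: {idle}"))
            continue

        record = hr.get(acct.upn)
        if record is None:
            findings.append((acct.upn, "NO_HR_RECORD", "member account unknown to HR"))
            continue

        if record.leave_date is not None and record.leave_date <= now:
            # Off-boarding: the account must be disabled AND stripped of memberships.
            if acct.enabled:
                findings.append((acct.upn, "LEAVER_ENABLED", f"left {record.leave_date:%Y-%m-%d}"))
            if acct.groups:
                findings.append((acct.upn, "LEAVER_IN_GROUPS", ", ".join(sorted(acct.groups))))
            continue

        # Role change: groups that belong to another department's expected set.
        expected = DEPARTMENT_GROUPS.get(record.department, set())
        creep = acct.groups & (all_dept_groups - expected)
        if creep:
            findings.append((acct.upn, "PRIVILEGE_CREEP", ", ".join(sorted(creep))))
    return sorted(findings)


def run_sample():
    """Constructed directory export and HR roster; returns the audit findings."""
    now = datetime(2024, 3, 4)
    accounts = [
        Account("bob@example.com", "member", True,
                frozenset({"grp-finance", "grp-engineering", "grp-all-staff"}), now - timedelta(days=1)),
        Account("carol@example.com", "member", True, frozenset({"grp-finance", "grp-all-staff"}), now - timedelta(days=40)),
        Account("dan@example.com", "member", False, frozenset({"grp-all-staff"}), now - timedelta(days=60)),
        Account("erin_partner#EXT#@example.com", "guest", True, frozenset({"grp-project-x"}), datetime(2023, 10, 1)),
        Account("frank_partner#EXT#@example.com", "guest", True, frozenset(), now - timedelta(days=13)),
        Account("grace@example.com", "member", True, frozenset({"grp-all-staff"}), now - timedelta(days=2)),
    ]
    hr = [
        HrRecord("bob@example.com", "engineering"),                        # moved from finance, kept the old group
        HrRecord("carol@example.com", "finance", datetime(2024, 2, 1)),    # left, account never disabled
        HrRecord("dan@example.com", "engineering", datetime(2024, 1, 15)), # disabled but still in a group
    ]
    return audit(accounts, hr, now)


if __name__ == "__main__":
    for upn, code, detail in run_sample():
        print(f"{code:<16} {upn:<32} {detail}")
```

Each finding maps to a concrete clean-up action (disable, remove membership, review or delete the guest, reconcile with HR), which is what makes a report like this useful as the input to an access review rather than just a list of accounts.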
Beware the insider threat and ‘privilege creep’
As we’ve discussed previously, insider threats account for around 20% of all data breaches. So it’s no surprise that our experts were in full agreement about why it should be taken seriously.
Especially in relation to privilege management, and the pervading threat of ‘privilege creep.’
“Excessive privileges are a big risk and one we see a lot,” said Marcus.
Dave agreed, stressing the importance of being vigilant against ‘bad behaviour.’
“We strongly advocate utilising the End User Behaviour Analytics available in Microsoft Entra ID Protection.”
Available in Entra ID P2, it helps organisations better identify insider threats by analysing high-risk user accounts and detecting unusual behaviours.
Dave added his thoughts on why a zero trust mindset goes a long way to mitigating the threat of malicious or accidental insider activity.
Simply put this means:
Conclusion: IAM must be at the heart of a unified security strategy
It comes down to having a joined-up approach to security. Making sure that every part of your strategy is working in unison rather than in silos.
This means managing and provisioning identity and access through Entra ID. Utilising the tools available for authentication, conditional access, user privileges, and identity protection. All while plugging into modern tools for threat intelligence, detection, and response.
This is identity security informed by trillions of daily signals from Microsoft’s vast ecosystem, offering protection at every touchpoint and across every device through the combined SIEM and XDR capabilities of Microsoft Sentinel and the Defender security suite.
“Modern IT security is complex,” Dave said. “We must factor in many devices, users, and connections. And, as assets increasingly leave the network, attackers are targeting identities through phishing and credential theft.”
But as Mat told us, and each of our experts were keen to stress, “This can all be effectively countered through modern security technologies, strategy, and expertise.
And by getting your basics right.”
Key takeaways
IAM security should be the foundation for your whole security posture.
Getting the basics right can protect against more than 99% of attacks.
If you haven’t deployed strong authentication, then do so – NOW.
A risk-based approach to MFA avoids fatigue and improves effectiveness.
Conditional access is your digital enforcer that keeps your data protected.
Strong identity governance is essential for a strong security posture.
Remain ever vigilant against privilege creep and insider threats.