The New Context for User Identity Management

In a world where Digital Transformation – through remote teams, Cloud, and Bring-Your-Own-Device (BYOD) – is increasingly impacting business and people’s lives, new cyber threats are emerging as challenges to organizations. One such threat is theft of user identities, which can be obtained through phishing or Social Engineering attacks, for example. 

According to Verizon Data Breach Investigations Report 2019, 29% of data leaks involved the use of stolen credentials. By using these credentials to access an organization’s environment, the malicious attacker could stay weeks or even months undetected. That is because, although improper (and even illegal), access through the stolen username and password can be considered legitimate, and 56% of these malicious actions took over a month to detect.

Today, we are experiencing a revolution in the device connectivity approach: people working outside the corporate environment, multiplication of connected devices, and migration of data from on-premises to cloud structures. Given this scenario, Gartner estimates that, by 2020, there will be more than 20 billion devices connected.

In this new reality, can you really trust the identity of users or the integrity of these devices?

Considering the traditional models in which devices are connected within the organizations’ environment, security approaches were based on the “Trust, but verify” models. In these models, it was only necessary to protect the environment’s perimeter of trust from external threats. At times, however, traditional protection means such as username and password will not be able to protect the organization’s infrastructure from potential threats, which may be within the perimeter of the environment itself. Thus, considering the aspects of Digital Transformation, this perimeter of trust no longer exists, and as in the case of trust, all actions must be verified, even if something has been requested or performed by some theoretically reliable user.

In this situation, the goal of a Privileged Access Management or PAM solution is to perform centralized access management through the control, storage, segregation, and tracking of all environment access credentials. From the use of this type of solution, one can ensure that the access is actually being performed by a user and that the user is allowed to do so. Thus, Zero Trust-based approaches have emerged not only to ensure that access is granted to verified individuals but also to verify that user actions comply with the organization’s access policies. 

That said, what aspects and features of user identity verification can be associated with Zero Trust?

The first of these features is Single-Sign-On: In Zero Trust, based environments, users can use only one credential (or an identity provider) to authenticate to any application installed in the environment. senhasegura, as a PAM solution, provides single-sign-on access to a range of devices including Windows servers, VMWare, databases, SSH-based devices such as Unix, Linux, routers and switches, and web applications. One can also perform authentication on senhasegura through the user configured in directory services such as Active Directory and LDAP, in addition to GoogleID.

Another important aspect associated with Zero Trust is the multi-factor authentication or MFA. By using it to authenticate or perform actions on senhasegura, one can add an extra layer of protection for the user. In this case, in addition to the username and password, an access token-generated code is required to verify the user’s identity.

As mentioned, just verifying the user’s identity is not enough. Behavior analysis is required through ongoing assessment and monitoring of actions taken in the environment to identify potential non-compliance. In this context, the verification of abnormal accesses, access time, resources used are some of the aspects that should be considered for decision-making regarding access.  It is worth to mention that Zero Trust-based models do not necessarily involve simply allowing or blocking access. Identity, services, applications, data, and systems policies can be set for own employees, third parties and vendors. 

In practice, access policies may allow “always verify” and “always monitor” actions for third party and vendor identities. Thus, the “always verify” policy may require multi-factor authentication, for example, while an “always monitor” policy may require auditing and monitoring of all activities in the environment. Employee classifications can be adaptive, based on the type of data accessed.

senhasegura allows user session analysis based on behavioral history, as well as the identification of suspicious accesses or queries by a range of criteria, such as the number of accesses, unusual time, unknown source, or atypical duration. One can configure a list of commands and suspicious behaviors in the environment according to risk level and, whenever identified, alerted, and consolidated in a graphical dashboard. Thus, the Information Security team can take immediate action if necessary.

The last aspect of Zero Trust-based identity is the principle of least privilege, which is strongly associated with managing user roles. The principle of least privilege states that users should only have the permissions to access data, applications, and general assets that are required for the tasks they perform. Therefore, user access permissions should be well defined and carefully checked. The Information Security team should identify users with improper access and adjust them. By defining and configuring Access Groups on senhasegura, one can segregate roles and configure pre-approved and emergency access or, access from workflows, with single or multiple approvals, without the user having access to the credential’s password.

With the expansion of mobile devices, remote teams and the use of cloud-based solutions, organizations are facing a new reality: the elimination of the security perimeter and the concept of internal and external threats. Misuse of credential privileges can cause considerable damage to organizations. Taking into account the functionality of a PAM solution, it is possible to grant, manage, monitor, revoke and audit access to critical systems through privileged credentials.