Maintaining healthy Access Management Systems after Deployment

With the growing number of applications that are required by users and the secure access to those, it becomes inevitable over time to invest in an Access management solution like Okta, Azure, ForgeRock, among others.

At the time IAM systems are configured they adhere to the initial security roadmap as was defined at the time of implementation. Over time however, they accumulate rules, roles, mappings, users, etc. that may or may not be in line with the current security roadmap. If the access management system is integrated with a Governance system, there are lesser chances of accumulation. In standalone systems they would require timely pruning and audits.

Some of the ways to maintain the health of IAM systems.

1.  Audits: Take at least a yearly audit of the IAM system.

• Applications and environments: Pull reports of all the integrated apps and environments and confirm if all of those are still required and necessary. Usually, defunct systems need to be taken offline as they can as they may be the weakest link for attacks.
• Users: Users who have left the organization or are in a password expired state or in deactivated state can be cleaned out. Sometimes users who have left the organizations still occupy licenses.
• Mappings/Rules:Look at all the mappings or rules that help define how a user is assigned to a group, role, or application and verify if there are sufficient users who get assigned using those rules or can they now be recombined into some of the newer rules that have been created since then.
• Groups: Are all the groups created still relevant? Any groups with no users might be a case for deletion or retrospection.
• Administrators: Find out how many users have superpowers as administrators or even lesser administrator powers and are they needed? This is where usually PAM and Governance systems help streamline privileged access.
• Licenses: Check how many licenses are used to suffice for the remaining year.
• VLDAP / Radius services: If enabled, check for active usage, or disable them.
• Password policies: Ensure that password policies are complex enough if enabled and have not been diluted for exceptions.
• Login Policies:Ensure Login policies that dictate password/less MFA are in line with the security guidelines.
• Identity Providers: If there are Identity Providers configured, enable any checks that validate that users coming in from these connections have the same domain as that of the identity provider.
• Integration with SIEM Logs from the IAM system can be forwarded to SIEM solutions for further analysis. Ensure this feature is enabled.

2. Certificates:  Applications integrated with SAML require certificates for signing and encryption of assertion and in some cases requests and responses as well. If certificates are generated by the organization, then make sure they are renewed at periodic time intervals as mentioned in your security posture.

If certificates are generated by the IAM system, make sure they are periodically updated. This may need an activity to update the new certificates in the corresponding SAML service providers (applications).

Applications integrated with OIDC use a pair of certificates to sign the JWT which is the access and identity token to prove the identity of the sender. The renewal will not require any action on the integrated apps as the public certificate is available at the JWKS endpoint for the IAM provider.  In addition, there are certificates for enabling application communication over the HTTPS. These certificates will usually be provided by the cloud provider for SaaS. For self-hosted applications they will be generated by the organization either using some internal or external certificate authority.

3. Directory integrations: Usually IAM systems are connected to AD or other HRMS systems in absence of a Governance/ Provisioning engine. For these connections either a dedicated connector is available from the IAM system or some custom mechanisms are used. For out of box connectors make sure the versions are the latest or plan to upgrade the connectors if IAM systems do not automatically upgrade them.

4. Passwordless and MFA: Recent advancements in Passwordless and MFA have made available the latest and best phishing proofed mechanisms for login into application. Plan to migrate to these. Some of the older mechanisms like knowledge based secret Q are outdated in this age of AI.

5.  API Integrations: For APIs the authorization engine will add effective scopes to tokens. Make sure the scopes are still relevant.

6.  Latest Updates: Familiarize with the latest features of your IAM product. Since deployment many new features must be added and those could be explored for additional security enhancements.

Along with these general guidelines there may be more product specific ones. Be sure to check with your vendor for those.
As a part of our cybersecurity support practices these audits are a yearly activity which are made available for our clients on demand basis.

To know about our cybersecurity solutions, please visit: https://www.gavstech.com/service/security-services/