It’s no shock to most organizations that identity provides the keys to the kingdom when it comes to data systems, sensitive information, and everything else that needs proper defenses in place.
Recent news stories have brought the question of monitoring and control of cloud-based identity and access management platforms (CIAM) into sharp relief. With the news that both LastPass and Okta had recent security incidents, many customers of not only those products but many other CIAM platforms have been asking how they can continue to keep the organization safe – while still allowing for the flexibility that users need.
Okta’s case was a very near-miss situation. While some source code was stolen, Okta has disclosed that the materials taken from them will not give an attacker the ability to directly impact any customers. This is good news for the current situation but highlights why control over CIAM systems and their operations is definitely critical for any business.
The issue is that, when these systems are operating correctly, they can become nearly invisible. Users with appropriate credentials, MFA tokens, and no anomalous behavior are allowed in – while anyone without one or more of those objects is denied access.
However, what about the keys to those keys to the kingdom?
When an administrator makes changes to users, MFA requirements, groups, access, etc., knowing if that operation was authentic and authorized or not can pose a significant challenge to cybersecurity staff. After all, if the user successfully authenticates as an administrator, the CIAM will allow them to make sweeping and broad changes to the organization’s users and policies. Had the recent events at Okta been more significant and allowed an attacker to access the system as an administrator, this very situation may have been the result.
Because of this, administrative action within CIAM platforms must be closely monitored, and all activity – anomalous or not – must be audited regularly. This solves some problems with the security of CIAM operations, but not all of them. Auditing may only happen weekly, monthly, or more infrequently. Critical changes, such as the removal of MFA from privileged accounts, may not be discovered until well after any damage has been done. Therefore, it becomes critical to ensure that any administrative activity in these platforms generates alerts for proper checks and balances. Was MFA removed from an account unexpectedly? Alerting can allow operations to confirm that the change was warranted and valid. Did someone create a new user or group within the CIAM? Alerting should trigger a review of why that user or group was created without going through the appropriate process so that the organization was expecting the change to be made.
Monitoring and alerting on administrative activity can be challenging. Not all CIAM solutions offer the same reporting on these changes, and not every SIEM comes with out-of-the-box correlation rules to alert the organization when unexpected administrative CIAM actions occur. If the next incident with a CIAM were to lead to the ability to perform unauthorized administrative changes, the organization must be sure that those changes will trigger the necessary alerts to contain and control the situation.
Cymulate supports the testing of these detection rules within the SIEM for many CIAM platforms, including AWS IAM, AzureAD, and yes even Okta. These simulations can create, manipulate, and delete users, groups, and functionality like MFA restrictions. By running these simulations on a regular basis, an organization can confirm that each time an unexpected administrative change is made, the SIEM and those monitoring it are alerted quickly, and accurately. If the alert process is not occurring as expected, then corrective action can be taken quickly and the simulation re-run to confirm that the remediation solved the problem.
The Advanced Scenarios module within Cymulate has not only pre-built example templates for running these simulations, but also individual executions that assist in customizing templates to fit specific environments. This is important, as CIAM platforms, SIEM solutions, and SOC operations can change over time – requiring a toolset that can also change and adapt to the environments where it is needed most.
Cloud-based identity and access management have become a standard methodology for ensuring that the right users have access to the right systems at the right time. Because of this, those platforms must be run with a heightened accountability level – and all monitoring systems that keep watch over them must also know what to look for. Regular, automatable testing of the entire environment for proper detection of events and alerting of anomalies is a critical component of ensuring that nothing falls through the cracks.