How can IAM improve an organization's cybersecurity?

Most organizations do not adhere to the true principle of least privilege. Most human and vendor identities in your environment are massively over permissioned. For your human identities, start by analyzing permissions and access granted vs used and continuously calibrate towards least privilege. For your vendors identities, analyze permissions granted vs used and have the candid conversation with your vendors on why they require X permission. Like human identities, most vendor identities are massively over permissioned, creating unnecessary risk. Unobstructed runtime visibility across your identity control plane is required to baseline access and behaviour. From your baseline, incrementally tune down

The principle of least privilege is one of the most important preventive measures that will improve an organization's cybersecurity standing. Here are the 2 main reasons: 1. you will be able to control what a user can do. The more access, the more damage a user can do intentionally or by mistake. 2. you will limit the options an attacker has if the user account is compromised. IAM is the main instrument for implementing the least privilege principle. It enables the definition of access policies and roles.

In 2024 there should be no authentication without MFA mechanisms. Compromising user accounts is one of the most important attack vectors and weak/reused passwords are the biggest culprit. MFA significantly reduces the risk of compromising user accounts (even if weak or reused passwords are used).

In addition to implementing MFA, which done in isolation is rarely the final solution, a periodic access review process is required. There are times when enabling MFA is not an option (service accounts), so knowing the lifespan and permissions for each identity within your organization is important.

Monitoring users has a bad reputation (people don't like to be supervised). But monitoring is more than checking what websites are visited and when. Monitoring user activities will allow you to detect scenarios like this one: you get an authentication attempt using the credentials of a user who currently is in the office. That is not something that should happen and is an indicator of a compromised user account.

Most security teams lack visibility into attacks wagered against the identity control plane. Logs and events from your cloud identity provider need to be correlated with logins and activity in other cloud environments. Activity in one environment may not appear suspicious at first glance, but by multi-threading other activity is could present a malicious event. IAM and Security Teams must bridge the visibility divide between the IdP and other environments as threat actors are exploiting these blind spots. Most apply impossible travel rules, but this is insufficient threat detection for the modern threat actor that is increasingly targeting the identity layer of cloud

The absolute basics - enforcing password policies, training users, limiting use cases of shared accounts. Consider endpoints an extension of IAM and limit the endpoints that an account can be used - not just which ones, but how many. Extend asset inventory practices to IAM. Be able to easily identify owners of accounts - teams, not just individuals. Individuals move and leave. Track ownership of policy exceptions and decisions. Treat EVERYTHING as a physical asset.