Privileged Identity Management (PIM) is an essential security practice for businesses using the cloud. It focuses on securing and managing privileged accounts and access rights within an organisation. In this blog post, we will explore the importance of PIM for businesses, particularly those using the cloud, and why every business should consider implementing it as part of their comprehensive cybersecurity strategy.
What is PIM?
PIM refers to the processes, policies, and technologies used to manage and secure privileged accounts and access rights within an organisation. Cybercriminals target privileged accounts because one compromised administrator can reach sensitive information and systems that ordinary user accounts cannot. PIM reduces that exposure by putting these accounts under a single point of control: identifying which accounts and roles are privileged, granting elevated rights just-in-time and for a limited period rather than permanently, requiring approval or a fresh MFA challenge to activate them, and monitoring and auditing what privileged accounts actually do.
Importance of PIM for Businesses
Privileged accounts are a prime target for cybercriminals, and a breach can result in severe consequences, including data theft, business disruption, and reputational damage. PIM is essential for businesses because it helps to mitigate the risks associated with privileged accounts. By implementing PIM, businesses can control who has privileged access and for how long, monitor privileged sessions, detect and respond to suspicious behaviour, and reduce the impact of a breach if one occurs, since a stolen account holds no standing admin rights to abuse.
Why Every Business Using the Cloud Needs PIM
Cloud computing has transformed the way businesses operate, providing flexibility, scalability, and cost savings. However, the cloud also presents new security challenges, particularly when it comes to privileged accounts. Cloud environments typically have many privileged accounts that can access critical resources, making them attractive targets for cybercriminals. PIM is especially important for businesses using the cloud because it provides a central solution for managing and securing privileged accounts across all cloud services and platforms. With PIM, businesses can identify and manage privileged accounts, enforce access controls, and monitor activity. Implementing PIM in the cloud can also help businesses to meet compliance requirements.
Conclusion
PIM is a critical component of a comprehensive cybersecurity strategy, particularly for businesses using cloud computing. By implementing PIM, businesses can manage and secure privileged accounts, control access to critical resources, and monitor privileged activity. PIM can help to reduce the risk and mitigate the impact of a breach if one occurs. Every business using the cloud should consider implementing PIM as part of their cybersecurity strategy to protect against the growing threat of account breaches.
It’s time to let go of the view that multi-factor authentication (MFA) on its own provides enough security.
Attackers have the means to steal passwords, hijack users’ sign-in sessions and ride through the authentication process on the victim’s behalf, even when MFA is enabled. Adversary-in-the-middle (AiTM) attacks are nothing new, but how routinely criminals now use them to defeat MFA is.
What’s new?
Attackers can now intercept the legitimate session cookie issued by the real website, along with the authentication token. Because the victim completes the MFA prompt against the real site, the cookie the attacker captures has already satisfied MFA and can be replayed from anywhere.
The sophistication of these modern AiTM attacks has been highlighted by Microsoft, who explain how AiTM phishing attacks work.
In simple terms:
- An attacker sends a cleverly crafted email (phishing attack) which looks legitimate and contains a link
- An unsuspecting user clicks on this link, which takes them to the attacker’s ‘spoof’ website
- The attacker’s website silently and transparently forwards the request on to the real site (Office 365, Google etc.) for authentication
- The user sees the real website’s sign-in pages and enters their credentials, then completes the MFA prompt, which is proxied in exactly the same way
- The attacker silently intercepts the password, the MFA response and, crucially, the session cookie the real site issues once MFA has succeeded
Cookie theft
Ever wondered how you can launch Edge or Chrome and navigate to your Office 365 email without being prompted for authentication? Or launch Outlook or Teams without being prompted for authentication?
This is because you have already authenticated once and have a safely stored session cookie which is valid for a set number of days. This cookie is what the attacker is after: once they have it, they can load it into their own browser and get easy, instant access to your email or Teams account, with no password prompt and no MFA challenge, because the service regards the session as already verified.
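One practical consequence of cookie theft is that the replayed session shows up in the sign-in logs as a sign-in whose MFA requirement was "satisfied by claim" from an IP address the user has never used. The following is an added detection example written for this post, not code from the original article or from Microsoft. It runs over constructed, simplified sign-in events (field names are stand-ins for the Azure AD sign-in log; the sample data is invented) and flags any session that was established with interactive MFA from one IP and then reused, without a fresh MFA prompt, from a different IP within a day. A user-agent change alone is deliberately not flagged, because Outlook, Teams and the browser legitimately share one session on the same machine.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real tenant data). Field names are
# simplified stand-ins for the Azure AD / Entra ID sign-in log: "mfa" is
# "interactive" when the user answered an MFA prompt and "claim" when the MFA
# requirement was satisfied by an existing token or session cookie.
SAMPLE_LOG = """\
{"time": "2024-03-04T09:00:12Z", "user": "alice@example.com", "sessionId": "s-1a2b", "ip": "203.0.113.10", "userAgent": "Edge/122 Windows", "mfa": "interactive", "result": "success"}
{"time": "2024-03-04T09:03:47Z", "user": "alice@example.com", "sessionId": "s-1a2b", "ip": "198.51.100.77", "userAgent": "Chrome/120 Linux", "mfa": "claim", "result": "success"}
{"time": "2024-03-04T09:30:05Z", "user": "alice@example.com", "sessionId": "s-1a2b", "ip": "203.0.113.10", "userAgent": "Edge/122 Windows", "mfa": "claim", "result": "success"}
{"time": "2024-03-04T10:15:00Z", "user": "bob@example.com", "sessionId": "s-9f8e", "ip": "203.0.113.22", "userAgent": "Outlook/16 Windows", "mfa": "interactive", "result": "success"}
{"time": "2024-03-04T10:16:30Z", "user": "bob@example.com", "sessionId": "s-9f8e", "ip": "203.0.113.22", "userAgent": "Teams/1.6 Windows", "mfa": "claim", "result": "success"}
{"time": "2024-03-04T11:00:00Z", "user": "carol@example.com", "sessionId": "s-77cc", "ip": "192.0.2.5", "userAgent": "Edge/122 Windows", "mfa": "interactive", "result": "failure"}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON events, converting the timestamp to a datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # fromisoformat() only accepts a trailing "Z" from Python 3.11 onwards
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def find_token_replay(events, window=timedelta(hours=24)):
    """Flag claim-based sign-ins that reuse a session from a different IP address
    than the one that completed interactive MFA, within `window` of that MFA.

    A user-agent change on its own is not flagged: Outlook, Teams and the browser
    legitimately share one session from the same machine.
    """
    anchors = {}  # sessionId -> the successful interactive-MFA sign-in
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "success":
            continue
        sid = ev["sessionId"]
        if ev["mfa"] == "interactive":
            anchors[sid] = ev
            continue
        anchor = anchors.get(sid)
        if anchor is None:
            continue  # session started outside this log window; nothing to compare
        elapsed = ev["time"] - anchor["time"]
        if ev["ip"] != anchor["ip"] and elapsed <= window:
            alerts.append({
                "user": ev["user"],
                "sessionId": sid,
                "mfa_ip": anchor["ip"],
                "mfa_userAgent": anchor["userAgent"],
                "suspect_ip": ev["ip"],
                "suspect_userAgent": ev["userAgent"],
                "minutes_after_mfa": int(elapsed.total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the sample data only Alice’s session is flagged: it was established with MFA from 203.0.113.10 and reused three minutes later from 198.51.100.77 on a different browser. Bob’s session is not flagged, because the second client is on the same machine. In a real tenant the same logic would be applied to the exported sign-in log with IP reputation or ASN data in place of a plain string comparison, and a hit should trigger revocation of the user’s refresh tokens and sessions, since a stolen cookie stays valid until it expires or is revoked.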
Build multiple layers of protection
A multi-layered approach to security is the key. Relying on a single security mechanism such as MFA is like putting all your eggs in one basket. You need to reduce the possibility of security compromise by adding more control layers.
- Enable MFA if you haven’t done so already. Without this, it’s like having a toy padlock on your front door.
- Raise awareness. This remains an essential step. Educate users on how to spot phishing emails and when they should and shouldn’t enter their credentials. Bear in mind that in an AiTM attack the page content is the real sign-in page, so the only visible tell is the address bar: train users to check the domain before entering credentials, and tell them that an unexpected MFA prompt after clicking an email link is a reason to stop, not to approve.
- Implement advanced email filtering. Reduce the chance of attacker emails reaching users’ mailboxes by deploying Content Filtering, Sender Filtering and Safe Links. These are must-haves.
- Implement a Web Proxy. These may usually be considered a mechanism to stop people accessing Facebook or eBay during working hours, but when combined with deep TLS (SSL) inspection, a Web Proxy can inspect all traffic leaving the organisation and block known suspicious or malicious content and sites, including newly registered look-alike domains used as AiTM proxies.
- Implement EDR. Next generation anti-virus/anti-malware technologies with an Endpoint Detection and Response (EDR) service overlay can detect threats on endpoints and respond to them appropriately, automatically, and ideally with human interaction when required.
- Implement Microsoft Conditional Access (or, on tenants without it, Security Defaults). Conditional Access policies allow IT admins to set conditions that a sign-in must meet before it is accepted. This could include enforcing MFA when logging into any Azure AD integrated cloud app, including Office 365, blocking sign-ins from untrusted locations, or requiring a managed, compliant device. The device condition is the one that matters most against AiTM: the device check is completed between the user’s device and Microsoft directly rather than through the attacker’s proxy, so the proxied sign-in fails before a usable session cookie is ever issued. Where possible, also move to phishing-resistant MFA (FIDO2 security keys or Windows Hello for Business), which binds the credential to the real site’s domain and cannot be relayed by a proxy.
- Implement Least Privilege. If an attacker manages to penetrate all these layers you can still limit the damage done. If the end user does not have local admin rights, then there’s a good chance that the attacker will not have these when they compromise that machine. Another, possibly even more important, step is admin account separation: day-to-day accounts should hold no admin roles at all, and administrators should use a separate account for privileged work, so that a stolen everyday session cannot be turned into control of the tenant.
None of these controls are particularly new. They are in essence good practice and should be implemented as a base standard in IT estates of all sizes. The majority cost little or nothing to implement beyond the time to configure them.