
Falcon Shield
Use Case Series: Identity and Access Management Governance
Every SaaS application user and every login is a potential threat. Whether the actor is an external attacker or a disgruntled former colleague, identity management and access control are essential to prevent unauthorized access to company data and systems.
With thousands or tens of thousands of users and hundreds or thousands of different applications in an enterprise, ensuring that each entry point and user privilege is secure is no easy task. Security teams must monitor all identities to ensure that user activity complies with the organization's security guidelines.
Identity and Access Management (IAM) solutions manage user identities and control access to corporate resources and applications. Identity has become the new perimeter, so it's essential that security teams ensure they have control over this space.
Gartner has dubbed this new set of security controls "Identity Threat Detection and Response (ITDR)," which incorporates detection mechanisms that investigate suspicious posture changes and activity to respond to attacks and restore the integrity of the identity infrastructure.
ITDR, combined with a strong SaaS security IAM governance methodology and the best practices found in SaaS Security Posture Management (SSPM), gives security teams continuous, integrated visibility into user accounts, permissions, and privileged activity across their SaaS deployments, including:
- Seeing who is accessing what, when, and with what privilege level
- Forensics on user actions, with a focus on privileged users
- Continuous, automatic visibility into permissions and integrations
- Optimizing permissions by removing unnecessary or unwanted access rights
Relevant to CISOs, IT professionals, and members of governance, risk, and compliance (GRC) teams, this article discusses the role of identity and access management governance as part of an enterprise SaaS security program.
What is IAM Governance?
IAM governance constantly monitors an organization's SaaS security posture and access control implementation, enabling security teams to address issues as they arise.
Key prevention areas where SSPM can manage identity and access management governance include (1) misconfigurations, (2) vulnerabilities, and (3) data leakage.
Misconfigurations
IAM controls must be configured correctly and kept that way, and IAM configurations should be monitored for suspicious changes so that when a configuration issue arises, the proper procedures are followed to investigate and remediate it.
For example, a company may have enabled MFA across the organization without actually requiring it of every user. Such gaps between policy and enforcement put the company at risk, and SSPM can alert security teams to them.
Vulnerabilities
SSPM solutions can address vulnerabilities that exist, and are often exploited, within the identity infrastructure, including the devices of SaaS users, through patching and compensating controls. For example, privileged CRM users pose a high risk to the company if their devices are vulnerable. To remediate threats that originate from devices, security teams must map SaaS users and their permissions to the hygiene of the devices they log in from. Such end-to-end coverage enables a holistic zero-trust approach to SaaS security.
Significant vulnerabilities also stem from authentication protocols, in particular legacy protocols such as IMAP, POP, SMTP, and Messaging API (MAPI), which accept only single-factor (username and password) authentication and therefore cannot be protected by MFA. SSPM can show where these protocols are still in use across your SaaS deployments.
Data leakage
SSPM helps reduce the attack surface by identifying and mitigating leaks, for example by removing unnecessary or excessive privileges, or by flagging external administrators on business-critical applications (see Figure 1).

Figure 1. Falcon Shield security check for external administrators
Additionally, access granted to third-party applications, also known as cross-SaaS access, can leave organizations vulnerable. Users connect one application to another to gain extra functionality or to share user information (contacts, files, calendar, etc.). Because these connections streamline workflows, employee workspaces end up connected to many different applications. Yet security teams often don't know which applications are connected to the organization's ecosystem, so they can't monitor or mitigate the resulting threats.
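The four posture checks described in this section (MFA enabled but not enforced, legacy single-factor protocols still in use, external administrators, and unknown cross-SaaS OAuth grants) can be expressed as simple rules over a tenant's user and app inventory. The following is an added example written for this article; it is not Falcon Shield code and does not use any vendor API. The corporate domain, role names, scope names, and the sample tenant are all constructed for illustration.

```python
"""SSPM-style IAM posture checks over a constructed SaaS tenant inventory.

Added example, not vendor code. All names below are assumptions for illustration.
"""
from dataclasses import dataclass, field

CORP_DOMAIN = "example.com"                         # assumed corporate domain
ADMIN_ROLES = {"super_admin", "org_admin"}          # assumed privileged role names
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP AUTH", "MAPI"}   # single-factor only
HIGH_RISK_SCOPES = {"files.readwrite", "mail.readwrite", "offline_access"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class User:
    email: str
    roles: set[str]
    mfa_enrolled: bool
    signin_protocols: set[str] = field(default_factory=set)  # from sign-in logs

    @property
    def is_admin(self) -> bool:
        return bool(self.roles & ADMIN_ROLES)


@dataclass
class Tenant:
    mfa_available: bool                  # MFA feature switched on for the tenant
    mfa_enforced: bool                   # every user is forced to enrol and use it
    users: list[User]
    connected_apps: dict[str, set[str]]  # OAuth app name -> granted scopes
    approved_apps: set[str]              # apps reviewed and approved by security


def finding(check: str, subject: str, severity: str, detail: str) -> dict:
    return {"check": check, "subject": subject, "severity": severity, "detail": detail}


def check_mfa_gap(t: Tenant) -> list[dict]:
    """MFA switched on but not enforced: every non-enrolled user is a policy gap."""
    if not t.mfa_available:
        return [finding("mfa_disabled", "tenant", "critical", "MFA is not enabled")]
    if t.mfa_enforced:
        return []
    return [finding("mfa_not_enforced", u.email, "critical" if u.is_admin else "high",
                    "MFA enabled for the tenant but this user never enrolled")
            for u in t.users if not u.mfa_enrolled]


def check_legacy_auth(t: Tenant) -> list[dict]:
    """Users whose sign-in logs show protocols that only accept a password."""
    out = []
    for u in t.users:
        legacy = sorted(u.signin_protocols & LEGACY_PROTOCOLS)
        if legacy:
            out.append(finding("legacy_auth", u.email, "critical" if u.is_admin else "high",
                               "single-factor protocols in use: " + ", ".join(legacy)))
    return out


def check_external_admins(t: Tenant) -> list[dict]:
    """Privileged roles held by accounts outside the corporate domain."""
    return [finding("external_admin", u.email, "critical",
                    "admin role held by an account outside " + CORP_DOMAIN)
            for u in t.users
            if u.is_admin and u.email.rsplit("@", 1)[-1].lower() != CORP_DOMAIN]


def check_unapproved_apps(t: Tenant) -> list[dict]:
    """Cross-SaaS OAuth grants that security never reviewed; write/offline scopes rank higher."""
    out = []
    for app, scopes in t.connected_apps.items():
        if app not in t.approved_apps:
            risky = sorted(scopes & HIGH_RISK_SCOPES)
            out.append(finding("unapproved_app", app, "high" if risky else "medium",
                               "unreviewed app with scopes: " + ", ".join(sorted(scopes))))
    return out


def run_posture_checks(t: Tenant) -> list[dict]:
    """Run every check and return findings ordered by severity, then subject."""
    findings = (check_mfa_gap(t) + check_legacy_auth(t)
                + check_external_admins(t) + check_unapproved_apps(t))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["subject"]))


# Constructed sample tenant (not real data): MFA is on but optional, one user still
# reads mail over IMAP, a partner account holds an admin role, and one OAuth app
# with write and offline scopes was never approved.
SAMPLE_TENANT = Tenant(
    mfa_available=True,
    mfa_enforced=False,
    users=[
        User("alice@example.com", {"super_admin"}, True, {"HTTPS"}),
        User("bob@example.com", set(), False, {"IMAP", "HTTPS"}),
        User("consultant@partner.io", {"org_admin"}, False, {"HTTPS"}),
    ],
    connected_apps={
        "calendar-sync": {"calendar.read"},
        "shadow-crm-bridge": {"files.readwrite", "offline_access"},
    },
    approved_apps={"calendar-sync"},
)

if __name__ == "__main__":
    for f in run_posture_checks(SAMPLE_TENANT):
        print(f"[{f['severity']:8}] {f['check']:18} {f['subject']:24} {f['detail']}")
```

In a real deployment the `Tenant` object would be populated from the SaaS platform's user directory, sign-in logs, and OAuth consent inventory, and each finding would be routed to the owner of the application; the rules themselves stay this simple.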
Summary
IAM is a methodology for enforcing access control; SSPM's IAM Governance adds continuous monitoring of that access, so security teams retain full visibility and control over what is happening within their domain.
Inquiry/Document request
Macnica Falcon Shield
- TEL:045-476-2010
- E-mail:crowdstrike_info@macnica.co.jp
Weekdays: 9:00-17:00