<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Josh Karnes, Author at OneLogin Identity Management Blog</title>
	<atom:link href="https://www.onelogin.com/blog/author/josh-karnes/feed" rel="self" type="application/rss+xml" />
	<link></link>
	<description>Best Practices &#38; Advice</description>
	<lastBuildDate>Mon, 27 Nov 2023 14:42:11 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.4.3</generator>
	<item>
		<title>Strengthening Cyber Defenses: The Crucial Role of PAM and IGA Solutions</title>
		<link>https://www.onelogin.com/blog/strengthening-cyber-defenses-the-crucial-role-of-pam-and-iga-solutions</link>
		
		<dc:creator><![CDATA[Josh Karnes]]></dc:creator>
		<pubDate>Mon, 27 Nov 2023 14:42:11 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1428</guid>

					<description><![CDATA[<p>We recently published a blog titled Defending Your Organization Against Session Cookie Replay Attacks. This blog thoroughly examined the menace of session cookie replay attacks, shedding light on the potential risks and consequences they pose to online security. The post delved into the intricacies of session cookie replay attacks, detailing their working mechanisms and the [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/strengthening-cyber-defenses-the-crucial-role-of-pam-and-iga-solutions">Strengthening Cyber Defenses: The Crucial Role of PAM and IGA Solutions</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img fetchpriority="high" decoding="async" class="alignnone size-full wp-image-1429" src="https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-vol2-PG-85707-03.png" alt="Strengthening Cyber Defenses: The Crucial Role of PAM and IGA Solutions" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-vol2-PG-85707-03.png 1100w, https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-vol2-PG-85707-03-300x136.png 300w, https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-vol2-PG-85707-03-1024x465.png 1024w, https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-vol2-PG-85707-03-768x349.png 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<p>We recently published a blog titled <a href="https://www.onelogin.com/blog/defending-your-organization-against-session-cookie-replay-attacks" rel="noopener noreferrer"><em>Defending Your Organization Against Session Cookie Replay Attacks</em></a>. This blog thoroughly examined the menace of session cookie replay attacks, shedding light on the potential risks and consequences they pose to online security. The post delved into the intricacies of session cookie replay attacks, detailing their working mechanisms and the extensive damage they can inflict and emphasizing the imperative need to comprehend and fortify against such threats.</p>
<p>As a quick recap, session cookie replay attacks involve the malicious use of stored session cookies, typically acquired through malware, Man-in-the-Middle attacks or the compromise of support systems, to impersonate a user on a targeted website. The repercussions range from hijacking user accounts to compromising sensitive data and even potentially taking over an entire access management system.</p>
<p>Given the continuously evolving cyber threat landscape, the urgency to establish robust defense strategies against session cookie replay attacks and other sophisticated security breaches has escalated. It is clear that fortifying cybersecurity defenses for these evolving threats cannot be accomplished fully with access management solutions alone. Organizations should adopt a multi-layered approach that also includes the advanced capabilities found in Privileged Access Management (PAM) and Identity Governance and Administration (IGA) solutions. This blog further explores this integrated approach to countering session cookie replay attacks and similar threats.</p>
<h3 id="mcetoc_1hfpd2fcl0"><strong>Defending against session cookie attacks by integrating access management, PAM and IGA using the Unified Identity Platform</strong></h3>
<p>Protecting vulnerable accounts from unauthorized access in the form of session cookie replay attacks may be best handled with a multi-layered approach including access management, Privileged Access Management (PAM), and <a href="https://www.oneidentity.com/what-is-iga/" target="_blank" rel="noopener">Identity Governance and Administration (IGA)</a> tools working together. These three layers can be summarized as follows:</p>
<p><strong>Protect privileged accounts</strong></p>
<p>Restrict access to sensitive or high-risk accounts, including admin accounts on your access management system, by requiring access through a <a href="https://www.oneidentity.com/learn/what-is-a-privileged-access-management-pam-tool.aspx" target="_blank" rel="noopener noreferrer">Privileged Access Management (PAM) tool</a>. Using a PAM system to control access to these accounts enables session recording and control, real-time monitoring of privileged access, password rotation and just-in-time privilege assignment.</p>
<p><strong>Detect rogue actors</strong></p>
<p>Control access to vaulted privileged accounts protected by the PAM solution by limiting <a href="https://www.onelogin.com/learn/how-single-sign-on-works" rel="noopener noreferrer">SSO</a> access to only authorized users in your access management system. Users must securely authenticate into the access management system to have access to the PAM tool. A user security policy for these admin and privileged users should restrict access to trusted devices only and set the session inactivity timeout to a short interval, such as five minutes. This keeps the window in which a stolen session cookie can be replayed as short as possible.</p>
<p>Since access to these admin accounts is granted only through the PAM tool, the admin account should be deactivated and the session closed as soon as the administrative tasks are complete, so a short inactivity timeout does not cause undue inconvenience to administrative users. Additionally, an application security policy should require reauthentication and MFA whenever the PAM application is launched.</p>
<p>Further, a module of the PAM system should apply user behavior analytics, which can distinguish the attacker from the authorized user of the account by analyzing keystrokes and mouse movement patterns. With this capability employed, the session can be terminated automatically when such an attack is detected.</p>
<p><strong>Enforce and remediate</strong></p>
<p>Use <a href="https://www.onelogin.com/learn/rbac-vs-abac" rel="noopener noreferrer">Role-Based Access Control (RBAC)</a> from the Identity Governance and Administration (IGA) solution to assign access to the privileged accounts within the PAM system, and to assign the PAM application on the user’s access management dashboard to only authorized administrative and privileged users, creating a condition of least privilege. These RBAC policies reduce the attack surface by revoking unneeded access for users who have been terminated or who have changed job roles: both their privileged account access in the PAM system and their assignment of the PAM application in the access management tool.</p>
<p>Use policies to ensure the access control security policies in the access management system are correctly applied to users, admins and the <a href="https://www.oneidentity.com/what-is-privileged-access-management/" target="_blank" rel="noopener noreferrer">PAM application</a>. Additionally, use policies to detect rogue or orphaned accounts which may be vulnerable to attack. Employ regular access reviews in the form of attestations or certifications to ensure least privilege is maintained.</p>
<h3 id="mcetoc_1hfpd2fcl1"><strong>Conclusion</strong></h3>
<p>A successful <a href="https://www.oneidentity.com/what-is-a-unified-identity-security-platform/" target="_blank" rel="noopener noreferrer">unified approach</a> uses the whole cybersecurity toolkit in an integrated fashion to create this multilayered approach to identity security. The One Identity Unified Identity Platform provides the necessary framework to most effectively defend against session cookie replay attacks and to ensure the organization remains protected.</p>
<p>Used together within the One Identity Unified Identity Platform, access management, PAM, and IGA can build a layered defense against session cookie replay attacks and other evolving cyber threats. This integrative approach enables the innovation needed to create best practices, empowering organizations to stay ahead in the face of emerging threats.</p>
<h3 id="mcetoc_1hfpd2fcl2"><strong>Call to Action</strong></h3>
<p>We urge organizations to consider the adoption of the One Identity Unified Identity Platform, including access management, PAM and IGA working together to fortify their defense mechanisms against emerging cyber threats. Embracing a comprehensive security strategy and adapting to the evolving threat landscape are critical steps toward safeguarding digital assets.</p>
<p>The post <a href="https://www.onelogin.com/blog/strengthening-cyber-defenses-the-crucial-role-of-pam-and-iga-solutions">Strengthening Cyber Defenses: The Crucial Role of PAM and IGA Solutions</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Breaking Down Silos: Why integrated Access Management and IGA is crucial for modern organizations</title>
		<link>https://www.onelogin.com/blog/breaking-down-silos-why-integrated-access-management-and-iga-is-crucial-for-modern-organizations</link>
		
		<dc:creator><![CDATA[Josh Karnes]]></dc:creator>
		<pubDate>Mon, 08 May 2023 15:16:24 +0000</pubDate>
				<category><![CDATA[Identity Governance and Administration]]></category>
		<category><![CDATA[Access Management]]></category>
		<category><![CDATA[IGA]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1325</guid>

					<description><![CDATA[<p>Identity and Access Management (IAM) in most organizations is typically provided by Access Management, Privileged Access Management (PAM) and Identity Governance and Administration (IGA) solutions. Unfortunately, many of these solutions work independently in silos, and efforts to integrate them to work together can be patchwork at best. Even if each pillar across Access Management, PAM [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/breaking-down-silos-why-integrated-access-management-and-iga-is-crucial-for-modern-organizations">Breaking Down Silos: Why integrated Access Management and IGA is crucial for modern organizations</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="alignnone size-full wp-image-1326" src="https://www.onelogin.com/blog/wp-content/uploads/2023/05/BlogImage-Behavior-Driven-Gvernance-PG-78356-v2.jpg.optimal.jpg" alt="BlogImage-Behavior-Driven-Gvernance" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2023/05/BlogImage-Behavior-Driven-Gvernance-PG-78356-v2.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2023/05/BlogImage-Behavior-Driven-Gvernance-PG-78356-v2-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2023/05/BlogImage-Behavior-Driven-Gvernance-PG-78356-v2-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2023/05/BlogImage-Behavior-Driven-Gvernance-PG-78356-v2-768x349.jpg.optimal.jpg 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<p><a href="https://www.onelogin.com/learn/iam" target="_blank" rel="noopener noreferrer">Identity and Access Management (IAM)</a> in most organizations is typically provided by Access Management, <a href="/what-is-privileged-access-management/" target="_blank" rel="noopener noreferrer">Privileged Access Management (PAM)</a> and <a href="/what-is-iga/" target="_blank" rel="noopener noreferrer">Identity Governance and Administration (IGA)</a> solutions. Unfortunately, many of these solutions work independently in silos, and efforts to integrate them to work together can be patchwork at best. Even if each pillar across Access Management, PAM and IGA works flawlessly on its own, there’s still plenty of opportunity for bad actors to exploit the gaps between them to gain access to critical systems. Integrating these solutions can result in increased identity security effectiveness.</p>
<p>Let’s talk through an example use case of how gaps in Access Management and IGA tools can manifest.</p>
<h3 id="mcetoc_1gufj1bqi0">Example Use Case: Zoom</h3>
<p>The transition to work-from-home and remote learning led to an explosion in growth for Zoom. To end users, Zoom is just an application. However, Zoom offers a selection of three user roles that can apply to an account:</p>
<ul>
<li><strong>Owner:</strong> Has all privileges that include role management</li>
<li><strong>Admin:</strong> Can add, remove or edit users, as well as manage advanced features, such as API, <a href="https://www.onelogin.com/learn/how-single-sign-on-works" target="_blank" rel="noopener noreferrer">SSO</a>, Billing, Meeting Connector and App Marketplace</li>
<li><strong>Members:</strong> Have no administrative privileges and can only adjust their own user settings, unless locked by an admin at the Account or Group level settings</li>
</ul>
<p>For organizations that use Access Management solutions, that means users have, at minimum:</p>
<ul>
<li>An account with the Access Management system</li>
<li>The Zoom app assigned to the account, likely via a role (an entitlement)</li>
<li>A Zoom account</li>
<li>The correct role assignment for their user type in Zoom (an entitlement)</li>
<li>A license for the Zoom account</li>
</ul>
<p>As in-office work and in-person learning have resumed, Zoom usage within many organizations has decreased.</p>
<p>Access Management solutions don’t typically govern the Zoom account, or the entitlements applied, whether it’s roles, group memberships or license status for the account. Typically, this is handled by an <a href="/what-is-iga/" target="_blank" rel="noopener noreferrer">IGA solution</a>.</p>
<p>As a result, the Access Management solution will continue doing its job controlling user authentication, while the IGA tool will continue to give users <a href="https://www.oneidentity.com/what-is-the-principle-of-least-privilege/">least privilege access</a> based on their role.</p>
<p>However, a user who stops using Zoom, or any other application for that matter, will continue to have access to that application even though they are no longer actively using it.</p>
<p>Permissions and continued access to Zoom after it’s no longer used—on the whole—may seem to be low stakes at first. However, at the end of the day, risk is not only represented by that unused Zoom account. It’s also present in that Active Directory account with group memberships associated with that user and the role membership and licensing in an IGA tool. Altogether, 10-12 distinct items associated with a user typically are governed independently by disparate solutions.</p>
<h3 id="mcetoc_1gufj1bqi1">The main problem</h3>
<p>Your IGA system has done a great job of provisioning access to users according to their specified roles and has maintained that governance with set and required policies. However, how is an IGA team equipped to know if access to a particular application is required at any given point in time? Is the least possible amount of privilege actually assigned to each user role? By itself, an IGA system will not know the last time a user used an application.</p>
<p>This lapse leaves a big gap between the privileges a user is issued versus what they need to perform their job.</p>
<p>What are the implications when applying that assessment of risk and vulnerabilities across an organization? What other applications have fallen out of use by some users who still have accounts, while the same applications are used daily by others? Consider, for example, external partners or vendors who have been granted access to a proprietary internal application. What dormant accounts exist on those applications or target systems that could potentially be exploited through their vulnerabilities?</p>
<h3 id="mcetoc_1gufj1bqi2">The serious pitfalls that come with siloed Access Management and IGA</h3>
<p>It’s clear that the silos that exist between Access Management and IGA solutions result in a few key pitfalls:</p>
<ul>
<li><strong>No correlated access</strong>
<ul>
<li>Across all of these tools, how will any system know if a user’s access is actually still required? Is the current level of access assigned in your IGA system the least possible amount of privilege for that user? By itself, an <a href="/what-is-iga/">IGA system</a> will not know when a user last logged in to an application, or whether to revoke access because a user hasn’t logged in in the last 90 days</li>
</ul>
</li>
<li><strong>Time-consuming application recertification</strong>
<ul>
<li>Whether driven by an audit or by regular role and privilege evaluations, every organization will need to establish whether or not users have appropriate access levels assigned across applications, both to adhere to compliance and regulation policies and to maintain the integrity of enterprise information. Recertification can be incredibly time consuming and resource intensive</li>
</ul>
</li>
<li><strong>Increased licensing costs</strong>
<ul>
<li>User seats for software and applications aren’t free. Budget is associated with every user and application used. Under-utilized applications with lots of users, or applications where users no longer need access, increase overall licensing costs</li>
</ul>
</li>
<li><strong>Exposure to standing user privileges</strong>
<ul>
<li>Users with standing privileges, especially high-level privileges, can pose a serious risk to a business. If individuals with standing privileges are compromised, bad actors can often use those privileges to quickly move on and exploit other applications</li>
</ul>
</li>
<li><strong>The information you already have is useless and impractical to apply</strong>
<ul>
<li>Access Management and IGA solutions collect and store an abundant amount of data on users. While that information may be useful within the context of each individual tool, trying to cross-reference that data from one tool to another is time consuming and impractical</li>
</ul>
</li>
</ul>
<h3 id="mcetoc_1gufj1bqi3">Using Behavior-Driven Governance to integrate Access Management and IGA</h3>
<p>Behavior-Driven Governance (BDG) allows organizations with Access Management and IGA solutions to implement policies to recommend or automatically remove unnecessary entitlements and accounts from users based on how those entitlements and accounts are being used.</p>
<p>For example, event data (like application access frequency) can be correlated to associated accounts and entitlements. From there, attestation can be directed to a user’s manager or other responsible party to give them an opportunity to revoke access that may not be needed due to a lack of application use.</p>
<p>Alternatively, unnecessary access can automatically be revoked if a user fails to meet set criteria.</p>
<h3 id="mcetoc_1gufj1bqi4">The benefits of Behavior-Driven Governance</h3>
<p>Behavior-Driven Governance combines the power of Access Management and IGA to deliver key benefits:</p>
<ul>
<li><strong>Enhanced visibility and governance</strong>
<ul>
<li>Rather than governing users and identities through two separate systems, Behavior-Driven Governance allows organizations to monitor application usage and apply policies based on usage behavior. As a result, entitlements are managed through adaptive policies and real-world identity behavior metrics that allow organizations to govern both <a href="https://www.onelogin.com/learn/iam" target="_blank" rel="noopener noreferrer">Access Management</a> and IGA tools as a unit</li>
</ul>
</li>
<li><strong>Lower costs</strong>
<ul>
<li>By having a comprehensive view of usage and activity, it’s a much simpler task to determine which licenses and user seats aren’t being used. Organizations can then recover the cost of unused licenses and lower the overall identity administrative burden</li>
</ul>
</li>
<li><strong>Stronger compliance</strong>
<ul>
<li>Inconsistent governance is a continual red flag for compliance. With Behavior-Driven Governance, the ability to consistently meet audit requirements by ensuring only needed entitlements are granted makes compliance much more attainable across an enterprise</li>
</ul>
</li>
<li><strong>Increased security</strong>
<ul>
<li>Removing unused accounts and entitlements from users reduces the overall risk that standing privileges pose and, in turn, improves an organization’s overall security posture</li>
</ul>
</li>
</ul>
<p>Organizations must consider where potential gaps and silos between <a href="https://www.onelogin.com/learn/iam" target="_blank" rel="noopener noreferrer">Access Management</a> and IGA tools may present issues and vulnerabilities. Are there applications in your organizational ecosystem where, even if access permissions are granted to users because of their roles, their usage would indicate that they likely don’t need those permissions anymore?</p>
<p>The enhanced visibility, insight and improved controls that Behavior-Driven Governance provides are a crucial stepping stone to maintaining least privilege and strengthening an organization’s overall security posture.</p>
<p>View how One Identity&#8217;s Behavior Driven Governance works by watching this brief <a href="https://www.onelogin.com/resource-center/webinars/ol-webcast-one-identity-behavior-driven-governance">webcast</a>.</p>
<p>The post <a href="https://www.onelogin.com/blog/breaking-down-silos-why-integrated-access-management-and-iga-is-crucial-for-modern-organizations">Breaking Down Silos: Why integrated Access Management and IGA is crucial for modern organizations</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
