Maintaining a Strong Identity Security Posture: Why IAM Hygiene Matters


Last updated 5 months ago

Identity Security Posture Management (ISPM) is an essential aspect of an identity security program that enables organizations to manage and protect their identities proactively. It involves monitoring and analyzing an organization's identity security posture to detect weaknesses and misconfigurations. It provides a holistic approach to identity security when combined with robust Identity Threat Detection and Response (ITDR) capabilities.

Gartner explains that “good preventive controls assist identity security posture management in order to avoid:

  • Misconfiguration, by ensuring IAM controls are properly configured, that the IAM configuration is continuously monitored for suspicious changes, and that appropriate steps are taken to investigate and, if necessary, resolve issues.

  • Vulnerabilities, by addressing commonly exploited vulnerabilities in the identity infrastructure via patching or compensating controls.

  • Exposure, by reducing the attack surface by removing unnecessary or excessive privileges, for example.”

In this blog, we will delve deeper into ISPM, explore the key areas, and discuss some best practices for implementing an effective ISPM strategy. By the end of this blog, you will better understand ISPM and how it can help your organization mitigate identity-related risks and enhance its overall security posture.

ISPM: Taking a Proactive Approach to Identity Security

The defining characteristic of good Identity Security Posture Management is that it is proactive in nature. Unlike SaaS Security Posture Management (SSPM), which focuses on SaaS, or Cloud Security Posture Management (CSPM), which focuses on cloud resources, ISPM is focused on Identity and Access Management.

ISPM aims to reduce the opportunities an attacker has to target your identities. Without it, you don’t know about the former finance manager who still has access to accounting software, the salesperson who disabled their MFA, or the IT contractor who still has admin rights. Without good hygiene, an organization is making it easier for attackers to take over accounts.

It’s essential to be able to react quickly to identity threats, which is where Identity Threat Detection and Response (ITDR) is gaining popularity as part of an identity security program. We have proactive approaches for other areas of security, so why not identity?

Amid increasing threats, the NSA and CISA have been educating security professionals on the importance of good identity security posture. In a paper released last week, Identity and Access Management: Recommended Best Practices for Administrators, the NSA noted that “IAM weaknesses are frequently exploited in the most insidious threats, APTs, which have led to catastrophic data breaches.”

Common Identity Security Posture Issues: Seven Deadly Sins

This blog will outline seven deadly sins of IAM hygiene:

1. Unknown dormant accounts
2. Unknown guest accounts
3. Unknown orphaned accounts
4. Permission issues
5. Multi-factor authentication weaknesses
6. Session length configuration
7. Service accounts

Dormant Accounts

Dormant accounts are accounts that have had a long period of inactivity and are often no longer in use. These can be employee or guest accounts and can mean that the individual no longer works for the company, but the account has remained.

Dormant accounts typically fall under the radar and undergo less scrutiny, which makes them appealing to attackers. In August 2022, APT29 launched brute-force password attacks on dormant accounts. According to Mandiant, APT29 conducted a password-guessing attack against a list of mailboxes and successfully guessed the password to an account that had been set up but never used. The group knew that these inactive, dormant accounts did not have the same scrutiny as others. Furthermore, they could enroll any compromised account with their own MFA.

In addition to the risk of unauthorized access, dormant accounts can also pose a risk to compliance with regulatory requirements. Many regulations require organizations to implement strict controls for managing user access to sensitive data and systems. Dormant accounts can indicate that an organization is not enforcing these controls and can lead to fines and other penalties. Furthermore, dormant accounts can create additional management overhead and increase the risk of human error. As the number of dormant accounts in the directory grows, it becomes more difficult to track and manage user access, which can lead to inconsistencies and errors in access control policies.

To mitigate the risk of dormant accounts, organizations should implement policies and procedures for managing user accounts and access. This can include regularly reviewing and auditing user accounts to identify and disable dormant accounts, implementing automated tools to detect and disable inactive accounts, and enforcing strong password policies and multi-factor authentication. By taking these steps, organizations can reduce the risk of unauthorized access and improve compliance with regulatory requirements.

Guest Accounts

Guest accounts are external user accounts that are granted access to resources, typically to collaborate with internal users or to access external applications. These are often contractor accounts that are hard to track. Guest accounts are often created by internal users who may not be aware of the potential security risks associated with granting access to external users. Additionally, guest accounts may remain active even after the external user no longer needs access, creating a potential security gap that could be exploited by attackers.

To mitigate the risks associated with guest accounts, organizations should implement policies and procedures for managing guest accounts and access. This can include regularly reviewing and auditing guest accounts to identify and disable those that are no longer needed. You should also enforce strong authentication methods, such as multi-factor authentication.

Finally, organizations should educate their users about the potential risks associated with guest accounts and the importance of granting access only to trusted external users.

Orphaned Accounts

Orphaned accounts in a directory refer to user accounts that are no longer associated with an active employee or user. These accounts may have been created to grant access to specific resources or applications but were not properly deprovisioned when the user's employment or access ended. Just like inactive or guest accounts, these are prime targets for attackers.

The issue of discrepancies between HR systems, SSO, and directories can exacerbate the risk of orphaned accounts. When user access is managed by multiple systems, it can create inconsistencies in access control policies and make it difficult to ensure that all user accounts are properly deprovisioned when needed. For example, if an employee leaves the organization, but their account is not properly deprovisioned in all systems, they may still be able to access sensitive data or systems through an orphaned account.

Ensuring that each identity can be correlated across the HR system, SSO, and directories can help to avoid problems later down the line, such as orphaned accounts.

To mitigate the risks associated with orphaned accounts and discrepancies between systems, organizations should implement policies and procedures for managing user accounts and access that are integrated across all relevant systems. This can include implementing automated tools to detect and disable orphaned accounts, regular reviews of access control policies and access rights, and ensuring that all systems are properly synchronized with HR records to deprovision accounts when needed.

Permission Creep

A growing number of groups and permissions creates a problem for IAM (Identity and Access Management) hygiene by expanding the attack surface available to cyber attackers. When an organization has multiple groups and roles with numerous permissions, it becomes increasingly difficult to keep track of who has access to what resources. If an employee's role or access level changes, it can be difficult to ensure that they no longer have access to resources that are no longer relevant to their new role.

Attackers can exploit this problem by targeting accounts that have excessive or unnecessary permissions. For example, if an attacker gains access to a user account with high-level privileges, they can use that account to access sensitive data, launch attacks on other accounts, or even take control of the entire system.

To mitigate the problem of increased groups and permissions, organizations can take several steps. First, they can implement a principle of least privilege (POLP), which involves granting users the minimum level of access required to perform their job functions. This approach limits the potential damage that an attacker can do if they gain access to a user account.

Secondly, organizations can regularly review user permissions to ensure that users have access to only those resources that are necessary for their roles. Any excessive permissions should be promptly revoked.

Thirdly, organizations can implement strict access controls to limit the number of users who have access to sensitive data. They can also use multi-factor authentication and password management policies to further strengthen the security of user accounts.
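The dormant, guest, orphaned and permission-creep checks above all reduce to the same kind of scan over a directory export joined against HR records. The following Python is an added example written for this post, not Oort's code or any IdP's API: the `IdpUser` schema, the HRIS list, the 90-day dormancy window and the 50-group threshold are all constructed assumptions, and the sample users are made up.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds are assumptions for this example, not values from the post.
DORMANT_AFTER = timedelta(days=90)   # no successful sign-in for this long -> dormant
MAX_GROUPS = 50                       # more group memberships than this -> review


@dataclass
class IdpUser:
    """One directory/IdP user as an export might present it (constructed schema)."""
    email: str
    user_type: str                      # "member" or "guest"
    status: str                         # "active" or "disabled"
    last_login: Optional[datetime]      # None: the account has never signed in
    groups: List[str] = field(default_factory=list)
    direct_apps: List[str] = field(default_factory=list)  # apps assigned directly, not via a group


def audit_user(user: IdpUser, hris_emails: set, now: datetime) -> List[str]:
    """Return the posture findings for one user (empty list = clean)."""
    findings: List[str] = []
    if user.status != "active":
        return findings                 # a disabled account cannot be signed into; skip it
    # Dormant: never used, or unused for longer than DORMANT_AFTER.
    if user.last_login is None or now - user.last_login > DORMANT_AFTER:
        findings.append("dormant guest account" if user.user_type == "guest" else "dormant account")
    # Orphaned: an employee account with no matching HRIS record (guests are external, so exempt).
    if user.user_type != "guest" and user.email.lower() not in hris_emails:
        findings.append("orphaned account (not in HRIS)")
    # Permission creep: applications granted outside group-based provisioning.
    if user.direct_apps:
        findings.append("directly assigned apps: " + ", ".join(sorted(user.direct_apps)))
    if len(user.groups) > MAX_GROUPS:
        findings.append(f"excessive group membership ({len(user.groups)} groups)")
    return findings


def audit_directory(users, hris_emails, now) -> Dict[str, List[str]]:
    """Map each user with at least one finding to its list of findings."""
    hris = {e.lower() for e in hris_emails}
    report: Dict[str, List[str]] = {}
    for user in users:
        findings = audit_user(user, hris, now)
        if findings:
            report[user.email] = findings
    return report


# Constructed sample data: an HR roster and a directory export that disagree with it.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
HRIS_EMAILS = ["alice@example.com", "bob@example.com", "erin@example.com", "frank@example.com"]
USERS = [
    IdpUser("alice@example.com", "member", "active", NOW - timedelta(days=3), ["eng"]),
    IdpUser("bob@example.com", "member", "active", NOW - timedelta(days=200), ["finance"]),
    IdpUser("carol@example.com", "member", "active", NOW - timedelta(days=10), ["eng"], ["payroll"]),
    IdpUser("vendor@partner.example", "guest", "active", None),
    IdpUser("erin@example.com", "member", "disabled", None),
    IdpUser("frank@example.com", "member", "active", NOW - timedelta(days=1),
            [f"group-{i}" for i in range(60)]),
]

if __name__ == "__main__":
    for email, findings in audit_directory(USERS, HRIS_EMAILS, NOW).items():
        print(f"{email}: {'; '.join(findings)}")
```

The scan deliberately skips disabled accounts and exempts guests from the HRIS join, since external users never appear in HR data; both choices are design decisions for this example rather than rules from the post.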

Strong Multi-Factor Authentication

Organizations use MFA to enhance the security of their systems and protect sensitive information from unauthorized access. MFA adds an extra layer of security beyond just a password, reducing the risk of data breaches and identity theft. Accounts that do not have MFA (or only have weak forms) can further weaken the identity security posture.

Examples of authentication factors include something a user knows (e.g., a password), something a user has (e.g., a smartphone), or something a user is (e.g., biometric data). By requiring multiple factors, MFA helps ensure that only authorized users can access the system.

While any second factor is better than none, organizations are increasingly focusing on implementing phishing-resistant second factors to combat MFA bypass techniques. Examples of this include Touch ID, physical keys, and passwordless solutions.

Organizations should focus on MFA usage as well as enrollment. Even if an employee has registered a strong second factor, they may still be using a weaker, SMS-based authentication as a fallback.
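The enrollment-versus-usage gap is easy to miss if you only look at factor enrollment. This added Python example (not Oort's code, and not any IdP's log format) joins a constructed enrollment table against constructed successful MFA events to separate users with no MFA, weak-only MFA, and a strong factor enrolled but SMS actually used. Which factor names count as strong or weak is an assumption for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, Set

# Assumed factor taxonomy for this example; adjust to the factor names your IdP reports.
STRONG_FACTORS: Set[str] = {"webauthn", "fido2", "platform_biometric"}
WEAK_FACTORS: Set[str] = {"sms", "voice", "email"}

# Constructed: factors each user has enrolled.
ENROLLMENTS: Dict[str, Set[str]] = {
    "alice@example.com": {"webauthn"},
    "bob@example.com": {"webauthn", "sms"},
    "carol@example.com": {"sms"},
    "dave@example.com": set(),
}

# Constructed MFA challenge events; "ok" marks whether the challenge succeeded.
MFA_EVENTS = [
    {"user": "alice@example.com", "factor": "webauthn", "ok": True},
    {"user": "bob@example.com", "factor": "sms", "ok": True},
    {"user": "bob@example.com", "factor": "sms", "ok": True},
    {"user": "bob@example.com", "factor": "webauthn", "ok": True},
    {"user": "carol@example.com", "factor": "sms", "ok": True},
    {"user": "dave@example.com", "factor": "sms", "ok": False},   # failed challenge, not counted
]


def classify_enrollment(factors: Set[str]) -> str:
    """Posture from enrollment alone: no_mfa, weak_only, or strong_enrolled."""
    if not factors:
        return "no_mfa"
    if factors & STRONG_FACTORS:
        return "strong_enrolled"
    return "weak_only"


def review_mfa(enrollments: Dict[str, Set[str]], events: Iterable[dict]) -> Dict[str, dict]:
    """Combine enrollment with what was actually used in successful challenges."""
    used: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for event in events:
        if event["ok"]:
            used[event["user"]][event["factor"]] += 1

    report = {}
    for user, factors in enrollments.items():
        posture = classify_enrollment(factors)
        weak_uses = sum(n for factor, n in used[user].items() if factor in WEAK_FACTORS)
        # A strong factor on file does not help if the weak fallback is what gets used.
        if posture == "strong_enrolled" and weak_uses:
            posture = "strong_enrolled_weak_used"
        report[user] = {"posture": posture, "weak_uses": weak_uses}
    return report


if __name__ == "__main__":
    for user, row in review_mfa(ENROLLMENTS, MFA_EVENTS).items():
        print(f"{user}: {row['posture']} (weak factor used {row['weak_uses']} times)")
```

Users in the `strong_enrolled_weak_used` bucket are the ones the paragraph above describes: they look fine in an enrollment report but are still exposed to SMS-based bypasses in practice.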

Session Length

Logging into Okta multiple times a day can be annoying – why not just log in once and keep it open? Well, attackers can “hijack” these sessions. Session hijacking is an attack where an attacker takes over an active session between a user and a website or application. The attacker can then use the session to access the user's sensitive information or perform unauthorized actions. Crucially, this is a way for attackers to bypass MFA.

Long sessions can also enable terminated users to continue to have access to their inbox after termination or even for regular users to evade enforcement when you roll out new MFA policies until the next time they need to reauthenticate (maybe never).

To reduce this risk, check whether your tenant has no maximum session lifetime configured at all, or whether the configured lifetime seems unusually high.
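The session-lifetime check is simple to automate once policies are exported. The Python below is an added example, not Oort's code and not Okta's policy API: it assumes a constructed policy export in which lifetimes and idle timeouts are ISO 8601 durations (`PT8H`, `P30D`) and a missing value means no limit, and it flags policies that either never expire sessions or exceed thresholds that are assumptions for the example.

```python
import re
from datetime import timedelta
from typing import List, Optional, Tuple

# Accepts ISO 8601 durations of the form PnDTnHnM (constructed schema for this example).
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def parse_duration(value: Optional[str]) -> Optional[timedelta]:
    """Return the duration, or None when the policy sets no limit at all."""
    if value is None:
        return None
    match = _DURATION.match(value)
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes = (int(g) if g else 0 for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def check_session_policies(policies,
                           lifetime_limit: timedelta = timedelta(hours=24),
                           idle_limit: timedelta = timedelta(hours=4)) -> List[Tuple[str, str]]:
    """Return (policy name, issue) pairs for policies that let sessions live too long."""
    issues: List[Tuple[str, str]] = []
    for policy in policies:
        name = policy["name"]
        lifetime = parse_duration(policy.get("max_lifetime"))
        idle = parse_duration(policy.get("idle_timeout"))
        if lifetime is None:
            # No ceiling at all: a hijacked or leftover session is valid indefinitely.
            issues.append((name, "no maximum session lifetime: sessions never expire"))
        elif lifetime > lifetime_limit:
            issues.append((name, f"maximum session lifetime {policy['max_lifetime']} exceeds {lifetime_limit}"))
        if idle is None:
            issues.append((name, "no idle timeout"))
        elif idle > idle_limit:
            issues.append((name, f"idle timeout {policy['idle_timeout']} exceeds {idle_limit}"))
    return issues


# Constructed policy export: one sane policy, one with no ceiling, one with very long limits.
POLICIES = [
    {"name": "Default", "max_lifetime": "PT8H", "idle_timeout": "PT2H"},
    {"name": "Contractors", "max_lifetime": None, "idle_timeout": "PT1H"},
    {"name": "Legacy", "max_lifetime": "P30D", "idle_timeout": "P7D"},
]

if __name__ == "__main__":
    for name, issue in check_session_policies(POLICIES):
        print(f"{name}: {issue}")
```

The thresholds are parameters so the same check can be run with whatever lifetime your own policy allows; the point is that "no limit" is treated as a finding in its own right rather than as a value that happens to compare as large.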

Service Accounts

Good hygiene extends beyond human identities - service accounts should also be a consideration. Service accounts are often created with high privileges and are designed to automate tasks, which means they may have access to sensitive data and systems. Allowing interactive logins from these accounts can increase the risk of unauthorized access, as it opens up the possibility of an attacker gaining access to the system through the service account.

Interactive logins from service accounts also make it challenging to track who is accessing the system and what they are doing. This can lead to a lack of accountability, making identifying the root cause of security incidents or compliance issues difficult.
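Spotting interactive sign-ins by service accounts is a log question: which known service identities authenticated through anything other than a machine credential flow? This added Python example is not Oort's code and the event fields are a constructed JSON-lines format, not any real IdP's log schema; the service-account list, the set of login types treated as non-interactive, and the sample events (with documentation IP ranges) are all made up for the example.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed: the identities we know to be service accounts, and the login types
# that a service account is expected to use (anything else counts as interactive).
SERVICE_ACCOUNTS: Set[str] = {"svc-backup@example.com", "svc-ci@example.com"}
NON_INTERACTIVE_LOGIN_TYPES: Set[str] = {"client_credentials", "api_token"}

# Constructed sign-in events, one JSON object per line; field names are assumptions.
SAMPLE_LOG = """\
{"time": "2024-05-01T02:00:11Z", "actor": "svc-backup@example.com", "login_type": "client_credentials", "client": "backup-agent/3.1", "ip": "10.0.0.5", "outcome": "success"}
{"time": "2024-05-01T09:14:02Z", "actor": "alice@example.com", "login_type": "browser", "client": "Chrome 124", "ip": "198.51.100.23", "outcome": "success"}
{"time": "2024-05-01T11:47:39Z", "actor": "svc-backup@example.com", "login_type": "browser", "client": "Firefox 125", "ip": "203.0.113.7", "outcome": "success"}
{"time": "2024-05-01T12:03:55Z", "actor": "svc-ci@example.com", "login_type": "api_token", "client": "ci-runner/2.0", "ip": "10.0.0.9", "outcome": "success"}
{"time": "2024-05-02T22:31:10Z", "actor": "svc-ci@example.com", "login_type": "browser", "client": "Chrome 124", "ip": "203.0.113.44", "outcome": "failure"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines sign-in events, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_interactive_service_logins(events: Iterable[dict],
                                    service_accounts: Set[str] = SERVICE_ACCOUNTS) -> Dict[str, List[dict]]:
    """Group interactive sign-in attempts (successful or not) by service account."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for event in events:
        if event["actor"] not in service_accounts:
            continue
        if event["login_type"] in NON_INTERACTIVE_LOGIN_TYPES:
            continue                     # expected machine-to-machine use
        # Keep failures too: a failed browser login by a service account is still worth a look.
        hits[event["actor"]].append({
            "time": event["time"],
            "client": event["client"],
            "ip": event["ip"],
            "outcome": event["outcome"],
        })
    return dict(hits)


if __name__ == "__main__":
    for account, attempts in find_interactive_service_logins(parse_events(SAMPLE_LOG)).items():
        for a in attempts:
            print(f"{account}: {a['outcome']} interactive login from {a['ip']} ({a['client']}) at {a['time']}")
```

Failed attempts are retained on purpose: a browser sign-in attempt against a service account that should never be used interactively is the kind of accountability signal the paragraph above says is otherwise lost.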

To learn more about best practices, check out this awesome blog from CrowdStrike, ‘Red Flag Alert: Service Accounts Performing Interactive Logins’.

According to the State of Identity Security Report 2023, the average organization has a large number of inactive accounts - more than 24% of its total identities. These accounts experience more than 500 attacks every month.

If a guest account is compromised, an attacker can use it to access sensitive data, applications, or systems. The risk is increased if the guest account has elevated permissions or access to critical resources. According to the State of Identity Security Report 2023, more than 3.24% of all identities are guest accounts.

Over any employee’s work history, it’s easy to accumulate a myriad of permissions. Research by Unit42 found that 99% of cloud users, roles, services, and resources are granted excessive permissions. Permissions are typically granted by groups, and we often see poor hygiene when it comes to group management. In the State of Identity Security Report 2023, Oort discovered that the average company has 7,740 groups. While groups are typically used to grant permissions, sometimes applications are directly assigned. Teams should monitor for these instances to ensure good hygiene.

Conclusion

It’s evident that IAM hygiene is becoming increasingly important for a company's security posture. Just as software and hardware can be vulnerable, so can identities.

By taking a proactive approach to identity security, organizations can reduce their attack surface and make life harder for attackers.

You can do plenty for yourself to improve your identity security posture, but Oort can help. If you’re interested in learning more about how Oort can help to identify identity security posture issues, get in touch!