Cybersecurity Awareness Month: confronting zombie accounts with access management strategies
The month with the spookiest holiday of the year also happens to be Cybersecurity Awareness Month. Last week on this blog we raised an alarm about zombie accounts–identity principals that remain active on your platforms long after their users have moved on. In the spirit of thwarting this zombie horde of former users once and for all, we’re drilling down in this post into specific steps you can take to confront this hideous cloud security menace.
Previously in this blog, we highlighted practices for conquering zombie accounts and offered insights into establishing an identity and access management (IAM) strategy at scale. We spoke broadly about establishing fine-grained permissions and access-based systems designed to ensure the safety of your employees, data, systems, and business.
Now is a great time to take on the challenge of using theoretical principles and best practices to create tangible security practices. The following post focuses on Google Cloud automations, open source tools, and more granular steps to turn access management best practices into entrenched and operational security capabilities.
1. Implement cloud security best practices to confront zombie accounts
Recurring account reviews to manage user access
Regularly reviewing and cleaning up user accounts is a foundational practice in identity management. Here’s how to go about it.
1. Establish a regular cadence
Set up a schedule for access reviews, which could be monthly, quarterly, or annually, depending on your organization’s size, complexity, and compliance requirements. SADA recommends quarterly or semi-annual manual reviews, with monitoring automations in place to continually assess permission congruence.
Holding yourself and your team accountable for regularly updating the rest of your organization on progress reviewing accounts means making this process predictable and routine.
2. Identify resources and principals
Determine the resources and user accounts to be reviewed, prioritizing those that are more critical or higher risk. Syncing with your HR department to identify accounts associated with people who are no longer part of your organization is key. If your organization accommodates remote or hybrid work, make sure to take this into consideration.
Every business is likely going to need to establish a set of permissions for high-stakes, high-risk access to critical systems. We like to call this “firefighter access.” This level of permissions should only be granted to the most technically proficient, specialist user whose job functions are accountable for the overarching security of the company. It is understood that actions taken by those with firefighter access are observable, recorded, and subject to frequent review.
3. Define review criteria
Define criteria for access reviews, which may include examining role assignments, permissions, and usage of sensitive data. Establish a set of policies and expectations to determine whether the existing access aligns with business processes and security standards.
4. Conduct access reviews
Reviewers should assess and document their findings, establishing a clear record that can prove valuable to future reviews. This may involve using IAM audit logs and reports provided by Google Cloud to assess access and permissions.
5. Remediate findings
If you discover over-privileged accounts or unused permissions, make sure to take action to remove or downscope access. Are lower-level employees granted permissions to access sensitive information that lies beyond the scope of their positions? Do user permissions take into account third-party users with unnecessary access or employees who need only temporary access?
6. Track and report
Tracking progress and generating reports helps mitigate against access risks. Not only will this paper trail prove useful during future account reviews, it can be part of onboarding new users who are responsible for assigning user permissions, overseeing regulatory and statutory requirements, managing groups, or have the power to perform user assignments and grant write access.
2. Timely access revocation
Access revocation is crucial to prevent zombie accounts from becoming full-blown security risks. Following are some key steps to consider when you set out to revoke access for a user and avoid potential issues in the process.
1. Identify resources and principals
Determine which resources or user accounts need to have access revoked. This includes resources no longer in use, departing employees, contractors, or security policy violators. It goes without saying that large organizations with multiple levels of system access and many predefined roles require a more detailed strategy for managing user permissions.
2. Determine the best method
Choose the appropriate method for access revocation, depending on the specific situation. Here are some ideas from Google Cloud on how to select the method that works for you.
3. Revoke user access and verify access revocation
Use Google Cloud IAM, the console, or Cloud IAM API to revoke access based on your method. Then ensure that access has been successfully revoked, which you can do by attempting to access the resources.
4. Use IAM groups for simplification
Group users based on their roles and responsibilities to streamline access management and revocation. This means gathering all your authorized users in one place to better manage network access, ensuring a greater degree of data protection.
5. Use IAM policies to grant and revoke access
Grant access to groups rather than individual users and create IAM policies to manage access more efficiently. This makes assigning permissions easier, with role-based security established at the group level. By adjusting permission levels by group, you’ll save yourself future headaches that arise when assigning permissions individual by individual.
3. Uphold strong password policies
To significantly reduce the risk of unauthorized access, you’ll want to establish robust password policies for your employees. Here’s how.
1. Develop a password policy that makes sense for your unique organization
Create a policy with minimum password requirements, complexity, and expiration rules. This is also a good opportunity to review your organization’s compliance obligations.
2. Communicate the policy
Make sure all users are aware of the policy and require their acknowledgment. Communicate your policy through multiple communication channels, including internal comms like group emails, announcements, company- and department-wide meetings, and intranet resources.
3. Implement a password manager
Encourage users to use password managers to create and store strong, unique passwords. Determine the minimal length of passwords, necessary characters, and how often user passwords should be updated.
4. Require MFA
Enforce multi-factor authentication (MFA) programs, like Okta, for all accounts. This provides another layer of protection for your data, by verifying end-user access to the appropriate systems and data.
5. Educate users
Sync with your internal communications department to establish training sessions, write announcements, and roll out continued opportunities to learn about the importance of multi-factor authentication.
4. Establish effective account deactivation workflows
Developing a clear workflow for account deactivation is essential to avoid potential issues. Here’s how:
1. Identify resources and principals
Determine which resources or user accounts need to be deactivated.
2. Define deactivation criteria
Decide when and why end-user accounts should be deactivated, such as in cases of inactivity, contractor end dates, or employee departure.
3. Design the workflow
Outline the steps for deactivation of network access, which may include revoking access, data deletion, and stakeholder notification.
4. Implement the workflow
Use cloud tools like GCP Workflows, Cloud Functions, or Cloud Composer to automate the deactivation process.
5. Monitor and test
Continuously monitor and test your workflow to ensure it remains effective, with regularly scheduled meetings to discuss the results of your tests with key stakeholders.
5. Apply role-based access control (RBAC)
What is role-based access control?
Role-based access control (RBAC) is a widely used access control model. At its core, RBAC simplifies the process of managing and regulating user access to systems, data, and resources within an organization. Instead of individually assigning permissions to each user, RBAC groups users into roles based on their job responsibilities or functions. Each role is associated with a specific set of permissions and access rights, and users inherit these permissions by virtue of their role.
Role-based access control is a powerful tool for managing user access, which can be incredibly useful for the following:
- Groups for management–groups simplify access assignment and management for multiple users.
- Predefined roles–a good starting point for setting up RBAC permissions.
- Custom roles–if predefined roles don’t meet your organization’s needs, create custom roles.
- IAM policies–grant access to resources, allowing fine-grained control over access.
- Audit resource access–regularly audit access to identify unauthorized access.
- Further use of groups–descriptive group names, nested groups, and group filters offer better organization and access control.
- Automate access management–automate role and permission assignment/removal using tools like Cloud Identity and Access Management (IAM) API.
Stay one step ahead of potential threats—vigilance is key
By embedding these practices into your organization’s processes, you can effectively manage zombie accounts, control access, enhance security, and ensure that your cloud environment remains resilient against security threats.
Regularly updating your IAM procedures and automating tasks can help maintain a secure and efficient cloud environment. Zombie accounts may be a real threat, but with the right strategies in place, they won’t haunt your organization for long.
Remember, in the world of cloud security, vigilance is the key to staying one step ahead of potential threats, and managing dormant accounts is a critical aspect of that vigilance. Stay secure, stay vigilant, and keep your cloud environment safe from increasingly sophisticated attacks.
Get a Cloud Security Confidence Assessment
To get started on a comprehensive analysis of your security posture, be sure to sign up for SADA’s Cloud Security Confidence Assessment. This thorough examination of your systems provides you with a security score based on industry best practices, with detailed recommendations for how you can improve your security posture.
