TIPS #22: The IGA-IAM-UEBA Triad for Identity-First Security
Shane Shook
November 13, 2024
- Blog Post
- TIPS
Issue: Identity is the new perimeter and many companies have shifted from a network security approach to an identity security-first strategy. However, most still lack balance between the foundational triad of IAM, IGA, and UEBA, leaving gaps which threat actors can exploit.
As cloud computing, SaaS, and PaaS have changed the shape of the digital landscape, identity has become the new perimeter. Identity is the means of legitimate access to organizational information and communication resources, including systems, data, and applications, and, when compromised, the means of abusing those assets. A single compromised identity can threaten an entire corporate system when there aren’t sufficient controls in place.
Correspondingly, companies have shifted from a network security approach to identity-first security to address the risks of identity-based threats and their impacts, such as data breaches, operational disruptions, and regulatory non-compliance. However, in doing so, many have missed the forest for the trees, overlooking foundational steps while searching for the latest and greatest solutions.
The Identity-First Triad: IAM, IGA, and UEBA
At its most basic level, an identity-first security program should include three capabilities: Identity and Access Management (IAM), Identity Governance and Administration (IGA), and User Entity Behavior Analytics (UEBA).
IAM is focused on who has access to which resources in what conditions. It includes access controls which are applied to user credentials. IAM capabilities tend to take the form of point solutions.
IGA encompasses policy definition and administration, process oversight, and observability around user rights. It governs IAM point solutions through the use of policies and technology to ensure strong security and compliance.
UEBA is a detection methodology (often automated) that distinguishes approved use from anomalous user behavioral patterns that warrant Just-In-Time Access (JITA) and authorization controls. It focuses on a user’s history and behavior when interacting with systems and applications, and draws on intelligence from both IAM and IGA. UEBA overlaps with Identity Threat Detection and Response (ITDR), which is discussed in detail throughout TIPS #13, since both include aspects of user behavioral monitoring and identity threat detection.
The Three A’s: Authorization, Authentication, and Access
To understand the IAM-IGA-UEBA triad in practice, consider the key concepts of authorization, authentication, and access.
Authorization is an approval (permission) to access and use a resource under defined constraints. Security teams define and manage user authorizations (permissions).
Authentication is the verification of a user’s identity when they attempt to access a resource. It is a go/no-go (approval or denial) control. Passwords, biometric data, and Multi-Factor Authentication (MFA) are common authentication controls.
Both authentication and authorization are managed through IAM controls which are governed by IGA and inform UEBA capabilities.
Misaligned Access Controls and Policies
The root of the problem for most companies comes down to the difference between access and authorized use, the gap that exists between access controls and policies, and the subsequent lack of sufficient behavioral detection.
For example, a user might be authorized to access a resource and may pass an authentication control which verifies their identity. However, they might then be able to use resources in an unauthorized fashion if authorization controls are not properly defined or managed. This leaves companies vulnerable to insider threats (like an employee seeking to sell IP to a competitor), social engineering (like the company comptroller being duped into making a payment to a fictional entity), and human error (an employee accidentally damaging the company by misusing a resource or system).
This dynamic applies to external threats like account takeovers (ATO) as well. If an attacker has compromised a user’s credentials to access a system and the authorization controls over-privilege the user, the attacker will be able to reach more data and systems and potentially do more damage, especially if there aren’t behavioral detection capabilities (like UEBA) in place to identify and stop the incident.
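To make the authentication/authorization distinction and the behavioral-detection gap concrete, here is an added example (not from the original post or from any vendor it mentions) in Python: a hypothetical trading-desk policy where an MFA-authenticated user can still act outside the defined constraints, plus a simple per-user baseline that flags the outlying event. The policy, user, device names, limits and event stream are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
# Constructed policy: a permission plus its constraints. The IAM control
# enforces it; the IGA policy defines it. All values are hypothetical.
POLICY = {"trader1": {"max_notional": 1_000_000, "devices": {"wks-042"},
                      "hours": (8, 18)}}

@dataclass
class Event:
    user: str
    device: str
    ts: datetime
    notional: int
    mfa_ok: bool  # authentication result: a go/no-go control

def authorize(ev: Event) -> list:
    """Constraint violations for one event. Passing authentication does not
    make the use authorized; each defined constraint is checked separately."""
    if not ev.mfa_ok:
        return ["authentication_failed"]
    p = POLICY.get(ev.user)
    if p is None:
        return ["no_authorization"]
    v = []
    if ev.notional > p["max_notional"]:
        v.append("exceeds_limit")
    if ev.device not in p["devices"]:
        v.append("unapproved_device")
    if not p["hours"][0] <= ev.ts.hour < p["hours"][1]:
        v.append("outside_hours")
    return v

def ueba_flags(events, factor=3.0) -> list:
    """Per-user behavioral baseline: flag an event whose notional exceeds
    `factor` times the mean of that user's earlier events (UEBA-style)."""
    seen, flagged = {}, []
    for ev in events:
        prior = seen.setdefault(ev.user, [])
        if len(prior) >= 3 and ev.notional > factor * mean(prior):
            flagged.append(ev)
        prior.append(ev.notional)
    return flagged

# Constructed event stream: three routine daytime orders from the approved
# workstation, then one large overnight order from an unapproved device.
EVENTS = [
    Event("trader1", "wks-042", datetime(2024, 11, 13, 10), 200_000, True),
    Event("trader1", "wks-042", datetime(2024, 11, 13, 11), 250_000, True),
    Event("trader1", "wks-042", datetime(2024, 11, 13, 14), 180_000, True),
    Event("trader1", "home-pc", datetime(2024, 11, 14, 2), 5_000_000, True),
]
```

The last event passes authentication yet fails three authorization constraints, and the baseline flags it independently; either check alone would have been enough to stop it, which is the point of having both.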
Impact: Misaligned identity security raises both the likelihood and the impact of identity incidents.
When the IAM-IGA-UEBA triad is misaligned, companies are at a higher risk of unauthorized resource access, data exfiltration, and costly breaches. These incidents can disrupt operations, increase operating expenses, and reduce revenue. In addition, companies may violate data security and privacy requirements (such as GDPR) and face fines, penalties, and lawsuits. There’s also a heightened risk of reputational damage and brand degradation.
Here are two case studies which exemplify the wide-ranging effects of misaligned identity security:
Trader’s Overcommitted Orders Cost MF Global $141 Million
On February 26, 2008, MF Global bank trader Evan Dooley placed a large number of unauthorized, speculative commodities orders overnight. The orders were well beyond regulatory limits and far exceeded his ability to repay potential losses. Dooley made the trades using a home computer with his own trading account on behalf of the company and its clients. When futures contracts rose in price, he attempted to liquidate his short position. MF Global eventually deactivated his account and liquidated all outstanding contracts, losing just over $141 million and seeing its stock price fall over 90%. Dooley was convicted of two counts of violating the Commodity Exchange Act by exceeding speculative position limits. He was sentenced to five years in federal prison and ordered to repay the firm $141 million.
In this case, MF Global’s IAM access controls and authorization policies were not aligned or properly governed by IGA. The firm did not sufficiently control user rights, creating a risky situation in which a trader was allowed to execute orders on their own computer without controls or detection. As a result, the rogue trader’s actions caused catastrophic losses.
Operation Cloud Hopper Compromises MSPs to Steal Sensitive Data
Starting in late 2016, threat actor APT10 began perpetrating what is now known as the Cloud Hopper incident, exploiting Managed Service Providers’ (MSPs’) cloud-hosted web, email, and Active Directory (AD) access. The attackers compromised MSP user accounts and escalated their privileges to move laterally within MSP environments, target victim organizations (clients of the MSPs), and steal the victims’ sensitive data.
In this case, attackers were able to gain access to networks via compromised credentials and move laterally because the credentials were overprivileged. The MSPs’ account authorizations were not sufficiently limited via IAM and IGA coordination.
Action: Focus on the triad of IGA, IAM, and UEBA, and build out active and passive capabilities from this foundation.
1) Assess and establish a strong identity security posture
Start by assessing your current identity security posture and identify areas for improvement. AKA Identity observes and visualizes the use of organizational resources to efficiently manage user rights to systems, data, and applications. Their Clarity Insights platform uncovers redundant controls, cuts costs, drives operational efficiencies, and lowers risk by maintaining a least-privilege posture.
SolCyber is an identity-first managed services provider that approaches organizational security posture, monitoring, and protection from an identity perspective.
2) Implement Comprehensive IGA
Next, ensure your company has a clear view of user rights and access policies. SPHERE assesses and manages the identity hygiene of an organization’s security posture, monitoring individual and group rights to access and utilize organizational information and communications resources.
“Start with clean and standardized permissions. Then you can accelerate your permissions objectives and expand coverage to achieve scalable security at a more granular level.”
Rita Gurevich, CEO and Founder of SPHERE
3) Utilize Advanced IAM
Make sure the right users have access to the right resources at the right time. 1Kosmos provides just-in-time controls to verified identities accessing restricted organizational resources.
Strata Identity observes and monitors user and group resource access and use, enabling identity policy definition and orchestration.
4) Leverage UEBA and ITDR
Develop capabilities to detect and respond to identity threats based on user behaviors. UEBA and Identity Threat Detection and Response (ITDR) are critical to monitor user behavior, detect anomalies, assess risk, and respond to identity threats. Uptycs ITDR for Cloud detects and remediates identity-based threats in cloud environments, helping companies pinpoint compromised credentials and shut down malicious sessions by revoking user permissions.