Identity and Access Management: Recommended Best Practices for Administrators 1
Introduction
Identity and access management (IAM) is a framework of business processes, policies, and
technologies that facilitate the management of digital identities to ensure that users only
gain access to data when they have the appropriate credentials. Beyond the physical users,
service and system accounts are also in scope for IAM and critical for IAM administrators to
manage within their organizations. Inventorying, auditing, and tracking all of these
identities and their access is imperative to ensure that proper IAM, including permissions
and active status, is executed on a regular basis. Managing the growing complexities of
digital identities can be daunting especially with industry’s push toward cloud and hybrid
computing environments; however, the need for IAM is more important today than ever. In
recent years, we have seen various nation state-led cyber operations successfully access
protected data by targeting the trust established within networks or by exploiting
vulnerabilities in IAM products and/or IAM implementations. Specifically, the critical
infrastructure within the U.S. is an attractive target for adversaries. In fact, according to
the 2022 Verizon Data Breach Investigations Report, 80% of web application attacks
leveraged stolen credentials, a technique used by both basic cyber criminals and
nation-state bad actors. Additionally, excluding breaches based on user error and insider misuse,
40% of breaches involved stolen credentials and nearly 20% involved phishing. Recent and
notable attacks include:
• In 2021, compromised credentials were used to attack and shut down the Colonial
national gas pipeline in the U.S. [1]
• In another 2021 cyberattack, an unknown attacker manipulated computer systems
in a Florida water treatment plant to increase the concentration of sodium
hydroxide in the water supply by a factor of 100. [2]
• In 2022, another attack targeted a water treatment plant in South Staffordshire,
U.K. [3]
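The introduction above asks administrators to inventory, audit, and track every identity, human and service/system accounts alike, including their permissions and active status. The following added example (not part of the CISA/NSA document) shows what such a recurring audit can look like in code: it walks a constructed identity inventory and flags stale active accounts, disabled accounts that still hold privileged roles, service accounts that permit interactive sign-in, and service credentials overdue for rotation. The thresholds, role names, field names, and sample records are all assumptions chosen for illustration.

```python
"""Added example (not the document's own code): a small identity-inventory audit
covering both human and service/system accounts. Thresholds, field names and
the sample records below are assumptions, not values from the document."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# Assumed policy thresholds (hypothetical; take these from your own IAM policy).
STALE_AFTER_DAYS = 90          # an enabled account unused this long is stale
CREDENTIAL_MAX_AGE_DAYS = 365  # service credentials older than this need rotation
PRIVILEGED_ROLES = {"admin", "domain-admin", "iam-admin"}  # assumed role names


@dataclass
class Identity:
    name: str
    kind: str                       # "user" or "service"
    enabled: bool
    roles: Set[str]
    last_sign_in: Optional[date]    # None means the account has never signed in
    credential_set_on: date         # when the current password/key was issued
    interactive_login: bool = False # only meaningful for service accounts


def audit_identities(identities, today):
    """Return (identity name, finding) pairs for every policy violation found."""
    findings = []
    for ident in identities:
        privileged = bool(ident.roles & PRIVILEGED_ROLES)
        # 1. Enabled accounts nobody uses are standing access that should be removed.
        if ident.enabled:
            if ident.last_sign_in is None:
                findings.append((ident.name, "enabled-but-never-used"))
            elif (today - ident.last_sign_in).days > STALE_AFTER_DAYS:
                findings.append((ident.name, "stale-active-account"))
        # 2. A disabled account that keeps privileged roles regains admin access the
        #    moment anyone re-enables it; strip the roles, not just the flag.
        if not ident.enabled and privileged:
            findings.append((ident.name, "disabled-with-privileged-role"))
        # 3. Service accounts should not be usable for interactive sign-in.
        if ident.kind == "service" and ident.interactive_login:
            findings.append((ident.name, "service-account-interactive-login"))
        # 4. Long-lived service credentials are the ones most often stolen and reused.
        if ident.kind == "service" and (today - ident.credential_set_on).days > CREDENTIAL_MAX_AGE_DAYS:
            findings.append((ident.name, "credential-rotation-overdue"))
    return findings


def summarize(findings):
    """Count findings by type so the audit can be tracked run over run."""
    counts = {}
    for _, finding in findings:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


# Constructed sample inventory (fictional accounts, not real data).
TODAY = date(2023, 3, 1)
SAMPLE_INVENTORY = [
    Identity("alice", "user", True, {"analyst"}, date(2023, 2, 27), date(2022, 12, 1)),
    Identity("bob", "user", True, {"admin"}, date(2022, 10, 1), date(2022, 9, 1)),
    Identity("carol", "user", False, {"domain-admin"}, date(2022, 1, 5), date(2021, 12, 1)),
    Identity("svc-backup", "service", True, {"backup-operator"}, date(2023, 2, 28), date(2021, 6, 1)),
    Identity("svc-legacy", "service", True, {"admin"}, None, date(2020, 1, 1), interactive_login=True),
]

if __name__ == "__main__":
    results = audit_identities(SAMPLE_INVENTORY, TODAY)
    for name, finding in results:
        print(f"{name:12s} {finding}")
    print(summarize(results))
```

Run against the sample inventory, the audit reports six findings: the idle admin user, the disabled domain admin that still carries its role, one overdue service credential on the backup account, and three separate problems on the legacy service account. In practice the inventory would be pulled from the directory or cloud IAM API on a schedule and the finding counts tracked over time, so that a rising number of stale or over-privileged identities is visible before an attacker finds them.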
As such, critical infrastructure organizations have a particular responsibility to
implement, maintain, and monitor secure IAM solutions and processes to protect not only
their own business functions and information but also the organizations and individuals
with whom they interact. It is important to keep in mind that IAM systems implement
credential management, authentication, and authorization functions that are foundational
to security and also very complex and subject to vulnerabilities if not implemented
correctly. Like any kind of software, IAM solutions are subject to software vulnerabilities
and must be patched, updated, and managed. A vulnerable IAM solution can facilitate
access to multiple systems and data across the organization. Therefore, securing IAM
infrastructure is critical. Ultimately, the goal is that organizations proactively take the
[1] https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
[2] https://arstechnica.com/information-technology/2021/02/breached-water-plant-employees-used-the-same-teamviewer-password-and-no-firewall/
[3] https://www.zdnet.com/article/confused-cyber-criminals-have-hacked-a-water-company-in-a-bizarre-case-of-mistaken-identity/