New Year, New IAM: A reasonable approach to Identity and Access Management in 2025
As 2024 ends, it’s the perfect time to reflect on what 2025 might bring for Identity and Access Management (IAM). This article offers practical New Year’s resolutions to enhance your company’s IAM security with achievable goals.
Here we are, approaching the end of 2024. Although the mark of year’s end is purely arbitrary, it’s only natural to reflect on what changes 2025 might bring.
As a consultant, I get a front-row seat to our clients’ journeys. Many return to us every year for their annual or even quarterly penetration tests, so I get to see firsthand what recurring changes and issues they face. This inspired me to take a different approach with this article. Instead of just talking about broad trends, I want to share New Year’s resolutions that can boost your company’s IAM security. Some are big, some are small, but all are about setting achievable goals!
New Year’s resolutions for enhancing your enterprise IAM
While many are preoccupied with the potential threats posed by AI, we must not overlook the persistent dangers of traditional attacks like phishing and password spraying. Forget Skynet—outdated software and lack of MFA are often more than enough to compromise our security.
While it’s great to stay up-to-date with current trends, they might not accurately represent the immediate challenges your organization struggles with now and will face in 2025. You need practical steps that bring you closer to the ultimate goal. I started wondering: what measures can you actually take in 2025 (since you probably won’t make a Zero Trust revolution overnight)? Let’s explore some IAM New Year’s resolutions.
Take a look at Shadow IT—In general, Shadow IT refers to applications and systems used without the knowledge and oversight of the central IT department. Since IT doesn’t manage these tools, they often lack essential security features like Single Sign-On (SSO) or even Multi-Factor Authentication (MFA), leaving sensitive data and systems vulnerable.
This year, I strongly encourage you to address Shadow IT within your organization. Start by following the money—examine transactions made with corporate credit cards and look for payments that lack clear ownership or justification.
You might discover that some apps require a paid subscription to unlock Single Sign-On capabilities (also known as the SSO tax), which might be out of your budget. Still, simply identifying such applications is beneficial: you can at least make sure that everybody uses strong passwords and enables MFA wherever possible.
Review social media accounts—Social media is now inevitable for companies, with platforms like Facebook, LinkedIn, or X playing crucial roles in marketing strategies. However, these platforms often encourage marketing departments to use personal accounts, which may be less secure due to weak passwords or a lack of MFA.
The last thing you want is a malicious attacker hijacking your company’s social media accounts. This could seriously damage your public image, or even worse, drain your funds on ads—recovering them later can be a real headache. We’ve seen it happen, and it’s not pretty.
A similar risk exists with employee benefits applications and pre-paid lunch card systems, especially around the holiday season. These systems are often managed by just one or two people, making them attractive targets for malicious actors. Due to limited oversight, they might not be properly secured, increasing the risk of unauthorized access and potential misuse.
Monitor password breaches—Password breaches are quite common, so it’s crucial to stay vigilant. Thankfully, it’s easy to keep track of them with services like Have I Been Pwned’s Domain Search. Once you verify ownership of your company domain, you can search for past breaches and get notified about any future ones. Over half of the Fortune 500 companies use this feature, and you should too.
Additionally, encourage your employees to enable breach notifications for their personal emails to further enhance security.
Review your service accounts and restrict excessive privileges—At the beginning of 2024, Midnight Blizzard showed us the importance of protecting all environments when attackers managed to infiltrate Microsoft. They gained initial access through a password spray on a non-production test tenant and then escalated their privileges via a test OAuth application with excessive permissions.
The Midnight Blizzard case shows how lucrative a target service accounts are: they allow adversaries to elevate their privileges and often operate undetected under the disguise of a service principal. Designed for non-interactive logins, service accounts typically do not use Multi-Factor Authentication. However, they can be protected in other ways:
- For services hosted in Azure, use managed identities. These identities are automatically managed by Azure and don’t require credentials.
- If managed identities are not an option, use service principals with client certificates for authentication, since they are more secure than passwords. If you must use passwords, ensure they are long, complex, and stored securely.
- Apply conditional access policies to restrict where and how service accounts can be used. For example, you can limit access to specific IP addresses or require that the service account can only be used from certain devices.
- Always enforce the Principle of Least Privilege by granting service accounts only the minimum permissions necessary to perform their specific tasks.
- Continuously monitor and audit the use of service accounts. Set up alerts for any unusual activity to detect and respond to potential security threats quickly.
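The checks above (client secrets instead of certificates, long-lived credentials, over-privileged application permissions) can be turned into a simple audit over an export of your app registrations. The script below is an added example, not code from the original article; its sample data is constructed, and the field names mirror the Microsoft Graph application object, except that permission names are used in place of the GUIDs a real export contains and the validity and high-privilege thresholds are assumed policy values.

```python
"""Audit a (constructed) export of Entra ID app registrations for the weaknesses
the resolutions above call out: password secrets instead of certificates,
long-lived secrets, and over-privileged application permissions."""
from datetime import datetime

# Constructed sample: two app registrations, fields named as in Microsoft Graph.
# NOTE (assumption): a real export carries permission GUIDs in resourceAccess[].id;
# readable names are used here so the findings are self-explanatory.
SAMPLE_APPS = [
    {"displayName": "billing-sync", "appId": "00000000-0000-0000-0000-000000000001",
     "passwordCredentials": [{"startDateTime": "2024-01-01T00:00:00Z",
                              "endDateTime": "2026-01-01T00:00:00Z"}],
     "keyCredentials": [],
     "requiredResourceAccess": [{"resourceAccess": [
         {"id": "Directory.ReadWrite.All", "type": "Role"}]}]},
    {"displayName": "log-shipper", "appId": "00000000-0000-0000-0000-000000000002",
     "passwordCredentials": [],
     "keyCredentials": [{"startDateTime": "2024-06-01T00:00:00Z",
                         "endDateTime": "2025-06-01T00:00:00Z"}],
     "requiredResourceAccess": [{"resourceAccess": [
         {"id": "AuditLog.Read.All", "type": "Role"}]}]},
]

# Assumed policy: application permissions considered too powerful for a service
# account, and the maximum credential lifetime we accept.
HIGH_PRIVILEGE_ROLES = {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                        "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"}
MAX_CREDENTIAL_DAYS = 365

def _days(start: str, end: str) -> int:
    fmt = "%Y-%m-%dT%H:%M:%S%z"
    s = datetime.strptime(start.replace("Z", "+0000"), fmt)
    e = datetime.strptime(end.replace("Z", "+0000"), fmt)
    return (e - s).days

def audit_app(app: dict) -> list[str]:
    """Return the findings for one app registration (empty list = clean)."""
    findings = []
    if app.get("passwordCredentials"):
        findings.append("uses client secret(s); prefer a certificate or managed identity")
    for cred in app.get("passwordCredentials", []) + app.get("keyCredentials", []):
        if _days(cred["startDateTime"], cred["endDateTime"]) > MAX_CREDENTIAL_DAYS:
            findings.append(f"credential valid for more than {MAX_CREDENTIAL_DAYS} days")
    for res in app.get("requiredResourceAccess", []):
        for perm in res.get("resourceAccess", []):
            if perm.get("type") == "Role" and perm["id"] in HIGH_PRIVILEGE_ROLES:
                findings.append(f"high-privilege application permission: {perm['id']}")
    return findings

def audit(apps: list[dict]) -> dict[str, list[str]]:
    return {a["displayName"]: audit_app(a) for a in apps}

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_APPS).items():
        print(name, "->", issues or ["no findings"])
```

Running it against a real export also needs the service principal's actual role assignments, since requiredResourceAccess only lists what the app requests, not what an admin has granted.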
References
- Microsoft Breach: What Happened? What Should Azure Admins Do?
- Introduction to securing Microsoft Entra service accounts – Microsoft Entra
Perform threat modeling of your company’s core identity processes—Identity management has evolved significantly over the years. What was once a straightforward username-and-password process has now transformed into a complex web of dependencies. We have onboarding processes here, provisioning workflows there… And what about offboarding? After all, it is especially important to effectively restrict a former employee’s access to sensitive data and systems.
It’s easy to overlook some intricacies while focusing on the bigger picture. There’s always a but—yes, we have Single Sign-On (SSO) implemented across most systems… but not this one. Yes, we have automated account provisioning… but this particular app doesn’t support it, so we still create accounts manually. If not properly documented, these exceptions can create security gaps and operational inefficiencies.
This year, consider conducting a threat modeling session of your company’s core identity processes and access management. Here are some questions you can use as a starting point:
- Which applications and services are integrated with your SSO? Has the security of these integrations ever been externally verified? Which applications aren’t integrated with your SSO?
- What parts of the onboarding process are automated? Are there any manual steps that could introduce potential security risks? How are roles and permissions assigned to new users?
- Does your organization maintain sufficient audit trails for all authentication attempts and access grants? How are these logs monitored and reviewed?
- What steps are involved in the password recovery process? How are temporary credentials managed and secured?
- Are users notified of password recovery attempts? How is this notification handled to ensure it reaches the legitimate user?
If any of these questions left you wondering, definitely take a look at Sebastian’s article about a light Threat Modeling methodology.
Getting ready for 2025
As we wrap up 2024, it’s a great time to reflect on how we can stay secure, especially in areas like Identity and Access Management. Remember—regular penetration tests remain the key to maintaining a good security posture!
This year brought some exciting developments, including the publication of nine OpenID Connect specifications as ISO/IEC standards. Fortunately, Multi-Factor Authentication is also no longer just an option—it’s becoming an enforced necessity. Azure and Google Cloud have started migrating to mandatory MFA, and I believe this approach will grow in popularity in 2025.
I expect to see a continued rise in the adoption of passwordless authentication and passkeys, both for enterprises and personal users. Almost two years ago, when passkeys were gaining momentum, I wrote an article about how they would impact app security and set us free. I must admit, I’m still far from being completely password-free. However, the world is gradually moving in that direction, with more and more major websites supporting passkey authentication.
Looking ahead, I’m particularly excited about the upcoming OWASP Application Security Verification Standard (ASVS) 5.0, which will feature an extensive section on OAuth and OpenID Connect. This will provide even more guidance and best practices for securing your systems.
Honestly, I suspect that most of the tips and resolutions shared in this article will likely remain relevant next year. But don’t worry, I’ll be spending the entire year preparing new insights and updates to keep you informed and ahead of the curve!