Our email accounts have become our identity, for better and worse. Hackers exploit this dependency by using more clever phishing lures. Until recently, enterprises have employed very complex and sophisticated mechanisms to manage and protect our corporate identities and control access to our files and other network resources.
These identity and access management tools are costly and difficult to deploy and tune. They require very specialized and skilled staff to maintain and are typically sold by vendors such as RSA, Thales/Safenet, IBM, Ping Identity and others.
What has changed recently are two programs from Microsoft and Google that are designed to help combat phishing. They are aimed at helping higher-risk users who want enterprise-grade identity and access management security without the added cost and effort of maintaining it. The two programs are called AccountGuard (Microsoft) and Advanced Security (Google).
The two programs — both of which are free by the way — are very different but can be instructive for IT managers who want to improve their own IT security. Let’s take a closer look at both of them.
Microsoft’s AccountGuard is focused mainly on elected officials, including state and local election officials and political party staff members in the US. It also supports people working at political think tanks and democracy advocacy organizations, along with US-based technology vendors that supply their products to political customers. One issue for AccountGuard is that some states have prohibitions on using it, including Colorado, Delaware, Illinois and Oklahoma.
The program began in 2018 and was designed to protect campaigns from hacking attacks and to help election officials identify and remediate cyber threats and defend elections against disinformation campaigns. To get started, you apply online with the name of your organization, the organization’s primary domain name, and your Microsoft 365 administrator’s email address.
Google’s Advanced Security has a broader scope: basically, anyone who is using its Application Suite and Gmail-related tools. Google’s focus is on doing a continuous security audit of your account and making sure that you have protected your account with various authentication methods, including multi-factor authentication (MFA) as a principal anti-phishing defense.
The additional identity and access management features include showing which mobile devices have accessed your account, whether there are any particular security incidents that Google has seen over the past month, and also verifying the particular methods you will use as additional authentication during account recoveries. This is accomplished by requiring you to use either a physical USB security key, the security key built into your Android 7.0+ phone firmware or your iPhone running iOS 10.0+ with the free Google Smart Lock app installed. Google is also focused on limiting third-party apps’ access to your emails and Drive files. The additional security also limits you to downloading apps just from the Google Play Store. There is an online application to get started with the program. (Note: the online documentation doesn’t mention the iOS app.) You can see an example of the iOS version with the “checkup” results screen shown below. Each item can be explored and resolved quickly with just a few screen taps.
Google provides only real-time security advice via its program.
Even if you don’t qualify or don’t want to participate in either program, there are a few takeaways for IT managers. First off, if you haven’t yet implemented any MFA across your organization, now is the time to do so. This is the single most important action you can take to stop phishing and account compromises, especially if you employ a smartphone authentication app such as Authy or Google Authenticator or use a USB hardware key from Yubico or Google’s Titan.
Second, timely breach notification is critical to mitigation. Numerous reports cite the average time between a typical breach and when IT finally figures it out to be months. The closer in time to the actual breach you can get, the better your chances of minimizing the damage to your data and your reputation. Both of these programs help in this area.
Third, you could use the Microsoft program as a template for designing your own mitigation policies and processes. Take a look at the various resources available on their website and see what makes sense for your particular needs.
Finally, the Google program shows IT managers that linking your Google and social media accounts to allow third-party applications access can be a security sinkhole, and having regular audits of these linked applications is a good idea, even outside of its Advanced Security program. F-Secure has this website that can help you collect your own data that has been collected by the various tech giants (including Facebook and Twitter) over time.
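One way to run the regular audit of linked applications described above, as an added example that is not from Google or the original article: it scans an export of third-party OAuth grants and reports unreviewed apps that hold Gmail or Drive scopes. The records are constructed sample data whose field names mirror the Admin SDK Directory API token resource; the allowlist and client IDs are hypothetical.

```python
import json

# Scope prefixes that let an app read mail or Drive files (Google OAuth scopes).
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.": "Gmail API access",
    "https://www.googleapis.com/auth/drive": "Drive access",
}
# Hypothetical allowlist of client IDs your organization has already reviewed.
APPROVED_CLIENT_IDS = {"1111-crm.apps.googleusercontent.com"}

# Constructed sample export, one record per (user, app) grant.
SAMPLE_EXPORT = json.dumps([
    {"userKey": "alice@example.com", "displayText": "Approved CRM",
     "clientId": "1111-crm.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "alice@example.com", "displayText": "Free PDF Converter",
     "clientId": "2222-pdf.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "bob@example.com", "displayText": "Calendar Widget",
     "clientId": "3333-cal.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "bob@example.com", "displayText": "Mail Merge Helper",
     "clientId": "4444-merge.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/drive.readonly"]},
])

def classify_scope(scope):
    """Return a label if the scope grants mail or Drive access, else None."""
    for prefix, label in SENSITIVE_SCOPES.items():
        if scope.startswith(prefix):
            return label
    return None

def audit_grants(export_json, approved=frozenset(APPROVED_CLIENT_IDS)):
    """List unreviewed apps holding mail/Drive scopes, sorted by user then app."""
    findings = []
    for grant in json.loads(export_json):
        labels = {classify_scope(s) for s in grant.get("scopes", [])} - {None}
        if labels and grant["clientId"] not in approved:
            findings.append({"user": grant["userKey"], "app": grant["displayText"],
                             "client_id": grant["clientId"], "access": sorted(labels)})
    return sorted(findings, key=lambda f: (f["user"], f["app"]))

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_EXPORT):
        print(f"{f['user']}: {f['app']} ({f['client_id']}) -> {', '.join(f['access'])}")
```

Each finding is a grant to review with the user and revoke if the app has no business need for mail or file access.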
Identity and Access Management Protects Your Organization
By taking advantage of these programs or employing their methods, you’ll enhance your organization’s applications and email security. Make use of them to protect high-profile users and remediate cyber threats promptly.
Google Screenshot Taken by Author