In the digital age, identity and access management (IAM) remains the basic framework of business processes, policies, and technologies that facilitate the management of electronic or digital identities. This framework allows information technology (IT) managers to control user access to critical information within their organizations.
It also ensures that access is restricted to specific individuals – at least in theory. The problem is that, in many ways, IAM was developed to be just one level above an honor system.
IAM systems can be deployed on-premises, provided by a third-party vendor through a cloud-based subscription model, or deployed in a hybrid model. Whatever the model, IAM remains only as secure as its weakest link.
To address these issues, this month the Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) published a new report, titled “Identity and Access Management: Developer and Vendor Challenges.” Authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership, its goal was to address risks that threaten critical infrastructure and national security systems.
The publication, which followed ESF’s “Identity and Access Management Recommended Best Practices Guide for Administrators,” was meant to assess and address the challenges developers and technology manufacturers now face in IAM. The guidance specifically addresses technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.
Key Challenges Ahead
The report laid out the key challenges in IAM, notably multi-factor authentication (MFA), as well as single sign-on (SSO) and federated identity management (FIM).
“MFA is widely recognized as one, if not the most, important preventative security controls available today. It provides a strong defense against various adversarial attack techniques such as password spraying, compromised password reuse, and—in some instances—phishing,” the report noted, while also highlighting a key challenge: MFA is notoriously difficult to deploy, and many organizations, small and large, still have not done so even though they recognize its value.
An additional problem that has impeded the adoption of MFA is the lack of clarity regarding the security properties that particular implementations provide. MFA deployment can also rely on user self-enrollment and some type of “one-time enrollment code” flow, and that enrollment step is itself a potential target for threat actors.
“There is the issue of ensuring SSO can enable secure MFA across all use cases, including privileged access use cases,” the report further explained, adding, “However, there are often accounts that are not federated through SSO. For example, this is frequently true of high-level admin accounts as these accounts need to configure the setup of SSO itself in relying parties. Such accounts are attractive targets for threat actors and need to be protected with MFA.”
Despite the challenges, the CISA and NSA working panel concluded, “MFA and SSO are both critical security technologies that need to be adopted securely to address key threats all enterprises face, but doing so in a secure manner today is more difficult than in the past. Through public-private partnership, this situation can be improved, and the security of all organizations further enhanced.”
Important First Steps
Admitting the problem, as they say, is the first step toward truly addressing it, a point noted by cybersecurity experts.
“CISA and NSA’s new guidelines raise concern around the ability for organizations to securely employ Multi-Factor Authentication (MFA) technologies. These guidelines underscore the need for organizations to establish stronger authentication methods,” Eduardo Azanza, CEO of cybersecurity provider Veridas, told ClearanceJobs via an email.
“Considering these guidelines, businesses must pivot toward integrating biometric authentication, such as facial or voice recognition, into their MFA process,” added Azanza. “Facial and voice recognition offer a multifaceted solution that addresses both security and user experience concerns. They are a convenient yet highly secure means for users to verify their identity without the need for external validation codes or passwords, which often lead to frustration among individuals.”
However, MFA and SSO can still be implemented in a way that can add a layer of security without undue burden on employees.
“It is important for businesses to choose vendors that are in alignment with certifications such as NIST, which evaluates the quality and security of their technologies,” Azanza explained. “With the best biometric technology, businesses can significantly improve their MFA methods and overall improve their cybersecurity posture.”