CISA/NSA Identity and Access Management Guidelines Provide Cybersecurity Guidance for Administrators

CISA’s ongoing mission to shore up critical infrastructure cybersecurity continues with the publication of identity and access management best practices for administrators, but the information is something that potentially any security program could benefit from.

Created in partnership with the NSA, the 30-page guide covers network segmentation, hardening and management of critical IAM assets among other topics. The report notes that identity and access management vulnerabilities are a particular recent focus for certain state-backed threat groups, and that 40% of data breaches not involving user error or an insider are now facilitated by stolen credentials.

Identity and access management recommendations include environmental hardening, securing network segments with multiple layers

The identity and access management paper covers a broad range of strategies and techniques that attackers employ: takeovers of the accounts of former employees that have not been removed, forged authentication assertions, alternative access points, social engineering of employees, and probing for default passwords among them.

Defensive tactics are broken down into five core areas: identity governance, environmental hardening, identity federation/single sign-on, multi-factor authentication methods, and identity and access management auditing and regular monitoring practices. Some of this advice, such as the identity governance material, is fairly basic and is often more a matter of organizations keeping on top of accounts and privileges, something that was the key component of two different breaches involving water treatment systems in recent years.

There is some more specific advice that will likely be welcomed by smaller organizations having to think seriously about cybersecurity for the first time, however, such as the specific environmental hardening measures recommended for defending identity and access management systems. These include security risk assessments for prioritizing patching, “3-2-1” backup systems, physical and network isolation of identity and access management components, and developing network traffic baselines to determine what should be flagged as anomalous behavior.

And though it is meant to simplify logins and security, identity federation and SSO can be confusing to implement for the first time. The identity and access management guidance covers the common protocols that are available, what to look for in service provider security features, and implementation best practices.

MFA is another topic that has been hammered on repeatedly, but that some organizations are still lagging behind on. The identity and access management guidance goes over the available options in a little more technical detail than usual, and documents MFA’s strengths and limitations in terms of defending against various types of attacks (such as phishing and credential spraying).

Identity and access management monitoring is also covered, breaking down best practices to cover both insider threats and attacks from the outside. This is another area in which smaller organizations may find themselves struggling with unfamiliar material; the guidance suggests using the DARPA Anomaly Detection at Multiple Scales (ADAMS) Project and the Anomaly Detection Engine for Networks (ADEN) as starting points.
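The traffic baselines, credential spraying and monitoring points above, as an added example that is not from the article or the CISA/NSA guide: it parses constructed authentication log lines, flags successful logins that deviate from a per-account baseline of sources and hours, and separates password spraying (many accounts, few attempts each from one source) from single-account brute force. The log format, the baseline contents and the thresholds are assumptions chosen for illustration.

```python
# Added example, not from the article or the CISA/NSA guide: log format, baseline and thresholds are assumptions.
from collections import defaultdict
# Constructed sample log, one event per line: "<ISO timestamp> <user> <source IP> <result>".
SAMPLE_LOG = """\
2023-03-21T09:02:11 alice 10.0.0.5 success
2023-03-21T09:05:40 bob 10.0.0.6 success
2023-03-21T02:14:03 alice 198.51.100.7 success
2023-03-21T03:00:01 carol 203.0.113.9 failure
2023-03-21T03:00:02 dave 203.0.113.9 failure
2023-03-21T03:00:03 erin 203.0.113.9 failure
2023-03-21T03:00:04 frank 203.0.113.9 failure
2023-03-21T03:00:05 grace 203.0.113.9 failure
2023-03-21T03:10:00 bob 192.0.2.4 failure
2023-03-21T03:10:01 bob 192.0.2.4 failure
2023-03-21T03:10:02 bob 192.0.2.4 failure
"""
# Constructed per-account baseline: known source addresses and usual login hours (one shared time zone assumed).
BASELINE = {
    "alice": {"sources": {"10.0.0.5"}, "hours": range(7, 20)},
    "bob": {"sources": {"10.0.0.6"}, "hours": range(7, 20)},
}

def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts with the login hour extracted."""
    events = []
    for line in text.splitlines():
        ts, user, src, result = line.split()
        events.append({"user": user, "src": src, "hour": int(ts[11:13]), "ok": result == "success"})
    return events

def off_baseline_logins(events, baseline):
    """Successful logins from a source or at an hour the account's baseline has never seen."""
    findings = []
    for e in events:
        known = baseline.get(e["user"])
        if not e["ok"] or known is None:
            continue  # failures are handled by spraying_sources; accounts without a baseline need one first
        reasons = [r for r, bad in (("new_source", e["src"] not in known["sources"]),
                                    ("off_hours", e["hour"] not in known["hours"])) if bad]
        if reasons:
            findings.append((e["user"], e["src"], reasons))
    return findings

def spraying_sources(events, min_accounts=5, max_per_account=2):
    """Sources failing against many distinct accounts with few tries each: a spray, not single-account brute force."""
    fails = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e["ok"]:
            fails[e["src"]][e["user"]] += 1
    return sorted(src for src, per_user in fails.items() if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account)
```

The three failures against bob from 192.0.2.4 are deliberately not reported as a spray: a per-account lockout or brute-force rule covers that pattern, while the spray rule catches the low-and-slow pattern that lockouts miss.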

This sort of access management is not just about human activity, however; so-called “machine identities,” the assortment of cryptographic keys and digital credentials that allow network components to interface securely, are at least as large a part of the problem.

As Gregory Webb, CEO of AppViewX, observes: “The release of these new best practices for Identity and Access management coming on the heels of the National Cybersecurity Strategy from the Biden-Harris Administration shows the increase in urgency for organizations to deploy a holistic approach to Identity Governance. With the focus on cloud migrations and digital transformations, machine identities now considerably outnumber human identities in many organizations, which leads to significant cybersecurity blind spots and business risk. To properly manage these machine identities at scale across complex hybrid multi-cloud environments, automation is required to ensure security and compliance.”

Some critical infrastructure entities forced to modernize rapidly amidst national security focus

Critical infrastructure organizations are being peppered with both new requirements and new federal assistance as the Biden administration has made national cybersecurity one of its central issues. In some cases these are both badly needed, as small water utilities and similar entities that have never had much of a budget for cybersecurity find themselves a potential target of advanced nation-state hackers.

The identity and access management guidance is part of the NSA’s Enduring Security Framework initiative, which is essentially releasing modules of this nature on various cybersecurity areas to ensure that critical infrastructure companies have at least some sense of direction. Many of these entities need the assistance as they are also facing new security and reporting requirements, either now or in the near future as the Biden administration proceeds with a combination of executive orders and instructions via regulating agencies (such as the EPA). The recently released National Cybersecurity Strategy makes clear that more regulations are on the way for the 16 industries that CISA oversees as components of the country’s critical infrastructure.

The identity and access management guidance makes note of this in its assessment of the risks of not adhering to best practices: in addition to the costs of ransoms and remediation, critical infrastructure organizations are now looking at fines that they did not face before.

Murali Palanisamy, Chief Solutions Officer at AppViewX, notes that these organizations are now being pushed to catch up as the examples of Colonial Pipeline and JBS made clear that there can no longer be any sort of lax attitude toward cyber defense: “CISA and NSA’s guidance for identity and access management (IAM) comes at a pivotal time as organizations struggle to implement best practices to better thwart IAM failures and compromises.”

“When complex passwords became difficult to remember, single sign-on (SSO) was implemented to help ensure weak passwords were not used and access was secure and simplified. Now with exploits in SAML and insecure implementations of SSO, compromised SSO systems in one area can lead to compromises in many other areas that are tied to the same SSO implementation. Consequently, multi-factor authentication (MFA) started to become a component of an enterprise SSO solution. And while MFA with biometric, machine identity or certificates is essential for securing access to high-assurance systems and business-critical applications with credential proxy or controlled access, with all the SSO implementations and MFA, we still cannot fully ensure the protection of critical accounts. This is especially true for crown jewels or critical infrastructure where you would need access using SSH to troubleshoot an SSO access failure. Leveraging PAM and SSH access using SSH certificates instead of passwords or keys enables the out-of-band authentication for admins and security teams. It is essential to track, audit and define workflows for controlling and managing these access points and provide just-in-time access to these accounts,” observed Palanisamy.