New CISA and NSA Identity and Access Management Guidance Puts Vendors on Notice
The National Security Agency and the Cybersecurity and Infrastructure Security Agency published on October 4, 2023, a document titled Identity and Access Management: Developer and Vendor Challenges. This new IAM CISA-NSA guidance focuses on the challenges and tech gaps that are limiting the adoption and secure employment of multifactor authentication and Single Sign-On technologies within organizations.
The document was authored by a panel of public-private cross-sector partnerships working under the CISA-NSA-led Enduring Security Framework. The ESF is tasked with investigating critical infrastructure risks and national security systems. The guidance builds on their previous report, Identity and Access Management Recommended Best Practices Guide for Administrators.
SEE: 8 Best Identity and Access Management (IAM) Solutions for 2023
In an email interview with TechRepublic, Jake Williams, faculty member at IANS Research and former NSA offensive hacker, said, “The publication (it’s hard to call it guidance) highlights the challenges with comparing the features provided by vendors. CISA seems to be putting vendors on notice that they want vendors to be clear about what standards they do and don’t support in their products, especially when a vendor only supports portions of a given standard.”
Jump to:
The CISA-NSA document detailed the technical challenges related to IAM affecting developers and vendors. Specifically looking into the deployment of multifactor authentication and Single-Sign-On, the report highlights different gaps.
Definitions and policy
According to CISA and the NSA, the definitions and policies of the different variations of MFAs are unclear and confusing. The report notes there is a need for clarity to drive interoperability and standardization of different types of MFA systems. This is impacting the abilities of companies and developers to make better-informed decisions on which IAM solutions they should integrate into their environments.
Lack of clarity regarding MFA security properties
The CISA-NSA report notes that vendors are not offering clear definitions when it comes to the level of security that different types of MFAs provide, as not all MFAs offer the same security.
For example, SMS MFA are more vulnerable than hardware storage MFA technologies, while some MFA are resistant to phishing — such as those based on public key infrastructure or FIDO — while others are not.
SEE: The 10 Universal Truths of Identity and Access Management (One Identity white paper)
Lack of understanding leading to integration deficits
The CISA and NSA say that the architectures for leveraging open standard-based SSO together with legacy applications are not always widely understood. The report calls for the creation of a shared, open-source repository of open standards-based modules and patterns to solve these integration challenges to aid in adoption.
SSO features and pricing plans
SSO capabilities are often bundled with other high-end enterprise features, making them inaccessible to small and medium organizations. The solution to this challenge would require vendors to include organizational SSOs in pricing plans that include all types of businesses, regardless of size.
MFA governance and workers
Another main gap area identified is MFA governance integrity over time as workers join or leave organizations. The process known as “credential lifecycle management” often lacks available MFA solutions, the CISA-NSA report stated.
The overall confusion regarding MFA and SSO, lack of specifics and standards and gaps in support and available technologies, are all affecting the security of companies that have to deploy IAM systems with the information and services that are available to them.
“An often-bewildering list of options is available to be combined in complicated ways to support diverse requirements,” the report noted. “Vendors could offer a set of predefined default configurations, that are pre-validated end to end for defined use cases.”
Key takeaways from the CISA-NSA’s IAM report
Williams told TechRepublic that the biggest takeaway from this new publication is that IAM is extremely complex.
“There’s little for most organizations to do themselves,” Williams said, referring to the new CISA-NSA guidance. “This (document) is targeted at vendors and will certainly be a welcome change for CISOs trying to perform apples-to-apples comparisons of products.”
Deploying hardware security modules
Williams said another key takeaway is the acknowledgment that some applications will require users to implement hardware security modules to achieve acceptable security. HSMs are usually plug-in cards or external devices that connect to computers or other devices. These security devices protect cryptographic keys, perform encryption and decryption and create and verify digital signatures. HSMs are considered a robust authentication technology, typically used by banks, financial institutions, healthcare providers, government agencies and online retailers.
“In many deployment contexts, HSMs can protect the keys from disclosure in a system memory dump,” Williams said. “This is what led to highly sensitive keys being stolen from Microsoft by Chinese threat actors, ultimately leading to the compromise of State Department email.”
“CISA raises this in the context of usability vs. security, but it’s worth noting that nothing short of an HSM will adequately meet many high-security requirements for key management,” Williams warns.
Conclusions and key recommendations for vendors
The CISA-NSA document ends with a detailed section of key recommendations for vendors, which as Williams says, “puts them on notice” as to what issues they need to address. Williams highlighted the need for standardizing the terminology used so it’s clear what a vendor supports.
Chad McDonald, chief information security officer of Radiant Logic, also talked to TechRepublic via email and agreed with Williams. Radiant Logic is a U.S.-based company that focuses on solutions for identity data unification and integration, helping organizations manage, use and govern identity data.
“Modern-day workforce authentication can no longer fit one certain mold,” McDonald said. “Enterprises, especially those with employees coming from various networks and locations, require tools that allow for complex provisioning and do not limit users in their access to needed resources.”
For this to happen, a collaborative approach amongst all solutions is essential, added McDonald. “Several of CISA’s recommendations for vendors and developers not only push for a collaborative approach but are incredibly feasible and actionable.”
McDonald said the industry would welcome standard MFA terminology to allow equitable comparison of products, the prioritization of user-friendly MFA solutions for both mobile and desktop platforms to drive wider adoption and the implementation of broader support for and development of identity standards in the enterprise ecosystem.
Recommendations for vendors
Create standard MFA terminology
Regarding the use of ambiguous MFA terminology, the report recommended creating standard MFA terminology that provides clear, interoperable and standardized definitions and policies allowing organizations to make value comparisons and integrate these solutions into their environment.
Create phishing-resistant authenticators and then standardize their adoption
In response to the lack of clarity on the security properties that certain MFA implementations provide, CISA and NSA recommended additional investment by the vendor community to create phishing-resistant authenticators to provide greater defense against sophisticated attacks.
The report also concludes that simplifying and standardizing the security properties of MFA and phishing-resistant authenticators, including their form factors embedded into operating systems, “would greatly enhance the market.” CISA and NSA called for more investment to support high-assurance MFA implementations for enterprise use. These investments should be designed in a user-friendly flow, on both mobile and desktop platforms, to promote higher MFA adoption.
Develop more secure enrollment tooling
Regarding governance and self-enrollment, the report said it’s necessary to develop more secure enrollment tooling to support the complex provisioning needs of large organizations. These tools should also automatically discover and purge enrollment MFA authenticators that have not been used in a particular period of time or whose usage is not normal.
“Vendors have a real opportunity to lead the industry and build trust with product consumers with additional investments to bring such phishing-resistant authenticators to more use cases, as well as simplifying and further standardizing their adoption, including in form factors embedded into operating systems, would greatly enhance the market,” stated the CISA and the NSA.
