May 24, 2023 By Jonathan Reed 4 min read

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new 31-page document outlining best practices for identity and access management (IAM) administrators.

As the industry increasingly moves towards cloud and hybrid computing environments, managing the complexities of digital identities can be challenging. Nonetheless, the importance of IAM cannot be overstated in today’s world, where data security is more critical than ever. Meanwhile, IAM itself can be a source of vulnerability if not implemented and managed effectively.

Identity-related tactics used by threat actors

The CISA and NSA report highlighted real-world examples to illustrate the type and severity of threats targeting IAM. For example, CISA Alert (AA21-321A) revealed that advanced persistent threat (APT) actors sponsored by the Iranian government are actively exploiting IAM vulnerabilities. The alert showed how attackers can compromise credentials, escalate privileges and create new user accounts on critical infrastructure components across various sectors in the United States.

These vulnerabilities allowed actors to gain access to domain controllers, servers, workstations and directories responsible for authenticating and authorizing users and devices. With this level of access, APT actors could conduct follow-on operations like data exfiltration, encryption, ransomware and extortion.

Moreover, cyber groups are increasingly targeting Single Sign-On (SSO) technology, a critical component of IAM. By exploiting SSO functions, actors can potentially bypass traditional access controls and gain access to a broad range of resources across the organization.

IAM threat mitigation techniques

The best practices discussed in the CISA-NSA report revolved around tactics that counter threats to IAM through deterrence, prevention, detection, damage limitation and response. These techniques include:

  • Identity Governance
  • Environmental Hardening
  • Identity Federation and Single Sign-On
  • Multi-Factor Authentication
  • IAM Monitoring and Auditing.

Let’s look at each of these in more detail.

Identity governance

Identity governance is a process that centralizes the management of user and service accounts based on organizational policies. This provides enhanced visibility and controls to prevent unauthorized access. Identity governance includes segregation of duties, role management, logging, access review, analytics and reporting.

As per CISA / NSA, identity governance focuses on three key user lifecycle moments within an organization:

  • When a user joins: Identity governance collects biographical, position-related and credential data (certifications or clearances) from recruiting, human capital management and personnel security systems to build an identity record for the individual.
  • When a user moves within the organization: If an individual’s role in the organization changes, the entitlements required by the new role are granted automatically and the entitlements that are no longer needed are removed.
  • When a user leaves: When users leave an organization for any reason, their accounts and privileges must be promptly terminated. Identity governance can automate the disablement and removal of accounts in response to separation actions in human capital management systems or other personnel systems.
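The three lifecycle moments above map directly onto a reconciliation job that compares the HR system of record with the directory. The following is an added example, not code from the CISA/NSA report; the role-to-entitlement policy, the HR feed format and the directory contents are all constructed for illustration.

```python
# Added example (not from the CISA/NSA report): derive joiner/mover/leaver
# actions by reconciling an HR feed against directory accounts.
# Role policy, HR records and directory contents are all constructed.
ROLE_ENTITLEMENTS = {  # hypothetical role-to-entitlement policy
    "analyst": {"siem-read", "ticketing"},
    "admin": {"siem-read", "ticketing", "domain-admin"},
    "hr": {"hcm-app"},
}

def reconcile(hr_feed, directory):
    """hr_feed: {user: (role, status)}; directory: {user: (role, entitlements)}.
    Returns the actions that bring the directory in line with HR."""
    actions = []
    for user, (role, status) in hr_feed.items():
        acct = directory.get(user)
        if status == "terminated":                # leaver: disable promptly
            if acct is not None:
                actions.append(("disable", user, sorted(acct[1])))
            continue
        wanted = ROLE_ENTITLEMENTS.get(role, set())
        if acct is None:                          # joiner: build the identity record
            actions.append(("create", user, sorted(wanted)))
            continue
        current_role, held = acct
        grant = sorted(wanted - held)
        revoke = sorted(held - wanted)
        if current_role != role:                  # mover: grant new, revoke stale
            actions.append(("move", user, grant, revoke))
        elif grant or revoke:                     # same role, entitlements drifted
            actions.append(("drift", user, grant, revoke))
    for user in directory:                        # account with no HR record: flag it
        if user not in hr_feed:
            actions.append(("orphan", user))
    return actions

HR_FEED = {  # constructed HR records: user -> (role, status)
    "alice": ("admin", "active"),     # mover: promoted from analyst
    "bob": ("analyst", "active"),     # same role, holds an extra entitlement
    "carol": ("hr", "terminated"),    # leaver
    "dave": ("analyst", "active"),    # joiner, no account yet
}
DIRECTORY = {  # constructed directory state: user -> (role, entitlements)
    "alice": ("analyst", {"siem-read", "ticketing"}),
    "bob": ("analyst", {"siem-read", "ticketing", "domain-admin"}),
    "carol": ("hr", {"hcm-app"}),
    "erin": ("analyst", {"siem-read"}),  # no HR record at all
}
def demo():
    return reconcile(HR_FEED, DIRECTORY)
```

Orphaned accounts are reported rather than deleted, since an account with no HR record may be a service identity that needs an owner assigned instead of removal.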

Environmental hardening

The CISA-NSA report points out that hardening the enterprise environment involves ensuring that IAM foundations and implementations are trustworthy and secure. The level of hardening required varies depending on the assets being protected. For instance, credential-issuing systems for cryptographic digital certificates or password stores are more critical since they secure authentication for entire organizations.

Environmental hardening is crucial in securing the hardware and software components surrounding an IAM solution. Some environmental hardening best practices include patching, asset management and network segmentation. Combining these with strong IAM foundations and implementations reduces the chance of a security breach and minimizes damage in the event of a breach.

CISA / NSA recommend the following immediate actions to improve environmental hardening:

  • Take an inventory of all assets within the organization. Determine the cause of missing or additional unrecognized assets.
  • Identify all the local identities on the assets to know who has access to which assets.
  • Understand what security controls are in the enterprise environment now and what security gaps persist.
  • Develop a network traffic baseline to detect network security anomalies.

Identity federation and SSO

Identity federation, which involves SSO within or between organizations, can effectively manage differences in policies and risk levels. A centralized approach to managing identities ensures compliance with organizational policies and reduces the risk of security breaches.

Identity federation and SSO eliminate the need for users to maintain multiple identities across internal and external directories, applications and other platforms. They remove the requirement for local identities at every asset and integrate with other security controls, such as privileged access management for step-up authentication. This increases confidence that only active users are allowed access, thereby enhancing security.

SSO makes life easier for users, as they only need to remember one complex and hard-to-guess passphrase. It also facilitates the move to strong MFA, which can potentially eliminate passwords altogether.

Multi-factor authentication

Authentication systems are a primary target for attackers, who seek out and exploit their vulnerabilities. They are also high-volume user interfaces and are often seen as obstacles to user productivity. As a result, the challenge for engineers is to create seamless and user-friendly authentication systems that are also highly secure against attacks.

MFA strengthens password-based authentication by requiring an additional factor, which mitigates common attacks and misuse practices. Meanwhile, passwordless authentication eliminates passwords as an attack vector.

MFA can be based on:

  • Something you have (smartphone, key fob)
  • Something you know (password, mother’s maiden name, etc.)
  • Something you are (fingerprint or biometric facial scan).

The most secure types of MFA include fast identity online (FIDO) and public key infrastructure (PKI). FIDO stores personally identifiable information, such as biometric authentication data, locally on the user’s device. PKI uses digital certificates to verify the user’s identity and permissions.

App-based MFA solutions are of intermediate strength. App-based solutions include mobile push notifications, one-time passwords (OTPs) or token-based OTP. Meanwhile, SMS and voice messages are the least secure type of MFA.

IAM monitoring and auditing

As per the CISA / NSA report, IAM auditing and monitoring should focus on compliance checks as well as identifying threat indicators and detecting anomalous activities. This involves generating, collecting and analyzing logs, events and other data to provide effective means of identifying compliance breaches and suspicious actions.

Integrating automated tools with auditing and monitoring capabilities can help orchestrate response actions against IAM attacks. Additionally, effective reporting from these processes can provide situational awareness of an organization’s security posture regarding IAM.
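One concrete monitoring check that follows from the earlier discussion of AA21-321A is correlating account-creation events with subsequent privileged group membership. The following is an added example, not code from the CISA/NSA report; the audit event format, the privileged group watch list and the sample events are all constructed.

```python
# Added example (not from the CISA/NSA report): correlate directory audit events
# to flag an account that is created and then added to a privileged group within
# a short window, the create-account-then-escalate pattern described above.
# The event format, group names and sample events are all constructed.
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # constructed watch list
WINDOW = timedelta(hours=24)

def parse(line):
    """Constructed format: '<ISO timestamp>|<event>|<actor>|<target>|<detail>'."""
    ts, event, actor, target, detail = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "actor": actor, "target": target, "detail": detail}

def detect_new_privileged_accounts(lines):
    """Return (new_account, created_by, group, minutes_after_creation) for every
    account granted privileged membership within WINDOW of its creation."""
    created = {}   # target -> (creation time, creating actor)
    hits = []
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        if ev["event"] == "USER_CREATED":
            created[ev["target"]] = (ev["ts"], ev["actor"])
        elif (ev["event"] == "GROUP_MEMBER_ADDED"
              and ev["detail"] in PRIVILEGED_GROUPS
              and ev["target"] in created):
            ts0, creator = created[ev["target"]]
            age = ev["ts"] - ts0
            if age <= WINDOW:
                hits.append((ev["target"], creator, ev["detail"],
                             int(age.total_seconds() // 60)))
    return hits

SAMPLE_LOG = [  # constructed sample events, deliberately out of order
    "2023-05-01T09:05:00|GROUP_MEMBER_ADDED|hr-provisioner|jdoe|Staff",
    "2023-05-01T01:10:00|USER_CREATED|svc-backup|helpdesk2|",
    "2023-05-01T09:00:00|USER_CREATED|hr-provisioner|jdoe|",
    "2023-05-01T01:14:00|GROUP_MEMBER_ADDED|svc-backup|helpdesk2|Domain Admins",
    "2023-05-03T09:00:00|GROUP_MEMBER_ADDED|admin1|jdoe|Domain Admins",  # > 24h later
]

def demo():
    return detect_new_privileged_accounts(SAMPLE_LOG)
```

The hit also carries the creating actor, so a service account or helpdesk identity creating and promoting users can be routed to the response playbook alongside the new account itself.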

Identity matters now more than ever

The new CISA / NSA guidelines build upon the experience and observation of years of IAM implementations. For any enterprise, a well-developed IAM strategy is essential for effective security.

You can read the entire CISA / NSA Best Practices report here.
