The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new 31-page document outlining best practices for identity and access management (IAM) administrators.
As the industry increasingly moves towards cloud and hybrid computing environments, managing the complexities of digital identities can be challenging. Nonetheless, the importance of IAM cannot be overstated in today’s world, where data security is more critical than ever. Meanwhile, IAM itself can be a source of vulnerability if not implemented and managed effectively.
Identity-related tactics used by threat actors
The CISA and NSA report highlighted real-world examples to illustrate the type and severity of threats targeting IAM. For example, CISA Alert (AA21-321A) revealed that advanced persistent threat (APT) actors sponsored by the Iranian government are actively exploiting IAM vulnerabilities. The alert showed how attackers can compromise credentials, escalate privileges and create new user accounts on critical infrastructure components across various sectors in the United States.
These vulnerabilities allowed actors to gain access to domain controllers, servers, workstations and directories responsible for authenticating and authorizing users and devices. With this level of access, APT actors could conduct follow-on operations like data exfiltration, encryption, ransomware and extortion.
Moreover, cyber groups are increasingly targeting Single Sign-On (SSO) technology, a critical component of IAM. By exploiting SSO functions, actors can potentially bypass traditional access controls and gain access to a broad range of resources across the organization.
IAM threat mitigation techniques
The best practices discussed in the CISA-NSA report revolved around tactics that counter threats to IAM through deterrence, prevention, detection, damage limitation and response. These techniques include:
- Identity Governance
- Environmental Hardening
- Identity Federation and Single Sign-On
- Multi-Factor Authentication
- IAM Monitoring and Auditing.
Let’s look at each of these in more detail.
Identity governance is a process that centralizes user and service accounts management based on organizational policies. This provides enhanced visibility and controls to prevent unauthorized access. Identity governance includes segregation of duties, role management, logging, access review, analytics and reporting.
As per CISA / NSA, identity governance focuses on three key user lifecycle moments within an organization:
- When a user joins: Identity governance collects biographical, position-related and credential data (certifications or clearances) from recruiting, human capital management and personnel security systems to build an identity record for the individual.
- When a user moves within the organization: If an individual’s role in the organization changes, additional entitlements are automatically granted for their new role as well as the removal of entitlements that are no longer needed.
- When a user leaves: When users leave an organization for any reason, their accounts and privileges must be promptly terminated. Identity governance can automate the disablement and removal of accounts in response to separation actions in human capital management systems or other personnel systems.
The CISA-NSA report points out that hardening the enterprise environment involves ensuring that IAM foundations and implementations are trustworthy and secure. The level of hardening required varies depending on the assets being protected. For instance, credential-issuing systems for cryptographic digital certificates or password stores are more critical since they secure authentication for entire organizations.
Environmental hardening is crucial in securing the hardware and software components surrounding an IAM solution. Some environmental hardening best practices include patching, asset management and network segmentation. Combining these with strong IAM foundations and implementations reduces the chance of a security breach and minimizes damage in the event of a breach.
CISA / NSA recommend the following immediate actions to improve environmental hardening:
- Take an inventory of all assets within the organization. Determine the cause of missing or additional unrecognized assets.
- Identify all the local identities on the assets to know who has access to which assets.
- Understand what security controls are in the enterprise environment now and what security gaps persist.
- Develop a network traffic baseline to detect network security anomalies.
Identity federation and SSO
Identity federation, which involves SSO within or between organizations, can effectively manage differences in policies and risk levels. A centralized approach to managing identities ensures compliance with organizational policies and reduces the risk of security breaches.
Identity Federation and SSO eliminate the need for users to maintain multiple identities in both internal and external directories, applications and other platforms. It removes the requirement for local identities at every asset, ensuring seamless integration with other security controls such as privileged access management for step-up authentication. This increases the confidence that only active users are allowed access, thereby enhancing security.
SSO makes life easier for users as they only need to remember one complex and hard-to-guess passphrase. It also facilitates the move to strong MFA which can potentially eliminate passwords altogether.
Authentication systems are a primary target for attackers, who seek out and exploit their vulnerabilities. They are also high-volume user interfaces and are often seen as obstacles to user productivity. As a result, the challenge for engineers is to create seamless and user-friendly authentication systems that are also highly secure against attacks.
MFA strengthens password-based authentication by requiring an additional factor, which mitigates common attacks and misuse practices. Meanwhile, passwordless authentication eliminates passwords as an attack vector.
MFA can be based on:
- Something you have (smartphone, key fob)
- Something you know (password, mother’s maiden name, etc.)
- Something you are (fingerprint or biometric facial scan).
The most secure types of MFA include fast identity online (FIDO) and public key infrastructure (PKI). FIDO stores personally identifiable information, such as biometric authentication data, locally on the user’s device. PKI uses digital certificates to verify the user’s identity and permissions.
App-based MFA solutions are of intermediate strength. App-based solutions include mobile push notifications, one-time passwords (OTPs) or token-based OTP. Meanwhile, SMS and voice messages are the least secure type of MFA.
IAM monitoring and auditing
As per the CISA / NSA report, IAM auditing and monitoring should focus on compliance checks as well as identifying threat indicators and detecting anomalous activities. This involves generating, collecting and analyzing logs, events and other data to provide effective means of identifying compliance breaches and suspicious actions.
Integrating automated tools with auditing and monitoring capabilities can help orchestrate response actions against IAM attacks. Additionally, effective reporting from these processes can provide situational awareness of an organization’s security posture regarding IAM.
Identity matters now more than ever
The new CISA / NSA guidelines build upon the experience and observation of years of IAM implementations. For any enterprise, a well-developed IAM strategy is essential for effective security.
You can read the entire CISA / NSA Best Practices report here.