The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new 31-page document outlining best practices for identity and access management (IAM) administrators.

As the industry increasingly moves towards cloud and hybrid computing environments, managing the complexities of digital identities can be challenging. Nonetheless, the importance of IAM cannot be overstated in today’s world, where data security is more critical than ever. Meanwhile, IAM itself can be a source of vulnerability if not implemented and managed effectively.

Identity-Related Tactics Used by Threat Actors

The CISA and NSA report highlighted real-world examples to illustrate the type and severity of threats targeting IAM. For example, CISA Alert (AA21-321A) revealed that advanced persistent threat (APT) actors sponsored by the Iranian government are actively exploiting IAM vulnerabilities. The alert showed how attackers can compromise credentials, escalate privileges and create new user accounts on critical infrastructure components across various sectors in the United States.

These vulnerabilities allowed actors to gain access to domain controllers, servers, workstations and directories responsible for authenticating and authorizing users and devices. With this level of access, APT actors could conduct follow-on operations like data exfiltration, encryption, ransomware and extortion.

Moreover, cyber groups are increasingly targeting Single Sign-On (SSO) technology, a critical component of IAM. By exploiting SSO functions, actors can potentially bypass traditional access controls and gain access to a broad range of resources across the organization.

IAM Threat Mitigation Techniques

The best practices discussed in the CISA-NSA report revolved around tactics that counter threats to IAM through deterrence, prevention, detection, damage limitation and response. These techniques include:

  • Identity Governance
  • Environmental Hardening
  • Identity Federation and Single Sign-On
  • Multi-Factor Authentication
  • IAM Monitoring and Auditing

Let’s look at each of these in more detail.

Identity Governance

Identity governance is a process that centralizes the management of user and service accounts according to organizational policies. This provides enhanced visibility and controls to prevent unauthorized access. Identity governance includes segregation of duties, role management, logging, access review, analytics and reporting.

As per CISA / NSA, identity governance focuses on three key user lifecycle moments within an organization:

  • When a user joins: Identity governance collects biographical, position-related and credential data (certifications or clearances) from recruiting, human capital management and personnel security systems to build an identity record for the individual.
  • When a user moves within the organization: If an individual’s role changes, the entitlements required for the new role are automatically granted and the entitlements that are no longer needed are removed.
  • When a user leaves: When users leave an organization for any reason, their accounts and privileges must be promptly terminated. Identity governance can automate the disablement and removal of accounts in response to separation actions in human capital management systems or other personnel systems.
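As an added example (not code from the CISA/NSA report or this article), the following Python reconciles a constructed HR feed against a constructed directory snapshot for the three lifecycle moments above; the role-to-entitlement mapping is a hypothetical policy, and an enabled account with no HR record is treated as a leaver that separation never caught.

```python
# Added example (not from the CISA/NSA report): joiner/mover/leaver reconciliation.
# The HR feed, directory snapshot and role-to-entitlement policy below are constructed.

# Hypothetical policy: the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "analyst": {"vpn", "ticketing"},
    "admin": {"vpn", "ticketing", "domain-admins"},
}

def reconcile(hr, directory):
    """Return the sorted list of (action, user, entitlement-or-None) changes that bring
    the directory ({user: {"enabled", "entitlements"}}) in line with the authoritative
    HR feed ({user: {"role", "active"}}); action is create, disable, grant or revoke."""
    actions = []
    for user, rec in hr.items():
        acct = directory.get(user)
        if not rec["active"]:
            # Leaver: disable the account and strip every entitlement it still holds.
            if acct and acct["enabled"]:
                actions.append(("disable", user, None))
            actions += [("revoke", user, ent) for ent in (acct["entitlements"] if acct else ())]
            continue
        wanted = ROLE_ENTITLEMENTS.get(rec["role"], set())
        held = acct["entitlements"] if acct else set()
        if acct is None:
            # Joiner: the account is built from the HR record, then receives role entitlements.
            actions.append(("create", user, None))
        # Mover (and joiner): grant what the current role needs, revoke what it no longer needs.
        actions += [("grant", user, ent) for ent in wanted - held]
        actions += [("revoke", user, ent) for ent in held - wanted]
    # Enabled account with no HR record at all: an orphan that a separation never caught.
    for user, acct in directory.items():
        if user not in hr and acct["enabled"]:
            actions.append(("disable", user, None))
    return sorted(actions, key=lambda a: (a[1], a[0], a[2] or ""))

# Constructed sample: alice joined, bob moved analyst -> admin, carol left,
# and svc-old is an account no HR record accounts for.
HR = {
    "alice": {"role": "analyst", "active": True},
    "bob":   {"role": "admin",   "active": True},
    "carol": {"role": "analyst", "active": False},
}
DIRECTORY = {
    "bob":     {"enabled": True, "entitlements": {"vpn", "ticketing"}},
    "carol":   {"enabled": True, "entitlements": {"vpn", "ticketing", "domain-admins"}},
    "svc-old": {"enabled": True, "entitlements": {"vpn"}},
}
```

Running `reconcile(HR, DIRECTORY)` yields nine actions: alice is created and granted her role's entitlements, bob gains only domain-admins, carol is disabled and stripped of everything, and svc-old is disabled.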

Environmental Hardening

The CISA-NSA report points out that hardening the enterprise environment involves ensuring that IAM foundations and implementations are trustworthy and secure. The level of hardening required varies depending on the assets being protected. For instance, credential-issuing systems for cryptographic digital certificates or password stores are more critical since they secure authentication for entire organizations.

Environmental hardening is crucial in securing the hardware and software components surrounding an IAM solution. Some environmental hardening best practices include patching, asset management and network segmentation. Combining these with strong IAM foundations and implementations reduces the chance of a security breach and minimizes damage in the event of a breach.

CISA / NSA recommend the following immediate actions to improve environmental hardening:

  • Take an inventory of all assets within the organization. Determine the cause of missing or additional unrecognized assets.
  • Identify all the local identities on the assets to know who has access to which assets.
  • Understand what security controls are in the enterprise environment now and what security gaps persist.
  • Develop a network traffic baseline to detect network security anomalies.

Identity Federation and SSO

Identity federation, which involves SSO within or between organizations, can effectively manage differences in policies and risk levels. A centralized approach to managing identities ensures compliance with organizational policies and reduces the risk of security breaches.

Identity Federation and SSO eliminate the need for users to maintain multiple identities across internal and external directories, applications and other platforms. They remove the requirement for a local identity at every asset and integrate with other security controls, such as privileged access management for step-up authentication. This increases confidence that only active users are allowed access, thereby enhancing security.

SSO makes life easier for users as they only need to remember one complex and hard-to-guess passphrase. It also facilitates the move to strong MFA which can potentially eliminate passwords altogether.

Multi-Factor Authentication

Authentication systems are a primary target for attackers, who seek out and exploit their vulnerabilities. They are also high-volume user interfaces and are often seen as obstacles to user productivity. As a result, the challenge for engineers is to create seamless and user-friendly authentication systems that are also highly secure against attacks.

MFA strengthens password-based authentication by requiring an additional factor, which mitigates common attacks and misuse practices. Meanwhile, passwordless authentication eliminates passwords as an attack vector.

MFA can be based on:

  • Something you have (smartphone, key fob)
  • Something you know (password, mother’s maiden name, etc.)
  • Something you are (fingerprint or biometric facial scan).

The most secure types of MFA include Fast IDentity Online (FIDO) and public key infrastructure (PKI). FIDO stores personally identifiable information, such as biometric authentication data, locally on the user’s device. PKI uses digital certificates to verify the user’s identity and permissions.

App-based MFA solutions are of intermediate strength. App-based solutions include mobile push notifications, one-time passwords (OTPs) or token-based OTP. Meanwhile, SMS and voice messages are the least secure type of MFA.

IAM Monitoring and Auditing

As per the CISA / NSA report, IAM auditing and monitoring should focus on compliance checks as well as identifying threat indicators and detecting anomalous activities. This involves generating, collecting and analyzing logs, events and other data to provide effective means of identifying compliance breaches and suspicious actions.

Integrating automated tools with auditing and monitoring capabilities can help orchestrate response actions against IAM attacks. Additionally, effective reporting from these processes can provide situational awareness of an organization’s security posture regarding IAM.
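The report's monitoring goal can be made concrete with a small correlation rule. The following Python is an added example (not from the CISA/NSA report or this article): it parses constructed IAM audit lines and flags the "create an account, then escalate it" chain described in the threat section, where a newly created account is added to a privileged group within a short window. The log format, field names and the privileged-group list are assumptions made for this example.

```python
# Added example (not from the CISA/NSA report): correlating IAM audit events to flag the
# "create an account, then escalate it" pattern the report describes. Log format,
# field names and the privileged-group list are constructed for this example.
import re
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}   # assumed high-value groups
WINDOW = timedelta(hours=24)   # how soon after creation a privilege grant is suspicious

# Constructed event format: ISO timestamp, then key=value pairs (values may be quoted).
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse(line):
    m = LINE_RE.match(line.strip())
    fields = {k: (q or bare) for k, _, q, bare in KV_RE.findall(m.group("kv"))}
    fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return fields

def detect(lines):
    """Return alerts for accounts added to a privileged group within WINDOW of creation.
    Each alert: (new_account, group, creator, adder, minutes_between)."""
    created = {}      # account -> (creator, creation time), in log order
    alerts = []
    for ev in map(parse, lines):
        if ev.get("event") == "account_created":
            created[ev["target"]] = (ev["actor"], ev["ts"])
        elif ev.get("event") == "group_member_added" and ev.get("group") in PRIVILEGED_GROUPS:
            hit = created.get(ev["target"])
            if hit and timedelta(0) <= ev["ts"] - hit[1] <= WINDOW:
                mins = int((ev["ts"] - hit[1]).total_seconds() // 60)
                alerts.append((ev["target"], ev["group"], hit[0], ev["actor"], mins))
    return alerts

# Constructed sample log: one benign helpdesk onboarding, one creation followed 90 s later
# by Domain Admins membership, and a long-standing account promoted in a change window.
SAMPLE_LOG = [
    '2023-03-21T09:00:00Z actor=helpdesk event=account_created target=new.hire',
    '2023-03-21T09:00:30Z actor=helpdesk event=group_member_added target=new.hire group="VPN Users"',
    '2023-03-21T02:14:05Z actor=jdoe event=account_created target=svc-backup2',
    '2023-03-21T02:15:35Z actor=jdoe event=group_member_added target=svc-backup2 group="Domain Admins"',
    '2023-03-21T10:00:00Z actor=admin.ops event=group_member_added target=old.acct group="Domain Admins"',
]
```

Only the svc-backup2 sequence produces an alert: the onboarding touches no privileged group, and old.acct has no creation event in the window.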

Identity Matters Now More Than Ever

The new CISA / NSA guidelines build upon the experience and observation of years of IAM implementations. For any enterprise, a well-developed IAM strategy is essential for effective security.

You can read the entire CISA / NSA Best Practices report here.
