CISA and NSA offer guidance on identity and access management.

On March 21st the US Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) released, as part of their Enduring Security Framework (ESF), Identity and Access Management Recommended Best Practices Guide for Administrators. The best practices cover:

• identity governance,
• environmental hardening,
• identity federation/single sign-on,
• multifactor authentication, and
• identity and access management (IAM) auditing and monitoring.

Background to the ESF IAM best practices: the 2021 Colonial Pipeline incident.

NSA's press release offers some background on the motivation for the document. "In 2021, Colonial Pipeline, a major Southeast oil pipeline system, suffered a major ransomware attack, disrupting the oil/gas distribution system and causing long lines at the gas station and consumer panic. Many people know about the attack and the exploitation of the company for money, but many don’t realize that the attack happened because of a leaked password, an inactive VPN account, and a lack of multifactor authentication – all of which can be summed up as poor IAM." The talking points published in conjunction with the best practices elaborate on lessons learned from the Colonial Pipeline incident.

IAM best practices fall into five categories.

The ESF's IAM best practices are organized into five categories:

1. "Identity Governance - policy-based centralized orchestration of user identity management and access control and helps support enterprise IT security and regulatory compliance;"
2. "Environmental Hardening - makes it harder for a bad actor to be successful in an attack;"
3. "Identity Federation and Single Sign-On – Identity federation across organizations addresses interoperability and partnership needs centrally. SSO allows centralized management of authentication and access thereby enabling better threat detection and response options;"
4. "Multi-Factor Authentication - uses more than one factor in the authentication process which makes it harder for a bad actor to gain access;"
5. "IAM Monitoring and Auditing - defines acceptable and expected behavior and then generates, collects, and analyzes logs to provide the best means to detect suspicious activity."

Each class of best practice is accompanied by an explanation of what it is, why it matters, and how it's implemented, with notes on the threat landscape interspersed in the discussion. An appendix to the document contains a checklist of actions organizations can take now. Reviewing and implementing these best practices would be a good way way for any organization to stay ahead of coming regulatory moves. The Enduring Security Framework is likely to remain broadly applicable.

Risks of not adopting sound IAM practices.

The recommendations are presented as practices organizations should adopt with all deliberate speed. The consequences of failing to do so are enumerated in the talking points that accompany the release. "What are the risks associated with not adopting a robust IAM program?" NSA asked, and then offered its answer. "There is significant risk in having a poor identity and access management program. Those risks include:

• "Potential fines being levied;
• "The financial cost of having to pay ransom with no guarantees that you won’t suffer a ransomware attack again;
• "The financial cost of remediation;"
• Reputational damage;
• "Uncertainty if cyber insurance will cover the loss.

"In the case of Colonial Pipeline they had to pay $5 million in ransom in order to regain control of its system. On top of that they suffered detrimental damage to their brand as fear of a gas shortage caused panic-buying and long lines at gas stations in many states leading to real shortages in certain areas. Additional cyber insurance coverage may not necessarily cover attacks especially if companies fail to establish basic hygiene controls."

Industry and access management practices: an industry view.

Gregory Webb, CEO of AppViewX, noted that human identities are now swamped by machine identities. "The release of these new best practices for Identity and Access management coming on the heels of the National Cybersecurity Strategy from the Biden-Harris Administration shows the increase in urgency for organizations to deploy a holistic approach to Identity Governance," he wrote. "With the focus on cloud migrations and digital transformations, machine identities now considerably outnumber human identities in many organizations, which leads to significant cybersecurity blind spots and business risk. To properly manage these machine identities at scale across complex hybrid multi-cloud environments, automation is required to ensure security and compliance."

Murali Palanisamy, Chief Solutions Officer and a colleague of Webb's at AppViewX, thinks the timing of the guidance is significant. "CISA and NSA’s guidance for identity and access management (IAM) comes at pivotal time as organizations struggle to implement best practices to better thwart IAM failures and compromises," Palanisamy wrote in emailed comments. "When complex passwords became difficult to remember, single sign on (SSO) was implemented to help ensure weak passwords were not used and access was secure and simplified. Now with exploits in SAML and insecure implementations of SSO, compromised SSO systems in one area can lead to compromises in many other areas that are tied to the same SSO implementation." The problem has grown complicated. "Consequently, multi-factor authentication (MFA) started to become a component of an enterprise SSO solution. And while MFA with biometric, machine identity or certificates is essential for securing access to high assurance systems and business critical applications with credential proxy or controlled access, with all the SSO implementations and MFA, we still cannot fully ensure the protection of critical accounts. This is especially true for crown jewels or critical infrastructure where you would need access using SSH to troubleshoot an SSO access failure. Leveraging PAM and SSH access using SSH certificates instead of passwords or keys enables the out-of-band authentication for admins and security teams. It is essential to track, audit and define workflows for controlling and managing these access points and provide just in time access to these accounts."