In a joint venture, CISA and the NSA released a report regarding the Enduring Security Framework (ESF), an initiative led by both CISA and NSA, which emphasises a cooperative approach between public and private sectors.
Mark De Boer
October 4, 2023

https://www.cybernewscentre.com/plus-content/content/future-proofing-authentication-a-cisa-nsa-perspective

Strengthening Digital Gatekeepers: An In-depth IAM Analysis

Today, in a joint venture, CISA and the NSA released a report titled "Identity and Access Management: Developer and Vendor Challenges". This publication was crafted by the Enduring Security Framework (ESF), an initiative led by both CISA and NSA, which emphasises a cooperative approach between public and private sectors. ESF's mission is to counter threats that endanger national security and crucial infrastructure.

This new release is a follow-up to ESF's earlier publication which detailed best practices for Identity and Access Management (IAM) targeted at administrators. The current document delves into the challenges encountered by developers and tech producers regarding IAM. It particularly spotlights the technological barriers in implementing Multi-Factor Authentication (MFA) and Single Sign-On (SSO) systems effectively.

While its primary focus is on larger establishments, the advice contained can also benefit smaller entities. CISA urges all cybersecurity professionals to review this guidance and discuss its implementation with their respective software suppliers.

Executive Summary

User authentication in computing has traditionally been based on usernames and passwords. To enhance this, Multi-Factor Authentication (MFA) combines different types of evidence during an authentication attempt: something you have, something you know, and something you are. Single Sign-On (SSO), on the other hand, consolidates authentication and access management across varied systems and identity sources. When used correctly, it can boost the security assurance of the initial sign-in and monitor the authentication and authorisation information relayed between systems.

Building on ESF's prior work on IAM best practices, experts from both the government and private sectors reviewed the challenges developers and vendors face in relation to IAM. They recognised the need for a comprehensive approach to MFA and SSO as a significant obstacle, given current technology constraints.

Effective IAM entails both the right technology and processes. For secure IAM functions, vendors must offer viable solutions. It's imperative for these solutions to be interoperable, as no single provider can cater to all of an organisation's IAM needs. Collaborative efforts are essential for fruitful, secure outcomes. Proper IAM tools should enable organisations to differentiate between genuine users and unauthorised intruders.

Given that cyber adversaries often masquerade as authentic users, it's critical to identify and respond swiftly to any suspicious activities. This report underscores the technological deficiencies related to MFA and SSO adoption. The aim is to encourage developers to enhance their existing tools and even craft new ones to address these issues. The document also touches upon non-technical challenges such as the financial aspects, manpower, and the overall user experience associated with these technologies.
