Reflections on new IAM Guidelines from NSA and CISA

I enjoy listening to podcasts of all sorts, and the CyberWire Daily has always been one of my favorites for coverage of what is happening in our industry. On Friday, October 6th, the CyberWire podcast covered a new publication from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) on “Developer and Vendor Challenges: Identity and Access Management.” This report is a valuable read for IAM professionals.

Here are some key takeaways that stood out to me as a professional who has worked in cybersecurity from my start in the Israeli Navy to my time working on the vendor side for over 20 years, most of that time in the IAM realm.

1-Vendors need to do more to get MFA adopted

The report highlights some critical challenges organizations face as they aim to deploy MFA. One notable challenge is the lack of clarity and standardization in vendor terminology, which leads to confusion when implementing MFA solutions. Secondly, there is a lack of understanding of the security properties of different MFA implementations. While all forms of MFA offer some protection against password reuse and compromise, their levels of security vary. For instance, SMS-based MFA is considered among the least secure options as it is vulnerable to attacks that may expose the one-time code to threat actors.

Another significant challenge is the governance of MFA over time, especially as employees join and leave the organization. This includes managing the “credential lifecycle,” often lacking in MFA solutions, and dealing with potential security risks during user self-enrollment. There’s a need for more secure enrollment tools to support the complex provisioning needs of large organizations, enhance tools for automatically discovering and purging unused MFA authenticators, and improve user behavior analysis for better governance of MFA authenticators.

2-Changes to identity configurations need to be better managed

Single sign on (SSO) and federated identity management are significant steps forward from the early days of my career when organizations used a system known as “same sign-on.” This was a big hassle for end users and an even bigger security risk for organizations. However, the report rightfully points out that single sign on (SSO) concentrates “risk into the identity provider (IdP) as the source of trust.”

Improvements are needed in tooling for understanding trust relationships and the effects of configuration changes, which often have organization-wide impact. Careful control and management are required, especially since an attacker who can gain privileged access to an IdP can then move on to make configuration changes to the IdP with devastating consequences. A good case in point is the recent breach of MGM and Caesar’s Palace, where threat actors used social engineering to attain a highly privileged IdP role to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization.

3-Ecosystem issues need to be addressed

The report points out that many SaaS applications bundle SSO with other high-end “enterprise” features, making them inaccessible to small and medium organizations. This business approach denies these organizations the security enhancements of MFA and the essential features that come with the implementation of SSO. It’s based on the incorrect belief that SSO is a feature exclusive to “enterprises.”

Additionally, as the report details, a larger number of SSO vendors must support more secure federation protocols. When single sign-on (SSO) is used, SAML is often the sole protocol option available. However, SAML has its own security challenges requiring careful configuration. I agree with the report’s recommendation that supporting OAuth2 and OpenID Connect (OIDC) as alternative federation protocols would be beneficial. OIDC was designed to address several technical issues with SAML, and its broader adoption could help reduce security issues related to SAML.

One last point in the report that I agree with is the conclusion that “No single vendor can solve all IAM challenges an organization can face.” My co-founder, Ankur Panchbudhe, and I have kept that idea front and center in founding AuthMind.

When we started, we were initially working on some innovations in the areas of MFA, but in talking to CISOs, we realized that this wasn’t the most significant pain point IAM teams needed to address. Instead, they needed help addressing many of the challenges covered in the report from the NSA and CISA, such as identifying users who have bypassed MFA and surfacing misconfigurations of their IdP that could put their organizations at risk.

That is why AuthMind has built an identity SecOps platform that delivers identity security posture management (ISPM) and identity threat detection and response (ITDR), enabling organizations to analyze and deliver actionable identity risk information to improve the resiliency of their IAM operations.

Interested in sharing your thoughts on the report or learning more about AuthMind? Don’t hesitate to reach out!