CISA and the National Security Agency (NSA) have published new guidelines in a report called "Identity and Access Management: Developer and Vendor Challenges."
The document, authored by the Enduring Security Framework (ESF), a partnership led by CISA and the NSA, focuses on addressing the challenges facing identity and access management (IAM) in cybersecurity. ESF's objective is to counteract threats that pose risks to critical infrastructure and national security systems.
This publication serves as a sequel to ESF's "Identity and Access Management Recommended Best Practices Guide for Administrators." It offers an in-depth analysis of the challenges that developers and technology manufacturers encounter while implementing IAM solutions.
Identity and Access Management Security Challenges
The report discusses a series of security challenges faced by IAM providers:
- Multifaceted landscape of multi-factor authentication (MFA)
- Complexities of MFA adoption
- Sustainment and governance challenges of MFA over time
- Intricacies of single sign-on (SSO) technologies
- Critical need for secure SSO adoption
- Complexity and usability challenges
- Standards improvement opportunities
How Vendors Can Act
The challenges in deploying MFA and SSO technologies in enterprise environments require further work by IAM vendors and further development of relying party (RP) applications, the report states.
The report recommends the following key actions for vendors:
- Standardize MFA terminology
- Align products with NIST requirements
- Invest in phishing-resistant authenticators
- Support high-assurance MFA for enterprise use
- Enhance enrolment security
- Improve SSO systems
- Implement broader support for identity standards
- Create open-source solutions for integration challenges
- Make SSO capabilities accessible to small and medium organizations
While the report primarily addresses challenges faced by large, resourceful organizations in the cybersecurity realm, it does offer valuable recommendations applicable to smaller entities. CISA urged cybersecurity defenders to study this guidance and engage with their software vendors to implement these crucial recommendations effectively.
"MFA and SSO are both critical security technologies that need to be adopted securely to address key threats all enterprises face, but doing so in a secure manner today is more difficult than in the past," reads the report.
"Through public-private partnership, this situation can be improved, and the security of all organizations further enhanced."