CISA and NSA Tackle IAM Security Challenges in New Report

CISA and the National Security Agency (NSA) have published new guidelines in a report titled "Identity and Access Management: Developer and Vendor Challenges."

The document, authored by the Enduring Security Framework (ESF), a partnership led by CISA and the NSA, focuses on addressing the challenges facing identity and access management (IAM) in cybersecurity. ESF's objective is to counteract threats that pose risks to critical infrastructure and national security systems.

This publication serves as a sequel to ESF's "Identity and Access Management Recommended Best Practices Guide for Administrators." It offers an in-depth analysis of the challenges that developers and technology manufacturers encounter while implementing IAM solutions.

Identity and Access Management Security Challenges

The report discusses a series of security challenges faced by IAM providers:

  • Multifaceted landscape of multi-factor authentication (MFA)

  • Complexities of MFA adoption

  • Sustainment and governance challenges of MFA over time

  • Intricacies of single sign-on (SSO) technologies

  • Critical need for secure SSO adoption

  • Complexity and usability challenges

  • Standards improvement opportunities

How Vendors Can Act

The challenges in deploying MFA and SSO technologies in enterprise environments require further work by IAM vendors and further development of relying-party (RP) applications, the report states.

The report recommends the following key actions for vendors:

  • Standardize MFA terminology

  • Align products with NIST requirements

  • Invest in phishing-resistant authenticators

  • Support high-assurance MFA for enterprise use

  • Enhance enrolment security

  • Improve SSO systems

  • Implement broader support for identity standards

  • Create open-source solutions for integration challenges

  • Make SSO capabilities accessible to small and medium organizations

While the report primarily addresses challenges faced by large, well-resourced organizations, it also offers recommendations applicable to smaller entities. CISA urged cybersecurity defenders to study the guidance and engage with their software vendors to implement its recommendations effectively.

"MFA and SSO are both critical security technologies that need to be adopted securely to address key threats all enterprises face, but doing so in a secure manner today is more difficult than in the past," reads the report.

"Through public-private partnership, this situation can be improved, and the security of all organizations further enhanced."
