CISA & NSA - Identity & Access Management (IAM) Vendor Challenges
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), in partnership with the Enduring Security Framework (ESF), published a new identity and access management (IAM) alert covering vendor and developer challenges. CISA and the NSA address the development and technology challenges that limit organizational adoption of single sign-on (SSO), from the perspective of large and sophisticated enterprise organizations. They do, however, provide best practices that smaller organizations can implement as an IAM framework. A broad IAM solution that implements multi-factor authentication (MFA) and single sign-on (SSO) is critical in managing access to mission-critical resources.
Let's explore and dive into this publication by breaking down its components in an easily digestible post!
What is Identity and Access Management (IAM)?
Identity and Access Management (IAM) comprises the processes, policies, procedures, and technology that manage users' identities to ensure both authentication (I am who I say I am) and authorization (I am allowed to use this resource), which in turn protects resources and data.
What is Multi-Factor Authentication?
Instead of relying on a username and password alone, multi-factor authentication strengthens the authentication process by requiring additional means, or factors, of authentication, such as a code sent to your phone, a push request, a secret question, or biometric data.
Multi-factor Authentication (MFA) provides a strong defense against password spraying, password re-use, and some phishing techniques. CISA has identified three challenges related to MFA implementation: definitional and policy challenges in the vendor community, deployment and adoption-related challenges, and sustainment and governance-related challenges.
What is Single Sign-On (SSO)?
In today's interconnected world, multiple services and applications may act as an identity provider. This becomes problematic when users must remember multiple usernames and passwords, often leading to username and password re-use. Single Sign-On services centralize identity management and access control, allowing a centralized provider to control authentication and authorization across multiple applications and services.
Interoperability, Collaboration, and Challenges to Consider
Effective IAM implementation requires a mix of tech and processes. CISA and the NSA encourage vendors to prioritize interoperability to solve diverse challenges. Collaboration is key, as not all vendors can solve all issues. IAM must enable legitimate access while detecting unauthorized attempts. Technical challenges in MFA and SSO, and non-tech challenges like cost and user experience, must be considered.
Key Challenges According to CISA and the NSA
In this paper, CISA and the NSA focus on the adoption challenges large organizations with significant resources face when adopting identity and access management solutions.
IAM Challenge: MFA Definitional & Policy Challenges
Limiting Confusion Around MFA
CISA and the NSA recognize that one of the main difficulties surrounding implementing an MFA solution is confusion around MFA:
Definitions and unclear policy around various flavors of MFA, which leads to a lack of understanding. This can be detrimental when evaluating different MFA solutions or articulating MFA best practices.
The availability of various authentication mechanisms and compatibility with existing systems.
Standardized terminology ensures understanding, as generic vendor terms may not align with NIST guidelines. While federal groups develop self-validation instructions, vendors are encouraged to consistently map their products to NIST requirements so that organizations have evidence to assess mappings.
Clarifying Security Properties
CISA and the NSA see a challenge in clarifying security properties:
The unclear security properties of certain implementations of MFA.
The varying MFA security levels.
SMS-based MFA is the least secure, while MFA that keeps its secrets in separate hardware is highly resistant to secret key extraction. Some MFA types, like PKI or FIDO2, resist phishing attacks due to cryptographic binding. Vendors can build trust by investing in phishing-resistant authenticators and standardizing their adoption. NIST SP 800-63 defines Authenticator Assurance Levels (AALs) as one way of classifying the relative strength of authenticators based on the security properties they provide.
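To make the "cryptographic binding" point concrete, here is an added example in Go (not code from the CISA/NSA publication or from any vendor) that models, in simplified form, why a FIDO2/WebAuthn assertion resists phishing: the browser, not the web page, writes the origin it is actually connected to into the signed client data, so the relying party can reject any assertion whose signed origin is not its own, even though the signature itself is genuine. The RP ID, origins, challenge and the look-alike domain are constructed values, and the data structures are cut down from the real WebAuthn ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData keeps the WebAuthn clientDataJSON fields that matter here
// (simplified for this example; the real structure carries more).
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"` // filled in by the browser, never by the page
}

// Assertion is what the authenticator returns (simplified).
type Assertion struct {
	RPIDHash   [32]byte // the RP ID the credential is scoped to
	ClientData []byte   // serialized ClientData
	Signature  []byte   // ECDSA over SHA-256(RPIDHash || SHA-256(ClientData))
}

// digest reproduces the data an authenticator signs, so origin and challenge
// are cryptographically bound to the signature.
func digest(rpIDHash [32]byte, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	d := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return d[:]
}

// Authenticate models browser plus authenticator. browserOrigin is whatever
// origin the user is really connected to; a phishing page cannot substitute
// the real RP's origin into the signed data.
func Authenticate(priv *ecdsa.PrivateKey, rpID, browserOrigin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return Assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(rpIDHash, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPIDHash: rpIDHash, ClientData: cd, Signature: sig}, nil
}

// Verify is the relying party's check: ceremony type, challenge (replay),
// origin (phishing), RP ID (credential scope) and signature under the key
// registered for this user.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, expectedChallenge string, a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != expectedChallenge:
		return errors.New("challenge mismatch (stale or replayed assertion)")
	case cd.Origin != expectedOrigin:
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, expectedOrigin)
	case a.RPIDHash != sha256.Sum256([]byte(rpID)):
		return errors.New("credential scoped to a different RP ID")
	case !ecdsa.VerifyASN1(pub, digest(a.RPIDHash, a.ClientData), a.Signature):
		return errors.New("signature invalid")
	}
	return nil
}

// PhishingDemo runs a legitimate login and a login captured on a constructed
// look-alike origin, returning the RP's verdict for each. The second assertion
// carries a genuine signature from the user's key, yet the RP rejects it
// because the signed origin is not its own. (A real browser would refuse that
// ceremony even earlier, since the look-alike origin is outside the RP ID's scope.)
func PhishingDemo() (legitErr, phishErr error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err
	}
	const rpID, origin, challenge = "login.example", "https://login.example", "c-1"
	legit, err := Authenticate(priv, rpID, origin, challenge)
	if err != nil {
		return err, err
	}
	legitErr = Verify(&priv.PublicKey, rpID, origin, challenge, legit)
	phished, err := Authenticate(priv, rpID, "https://login-example.test", challenge)
	if err != nil {
		return err, err
	}
	phishErr = Verify(&priv.PublicKey, rpID, origin, challenge, phished)
	return legitErr, phishErr
}

func main() {
	l, p := PhishingDemo()
	fmt.Println("legitimate login:", l)
	fmt.Println("phished login:   ", p)
}
```

The contrast with an OTP or SMS code is that those factors carry no origin at all: the same six digits are valid wherever the user types them, which is exactly what a proxying phishing page exploits. Here the origin travels inside the signed payload, so the check in Verify needs no cooperation from the user to be effective.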
IAM Challenge: MFA Adoption Challenges
CISA and the NSA see an opportunity for vendors to advance MFA adoption by:
Providing deployment support to large and complex organizations. According to CISA and the NSA, some IAM vendors need better support for robust MFA methods such as PKI and the FIDO2 standards. Even when PKI and FIDO2 are supported, there are limitations, such as PKI needing to be recognized as a true multi-factor authenticator, given its unique cryptographic keys.
There are restrictions on the types of FIDO2 authenticators that can be registered, and policy definitions based on attestation might need to be revised. Inconsistent support for the required security or protocol versions across client platforms, including iOS and Android (enrolled in Mobile Device Management), hinders widespread adoption.
Investment in user-friendly, high-assurance MFA implementations for mobile and desktop platforms is crucial for driving adoption rates. This also applies to SSO providers that consume MFA solutions, which often offer many complicated options.
CISA and the NSA encourage vendors to create and offer a diverse catalog of default configurations for end-to-end business use cases, which could further drive MFA adoption.
IAM Challenge: MFA Sustainment and Governance Challenges
CISA and the NSA see the following sustainment and governance challenges:
A lack of robust management over the full credential lifecycle in currently available MFA solutions.
Opportunities for stronger support for the governance of MFA authenticators, which is critical because strong governance over the MFA authenticator lifecycle enables higher trust in MFA when it is employed.
They encourage the broader identity and access management community to develop secure enrollment tooling to meet the MFA credential lifecycle management needs of large and complex organizations.
In the context of FIDO authenticators, additional support is needed for attestation in the enterprise context, to determine whether an authenticator was issued to a particular organization or person.
IAM Challenge: SSO and Identity Federation
The Identity Provider (IdP) has concentrated risk in an SSO environment. With this in mind, organizations must use the best security standards when designing and deploying Identity Providers (IdPs).
Complexity & Usability Challenges
CISA and the NSA have identified that organizations need help understanding the tradeoff between simplicity and complexity. Greater complexity brings costs associated with managing SSO solutions, while a simplified approach may leave some use cases unsupported, giving threat actors opportunities to exploit. Often, the tradeoff comes in the form of a weakened security posture, which directly undermines the security benefits of SSO itself.
CISA and the NSA see the following vendor opportunities to assist organizations with complexity and usability challenges:
A secure-by-default and easy-to-use SSO solution. Vendors are encouraged to provide security recommendations along with their impacts.
Opportunities to better understand the trust relationships in configurations. Vendors are encouraged to aid in the detection of insecure implementations and build awareness to improve the adoption of more secure uses of standards such as SAML.
SSO should enable secure MFA across all use cases. In the context of cloud SSO providers, vendors should offer complete MFA solutions, including phishing-resistant MFA for highly privileged users, or segregate trust. Furthermore, CISA and the NSA see an opportunity for a more robust privileged authentication flow using modern federation protocols.
Standards Improvement Opportunities
CISA and the NSA see opportunities for improvements in standardization:
Standards like RFC 8176 cover only some use cases. Other standards, such as NIST SP 800-63 and proprietary standards, exist and compete. Opportunities exist to drive MFA adoption by standardizing MFA types, focusing on complicated enterprise use cases. These include standardizing terminology and then the security properties of MFA.
Standards improvement around federation configurations, such as the OpenID Foundation's Fast Federation (FastFed) standard. These are critical for simplifying and scaling SSO adoption.
Standards improvement around identity federation assertions. Vendors should provide tools to manage the risks of assertion lifetime, assertion reuse, and assertion scope. Efforts in federation protocols and standards, such as the IETF OAuth 2.0 DPoP (Demonstrating Proof of Possession) token binding, help manage the risks of token theft and reuse and need broader industry support.
Broader support and development for protocols such as Risk Incident Sharing and Coordination (RISC) and Continuous Access Evaluation Protocol (CAEP) around shared events would enable critical use cases, such as limiting access to managed devices and quickly revoking access to compromised accounts.
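As an added example (not code from the publication, from any vendor, or from a standard's reference implementation), the following Go program shows a service-provider-side validator that enforces the three assertion risks named above, lifetime, reuse and scope, and adds a DPoP-style proof-of-possession check so that an assertion stolen in transit cannot be presented by a party that lacks the key bound to it. The assertion format, claim names, keys, nonces, timestamps and the five-minute lifetime policy are constructed assumptions for the example; it is not a JWT, SAML or DPoP implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a simplified federation assertion (constructed for this
// example; claim names follow JWT conventions, but no JWT library is used).
type Assertion struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"` // scope: the one service this assertion is for
	IssuedAt int64  `json:"iat"`
	Expires  int64  `json:"exp"`
	ID       string `json:"jti"` // unique id, the handle for reuse detection
	KeyThumb string `json:"cnf"` // thumbprint of the client's proof-of-possession key
}

// MaxLifetime is the longest issuer-granted lifetime this service accepts (assumed policy).
const MaxLifetime = 5 * time.Minute

// thumbprint names a public key by hashing its encoding, the same idea as the
// key thumbprint that DPoP binds into the token's cnf claim.
func thumbprint(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

func signBytes(priv *ecdsa.PrivateKey, data []byte) []byte {
	d := sha256.Sum256(data)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return sig
}

func verifyBytes(pub *ecdsa.PublicKey, data, sig []byte) bool {
	d := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// popInput is what the client signs to prove possession: the assertion plus a
// nonce chosen by the service, so a captured proof is useless elsewhere.
func popInput(body []byte, nonce string) []byte {
	return append(append([]byte{}, body...), nonce...)
}

// Validator is the service-provider side. seen maps jti to exp; a production
// cache would evict entries once exp plus Skew has passed.
type Validator struct {
	IssuerKey *ecdsa.PublicKey
	Audience  string
	Skew      time.Duration
	seen      map[string]int64
}

func NewValidator(issuer *ecdsa.PublicKey, audience string, skew time.Duration) *Validator {
	return &Validator{IssuerKey: issuer, Audience: audience, Skew: skew, seen: map[string]int64{}}
}

// Validate enforces scope (aud), lifetime (iat/exp and MaxLifetime), reuse
// (jti) and proof of possession by the key bound in cnf, in that order.
func (v *Validator) Validate(body, sig []byte, clientPub *ecdsa.PublicKey, nonce string, proof []byte, now time.Time) (*Assertion, error) {
	if !verifyBytes(v.IssuerKey, body, sig) {
		return nil, errors.New("issuer signature invalid")
	}
	var a Assertion
	if err := json.Unmarshal(body, &a); err != nil {
		return nil, err
	}
	iat, exp := time.Unix(a.IssuedAt, 0), time.Unix(a.Expires, 0)
	_, dup := v.seen[a.ID]
	switch {
	case a.Audience != v.Audience:
		return nil, errors.New("assertion scoped to a different audience")
	case exp.Sub(iat) > MaxLifetime:
		return nil, errors.New("assertion lifetime exceeds policy")
	case now.Before(iat.Add(-v.Skew)) || !now.Before(exp.Add(v.Skew)):
		return nil, errors.New("assertion not yet valid or expired")
	case dup:
		return nil, errors.New("assertion reused (jti already seen)")
	case thumbprint(clientPub) != a.KeyThumb:
		return nil, errors.New("presented key is not the key bound to the assertion")
	case !verifyBytes(clientPub, popInput(body, nonce), proof):
		return nil, errors.New("proof of possession invalid")
	}
	v.seen[a.ID] = a.Expires
	return &a, nil
}

// Scenario returns the verdict for a fresh presentation, the same assertion
// replayed, the assertion presented by a party holding a different key, and
// the assertion presented after expiry. Keys and times are constructed.
func Scenario() map[string]error {
	idp, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Unix(1700000000, 0)
	body, _ := json.Marshal(Assertion{Issuer: "https://idp.example", Subject: "alice", Audience: "https://sp.example",
		IssuedAt: now.Unix(), Expires: now.Add(2 * time.Minute).Unix(), ID: "jti-1", KeyThumb: thumbprint(&client.PublicKey)})
	sig := signBytes(idp, body)
	newSP := func() *Validator { return NewValidator(&idp.PublicKey, "https://sp.example", 30*time.Second) }
	res := map[string]error{}
	sp := newSP()
	_, res["fresh"] = sp.Validate(body, sig, &client.PublicKey, "n1", signBytes(client, popInput(body, "n1")), now)
	_, res["replay"] = sp.Validate(body, sig, &client.PublicKey, "n2", signBytes(client, popInput(body, "n2")), now.Add(time.Second))
	_, res["stolen"] = newSP().Validate(body, sig, &other.PublicKey, "n3", signBytes(other, popInput(body, "n3")), now)
	_, res["expired"] = newSP().Validate(body, sig, &client.PublicKey, "n4", signBytes(client, popInput(body, "n4")), now.Add(10*time.Minute))
	return res
}

func main() {
	for k, e := range Scenario() {
		fmt.Printf("%-8s %v\n", k, e)
	}
}
```

The order of the checks matters for operations as well as security: the cheap, deterministic rejections (audience, lifetime, replay) run before the signature verification of the proof, and the jti is only recorded once every check has passed, so a rejected presentation cannot poison the replay cache for a later legitimate one.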
Ecosystem Challenges
SSO integration into large and complex environments often brings challenges when integrating with legacy systems. Internally, many organizations have policies and procedures to solve these challenges, but these need to be more widely understood by the broader industry. CISA and the NSA see an opportunity for:
A broader IAM ecosystem providing a knowledge repository to solve these complex integration challenges, especially those that revolve around open standards rather than proprietary ones.
CISA and the NSA understand that SSO capabilities are often bundled with high-end enterprise offerings, which limits SSO adoption among small and medium organizations. They encourage vendors to:
Include SSO features common in high-end enterprise offerings in pricing plans targeted toward ALL business users.
Offer OAuth2 and OIDC as alternative federation protocols to SAML, to limit misconfigurations that arise from complexity.
Implement identity lifecycle management through open standards such as System for Cross-domain Identity Management (SCIM) as a core component of software developed for businesses.
Conclusion
CISA and the NSA, in partnership with the Enduring Security Framework (ESF), see opportunities to improve the adoption and deployment of identity and access management (IAM) technologies by developing new products and adopting open standards. CISA and the NSA see MFA and SSO as critical security components for all organizations.
I hope you found this analysis insightful; if you have any questions or concerns, feel free to reach out on social media.