NSA-CISA report offers IAM guidance, addresses risks that threaten critical infrastructure, national security systems

The U.S. National Security Agency (NSA), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and industry partners, published on Wednesday a cybersecurity technical report (CTR). The NSA-CISA document provides guidance on identity and access management (IAM) to developers and vendors of multi-factor authentication (MFA) and single sign-on (SSO) technologies with actionable recommendations to address key challenges in their products. 

The CTR outlines several challenges: ambiguity in MFA terminology; lack of clarity about the security properties that particular MFA implementations provide; reliance of MFA on self-enrollment by the user and the ‘one time enrollment code flow’; and the tradeoff between SSO functionality and complexity. It also covers improvements needed in standards throughout the identity ecosystem, the lack of a shared knowledge base for integrating existing architectures and legacy applications, and the bundling of SSO capabilities with high-end enterprise features, which puts them out of reach of small and medium businesses.

The new NSA-CISA report, ‘Developer and Vendor Challenges to Identity and Access Management,’ identified that to strengthen the authentication process, MFA requires the user to present multiple elements in different categories, or ‘factors,’ as part of an authentication attempt. “These factors are something you have, something you know, and something you are.” 

Similarly, SSO provides a risk mitigation capability by centralizing the management and control of authentication and access across multiple systems and from multiple identity providers. “Implemented properly, it can raise the authentication assurance level required for initial sign on and can control and secure the authentication and authorization information passed between systems,” it added. 

This work follows the IAM best practices for administrators that the Enduring Security Framework (ESF) published in March, which was aimed at helping administrators make the best use of existing solutions. A working panel of subject matter experts from government and industry was then tasked with assessing developer and vendor challenges relating to IAM. The panel specifically identified the adoption and secure employment of MFA and SSO technologies as a key developer and vendor challenge that has been difficult to meet with currently available technology. 

While the working group recognizes the broad scope of the challenges relating to MFA and SSO, the NSA-CISA paper addresses challenges that are informed by an understanding of threats in the IAM space that are actively being exploited by adversaries. The paper is targeted at the challenges facing sophisticated organizations with substantial resources and high-end adversaries, though it also touches on some challenges that inhibit less sophisticated organizations defending against more rudimentary adversaries. 

When it comes to addressing MFA, the document highlights several significant challenges. These challenges encompass definitional and policy issues surrounding MFA in the vendor community, obstacles related to MFA adoption, and concerns regarding MFA sustainment and governance. In the realm of SSO and identity federation, the document identifies a different set of challenges. These often revolve around complexity and usability, opportunities for enhancing standards, and navigating the ecosystem challenges.

“MFA is widely recognized as one, if not the most, important preventative security controls available today. It provides a strong defense against various adversarial attack techniques such as password spraying, compromised password reuse, and—in some instances—phishing,” according to the NSA-CISA report. “However, a key challenge is that it is notoriously difficult to deploy and many organizations, small and large, still have not done so even if they recognize the value.” 

MFA deployment presents significant challenges for organizations. One major issue is the lack of clarity and consistency in definitions and policies for different MFA methods, often leading organizations to opt for seemingly easy-to-deploy options like SMS-based MFA without considering their relative security levels. To address this, standardization and interoperability are crucial, starting with the establishment of common terminology. 

To alleviate these issues, IAM vendors should collaborate on terminology standardization. Furthermore, there is a disconnect between generic vendor terminology and the technical security properties outlined by NIST (National Institute of Standards and Technology) in SP 800-63. Vendors have yet to consistently document how their products align with NIST requirements, making it challenging for organizations to evaluate their offerings.

“A second problem impeding adoption of MFA is the lack of clarity regarding the security properties that certain implementations provide,” according to the report. “In SP 800-63, NIST articulates a set of ‘Authenticator Assurance Levels’ (AALs) as one way of classifying the relative strength of authenticators based on the security properties that they provide. According to NIST, MFA is required at ‘AAL2’ and ‘AAL3.’ At its core, MFA seeks to address two classes of threat: those related to password reuse and compromise, and those related to adversarial use of phishing.”

Certain MFA methods, such as those based on public key infrastructure (PKI) or FIDO2, are resistant to phishing because the credential is cryptographically bound to the relying party: a response produced for a lookalike site is not valid for the genuine one, so there is nothing useful for an attacker to relay. 
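To make the binding concrete, here is an added example that is not part of the report or of any vendor's product. It models the two halves of a FIDO2/WebAuthn sign-in: a browser that derives the RP ID from the page's real origin and writes that origin into clientDataJSON, and a relying party that checks origin, RP ID hash, challenge and signature. All origins, credential IDs and challenges are constructed for the demo, and the authenticator's private-key signature is replaced by HMAC over a per-credential secret so the script needs only the standard library; the scoping and verification logic is what the example demonstrates.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse


class Authenticator:
    """Credentials keyed by (rp_id, credential_id). Like a real FIDO2 authenticator,
    it will not sign for an RP ID it holds no credential for."""

    def __init__(self):
        self._creds = {}  # (rp_id, cred_id) -> per-credential secret (demo stand-in)

    def make_credential(self, rp_id):
        cred_id = os.urandom(16)
        self._creds[(rp_id, cred_id)] = os.urandom(32)
        return cred_id

    def public_key_for(self, rp_id, cred_id):
        # Stand-in for the public key the RP stored at registration.
        return self._creds[(rp_id, cred_id)]

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        key = self._creds.get((rp_id, cred_id))
        if key is None:
            raise LookupError("no credential scoped to rp_id=%r" % rp_id)
        # authenticatorData (simplified): rpIdHash || flags || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        # HMAC stands in for the private-key signature over authData || hash(clientDataJSON)
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authenticator, page_origin, cred_id, challenge):
    """Client side: the browser, not the page, fixes rp_id from the real origin and
    writes the origin into clientDataJSON, so a lookalike page cannot forge either."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(
        rp_id, cred_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(expected_origin, expected_rp_id, challenge, pub,
              client_data, auth_data, sig):
    """Relying-party side: the checks from the WebAuthn assertion verification steps."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(hmac.new(pub, signed, hashlib.sha256).digest(), sig):
        return False, "bad signature"
    return True, "ok"


def run_demo():
    auth = Authenticator()
    real_origin, real_rp_id = "https://login.example.com", "login.example.com"
    cred_id = auth.make_credential(real_rp_id)            # registration ceremony
    pub = auth.public_key_for(real_rp_id, cred_id)
    results = {}

    # 1. Genuine sign-in on the real origin.
    challenge = os.urandom(16).hex()
    results["legitimate"] = rp_verify(real_origin, real_rp_id, challenge, pub,
                                      *browser_get(auth, real_origin, cred_id, challenge))

    # 2. Adversary-in-the-middle phishing page on a lookalike origin relays the
    #    real challenge to the victim. The browser scopes the request to the
    #    lookalike's RP ID, for which no credential exists: nothing to relay back.
    try:
        browser_get(auth, "https://login.examp1e.com", cred_id, challenge)
        results["phishing"] = "assertion produced (must not happen)"
    except LookupError as exc:
        results["phishing"] = str(exc)

    # 3. A captured genuine assertion replayed against a fresh RP challenge.
    captured = browser_get(auth, real_origin, cred_id, challenge)
    results["replay"] = rp_verify(real_origin, real_rp_id, os.urandom(16).hex(),
                                  pub, *captured)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(case, outcome)
```

The contrast with a one-time code is the point: an SMS or TOTP code is a value the user can be talked into typing on any site, whereas here the thing that reaches the attacker's page is scoped to the attacker's own RP ID and signed over the attacker's own origin, so the genuine relying party rejects it before the signature is even checked.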

The report identified that “vendors have a real opportunity to lead the industry and build trust with product consumers.” Additional investments “to bring such phishing-resistant authenticators to more use cases, as well as simplifying and further standardizing their adoption, including in form factors embedded into operating systems, would greatly enhance the market.”

On MFA adoption challenges, the report identified that “one such issue is support for the strongest forms of MFA, such as those based on PKI and FIDO2 standards, in vendor products. Most IAM vendors offering SSO products support both PKI and FIDO2 authentication, but some do not. And even where such support exists, it is often incomplete.”

Additional vendor investment in supporting high assurance MFA implementations for enterprise use on both mobile and desktop platforms in a maximally user-friendly flow would substantially aid in MFA adoption by organizations of all sizes, the NSA-CISA report said. 

The final category of MFA related challenges addressed is governance and sustainment of MFA over time as employees join and leave the organization. All types of authentication credentials, including passwords, must be directly associated with user identities and their directory accounts. Robust management of this process, which is often called ‘credential lifecycle management,’ is often lacking in available MFA solutions. 

Moving to SSO, the NSA-CISA document said that ‘SSO’ means a situation where an identity provider (IdP) within an organization authenticates a user and then conveys proof of that authentication to a series of applications, called relying parties (RPs), typically without requiring the user to re-authenticate for each application. “SSO is built on top of identity federation protocols such as security assertion markup language (SAML) or OpenID Connect (OIDC) that specify how authentication may be conveyed from the IdP to the RPs. These capabilities are critical for security because they make more advanced authentication, such as multi-factor authentication, or contextual authentication policies, a problem to be solved once within an organization rather than handled differently for each application,” it added. 

Balancing functionality and complexity remains a key challenge in deploying SSO technology, and the document recognizes that the tradeoff is still significant. Organizations can choose streamlined IdPs with simplified configurations that cannot support all the use cases they may face, or they can deploy sophisticated tooling that requires significant numbers of highly skilled personnel to operate securely.

The report also identified that tooling for understanding trust relationships and the impact of configuration changes could be improved. Changes to identity configurations often have organization-wide impact and thus need to be carefully controlled and managed. It also raised the issue of ensuring SSO can enable secure MFA across all use cases, including privileged access use cases. 

It also addressed open standards as a critical part of the identity ecosystem, while noting that there is room for improvement. The document focuses on several identity standards topics but is not meant to be a comprehensive list of such issues. 

“Another issue around standards concerns the strength of identity federation assertions themselves. Many identity federation protocols use bearer assertions that are vulnerable to theft and replay,” according to the NSA-CISA document. “The validity of bearer assertions, which can be significant, can increase this risk. It is important that IAM vendors and RPs carefully consider issues such as assertion lifetime, assertion reuse, and assertion scope (e.g. issuer and audience) and provide tools for system owners to easily manage this risk.”
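The four checks named in that passage (assertion lifetime, reuse, issuer and audience) are what an RP's token validation has to enforce because a bearer assertion proves nothing about who is presenting it. The following is an added example, not code from the report or from any IdP or SSO product: a validator for a compact JWS assertion that pins the issuer and audience, caps the assertion lifetime, rejects a token it has already accepted (a `jti` replay cache) and allows a small clock skew. HS256 with a shared key is used so that it runs on the standard library alone; a real IdP would sign asymmetrically and the RP would verify against the IdP's published public key. The issuer, audience, key and tokens are all constructed here.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(key, claims):
    """IdP side (constructed for the demo): HS256 compact JWS over the claims."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(sig)}"


class AssertionValidator:
    """RP side. Pins issuer and audience, caps assertion lifetime, rejects
    anything already seen (jti replay cache) and tolerates small clock skew."""

    def __init__(self, key, issuer, audience, max_lifetime=300, skew=30):
        self.key, self.issuer, self.audience = key, issuer, audience
        self.max_lifetime, self.skew = max_lifetime, skew
        self._seen = {}  # jti -> exp; pruned once the token could no longer validate anyway

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        header, body, sig = parts
        # Pin the algorithm before touching the signature: the token must not get
        # to choose "none" or a different key family.
        if json.loads(_unb64u(header)).get("alg") != "HS256":
            return False, "unexpected alg"
        expected = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64u(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64u(body))
        if claims.get("iss") != self.issuer:
            return False, "wrong issuer"
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            return False, "wrong audience"
        iat, exp, jti = claims.get("iat"), claims.get("exp"), claims.get("jti")
        if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)) or not jti:
            return False, "missing iat/exp/jti"
        if exp - iat > self.max_lifetime:
            return False, "lifetime too long"
        if now > exp + self.skew:
            return False, "expired"
        if iat > now + self.skew:
            return False, "issued in the future"
        self._seen = {j: e for j, e in self._seen.items() if e + self.skew >= now}
        if jti in self._seen:
            return False, "replayed"
        self._seen[jti] = exp
        return True, "ok"


def run_demo():
    key = b"shared-idp-rp-secret-for-demo-only"
    idp, rp, now = "https://idp.example.com", "https://app.example.com", 1_700_000_000
    v = AssertionValidator(key, issuer=idp, audience=rp)

    def claims(**over):
        base = {"iss": idp, "aud": rp, "sub": "alice", "iat": now, "exp": now + 300, "jti": "a1"}
        base.update(over)
        return base

    good = mint(key, claims())
    results = {"valid": v.validate(good, now)}
    results["replayed"] = v.validate(good, now + 5)                      # same jti presented again
    results["wrong_audience"] = v.validate(mint(key, claims(aud="https://other.example.com", jti="a2")), now)
    results["wrong_issuer"] = v.validate(mint(key, claims(iss="https://evil.example.net", jti="a3")), now)
    results["long_lifetime"] = v.validate(mint(key, claims(exp=now + 86400, jti="a4")), now)
    results["expired"] = v.validate(mint(key, claims(iat=now - 600, exp=now - 300, jti="a5")), now)
    results["tampered"] = v.validate(mint(b"attacker-key", claims(jti="a6")), now)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(case, outcome)
```

Two of the cases deserve a note. The audience check is what stops an assertion minted for one RP from being presented to another RP that trusts the same IdP, which is the "assertion scope" concern in the quote. The lifetime cap is enforced as `exp - iat`, not just `exp`, so an IdP configured to issue day-long assertions is rejected outright rather than silently accepted until they expire; a replay cache that has to remember every `jti` for a day is also far more expensive than one that remembers them for five minutes.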

It also pointed to the early-stage standards activities around sharing of within-session risk. “These protocols (RISC and CAEP) enable identity providers and relying parties to exchange signaling around risk of particular sessions. Broad support for and development of these standards in the enterprise ecosystem will enable a variety of security use cases, ranging from limiting access to managed devices to quickly revoking access when accounts are compromised,” it added. 

The NSA-CISA report said that beyond complexity and standards, integration of SSO into the enterprise is still often difficult for a variety of reasons. “For one, architectures designed for leveraging open standard based SSO together with legacy applications are not always widely understood. For example, in some organizations it is still difficult to integrate applications with an organizational IdP due to lack of talent or knowledge of architectural options.”

Additionally, the report suggested that community development by the IAM vendor ecosystem of a shared, open-source repository of open standards-based modules and patterns to solve these integration challenges would aid adoption. “Some vendors have created such repositories, but they are typically not widely embraced by multiple vendors and sometimes leverage proprietary integration points rather than open standards.”

It also outlined that, apart from capability gaps, several business practices in the market merit attention, such as the bundling of SSO capabilities with high-end enterprise features noted above.  

In conclusion, the NSA-CISA report said that the challenges in the employment of MFA and SSO technologies in enterprise environments require further work by IAM vendors and further development of RP applications. “These challenges span the spectrum from developing new product offerings to broadly adopting key ongoing standards activities. MFA and SSO are both critical security technologies that need to be adopted securely to address key threats all enterprises face, but doing so in a secure manner today is more difficult than in the past. Through public-private partnership, this situation can be improved, and the security of all organizations further enhanced.”

Last week, CISA announced that it has formally adopted the OASIS Common Security Advisory Framework (CSAF) Version 2.0 standard to issue security advisories related to ICS (industrial control systems), OT (operational technology), and medical devices. Issuing machine-readable advisories in the CSAF 2.0 format is intended to enable automation and future tooling and to drive timely remediation.
