The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) this week announced new guidance for identity and access management (IAM) administrators.
A framework for the management of digital identities, IAM covers the business processes, policies, and technologies that ensure user access to data.
The basis for proper IAM involves inventorying, auditing, and tracking user identities and access, which represent daunting but necessary operations, especially with state-sponsored groups successfully exploiting vulnerabilities in IAM products and implementations, CISA and the NSA point out.
According to Verizon’s 2022 Data Breach Investigation Report, stolen credentials have been used in most of the observed web application attacks, as well as in nearly half of reported data breaches.
With advanced persistent threat (APT) actors finding critical infrastructure an appealing target, organizations in this sector “have a particular responsibility to implement, maintain, and monitor secure IAM solutions and processes to protect not only their own business functions and information but also the organizations and individuals with whom they interact,” the new guidance reads (PDF).
CISA and the NSA point out that IAM solutions should be managed, patched, and updated as any other software, to prevent vulnerability exploitation that could lead to the compromise of multiple systems and data.
“Securing IAM infrastructure is critical. Ultimately, the goal is that organizations proactively take the appropriate action to protect against an attack rather than be in the position of deploying fundamental IAM capabilities far too late,” the guidance reads.
The document provides recommendations on mitigating threat actor techniques such as the creation of new accounts, taking over accounts of former employees, vulnerability exploitation, the creation of alternative access points, exploitation of users, the compromise of passwords, accessing systems and exploiting stored credentials, exploiting default passwords, and downgrading encryption.
The guidance also includes recommended best practices for identity governance, environmental hardening, identity federation and single sign-on (SSO), multi-factor authentication (MFA), and IAM monitoring and auditing.
These recommendations cover the creation, transition, and termination of user accounts; the hardening of on-site and cloud-hosted IAM systems; network hardening; backup creation; the implementation of least privilege principles and network segmentation; the assessment of network security; the management and security of critical IAM assets; the internal management of identities; MFA implementation; and what IAM auditing and monitoring involve.
“IAM weaknesses are frequently exploited in the most insidious threats, APTs, which have led to catastrophic data breaches. The use of SSO without a good MFA foundation and secure design selections, exacerbates the damage of attacks that an organization may be vulnerable to such as password cracking and authenticator hijacking,” CISA and the NSA note.
Related: CISA Seeks Public Opinion on Cloud Application Security Guidance
Related: NSA Shares Guidance on Maturing ICAM Capabilities for Zero Trust
Related: NSA Publishes Security Guidance for Organizations Transitioning to IPv6