Connect with us

Hi, what are you looking for?



CISA, NSA Publish Guidance on IAM Challenges for Developers, Vendors

New US government guidance details the challenges that application developers and vendors face in identity and access management (IAM).

The US cybersecurity agency CISA and the NSA have published new guidance on implementing identity and access management (IAM), focusing on the challenges that developers and vendors face.

Released half a year after guidance for IAM administrators and mainly intended for large organizations (though it serves smaller businesses as well), the new publication – named Identity and Access Management: Developer and Vendor Challenges (PDF) – focuses on best practices to help organizations reduce the impact of threats to IAM.

The document details techniques that threat actors commonly use, such as creating new accounts for persistence, taking over employee accounts, exploiting vulnerabilities to force authentication, creating alternative entry points, compromising passwords, exploiting default credentials, and obtaining access to systems to obtain stored credentials.

As the document points out, Iranian threat actors have been observed exploiting IAM vulnerabilities to compromise credentials, escalate privileges, and establish persistence. The obtained access could be leveraged for data exfiltration and encryption, and other malicious activities.

“Exploiting known IAM vulnerabilities could allow a bad actor the same access to resources as legitimate users by mimicking legitimate activity which complicates detection of the bad actor. This provides the bad actor more time to gain access to resources and elevate privileges to gain persistent access,” CISA and the NSA explain.

The two agencies also note that threat actors have been observed increasingly exploiting Single Sign-On (SSO) functions to gain access to protected resources throughout the victim organization.

“Defending against this broad spectrum of attacks requires a comprehensive IAM solution, with operational awareness of the environment to detect anomalies and attribute anomalous activity to adversary exploits,” the guidance reads.

To mitigate threats to IAM, organizations need to focus on identity governance, environmental hardening, identity federation and SSO, multi-factor authentication (MFA), and IAM monitoring and auditing, the two agencies say.

Advertisement. Scroll to continue reading.

These mitigations allow organizations to better manage user accounts, their privileges, and access to resources, secure both software and hardware around the IAM solution, simplify identity management, improve account security by not relying solely on passwords, and counter internal threats alongside external ones.

By implementing security best practices in IAM, organizations can prevent attacks such as phishing and social engineering, the creation of new accounts for persistence, unsanctioned access to sensitive data and resources, credential stuffing, and unwanted employee access to restricted resources.

CISA and the NSA encourage all organizations to review the new guidance and implement the recommended mitigations where applicable, to assess their IAM posture and risks, harden their environments, and minimize the impact of IAM weakness exploitation.

“America’s critical infrastructure is a prime target for a broad spectrum of threat sources including advanced and ongoing attacks from nation state and terrorist organizations. These threats are real, ongoing, and evolving and the cybersecurity community is especially concerned about certain credible threats to IAM and SSO,” CISA and the NSA note.

Related: CISA Releases Guidance on Adopting DDoS Mitigations

Related: NSA, CISA Issue Guidance on 5G Network Slicing Security

Related: CISA, NSA Share Guidance on Hardening Baseboard Management Controllers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...