Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

NSA Shares Guidance on Maturing ICAM Capabilities for Zero Trust

NSA publishes recommendations on maturing identity, credential, and access management capabilities to improve cyberthreat protections.

The National Security Agency (NSA) this week published guidance to help system operators mature identity, credential, and access management (ICAM) capabilities to improve their cyberthreat protections.

Immature ICAM capabilities pose a risk to critical infrastructure, national security, and defense industrial base (DIB) systems, but improvements can be made by integrating zero trust principles and designs into enterprise networks.

Part of the national cybersecurity strategy, the adoption of zero trust is mandated by the president’s executive order on improving the nation’s cybersecurity (EO 14028) and National Security Memorandum 8 (NSM-8), which applies to federal civilian executive branch (FCEB) agencies and national security system (NSS) owners and operators.

According to the NSA, a mature zero trust framework requires the adoption of capabilities from seven different pillars, namely application/workload, automation and orchestration, device, data, network/environment, user, and visibility and analytics.

Following the 2021 guidance on the adoption of a zero trust security model, the NSA is now providing recommendations on the capability and maturity levels for the user pillar. Primarily intended for NSS owners and operators, the guidance may be useful for other system operators as well, the NSA notes.

The user pillar of zero trust, which refers to the management of user access in a dynamic risk environment, refines capabilities associated with the Federal Identity, Credential, and Access Management (FICAM) framework, which was established in 2009 to provide a common ICAM segment architecture for federal agencies to use.

Capabilities associated with the FICAM framework and user pillar include identity management, credential management, access management, federation, and governance.

These capabilities refer to the ownership, use and protection of identity information, the binding of an identity to an individual, the granting and denying of access across resources, interoperability with mission partners, and improving systems and processes to reduce risks.

Advertisement. Scroll to continue reading.

Maturing identity management, the NSA says, includes creating an inventory of users with access to critical resources, using standardized inventories that are centrally accessible, performing identity vetting, defining enterprise attribute standards, and defining risk-based attributes.

For all established identities, secure credentials should be issued – some identities may be associated with multiple credentials, depending on their roles within the organization – and the NSA recommends strong multi-factor authentication for person users and hardware-based protections for non-person entity authenticators.

Strictly managed credential lifecycles, the use of enterprise-approved, highly assured authenticators, updating user credentials to ensure compliance with NSS standards, and implementing effective procedures to quickly revoke and replace credentials when needed are steps to be taken towards a mature zero trust implementation.

The access management aspect of zero trust covers the policies and mechanisms through which only authenticated users that are authorized can access protected resources. It involves minimizing privileges to specific roles, implementing least privilege access policies and just in time / just enough access policies, adopting privileged access management (PAM) tools, providing privileged access devices/workstations to administrators, and implementing a risk adaptive access framework.

For a mature model, NSA recommends inventorying user entitlements and access policies, ensuring that all access policies are in line with least privilege principles, enabling segregation of resources, and ensuring that user access is granular to specific resources, to minimize risks.

When implementing identity federation, organizations should inventory needed partner identities, map partner identity and credential assurance levels and access policies, and establish levels of trust for the federated identities.

“Expanding and refining the FICAM roadmap under the principles of a Zero Trust security model will provide an organization with tools and processes for resisting, detecting, and responding to ever increasing threats that exploit weaknesses or gaps in their ICAM programs. The tools and processes support an operational mindset that threats exist within the nominal boundaries of their systems. Vigilance is required to ensure that risks are continually assessed and appropriate responses are enacted in a timely manner,” the NSA concludes.

Related: Cyber Insights 2023 | Zero Trust and Identity and Access Management

Related: The Ever-Increasing Issue of Cyber Threats – and the Zero Trust Answer

Related: White House Publishes Federal Zero Trust Strategy

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Funding/M&A

The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...