IAM Trends and Future Outlook

July 7, 2023

Earlier this year, CISA (Cybersecurity and Infrastructure Security Agency) released their Enduring Security Framework Guidance on IAM (Identity Access Management). While we highly recommend practitioners read the document itself for its best practices and list of immediate actions, we want to discuss some of CISA’s best practices as well as their current and future trends.

We’ll summarize the most important parts of this guidance and include commentary where we think CISA’s guidance could be expanded with actionable solutions.

What is Identity Access Management and why is it important?

IAM is a combination of infrastructure and tools for organizations to manage and control access to their digital resources and services. As a whole, IAM solutions manage user identities and enforce authentication and authorization based on predefined security policies.

The fundamental goal of IAM is to control access to the organization’s assets and resources. It accomplishes this by:

  • Having an inventory of all users and assets — tracking both allows the organization to apply relevant levels of access control

  • Enforcing least privilege access — the idea that all accounts should have just enough access to function and no more

  • Monitoring and logging all user activity — once everything is trackable, you should monitor user activity for discrepancies and address any anomalous activity

CISA’s Best Practices

CISA breaks down IAM threat mitigation into five broad categories:

  • Identity Governance

  • Environmental Hardening

  • Identity Federation and Single Sign-On

  • Multi-Factor Authentication

  • IAM Monitoring and Auditing

We’ll discuss the IAM best practices in each category, with specific callouts for the following trends when relevant:

  • Integration with cloud services

  • Remote workforce and BYOD (Bring Your Own Device)

  • User experience

  • IoT devices

Identity Governance

Identity governance is the process by which an organization centralizes orchestration of its user and service accounts management in accordance with their policies. Identity governance provides organizations with better visibility to identities and access privileges, along with better controls to detect and prevent inappropriate access. It is comprised of a set of processes and policies that cover the segregation of duties, role management, logging, access review, analytics, and reporting.

— Identity Governance, Page 4 of IAM Best Practices

CISA further identifies the three most critical lifecycle events in identity governance:

  • Join – when a new user is added to the system

  • Move – when a user in the system requires changes to their roles and permissions

  • Leave – when a user leaves the system and has all roles and permissions revoked

Organizations should also ask themselves if their identity governance mitigates the following threats:

  • Phishing, spear phishing, or social engineering — if an account is compromised, how contained is the breach? Are key business processes and services protected in the case of a high-level account being compromised?

  • Insider threats — what happens if the attacker is an insider? Is the infrastructure leveraging context to limit internal users from abusing their privileges?

  • Creating accounts to maintain persistence — a key point of identity governance is to keep track of accounts; attackers may create new accounts to maintain their access. How likely is it for the organization to track creation of these new accounts and revoke their privileges? How fast can it do so?

This directly touches upon the trend of remote workforce and BYOD (Bring Your Own Device), with an additional effect on User Experience.

The Guidance: Remote Workforce, BYOD, and the User Experience

The Join, Move, Leave (JML) user lifecycle events are becoming more critical in a globalized workforce. As we see it, remote work is here to stay despite the best efforts of “return to office.” But even if certain companies manage to force a return to office, remote work also encompasses distributed workforces. Centralizing user and service accounts management will enable a better user experience, streamlining workflow productivity without compromising on security.

As an example, organizations want to ensure their IAM solutions give coworkers collaborating from India the same level of access as their US-based counterparts. Consequently, infrastructure should support remote work through good IAM identity governance components.

Environmental Hardening

Hardening the enterprise environment includes making sure the foundations and implementations of IAM are sufficiently secured, assured, and trusted. The degree of hardening will vary depending on what is being protected. For example, credential issuing systems for cryptographic digital certificates or stores of passwords are more critical since they secure authentication for entire organizations. Implementation of cryptographic mechanisms must also be sufficient to provide the level of security assumed and needed by the system.

— Environmental Hardening, Page 6 of IAM Best Practices

When hackers are testing all access points and looking for points of leverage, the infrastructure’s defense is only as good as its weakest component. The services involved with IAM solutions are an obvious target for hackers; compromise can result in access to sensitive resources and enable persistence through lateral movement.

The three steps to environmental hardening are:

  1. Manage Inventory and Assets — Understand every single component of the system, even the ones that may only be “temporary” or have “restricted privileges.” All assets should be accounted for, especially any that provide some level of reach into the system.

  2. Identify Asset Connectivity — Consider how the system is designed and the resources isolated; if X becomes compromised, what other components are likely to fail or become compromised as a result?

  3. Identify Value of Assets — The most important assets should be prioritized for protection. They should be continuously backed up (and separated), with all access gated and logged for auditing to detect anomalies. The organization’s resources should be concentrated on the “crown jewels.”

We agree with CISA on the importance of hardening the environment in which components and resources reside. By making it harder for the environment to be breached, the assets within are better protected. However, this runs straight into the Perimeter Problem: assuming that a hardened environment is enough to protect critical assets.

Going Further — The Resource Itself Is the Boundary

If the goal of environmental hardening is to protect the resources within and limit lateral movement, the National Institute of Standards and Technology (NIST) has set forth even better guidance in their Implementing a Zero Trust Architecture paper.

“Access controls can be enforced on an individual resource basis, so an attacker who has access to one resource won’t be able to use it as a springboard for reaching other resources.”

Page 4, Line 361, NIST SP 1800-35B

Whereas CISA states that you should make it harder to get into the environment where assets reside, NIST’s line states that the resource itself should be hardened. Entering the resource’s network should not provide access; the resource itself should be capable of determining if the request is authorized.

Attackers should not be able to get into a network segment and then have access to everything within that network. Instead, each individual resource and asset should be able to verify whether the request comes from an authorized, authenticated user.

As an analogy, CISA’s guidance on environmental hardening is akin to saying that “your house needs better locks and walls,” compared to NIST’s guidance that “everything in your house should be able to check who is using it and whether they should be.”

Identity Federation and Single Sign-On

Identity federation using SSO within and/or between organizations, including the utilization of identity providers, mitigates risks by centrally managing differences in policies and risk levels between the organizations and eliminates wide implementation and dependence on local identities. Without formally defining the policies and levels of trust and assurance between organizations or between multiple identity providers within an organization, the organization is susceptible to attacks based on weaknesses in each federated IAM. SSO provides a risk mitigation capability by centralizing the management and control of authentication and access across multiple systems and from multiple identity providers. Implemented properly, it can also raise the authentication assurance level required for initial sign on and can control and secure the authentication and authorization information passed between systems.

— Identity Federation and SSO, Page 10 of IAM Best Practices

Identity federation is a practice of consolidating user identity data in a single centralized location. Users do not need separate accounts in each application that they can access, but rather each application relies on the central identity service.

In other words, identity federation supports users across different environments. This usually results in giving users one account (for SSO) to access everything they need. Identity federation is distinct from user management, which is the process of managing that SSO account, determining the permissions it has, and what services or systems the user is allowed to access.

Passwords introduce the problem of password fatigue — the complex passwords required today are easily forgotten, made worse by multiple accounts. By having one account for multi-access, organizations can reduce the problems of passwords and lost accounts.

CISA recommends two immediate actions:

  • Assess if you can add SSO to each asset and resource.

  • Determine if that SSO integration can collect user context including location, device, and behavior.

Impact on Cloud Services and the Remote User Experience

As we mentioned previously, access control should be enforced on a per-resource basis. The logical next step — adding SSO to each resource for authentication — should be implemented immediately in a world dominated by cloud services.

In a sense, all cloud users are remote — their workflows and processes should be enabled and user flow trackable across all environments. That user context — location, device, behavior — should be leveraged in all of your access control decisions.

And yes, it’s possible to add SSO to every single application and resource, make it scalable, and enforce a central security policy.

Multi-Factor Authentication

Figure 3: Multi-Factor Authentication Factors, Page 14 of IAM Best Practices

Also known as MFA, this is the approach of requiring multiple elements from different categories for a user to authenticate. Many users are familiar today with needing to have a one-time password, push or email notification, physical hardware authentication device, or more in order to complete the authentication process.

The goal of MFA is to reduce the possibility of compromised credentials giving access. Passwords are so problematic that major players (like Google) are starting to push for adoption of password-less authentication flows.

CISA’s recommended actions to take now:

  • Determine the MFA solution best suited in the organization’s operating environment.

  • Implement MFA as part of the SSO solution.

  • Have an inventory of the deployed MFA authenticators.

  • Routinely test these implementations.

Integrating MFA For All Assets With An Eye Towards User Experience

Although MFA is becoming a mainstay, implementation has been mostly limited to applications designed with MFA integration in mind. As a result, many organizations don’t have MFA enabled on all of their assets.

But much like identity federation and SSO earlier, it is possible to add MFA to every single application and resource, make it scalable, and enforce a central security policy.

Keep in mind that the SSO and MFA should not necessarily be something the user dislikes. Many users see MFA as a road bump — their login process is slowed by needing to pull out a device to MFA themselves! Organizations can smooth out these experiences by looking for MFA opportunities that do not impact the user journey.

For example, user devices (such as a YubiKey) can be registered beforehand. Then, the MFA process can happen in the background if an account login comes from a pre-registered device and the user experience is not interrupted. Implementing uninterrupted MFA processes will go a long way towards obtaining user approval.

IAM Monitoring and Auditing

IAM auditing and monitoring should not only check for compliance, but also monitor for threat indicators and anomalous activities. This encompasses the generation, collection, and analysis of logs, events, and other information to provide the best means of detecting compliance related infractions and suspicious activities. Attacks such as use of stolen credentials and misuse of privileged access by insiders would not be detected in a timely manner, if at all, without an effective IAM auditing and monitoring program. These auditing and monitoring capabilities can be integrated with automated tools that orchestrate response actions to counter these IAM attacks. Effective reporting from auditing and monitoring also provide situational awareness of the security posture of an organization’s IAM.

— IAM Monitoring and Auditing, Page 22 of IAM Best Practices

What do you do when the user who is supposed to have access is also abusing that access? You implement observability with an eye towards tracking what everyone is doing with their access.

CISA considers this important because it:

  • Acts as a deterrent when users know their actions are being tracked;

  • Gives observability into how the system is being used and how misuse is attempted;

  • Detects problems through indicators and behavior changes;

  • Collects logs for evaluation towards iterative improvements of the system.

In more concrete terms, a monitoring and auditing solution mitigates both unauthorized access and insider threats. While many other aspects of IAM solutions are about protecting resources and controlling who has access, monitoring and auditing is one of the few ways of dealing with insider risks.

CISA then gives a great list of best practices for preparing this monitoring and auditing on page 23, including recommended actions to take now, paraphrased to be more actionable:

  • Establish baseline expectations of activities and actions, including procedures for confirming the legitimacy of actions.

  • Monitor and establish what are considered good and bad behaviors, including how activities are conducted. Have an understanding of where traffic would flow if an attacker is attempting to establish a foothold.

  • Monitor external traffic and interactions with previously unknown entities. Keep in mind that data exfiltration can be intentionally “low and slow” to avoid detection, and do not treat it as an accepted baseline of activity.
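To make the three monitoring actions above concrete, here is an added example (not from CISA's guidance or Pomerium's code) that builds a per-user baseline from one day of constructed audit events, then flags contact with previously unknown external entities, new account creation, and a window whose many small transfers add up to well over the baseline. The event schema and all values are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed newline-delimited JSON audit events (not real logs).
BASELINE_LOG = """
{"ts":"2023-07-05T09:00:00Z","user":"alice","action":"egress","dest":"crm.example.net","bytes":2000}
{"ts":"2023-07-05T15:00:00Z","user":"alice","action":"egress","dest":"crm.example.net","bytes":2000}
{"ts":"2023-07-05T10:00:00Z","user":"bob","action":"egress","dest":"mail.example.net","bytes":3000}
"""
WINDOW_LOG = """
{"ts":"2023-07-06T09:05:00Z","user":"alice","action":"egress","dest":"crm.example.net","bytes":2000}
{"ts":"2023-07-06T09:40:00Z","user":"alice","action":"egress","dest":"drop.example.org","bytes":4000}
{"ts":"2023-07-06T13:10:00Z","user":"alice","action":"egress","dest":"drop.example.org","bytes":4000}
{"ts":"2023-07-06T17:55:00Z","user":"alice","action":"egress","dest":"drop.example.org","bytes":4000}
{"ts":"2023-07-06T11:00:00Z","user":"bob","action":"create_account","target":"svc-backup"}
{"ts":"2023-07-06T11:30:00Z","user":"bob","action":"egress","dest":"mail.example.net","bytes":1000}
"""

def parse(log: str) -> list[dict]:
    return [json.loads(line) for line in log.strip().splitlines()]

def build_baseline(events: list[dict]):
    """Per-user set of known external destinations and total daily egress."""
    known_dests, egress = defaultdict(set), defaultdict(int)
    for e in events:
        if e["action"] == "egress":
            known_dests[e["user"]].add(e["dest"])
            egress[e["user"]] += e["bytes"]
    return known_dests, egress

def detect(baseline: list[dict], window: list[dict], ratio: float = 3.0) -> list[tuple]:
    """Compare one monitoring window (same span as the baseline) against the baseline."""
    known_dests, base_egress = build_baseline(baseline)
    findings, reported, win_egress = [], set(), defaultdict(int)
    for e in window:
        if e["action"] == "create_account":
            # Account creation is an identity-governance event worth confirming.
            findings.append(("new account", e["user"], e["target"]))
        elif e["action"] == "egress":
            if e["dest"] not in known_dests[e["user"]] and (e["user"], e["dest"]) not in reported:
                reported.add((e["user"], e["dest"]))
                findings.append(("unknown external entity", e["user"], e["dest"]))
            win_egress[e["user"]] += e["bytes"]  # accumulate; no single event is large
    for user, total in win_egress.items():
        # "Low and slow": individually small transfers, but the sum exceeds the baseline.
        if base_egress[user] and total > ratio * base_egress[user]:
            findings.append(("egress above baseline", user, total))
    return findings

if __name__ == "__main__":
    for finding in detect(parse(BASELINE_LOG), parse(WINDOW_LOG)):
        print(finding)
```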

Taking It Further: Continuously Monitor and Verify

While CISA promotes monitoring, we also want to stress the importance of verifying.

The infrastructure is recording all actions — great! But why wait until anomalous activity is brought up during audits and reviews to stop it? The system is taking in data — it should act upon it. Why isn’t the system itself verifying each request?

Too many IAM solutions don’t verify every single request because they take a shortcut — users are authenticated and authorized at the beginning of each session, and then the session is merely monitored, with all subsequent actions treated as good-to-go. This passive observation reflects a mindset of “It’s logged, wait for something to break so you can come check out the logs!”

And yet, this fails if a session token is stolen, the workstation itself is compromised, or the user is a malicious insider. The IAM solution needs to do more than monitor and log — it needs to monitor, log, and act.
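The per-resource, per-request verification argued for here (and in the SSO section above, where location and device context should feed every access decision) looks like this in an added example that is not Pomerium's or CISA's code. The policy tables, device registry and the sample session are constructed; the point is that a still-valid SSO token replayed from an unregistered device is refused by the resource itself, rather than riding on the session's first decision.

```python
from dataclasses import dataclass

# Constructed policy data (not from the page): devices each user pre-registered,
# roles each resource requires, and the regions the distributed team works from.
REGISTERED_DEVICES = {"alice": {"yubikey-a1", "laptop-a2"}, "bob": {"laptop-b7"}}
RESOURCE_ROLES = {"payroll": {"finance"}, "wiki": {"finance", "eng"}}
ALLOWED_REGIONS = {"US", "IN"}

@dataclass(frozen=True)
class Request:
    """One request as the resource sees it, with the context the SSO layer supplied."""
    user: str
    roles: frozenset
    device_id: str
    region: str
    resource: str
    token_valid: bool  # the SSO token already passed signature and expiry checks

def authorize(req: Request) -> tuple:
    """Decide this request on its own; no earlier decision for the session is reused."""
    if not req.token_valid:
        return False, "token rejected"
    if req.device_id not in REGISTERED_DEVICES.get(req.user, set()):
        # Stolen-token case: the token is fine, but the device is not the user's.
        return False, "device not registered for user"
    if req.region not in ALLOWED_REGIONS:
        return False, "region outside policy"
    required = RESOURCE_ROLES.get(req.resource)
    if required is None:
        return False, "unknown resource"
    if not (req.roles & required):
        return False, "role lacks access to resource"
    return True, "allowed"

def evaluate_session(requests: list) -> list:
    """Evaluate every request of a session independently and record each decision."""
    return [(r.resource, *authorize(r)) for r in requests]

# Constructed session: a legitimate request, then the same token replayed from an
# unknown device, then a legitimate request from the user's second registered device.
SESSION = [
    Request("alice", frozenset({"finance"}), "yubikey-a1", "US", "payroll", True),
    Request("alice", frozenset({"finance"}), "unknown-dev", "US", "payroll", True),
    Request("alice", frozenset({"finance"}), "laptop-a2", "IN", "wiki", True),
]

if __name__ == "__main__":
    for resource, ok, why in evaluate_session(SESSION):
        print(f"{resource}: {'ALLOW' if ok else 'DENY'} ({why})")
```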

Closing Thoughts — CISA’s IAM Guidance Should Combine with NIST’s Zero Trust Maturity Model

IAM maturity is a continuous process, one that can and should be combined with NIST’s zero trust maturity model. While we wish CISA had included a rubric so organizations can understand where they currently stand and have actionable steps to get to the next level, NIST’s rubric works for both purposes.

Figure: Zero Trust Maturity Model, from CISA’s Zero Trust Maturity Model

All of the relevant information is pertinent to IAM needs, and organizations are encouraged to pursue IAM maturity by implementing zero trust best practices.

© 2024 Pomerium. All rights reserved