CISA and the National Security Agency (NSA) released new guidance in a report titled “Identity and Access Management: Challenges for Developers and Vendors.”
The document, authored by the Enduring Security Framework (ESF), a partnership led by CISA and NSA, focuses on solving the challenges facing identity and access management (IAM) in cybersecurity. The goal of the ESF is to thwart threats that pose risks to critical infrastructure and national security systems.
This publication follows ESF’s “Recommended Identity and Access Management Best Practices Guide for Administrators”. It provides an in-depth analysis of the challenges technology developers and manufacturers face when implementing IAM solutions.
Identity and Access Management Security Challenges
The report addresses a series of security challenges facing IAM providers:
- Multi-faceted landscape of multi-factor authentication (MFA)
- Complexities related to MFA adoption
- Sustainability and governance challenges of MFA over time
- The intricacies of single sign-on (SSO) technologies
- Critical need for secure SSO adoption
- Complexity and usability challenges
- Opportunities for improving standards
How vendors can act
The challenges of using MFA and SSO technologies in enterprise environments require additional work from IAM vendors and further development of relying party (RP) applications, the report said.
The report recommends the following key actions for vendors:
- Standardize MFA terminology
- Align products with NIST requirements
- Invest in phishing-resistant authenticators
- Support high-assurance MFA for enterprise use
- Improve registration security
- Improve SSO systems
- Implement broader support for identity standards
- Create open source solutions for integration challenges
- Make SSO capabilities accessible to small and medium-sized organizations
While the report primarily addresses the challenges faced by large, resourceful organizations in the field of cybersecurity, it offers valuable recommendations applicable to smaller entities. CISA urged cybersecurity advocates to study this guidance and work with their software vendors to effectively implement these critical recommendations.
“MFA and SSO are two critical security technologies that must be securely adopted to address the major threats that all businesses face, but doing so securely today is more difficult than in the past,” the report reads.
“Through a public-private partnership, this situation can be improved and the security of all organizations further strengthened.”