Embracing zero-trust: a look at the NSA’s recommended IAM best practices for administrators

The US National Security Agency and CISA have published a set of guidelines to help secure systems from access- and identity-based threats. Here’s what to look for in this wide-ranging document.

corporate security insider threat hacker spy cybersecurity human resources
Leo Wolfert/Shutterstock

By now, most of the industry has realized we’re seeing a shift from the legacy perimeter-based security model to an identity-centric approach to cybersecurity. If defenders haven’t realized this, malicious actors certainly have, with 80% of web application attacks utilizing stolen credentials and 40% of breaches that don’t involve insider threats and user error involving stolen credentials, according to sources such as the 2022 Verizon Data Breach Investigation Report.

Compromised credentials were involved in incidents such as the 2021 Colonial national gas pipeline breach, the 2021 Oldsmar Florida water treatment plant attack, and an attack on the South Staffordshire water treatment plant in the UK in 2022, illustrating that these incidents can and have spilled over from the digital realm to the physical, impacting critical infrastructure.

Luckily, we’re seeing a change in the industry to pivot to a zero-trust model of cybersecurity, underpinned by an emphasis on identity and data rather than the legacy castle-and-moat approach that preceded it and led to several decades of brittle defense and massive data breaches. This pivot includes guidance from leading organizations such as the National Security Agency (NSA), which in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA) recently released a “Recommended Best Practices for Administrations - Identity and Access Management (IAM)” guide.

The guidance opens by discussing the current threat landscape along with an overview of threat mitigation techniques. The NSA points out that some of the most common techniques used by malicious actors include activities such as creating new accounts to maintain persistence, exploiting vulnerabilities to forge authentication assertions, exploiting existing users and their access, and exploiting insecure system defaults and configurations. The guide’s most salient sections are dedicated to identity governance, environmental hardening, identity federation and single sign-on (SSO), multifactor authentication (MFA), and auditing and monitoring, which we will discuss below.

Identity governance

Identity governance helps organizations centralize and orchestrate activities associated with both user- and non-person entities (NPE) such as service accounts to align with their organizational policies. These activities cover the entire lifecycle of an account or identity, such as when an individual joins, moves, or leaves an organization or a team, triggering activities associated with their credentials and associated permissions. That same concept applies to NPEs such as machine-based identities that need credentials and permissions to carry out activities within an architecture.

Determining who has access to what and the risks associated with that access and then dynamically managing the access appropriately is no easy task. Identity governance enables a centralized approach to ensure the broad application of organizational policies, as well as mitigating risks such as identity sprawl and permission creep, in which individuals’ accounts are properly managed but their associated permissions regularly extended beyond what they actually need for their jobs. When this occurs and those credentials are compromised or abused, it can wreak havoc on organizations.

Leveraging innovative and emerging technologies, organizations can enable this governance while also taking advantage of capabilities such as conditional-based access control and dynamic least-permissive access control rather than long-lived credentials and access. Implementing identity governance can help mitigate attacks such as phishing, insider threats, and malicious actors creating accounts to maintain persistence beyond their initially compromised account. The NSA guidance also recommends utilizing privileged access management (PAM) solutions for advanced capabilities such as just-in-time access control.

Environmental hardening

Identity governance utilizes hardware, software, and digital environments to enable its implementation, and this is where environmental hardening comes into play. The NSA guidance points out that environmental hardening activities such as patching, asset management, and networking segmentation, along with other security best practices are key to mitigating the potential for compromised credentials, as well as limiting the blast radius, should an incident occur.

It is well known that malicious actors regularly try to compromise IAM components, so ensuring the security of environments in which those components operate is a key consideration. This includes performing activities such as creating a comprehensive asset inventory, understanding the connectivity of the assets you’ve identified, and protecting assets appropriately based on how critical they are to a business. You don’t apply the same level of resources and rigor to a publicly available, non-sensitive system as you do to your crown jewel systems, for example.

Identity federation and single sign-on

Knowing that credentials are a key target for malicious actors, utilizing techniques such as identity federation and single sign-on can mitigate the potential for identity sprawl, local accounts, and a lack of identity governance. This may involve extending SSO across internal systems and also externally to other systems and business partners.

SSO also brings the benefit of reducing the cognitive load and burden on users by allowing them to use a single set of credentials across systems in the enterprise, rather than needing to create and remember disparate credentials. Failing to implement identity federation and SSO inevitably leads to credential sprawl with disparate local credentials that generally aren’t maintained or governed and represent ripe targets for bad actors.

SSO is generally facilitated by protocols such as SAML or Open ID Connect (OIDC). These protocols help exchange authentication and authorization data between entities such as Identity Providers (IdP)’s and service providers. It is key for organizations utilizing SSO to understand the protocols involved as well as how the service providers involved have secured the protocols and the services themselves. The guidance provides a logical depiction of an example authorization data flow.

picture1 US National Security Agency

Best practices for implementing identity federation and SSO include knowing what systems in the environment are integrated with SSO or utilizing local identities, understanding how your trusted partners may leverage local accounts, and utilizing configuration management solutions to support identifying, tracking, and reporting on local account usage in an environment while working to get more systems federated and integrated with SSO to cut down on local account usage and its associated risks.

Multifactor authentication

By now, most CISOs should be familiar with MFA. But for those who aren’t, at a high level, MFA requires users to utilize multiple factors as part of their authentication activities. Think of a username and password plus an SMS text or code sent to an authentication app on your phone. As shown in the NSA guidance, these factors typically take the form of using something you have, know, or are (such as biometrics) as validation tools.

We know that malicious actors are after credentials to carry out their activities and the use of MFA significantly decreases the risk of compromised credentials, particularly high-assurance approaches such as phishing-resistant MFA.

MFA helps mitigate situations in which passwords have been exposed through external system compromises or by unauthorized users who convince victims to share their passwords. The use of strong MFA form factors ensures that the exposure of a username and password alone won’t leave an account compromised. The NSA guidance ranks MFA types, from weakest to strongest as SMS or voice, app-based MFA, and phishing-resistant MFA such as PKI-based systems and fast-identity hardware tokens (FIDO).

IAM auditing and monitoring

It is often said that many organizations are already compromised — they just don’t know it yet. This is where activities such as identity access management auditing and monitoring come into play, with value beyond compliance purposes: it helps identify anomalous or malicious activity present in an environment.

IAM auditing can provide insight into how systems are being used or abused, detect problems earlier in their lifecycle, aid in gathering forensic evidence which may be needed later as well as ensure privileged users know their activities are being monitored.

To prepare to implement successful and effective IAM auditing and monitoring, organizations need to first understand what normal behavior is, be familiar with organizationally defined policies and processes, as well as identify users with access to critical assets so they know what users and activities are the most critical to audit and monitor.

Organizations also need to ensure they have sufficient tooling and analytical capabilities in place to make use of the collected data and telemetry, as well as ensuring they have tooling in place to gather and consolidate it, to begin with. Organizations will also want to ensure they are not collecting noise and irrelevant data that simply distract from signals that are of real concern and pose risks to the organization.

The NSA checklist

Organizations looking to implement NSA-recommended identity and access management (IAM) protocols, the agency provides an appendix in the guidance that provides a detailed checklist for each of the areas discussed throughout this article. This provides a quick punch list approach to allow organizations to tackle the most pressing and key activities when it comes to securing their IAM processes and systems.

Copyright © 2023 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)