The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly released a document that aims to improve identity and access management (IAM) practices. Titled “Identity and Access Management: Recommended Best Practices for Administrators,” it was produced under the Enduring Security Framework (ESF) and distills CISA’s IAM and cybersecurity guidance, which is itself grounded in NIST standards.
Protecting critical infrastructure and services has become increasingly important as cyberattacks continue to target these vital systems. From the ransomware attack on Colonial Pipeline to the attempt to tamper with the water supply of a Florida city, and the attacks on Ukraine’s power grid, the need for robust cybersecurity measures is evident. These attacks not only threaten sensitive information and processes but can also endanger the lives of millions of people.
In response to this urgent need, the release of the ESF guidance on IAM best practices for the private sector is a significant step forward. Given how readily earlier NIST recommendations were adopted into private-industry standards and guidelines, this document is likely to become a de facto reference for regulators and auditors in the sector.
The ESF guidance focuses on educating and providing clarification on common cybersecurity terms, illuminating current threats, and offering strategies for maintaining security. Several key areas stand out in this guidance:
1. Protecting operational technology (OT) is essential: The document does a good job of setting a common baseline for IAM practice in IT environments, but it offers little that is specific to the energy, manufacturing, and other sectors that depend on OT. A revision should address the particular needs and constraints of the OT space, where safeguarding these systems from threats without disrupting them is the priority.
2. Network segmentation and OT-specific considerations: Although network segmentation is mentioned in the guidance, it is treated as a checklist item rather than explored in depth. Future revisions should expand on network design, in particular the need for one-way (unidirectional) traffic flows and true network isolation. These techniques, together with syslog and telemetry reporting from OT devices, are crucial to securing OT systems but are often overlooked in broader IT practice.
3. Importance of identity life-cycle management programs: Identity life-cycle management, also known as “joiners, movers, and leavers,” deserves more expansion and guidance. As tooling matures, assigning granular access becomes more achievable. Zero-trust practices depend on mature identity management and on user directories that reliably supply the attributes that access decisions are made on. Shared accounts, especially those with elevated privileges, need to be addressed directly, and access to any that remain must require strong, phishing-resistant authentication.
4. Role of multifactor authentication (MFA) in cybersecurity programs: Multifactor authentication is a critical component of any effective cybersecurity program. The guidance devotes significant attention to the topic, recommending modern phishing-resistant MFA such as passkeys, security keys, and smart cards. Unlike one-time codes or push approvals, these methods are bound to the legitimate site and to a key the user physically holds, so they resist the credential-phishing and push-fatigue attacks that commonly defeat weaker MFA.
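The life-cycle and MFA points above (items 3 and 4) are easiest to act on as a recurring reconciliation of the identity store against the HR source of truth. The following is an added example, not code from the ESF document or from CISA/NSA: it flags leavers whose accounts are still enabled, movers whose granted access no longer matches their department, orphaned accounts with no HR owner, shared accounts with no named owner, and privileged accounts that lack a phishing-resistant authenticator. The record layout, the set of authenticator names, and the sample HR and account data are constructed for the example and are assumptions, not a real directory schema.

```python
"""Joiners/movers/leavers reconciliation against an HR source of truth (added example).

The data below is constructed inline; field names and authenticator labels are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Authenticator types treated as phishing-resistant (FIDO2 passkeys/security keys, PIV smart cards).
PHISHING_RESISTANT = frozenset({"fido2", "passkey", "smartcard"})


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str        # "active" or "terminated"
    department: str    # current department per HR


@dataclass(frozen=True)
class Account:
    username: str
    owner: Optional[str]   # HR employee_id, or None for a shared/service account
    enabled: bool
    privileged: bool       # member of an admin / elevated role
    department: str        # department the access was originally granted for
    mfa: frozenset         # enrolled authenticator types


def reconcile(accounts: List[Account], hr_records: List[HrRecord]) -> List[Tuple[str, str]]:
    """Return sorted (username, finding) pairs for enabled accounts that drift from HR."""
    hr = {r.employee_id: r for r in hr_records}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are not an active exposure (still worth pruning later)
        if acct.owner is None:
            # Shared accounts have no accountable person; they need an owner or named replacements.
            findings.append((acct.username, "shared-account: no named owner"))
        else:
            rec = hr.get(acct.owner)
            if rec is None:
                findings.append((acct.username, "orphan: owner not in HR"))
            elif rec.status == "terminated":
                findings.append((acct.username, "leaver: owner terminated but account enabled"))
            elif rec.department != acct.department:
                findings.append((acct.username,
                                 f"mover: access granted for {acct.department}, now in {rec.department}"))
        # Elevated access must sit behind a phishing-resistant factor, shared or not.
        if acct.privileged and not (acct.mfa & PHISHING_RESISTANT):
            findings.append((acct.username, "privileged account without phishing-resistant MFA"))
    return sorted(findings)


# Constructed sample data for the example.
HR_RECORDS = [
    HrRecord("e1", "active", "eng"),
    HrRecord("e2", "terminated", "finance"),
    HrRecord("e3", "active", "finance"),   # moved from eng to finance
    HrRecord("e4", "active", "eng"),
]

ACCOUNTS = [
    Account("alice", "e1", True, False, "eng", frozenset({"totp"})),
    Account("bob", "e2", True, False, "finance", frozenset({"totp"})),       # leaver
    Account("carol", "e3", True, False, "eng", frozenset({"totp"})),         # mover
    Account("dave", "e9", True, True, "eng", frozenset({"fido2"})),          # orphan
    Account("erin", "e4", True, True, "eng", frozenset({"fido2"})),          # clean
    Account("ops-admin", None, True, True, "it", frozenset({"totp"})),       # shared + weak MFA
    Account("svc-backup", None, False, False, "it", frozenset()),            # disabled, skipped
]

if __name__ == "__main__":
    for username, finding in reconcile(ACCOUNTS, HR_RECORDS):
        print(f"{username}: {finding}")
```

In practice the two inputs come from an HR export and a directory query run on a schedule, and each finding feeds a ticket or an automated disable; the point is that the HR system, not the directory, is the authority on who should hold access.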
This guidance has important implications for businesses seeking to strengthen their cybersecurity practices. Adopting new guidance can appear overwhelming, but investing in modern cybersecurity measures is essential to protecting critical infrastructure, data, systems, and supply chains. Maintaining legacy infrastructure while upgrading security is challenging; even so, strategic investments in solutions that meet current needs while raising the security baseline will prove invaluable against cyber threats.