New guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) highlights ongoing difficulties faced by federal agencies and the private sector in adopting essential security measures like multifactor authentication (MFA) and single sign-on (SSO) services.
Despite the federal zero trust strategy's requirement for strong MFA adoption, and CISA's persistent encouragement of MFA and SSO use, some critical organizations have not universally adopted these security measures. A joint public-private panel led by CISA and the NSA has identified various issues that hinder the deployment of identity and access management best practices, including unclear MFA terminology, ambiguity about security properties, and technical gaps.
The guidance, published by the Enduring Security Framework, describes MFA deployment as a "notoriously difficult" challenge due to confusing definitions and policy issues. It notes that MFA offers varying levels of security, with SMS-based MFA being particularly vulnerable. Additionally, SSO deployment often involves complex trade-offs between functionality and security, requiring a significant number of skilled personnel.
To address these challenges, the guidance calls for clarity, interoperability, and standardization among MFA variations. It urges the vendor community to invest in MFA services, fortify defenses against threats like phishing, and simplify adoption by embedding phishing-resistant authenticators into operating systems.
Furthermore, the guidance recommends that identity and access management vendors develop more secure enrollment tools and automated methods for managing MFA authenticators. These recommendations aim to streamline MFA and SSO processes and establish standardization across various sectors.
The overarching goal of this guidance is to enhance security practices and bolster the adoption of critical security controls in both the public and private sectors, ultimately mitigating cybersecurity risks.


