NIST, CISA Finalizing Guidance for Identity and Access Management Post-SolarWinds

As agencies look to avoid a repeat of incidents like SolarWinds—where adversaries used access to the IT management contractor and took advantage of poor identity management to compromise at least nine federal agencies—authentication vendors in the space are getting more attention, but implementers will still need to be heavily involved, leading officials said.  

“In the wake of SolarWinds, any of the leading vendors out there are definitely experiencing a net positive,” Jeremy Grant told Nextgov. 

Grant, managing director of technology business strategy at the law firm Venable, previously advised the National Institute of Standards and Technology on identity and authentication management during the development of the agency’s roadmap for improving critical-infrastructure security.  

“In terms of choosing one vendor over the other,” he said of the top providers in the market—which includes companies like Ping, Okta, Forgerock and Microsoft’s Active Directory Federation Services, “the argument is usually more like a claim that Coke is better than Pepsi.” 

Federal officials participating in a virtual event hosted by the Advanced Technology Research Center Tuesday agreed on the significant amount of subjectivity that would be inherent in any agency’s decision. They focused more on the common foundational elements that would be necessary on the part of agencies regardless of the vendor or method they choose to meet directives passed down by the Office of Management and Budget for establishing “zero-trust” systems.

Advisories the Cybersecurity and Infrastructure Security Agency published, as agencies rushed to stop the bleeding after the SolarWinds revelation, described the adversary using Microsoft’s ADFS to move laterally across networks by hijacking the credentials of system administrators. The executive order—EO 14028—that resulted aims to focus agencies on prioritizing the identity and access management systems central to zero trust, where permission to view or edit certain assets is granted based on specific roles—such as human resources personnel—and attributes—such as the location—of those seeking it.

 “We're seeing a larger role in the identity space in the government. We’re trying to produce increasing guidance, we have our zero trust maturity model, our cloud security reference architecture,” said the Cybersecurity and Infrastructure Security Agency’s Grant Dasher, adding, “there’s going to be more coming soon in those spaces.”

Dasher said one of the lessons agencies should learn from SolarWinds is the importance of “understanding the trust boundaries and surface area within your infrastructure.”

“I think if someone carefully looked at the way a particular architecture was designed, they might realize that ‘hey, you know, I need this federation for most cases, but do I want it for my admin accounts? Probably not. I probably want my admin accounts in the cloud to have a separate root of trust, that is, you know, understood and narrower and isn't bringing in all the surface area of my legacy [on-premises assets],’” he said.

NIST is also refreshing its suite of publications on identity and access management and will issue, “for the first time ever, a real, dedicated document on guidance around federation,” so that authentication can happen not just between agencies, but between agencies and their contractors and citizens, according to Matt Topper. Topper, who is president of Uberether—a firm that helps customers, including federal agencies, with their identity and access management systems—was also a panelist on the ATARC webinar.   

The contractor piece is crucial, as managed service providers are often an entry point for high-level adversaries, but it’s not always clear whose responsibility it is to oversee their access to government systems. 

“I always joke that the contractor that's been with the agency longest has more access than the director, because we don't do a good job at recertifying their access. When they leave one contract and join another, they just gain it over time,” Topper said. “We do a lot of DOD work and you'd be amazed how hard it is to answer the question of ‘who is that contractor’s manager and who owns the responsibility that person is allowed on our network today?’”

Topper added an optimistic note: “We're finally getting to a point with some of the work that CISA has done with the master user record, and master device records … to bring that together and make sure that data is clean.”

Gerald Caron, chief information officer for the Department of Health and Human Services, said at the end of the day, federation of identities—“whether it be on Ping, or Okta, ADFS, whatever—is a good thing … [for] not having to remember username and password for 20 different applications, which I hate.”