Introduction
Identity and access management (IAM) is a framework of business processes, policies, and technologies that facilitates the management of digital identities and ensures that users gain access to data and systems only when they present appropriate credentials and hold the corresponding authorizations. Beyond human users, service and system accounts are also in scope for IAM and are critical for IAM administrators to manage within their organizations. Inventorying, auditing, and tracking all of these identities and their access is imperative to ensure that proper IAM, including review of permissions and active status, is carried out on a regular basis. Managing the growing complexity of digital identities can be daunting, especially with the industry's push toward cloud and hybrid computing environments; however, the need for IAM is more important today than ever. In recent years, various nation state-led cyber operations have successfully accessed protected data by targeting the trust established within networks or by exploiting vulnerabilities in IAM products and/or IAM implementations. Critical infrastructure within the U.S. is a particularly attractive target for these adversaries. According to the 2022 Verizon Data Breach Investigations Report, 80% of web application attacks leveraged stolen credentials, a technique used by both basic cyber criminals and nation-state actors. Additionally, excluding breaches based on user error and insider misuse, 40% of breaches involved stolen credentials and nearly 20% involved phishing. Recent and notable attacks include:
• In 2021, compromised credentials were used to attack the Colonial Pipeline in the U.S., forcing a shutdown of the pipeline.[1]
• In another 2021 cyberattack, an unknown attacker manipulated computer systems in a Florida water treatment plant to increase the concentration of sodium hydroxide in the water supply by a factor of 100.[2]
• In 2022, another attack targeted a water treatment plant in South Staffordshire, U.K.[3]
As such, critical infrastructure organizations have a particular responsibility to implement, maintain, and monitor secure IAM solutions and processes to protect not only their own business functions and information but also the organizations and individuals with whom they interact. It is important to keep in mind that IAM systems implement credential management, authentication, and authorization functions that are foundational to security; they are also very complex and prone to vulnerabilities if not implemented correctly. Like any kind of software, IAM solutions are subject to software vulnerabilities and must be patched, updated, and managed. Because a single IAM solution typically brokers access to many systems, a vulnerable IAM solution can give an attacker access to multiple systems and data sets across the organization. Therefore, securing the IAM infrastructure itself is critical. Ultimately, the goal is for organizations to proactively take the appropriate action to protect against an attack rather than find themselves deploying fundamental IAM capabilities far too late.
To address the risk to a wide range of critical public and private sector networks, the Enduring Security Framework (ESF) hosted a working panel staffed by government and industry subject matter experts tasked with assessing the challenges and threats to IAM and identifying recommendations on how to mitigate these risks. While the panel recognizes the need for a broad, layered approach to network defense, this guidance focuses on the aspects of IAM identified as critical in addressing the threats laid out in this paper.