US cyber agency offers guidance on cloud-based hybrid identity management models

As organizations move biometric and identity data management to cloud-based services to maintain optimal protection against cybersecurity threats, there are inevitable pain points when cloud systems collide with legacy on-premises digital ID management models, creating what the Cybersecurity & Infrastructure Security Agency (CISA) calls “hybrid identity solutions.” To minimize disruption and ensure interoperability between the systems being integrated, the agency has published guidance on secure cloud business applications.
“CISA developed this Hybrid Identity Solutions Guidance to help readers better understand identity management capabilities, the tradeoffs that exist in various implementation options, and factors that should be considered when making implementation decisions,” says the document. While on-premises systems are certain to linger, secure integration is possible. “However,” says the report, efforts must be “tightly coupled with broader plans to adopt zero trust architectures.”
CISA specifies that the document is not intended to be a comprehensive discussion of hybrid models, but rather a “basic toolset” motivated by “the need for agencies to authenticate and authorize users and entities to access business applications hosted in the cloud.”
The toolset includes two primary recommendations regarding cloud-based systems. First, “CISA recommends that agencies plan to migrate to cloud-based, passwordless authentication via either (1) their existing investments in public key infrastructure (PKI) and Personal Identity Verification (PIV) or Common Access Card (CAC) to authenticate to the identity services, or (2) by leveraging FIDO2 and the Web Authentication standard.”
Moreover, “CISA also recommends that agencies transition from traditional on-premises-based federation approaches to a cloud-primary authentication (italics in original) approach using modern authenticators and open standards-based protocols and relying on cloud services for their primary source of identity when authenticating users and entities for most access needs.”
In urging organizations to put the emphasis on cloud-based authentication and identity management, “CISA recognizes that this identity transition is a journey” that “can require a great deal of planning, resources, and effort.” But, says the agency, “agencies will find that achieving this mature hybrid identity model is well worth the time and effort required.”
Hybrid models for identity architecture
The document outlines several hybrid solution models that agencies can review to select the hybrid identity architecture that best suits their specific needs and risk tolerances. These include, in the order listed in the guidelines: federated authentication, pass-through authentication, password synchronization, cloud primary authentication; multi-factor authentication (MFA) including knowledge, possession and inherence such as biometric indicators; single sign-on options; FIDO2; password managers; and context-based access control.
Each option is covered with a diagram and description of its architecture, a review of security and implementation considerations, and advice for deployment. Regarding inherence and the question of biometric authenticators, CISA says “biometric authentication can be resistant to phishing when used locally to unlock a cryptographic key. However, depending on the quality of the scanner and algorithm, impersonating someone’s biometric data is possible. Another issue with biometrics is the inability to reset or disable a human’s biometrics.”
“Agencies should be selective in the quality of biometric sensors and algorithms implemented. Some biometrics, such as voice recognition, should be avoided as they are not secure due to the potential for impersonation.” That said, the report concedes that MFA is a powerful security tool, and that “agencies can move into passwordless MFA options, such as FIDO2, to achieve stronger security while easing the authentication experience for their users.”
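The phishing resistance CISA attributes to a biometric that unlocks a key locally comes from the FIDO2/WebAuthn ceremony binding each assertion to the relying party and origin. The following added example (not from the CISA guidance or any vendor library) shows the relying-party-side checks on a constructed assertion: the `RP_ID`, origin, challenge and counter values are invented, and signature verification with the stored credential public key is assumed to happen separately.

```python
import hashlib
import json
import struct

# Constructed relying-party values for this example only.
RP_ID = "login.agency.example"
EXPECTED_ORIGIN = "https://login.agency.example"
FLAG_UP, FLAG_UV = 0x01, 0x04  # user present, user verified (e.g. biometric/PIN)


def make_client_data(challenge, origin, typ="webauthn.get"):
    """Build the clientDataJSON a browser would send for an assertion."""
    return json.dumps({"type": typ, "challenge": challenge, "origin": origin}).encode()


def make_auth_data(rp_id, flags=FLAG_UP | FLAG_UV, counter=1):
    """Build minimal authenticatorData: rpIdHash(32) | flags(1) | signCount(4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def check_assertion(client_data_json, auth_data, expected_challenge,
                    expected_origin, rp_id, stored_counter):
    """Return (ok, reason). The signature over auth_data || SHA-256(clientDataJSON)
    is assumed to be verified separately with the credential's stored public key."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if cd.get("challenge") != expected_challenge:  # replay of an old assertion
        return False, "challenge"
    if cd.get("origin") != expected_origin:  # a look-alike site cannot pass this
        return False, "origin"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash"  # key was scoped to a different relying party
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "user-presence"
    if not flags & FLAG_UV:
        return False, "user-verification"  # biometric/PIN did not unlock the key
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if stored_counter and counter <= stored_counter:
        return False, "counter"  # possible cloned authenticator
    return True, "ok"


if __name__ == "__main__":
    chal = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed challenge value
    good = check_assertion(make_client_data(chal, EXPECTED_ORIGIN),
                           make_auth_data(RP_ID, counter=7), chal, EXPECTED_ORIGIN, RP_ID, 3)
    phish = check_assertion(make_client_data(chal, "https://login-agency.example"),
                            make_auth_data(RP_ID, counter=7), chal, EXPECTED_ORIGIN, RP_ID, 3)
    print(good, phish)
```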