
US cyber agency offers guidance on cloud-based hybrid identity management models

As organizations move identity management, including biometric authentication, to cloud services, those services have to coexist with legacy on-premises directories and authentication systems, producing what the Cybersecurity and Infrastructure Security Agency (CISA) calls “hybrid identity solutions.” To limit the disruption and the security gaps that come with integrating the two, the agency has published hybrid identity guidance under its Secure Cloud Business Applications (SCuBA) project.

“CISA developed this Hybrid Identity Solutions Guidance to help readers better understand identity management capabilities, the tradeoffs that exist in various implementation options, and factors that should be considered when making implementation decisions,” says the document. On-premises systems will not disappear soon, but CISA says they can be integrated securely. “However,” the report adds, such efforts must be “tightly coupled with broader plans to adopt zero trust architectures.”

CISA specifies that the document is not intended to be a comprehensive discussion of hybrid models, but rather a “basic toolset” motivated by “the need for agencies to authenticate and authorize users and entities to access business applications hosted in the cloud.”

The toolset includes two primary recommendations regarding cloud-based systems. First, “CISA recommends that agencies plan to migrate to cloud-based, passwordless authentication via either (1) their existing investments in public key infrastructure (PKI) and Personal Identity Verification (PIV) or Common Access Card (CAC) to authenticate to the identity services, or (2) by leveraging FIDO2 and the Web Authentication standard.” Both routes are phishing-resistant for the same reason: the user proves possession of a private key that never leaves the smart card or FIDO2 authenticator, and the resulting signature is bound to the service being authenticated to, so a response captured by a look-alike site cannot be reused against the real one.

Moreover, “CISA also recommends that agencies transition from traditional on-premises-based federation approaches to a cloud-primary authentication (italics in original) approach using modern authenticators and open standards-based protocols and relying on cloud services for their primary source of identity when authenticating users and entities for most access needs.”

In urging organizations to put the emphasis on cloud-based authentication and identity management, “CISA recognizes that this identity transition is a journey” that “can require a great deal of planning, resources, and effort.” But, says the agency, “agencies will find that achieving this mature hybrid identity model is well worth the time and effort required.”

Hybrid models for identity architecture

The document outlines several hybrid solution models that agencies can review to select the hybrid identity architecture that best suits their specific needs and risk tolerances. These include, in the order listed in the guidelines: federated authentication, pass-through authentication, password synchronization and cloud-primary authentication; multi-factor authentication (MFA) based on knowledge, possession and inherence factors, the last of which covers biometrics; single sign-on options; FIDO2; password managers; and context-based access control.

Each option is covered with a diagram and description of its architecture, a review of security and implementation considerations, and advice for deployment. Regarding inherence and the question of biometric authenticators, CISA says “biometric authentication can be resistant to phishing when used locally to unlock a cryptographic key. However, depending on the quality of the scanner and algorithm, impersonating someone’s biometric data is possible. Another issue with biometrics is the inability to reset or disable a human’s biometrics.”

“Agencies should be selective in the quality of biometric sensors and algorithms implemented. Some biometrics, such as voice recognition, should be avoided as they are not secure due to the potential for impersonation.” The report nevertheless treats MFA as a powerful security control, and says that “agencies can move into passwordless MFA options, such as FIDO2, to achieve stronger security while easing the authentication experience for their users.”
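The FIDO2 and WebAuthn option CISA recommends, and its remark that a biometric is phishing-resistant when it is only used locally to unlock a cryptographic key, come down to a handful of checks in the login ceremony. The Go program below is an added example written for this article, not code from CISA's guidance or from any agency deployment. It models an authenticator, the browser and a cloud relying party, then runs one genuine login and one from a look-alike phishing site that relays the real challenge. The hostnames login.agency.gov and login-agency.example are hypothetical, the RP ID is derived from the page origin by simply stripping the scheme, and the signature counter is left unchecked; a production service would use a WebAuthn library for those details.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// authenticatorData flag bits. UV = the authenticator verified the user locally (fingerprint, PIN) to unlock the key.
const flagUP, flagUV = 0x01, 0x04
// clientData mirrors the CollectedClientData the browser serializes for navigator.credentials.get().
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// authenticator models one FIDO2 credential: a private key scoped to the RP ID it was registered for.
type authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}
// relyingParty is the cloud identity service: the registered public key and its single-use challenge.
type relyingParty struct {
	rpID, origin, challenge string
	pub                     *ecdsa.PublicKey
}

// signedMessage is what both sides hash for ES256: authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// getAssertion: the browser, not the page, supplies rpID, so a look-alike domain asks for a credential
// that does not exist; when the credential does exist, only a signature ever leaves the device.
func (a *authenticator) getAssertion(rpID string, clientDataJSON []byte) (authData, sig []byte, err error) {
	if rpID != a.rpID {
		return nil, nil, fmt.Errorf("no credential scoped to rpId %q", rpID)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	// rpIdHash || flags || signCount (the counter is left at zero and not checked in this model)
	authData = append(rpIDHash[:], flagUP|flagUV, 0, 0, 0, 0)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, clientDataJSON))
	return authData, sig, err
}

// verifyAssertion runs the RP-side checks of the WebAuthn assertion ceremony in order: ceremony type,
// challenge, origin, rpIdHash, UP/UV flags, signature. Any failure rejects the login.
func (rp *relyingParty) verifyAssertion(clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rp.rpID))
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case rp.challenge == "" || cd.Challenge != rp.challenge:
		return fmt.Errorf("challenge mismatch: replayed or stale assertion")
	case cd.Origin != rp.origin:
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.origin)
	case len(authData) < 37 || string(authData[:32]) != string(want[:]):
		return fmt.Errorf("authenticatorData missing or rpIdHash does not match this RP")
	case authData[32]&flagUP == 0 || authData[32]&flagUV == 0:
		return fmt.Errorf("user presence and user verification both required")
	case !ecdsa.VerifyASN1(rp.pub, signedMessage(authData, clientDataJSON), sig):
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	rp.challenge = "" // consumed: presenting the same assertion again fails the challenge check
	return nil
}

func main() {
	// Hypothetical hosts: login.agency.gov is the real RP, login-agency.example a look-alike phishing site.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	auth := &authenticator{rpID: "login.agency.gov", priv: priv}
	rp := &relyingParty{rpID: "login.agency.gov", origin: "https://login.agency.gov", pub: &priv.PublicKey}
	for _, origin := range []string{"https://login.agency.gov", "https://login-agency.example"} {
		nonce := make([]byte, 32) // fresh challenge per login; the phishing site relays the genuine one
		if _, err := rand.Read(nonce); err != nil {
			panic(err)
		}
		rp.challenge = base64.RawURLEncoding.EncodeToString(nonce)
		// The browser records the page's real origin and derives the RP ID from its host; the page controls neither.
		cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: rp.challenge, Origin: origin})
		ad, sig, err := auth.getAssertion(origin[len("https://"):], cdj)
		if err == nil {
			err = rp.verifyAssertion(cdj, ad, sig)
		}
		fmt.Printf("%s -> %v\n", origin, err)
	}
}
```

Run it with `go run`. The genuine login prints `<nil>` (accepted); the phishing login prints the authenticator's refusal, because the browser at that origin asks for a credential scoped to `login-agency.example`, which the authenticator never registered. Even if an attacker relayed a genuine assertion, the origin inside clientDataJSON and the rpIdHash inside authenticatorData are both covered by the signature, so rewriting either fails verification, and the consumed challenge rejects a straight replay. The UV flag is all the server ever learns about the fingerprint or face: the template stays on the authenticator, which is exactly why CISA can say it resists phishing yet cannot be reset.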
