
US cyber agency offers guidance on cloud-based hybrid identity management models


As organizations move biometric and identity data management to cloud-based services to keep pace with cybersecurity threats, pain points inevitably arise where cloud systems meet legacy on-premises digital ID management models, producing what the Cybersecurity & Infrastructure Security Agency (CISA) calls “hybrid identity solutions.” To minimize disruption and ensure that the systems being integrated interoperate, the agency has published guidance on secure cloud business applications.

“CISA developed this Hybrid Identity Solutions Guidance to help readers better understand identity management capabilities, the tradeoffs that exist in various implementation options, and factors that should be considered when making implementation decisions,” says the document. While on-premises systems are certain to linger, secure integration is possible. “However,” says the report, efforts must be “tightly coupled with broader plans to adopt zero trust architectures.”

CISA specifies that the document is not intended to be a comprehensive discussion of hybrid models, but rather a “basic toolset” motivated by “the need for agencies to authenticate and authorize users and entities to access business applications hosted in the cloud.”

The toolset includes two primary recommendations regarding cloud-based systems. First, “CISA recommends that agencies plan to migrate to cloud-based, passwordless authentication via either (1) their existing investments in public key infrastructure (PKI) and Personal Identity Verification (PIV) or Common Access Card (CAC) to authenticate to the identity services, or (2) by leveraging FIDO2 and the Web Authentication standard.”

Moreover, “CISA also recommends that agencies transition from traditional on-premises-based federation approaches to a cloud-primary authentication (italics in original) approach using modern authenticators and open standards-based protocols and relying on cloud services for their primary source of identity when authenticating users and entities for most access needs.”

In urging organizations to put the emphasis on cloud-based authentication and identity management, “CISA recognizes that this identity transition is a journey” that “can require a great deal of planning, resources, and effort.” But, says the agency, “agencies will find that achieving this mature hybrid identity model is well worth the time and effort required.”

Hybrid models for identity architecture

The document outlines several hybrid solution models that agencies can review to select the hybrid identity architecture that best suits their specific needs and risk tolerances. These include, in the order listed in the guidelines: federated authentication; pass-through authentication; password synchronization; cloud primary authentication; multi-factor authentication (MFA) across the knowledge, possession and inherence factors, the last including biometric indicators; single sign-on options; FIDO2; password managers; and context-based access control.

Each option is covered with a diagram and description of its architecture, a review of security and implementation considerations, and advice for deployment. Regarding inherence and the question of biometric authenticators, CISA says “biometric authentication can be resistant to phishing when used locally to unlock a cryptographic key. However, depending on the quality of the scanner and algorithm, impersonating someone’s biometric data is possible. Another issue with biometrics is the inability to reset or disable a human’s biometrics.”

“Agencies should be selective in the quality of biometric sensors and algorithms implemented. Some biometrics, such as voice recognition, should be avoided as they are not secure due to the potential for impersonation.” That said, the report concedes that MFA is a powerful security tool, and that “agencies can move into passwordless MFA options, such as FIDO2, to achieve stronger security while easing the authentication experience for their users.”
