The Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance to help organizations manage identity capabilities as they transition from on-premises enterprise networks to cloud-based solutions.
CISA developed the March 12 guidance – titled Secure Cloud Business Applications (SCuBA): Hybrid Identity Solutions Guidance – to help readers better understand identity management capabilities and the tradeoffs of implementation options.
“Identity management vulnerabilities have played a key role in several recent high-profile cybersecurity incidents … In light of these and other incidents, industry stakeholders, vendors, and other key partners continue to encourage a transition from on-premises to cloud-based identity solutions and phishing-resistant multifactor authentication (MFA),” stated CISA.
The guidance makes some primary recommendations, such as “agencies [should] plan to migrate to cloud-based, passwordless authentication via either their existing investments in public key infrastructure (PKI) and Personal Identity Verification (PIV) or Common Access Card (CAC) to authenticate to the identity services, or by leveraging FIDO2 and the Web Authentication standard.”
Other recommendations include urging Federal agencies to move from on-premises federation approaches to a cloud-primary authentication approach as the primary source of identity management for most users.
“For a variety of reasons, it is not likely that all agencies will completely abandon on-premises identity services. This will result in a future state in which agencies must securely architect, deploy, maintain, and update on-premises and cloud-based identity services in a manner that integrates across these environments,” said CISA.
“CISA recognizes that this identity transition is a journey. Agencies should leverage existing resources and infrastructure to support such a transition over time,” added the agency.