Meeting the Latest NIST Guidelines with Okta
Today’s Evolving Security Guidelines
Traditional security is insufficient to protect the cloud and hybrid infrastructure of today’s enterprise. Our users have adopted new styles of working, and new ways of connecting. As IT becomes nimble—adopting ever increasing cloud solutions—the organisation’s sensitive information is everywhere.
Enter the digital identity. It’s used in nearly every aspect of daily life. The average employee has a multitude of services (Experian says over 40) registered to any one of their personal or business email accounts. At the enterprise, our employees use their identity to access critical data and services now sprawling across cloud, SaaS and on-premises applications.
Simply updating identity or access tools is not enough. Governments and enterprises need guidance in adopting and implementing today’s identity and access management solutions. The National Institute of Standards and Technology (NIST), the foremost standards body for cybersecurity, has released updated guidance that aligns with market-driven business models and innovation, and addresses the new risks these present.
“If you are a defence or government supplier—or subcontractor to a government supplier—you will need to comply with NIST Special Publication 800-171 (SP 800-171), Protecting Covered Defense Information in Nonfederal Systems and Organizations, by December 31, 2017.”
Today’s risks require a marriage between security and identity
If the barrage of recent data breaches tells us anything, it’s that identity is the new currency in the market. According to Symantec’s Internet Security Threat Report, 1.1 billion identities were stolen in 2016 alone [2]. Armies of botnets are attempting to reuse and harvest stolen credentials in drive-by downloads or targeted phishing scams—all while we are still struggling with security basics. The 2017 Verizon Data Breach Investigations Report revealed that last year alone, 81% of hacking-related breaches leveraged weak or stolen passwords [3]. Society’s standards around access and identity have been slow to evolve, and in turn our authentication strategies have remained stagnant—for nearly 15 years. Passwords are still in use in most organisations, and those same entities use multiple solutions to manage access across their sprawling enterprises. Identity represents a critical control point that, once addressed, dramatically improves security across the ecosystem. Entities supporting federal agencies are now being held to new identity standards, requiring them to take a fresh look at Identity and Access Management (IAM) in accordance with updated guidelines and mandates. They are looking for a comprehensive solution that understands and meets these requirements.
Further, the latest release of NIST’s Special Publication 800-63, Digital Identity Guidelines, wipes away our old password rules and places the burden of access in the hands of identity and access technology. Many other security standards are following suit: the Payment Card Industry Data Security Standard (PCI DSS) requires MFA around applications and infrastructure supporting and processing payment card data. Similarly, new mandates from the New York Department of Financial Services (NYDFS) require certain covered enterprises to move beyond legacy authentication solutions and implement robust IAM that supports MFA and a federated architecture to reach today’s cloud, mobile, and on-premises services.
NIST Meets the Changing Risk Landscape with Major Changes
In an effort to address today’s risks, nearly all standards have recognised that we can no longer secure access to our organisation with single-factor authentication: a simple password. For all federal agencies and government suppliers, NIST standards mandate the use of Multi-Factor Authentication (MFA) for privileged access and remote access to the network—essentially all of today’s modern knowledge workers.
What is NIST?
Founded in 1901, the National Institute of Standards and Technology (NIST) is one of the nation’s oldest physical science laboratories and is dedicated to supporting America’s competitiveness. Responsible for The Cybersecurity Framework, NIST helps businesses and governments understand and address today’s quickly evolving cyber risks.
Why NIST compliance matters to your enterprise
A leader in cybersecurity research and standards, NIST operates in an open and transparent manner, inviting collaboration from the public and private sectors. Addressing everything from critical infrastructure to sensitive government systems and industrial competitiveness, NIST standards provide a broad range of recommendations that meet the compliance needs of other regulations, such as NYDFS and the Health Insurance Portability and Accountability Act (HIPAA), and support industry standards like PCI DSS.
NIST is not just for federal, state or local government systems; over 30 percent of U.S. organizations [4] are using NIST guidelines, particularly the Cybersecurity Framework. In fact, if you are a defence or government supplier—or a subcontractor to a government supplier—you will need to comply with the latest NIST guidelines.
Recent federal acquisition directives for both civilian and DOD agencies require compliant protection for all information created by the government, or by an entity on behalf of the U.S. Government. To provide a framework for compliance, NIST issued SP 800-171, Protecting Covered Defense Information in Nonfederal Systems and Organizations, containing 14 control families with associated controls, including guidelines for Authentication and Identity Management. NIST SP 800-171 is geared towards protection of sensitive unclassified federal information that is housed in, processed or transmitted by non-federal information systems and environments. SP 800-171 fits neatly into The Cybersecurity Framework and is supported by the most recent release of the NIST Digital Identity Guidelines.
Generally speaking, NIST compliance is often considered cumbersome and costly by many security teams. Navigating NIST recommendations for authentication and identity management is Okta’s business. Okta’s cloud-native access management centralises IAM and offers a full range of factor and assurance level supp