Securing Core Cloud Identity Infrastructure: Addressing Advanced Threats through Public-Private Collaboration

Released

By Clayton Romans, Associate Director, Joint Cyber Defense Collaborative

In recent years, the cloud landscape has faced increasingly sophisticated threat activity targeting identity and authentication systems. As cloud infrastructure has become more ubiquitous—underpinning key government and critical infrastructure data—sophisticated nation-state affiliated actors have exposed limitations in token authentication, key management, logging mechanisms, third-party dependencies, and governance practices. These threats reaffirm the critical role that public-private collaboration plays to safeguard cloud infrastructure and address the evolving technical and security challenges confronting our nation.  

Challenges in Cloud Identity Security 

Cloud providers implement measures to secure cloud identity systems with varying degrees of robustness against security threats. A review of recent cloud security incidents shows that threat actors are increasingly exploiting vulnerabilities, forging tokens, and using stolen credentials to compromise organizational infrastructure. To mitigate these risks, cloud service providers can further harden authentication and authorization mechanisms, prioritizing improvements in token technology, secrets management, access control, logging, and forensic capabilities. Uplifting security practices in these areas presents complex challenges, including:

  • Token Validation Technology: Token management is pivotal to security. Stateless tokens are particularly vulnerable, as the compromise of signing keys can lead to widespread token forgery. While stateful token validation and token binding with proof of possession offer stronger security, system complexity and integration costs hinder their adoption.
  • Secrets Management Systems: Scaling centralized secrets management systems risks misconfiguration and inconsistent policies. Secure key storage, like hardware security modules, faces access restrictions and performance trade-offs. Properly managed secrets rotation and optimized frequency are vital for security and continuity.
  • Logging Practices: Limited telemetry and short log retention impede detection of forged tokens, compromised keys, and unauthorized token generation. Balancing consumer visibility with manageable log volumes is challenging, while inconsistent logging standards across providers hinder threat detection and response. 
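The first bullet's distinction between stateless and stateful token validation, and the third bullet's point that forged or unauthorized token generation needs a detectable signal, can be shown together in a small simulation. The example below is added here and is not code from CISA or any provider named on this page; it uses a hypothetical HMAC-signed compact token and a hypothetical `Issuer` that keeps a server-side registry of every token ID (jti) it has minted. A token signed with the same key outside the issuer passes the stateless check but fails the stateful one, and the stateful verifier returns a reason string suitable for logging.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional, Set, Tuple

NOW = 1_700_000_000  # constructed "current time" so the example is deterministic

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(key: bytes, claims: dict) -> str:
    """Compact token: base64url(claims).base64url(HMAC-SHA256 over claims)."""
    body = b64u(json.dumps(claims, sort_keys=True).encode())
    return body + "." + b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())

class Issuer:
    """Hypothetical token service that records the jti of every token it mints."""
    def __init__(self, key: bytes):
        self.key = key
        self.issued: Set[str] = set()   # server-side state that a leaked key cannot reproduce

    def mint(self, subject: str, ttl: int = 300) -> str:
        claims = {"sub": subject, "jti": secrets.token_hex(8), "exp": NOW + ttl}
        self.issued.add(claims["jti"])
        return sign(self.key, claims)

    def revoke(self, jti: str) -> None:
        self.issued.discard(jti)        # stateful validation makes revocation immediate

def verify_stateless(key: bytes, token: str) -> Optional[dict]:
    """Signature and expiry only: accepts anything the signing key ever produced."""
    body, sig = token.split(".")
    expected = b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims.get("exp", 0) > NOW else None

def verify_stateful(issuer: Issuer, token: str) -> Tuple[bool, str]:
    """Stateless checks plus an issuance-registry lookup; the reason is meant for logging."""
    claims = verify_stateless(issuer.key, token)
    if claims is None:
        return False, "bad_signature_or_expired"
    if claims["jti"] not in issuer.issued:
        return False, "unknown_jti"    # correctly signed, but never minted (or since revoked)
    return True, "ok"

if __name__ == "__main__":
    issuer = Issuer(secrets.token_bytes(32))
    legit = issuer.mint("alice")
    # Constructed scenario: the signing key leaked and a token was minted outside the issuer.
    minted_outside = sign(issuer.key, {"sub": "alice", "jti": "never-issued", "exp": NOW + 300})
    print(verify_stateless(issuer.key, minted_outside) is not None)  # True: stateless cannot tell
    print(verify_stateful(issuer, minted_outside))                    # (False, 'unknown_jti')
    print(verify_stateful(issuer, legit))                             # (True, 'ok')
```

The `unknown_jti` reason is the event worth retaining in logs: it is direct evidence of token generation the issuer did not perform.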

Driving Public-Private Partnership to Fortify Infrastructure at Scale 

To address these challenges, CISA's Joint Cyber Defense Collaborative (JCDC) is working side-by-side with cloud service providers to foster discovery and discussion of best practices for strengthening cloud identity security. Together, we are exploring innovative solutions, including approaches to better protect tokens to prevent validation errors and forgery, improved secrets management for consistent encryption and access control, and enhanced logging to better detect malicious behavior.  

On June 25, CISA hosted the JCDC Cloud Identity Security Technical Exchange, gathering approximately 50 experts across the U.S. federal government and top cloud providers to analyze core cloud identity security practices, including individuals from: 

  • AWS
  • Google Cloud
  • HashiCorp
  • IBM
  • Microsoft
  • Okta
  • Oracle
  • Wiz
  • The OpenID Foundation
  • National Institute of Standards and Technology (NIST)
  • National Security Agency (NSA) 

The goal was to promote knowledge transfer across these organizations and to discuss approaches to harden cloud identity infrastructure at scale. The exchange focused on technical insights, operational experiences, and candid perspectives grounded in real-world situations. Insights gleaned from this exchange laid the foundation on how we can work together to improve the adoption of essential cloud identity security practices and enhance the resilience of critical cloud infrastructure.  

Public-private operational collaboration like this remains critical to the nation’s collective defense. Through JCDC, CISA continues to deepen trust across our closest and most capable partners, sharpening our respective cyber defense capabilities while increasing our reciprocal value to each other. We are learning and evolving our shared approaches quickly to stay ahead of our adversaries and enhance both real-time incident management and overall resiliency of the ecosystem. For example, CISA will leverage this technical exchange to provide actionable and threat-informed implementation guidance for the broader cloud community and inform future industry standards and guidelines in partnership with NIST and NSA. This partnership also supports CISA in reducing risk across the federal enterprise through more secure access and use of cloud environments and services. 

Securing cloud identity infrastructure is a strategic priority for CISA. We are committed to the public-private collaboration that is essential to countering the significant threats facing critical infrastructure. Together, we can build a more resilient cloud security ecosystem that protects our nation’s critical infrastructure from advanced threats. We look forward to working with partners to strengthen our defenses by further identifying systemic risks to cloud infrastructure, implementing best practices, and developing guidance for addressing emerging cloud-related threats.

Disclaimer

CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services referenced or linked to on this page. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. Full Disclaimer: See https://www.cisa.gov/notification.