Designing Secure Authentication and Identity Management
Building better security through multi-factor authentication, access controls, and more
Editor's Note: The following is an article written for and published in DZone's 2021 Application Security Trend Report.
Organizations and individuals face an ever-increasing threat from a wide variety of actors: nation states, organized crime gangs, and determined individuals. Many of these attacks take the form of ransomware, which can cripple a business through data loss and, increasingly, data exfiltration. Beyond ransomware, more insidious attacks like the SolarWinds supply chain attack can impact a large number of organizations beyond the initial victim. A supply chain attack looks for weak links in the business process; in this case, the attackers pursued a network monitoring vendor whose software is widely deployed and inherently needs to run with high privileges.
While there is no single complete security solution, a multi-faceted, defense-in-depth strategy can provide strong protection against attacks. The first layer of that strategy has always been a strong identity management solution that provides authentication (proving who the requestor is) and authorization (deciding what the requestor may do). In this article, you will learn about the design of modern identity management solutions, including multi-factor authentication, just-in-time and conditional access, and how these solutions integrate with a wide variety of custom and off-the-shelf applications.
What Is Identity Management?
The history of identity management dates to the 1500s, when governments began to consistently issue birth certificates. As computer systems became prominent, usernames and passwords for individual computers became prevalent; however, that solution did not scale to large distributed systems. Local usernames and passwords evolved into centralized directory services like Microsoft's Active Directory and, later, identity federation, which allow users to log in to multiple systems within a "circle of trust" and give administrators centralized management and monitoring of authentications. A centralized system allows both users and services or applications to have identities. In modern identity and access management (IAM) solutions, application (workload) identity is a major part of the security model.
Legacy systems like Active Directory expose their directory through the Lightweight Directory Access Protocol (LDAP) and use Kerberos as their network authentication protocol. Kerberos was designed for a trusted internal network: the client must be able to reach the domain's key distribution center directly, which makes it a poor fit for browser-based and internet-facing applications. That gap drove the adoption of protocols such as SAML, WS-Federation, and OAuth 2.0 (with OpenID Connect layered on top for authentication), all of which move the credential check to a central identity provider and let applications rely on signed, token-based claims instead of handling usernames and passwords themselves.
While the user may still authenticate to the identity provider with a username and password, the application is issued a token that states who the requestor is and which resources they have access to. Tokens carry an expiry time and can be tied to a revocation mechanism, which provides a level of control a static password never offered, and they carry additional metadata (device, location, authentication strength) that enables richer security methods like conditional access. One caveat: a self-contained token such as a signed JWT is accepted by the application until it expires unless the application also consults a revocation list, so keep access-token lifetimes short and rely on short-lived tokens plus refresh tokens rather than on revocation alone.
The other aspect of modern IAM systems like Azure Active Directory and Okta is that they let users authenticate beyond the organization's own circle of trust: users sign in to third-party software-as-a-service offerings with their corporate identities. This means that instead of using a separate username and password for each application like Salesforce or DocuSign, users authenticate with their corporate identity, which gives the organization better management (provisioning and deprovisioning, MFA, conditional access) and security for those applications.
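The token flow described above, as an added example that is not part of the original article or of any identity provider's code: a minimal HS256 JWT is minted with the claims that matter (issuer, subject, audience, scope, expiry, token id) and then verified by a relying party that checks the signature before trusting any claim, checks audience and expiry, and consults a revocation list keyed on the token id. The signing key, issuer URL, and audience names are constructed for the demo; a production identity provider would use an asymmetric key (RS256/ES256) so that relying parties never hold a secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. A real identity provider signs with an asymmetric key
# and publishes only the public half to relying parties.
ISSUER_KEY = b"demo-signing-key-do-not-use-in-production"
ISSUER = "https://idp.example.test"  # hypothetical issuer URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, scopes, lifetime_s: int, now=None) -> str:
    """Mint an HS256 JWT whose claims say who the caller is and what they may do."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": subject,
        "aud": audience,               # which API this token is meant for
        "scope": " ".join(scopes),     # which resources/actions it grants
        "iat": now,
        "exp": now + lifetime_s,       # tokens expire; keep access-token lifetimes short
        "jti": secrets.token_hex(8),   # unique id so a single token can be revoked
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, expected_audience: str, revoked_jtis=frozenset(), now=None) -> dict:
    """Return the claims if every check passes; raise ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected_sig = hmac.new(ISSUER_KEY, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature")   # verify before trusting any claim
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")  # a token minted for another API is not valid here
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("jti") in revoked_jtis:
        raise ValueError("revoked")
    return claims


def token_status(token: str, expected_audience: str, revoked_jtis=frozenset(), now=None) -> str:
    """Convenience wrapper: 'ok' or the name of the check that failed."""
    try:
        verify_token(token, expected_audience, revoked_jtis, now)
        return "ok"
    except ValueError as err:
        return str(err)


def has_scope(claims: dict, scope: str) -> bool:
    """Authorization decision made from the claims, not from a database lookup of the user."""
    return scope in claims.get("scope", "").split()


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice@example.test", "payroll-api", ["payroll.read"], 300, now=t0)
    print(token_status(tok, "payroll-api", now=t0 + 60))    # ok
    print(token_status(tok, "hr-api", now=t0 + 60))         # audience mismatch
    print(token_status(tok, "payroll-api", now=t0 + 300))   # expired
```

The order of the checks is deliberate: the signature is verified before the claims are even parsed for decisions, and the `alg` header is pinned so a token cannot downgrade the verifier to `none` or to a different algorithm.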
Multi-Factor Authentication — You Need to Do It
Another important aspect of modern security is multi-factor authentication (MFA), which requires the user to present a username and password and then prove possession of a second factor, whether it be a one-time code delivered by text message or email, a physical security key, or an authenticator application on a phone. Not all second factors are equal. Text messages and email codes are the weakest, because a phone number can be taken over through SIM swapping and an email account is itself protected by a password. Authenticator applications are more secure, as they are far less likely to be compromised, and FIDO2/WebAuthn security keys are stronger still, because the credential is bound to the site that registered it and cannot be captured by a phishing page.
The image below describes multi-factor authentication at a high level: modern MFA systems require both a password and a PIN or an approval from your mobile app, and in some cases a fingerprint or facial recognition is required as the final step. If you use push approvals, enable number matching (the user types a number shown on the login screen into the app) so that a user cannot simply tap "approve" on a prompt an attacker generated.
Some users may complain about the MFA process because it takes more time than simply logging in; however, the additional security is well worth the overhead. The other concern is whether your applications support MFA, as some legacy applications do not support modern authentication methods. This client access issue is a major concern: legacy protocols that only accept a username and password (basic authentication for IMAP, POP3, or SMTP, for example) cannot take part in an MFA challenge at all, so an attacker with a stolen password can use them to walk around MFA entirely. Block legacy authentication at the identity provider rather than relying on each client to be upgraded. Retrofitting a legacy application can be challenging, especially if you lack access to the source code to change the client drivers. If you own the source code for your application, or you are building a new application, you should also understand how your authentication stack integrates with your authentication provider.
What Is Conditional Access?
Beyond MFA, there are other ways to add intelligence to your authentication process. Conditional access applies logic after the initial authentication to decide whether to allow the connection to complete, force an additional MFA step, or block the connection entirely. At a basic level, it is if/then logic evaluated every time a user or application authenticates.
Typically, this is implemented through various policies. Some examples of common policies include:
- Requiring MFA for all administrative users
- Blocking access from specific countries
- Limiting access to managed devices for specific applications (for example, email)
- Requiring the device to be currently patched
An example of how conditional access works is shown below:
Signals are the inputs (the "if" part of the if/then logic) that conditional access uses at its decision point. There are many signals a conditional access platform can use, but common ones are whether the request comes from a trusted IP address range, which application is making the request, the user's roles, and device state. Using these signals lets conditional access dynamically change who and what can log in, making your authentication process more secure. When several policies match the same sign-in, their controls combine and a block always wins over a grant, so test a new policy in report-only mode, where the platform offers one, before enforcing it.
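The policy list above, turned into a small evaluation engine as an added example (not the original article's code and not any vendor's conditional access implementation). Each policy inspects the sign-in signals and either returns an outcome or declines to apply; the engine runs all of them and keeps the most restrictive result, so a block can never be undone by a permissive policy that also matched. The trusted network range (a documentation prefix), the role names, the placeholder blocked-country code "XX", and the device flags are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

# Outcomes, ordered from least to most restrictive. When several policies match one
# sign-in, the most restrictive outcome wins; a block is never overridden by a grant.
ALLOW, REQUIRE_MFA, BLOCK = "allow", "require_mfa", "block"
SEVERITY = {ALLOW: 0, REQUIRE_MFA: 1, BLOCK: 2}


@dataclass(frozen=True)
class SignIn:
    """The signals available after primary authentication (the 'if' side of each policy)."""
    user: str
    roles: FrozenSet[str]
    app: str
    ip: str
    country: str            # hypothetical country code derived from IP geolocation
    device_managed: bool    # enrolled in the organization's device management
    device_compliant: bool  # device management reports it as patched / meeting the baseline


# Constructed tenant configuration (assumptions for the demo).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # corporate egress range
BLOCKED_COUNTRIES = {"XX"}                                   # placeholder code
MANAGED_DEVICE_APPS = {"email"}
ADMIN_ROLES = {"global_admin", "security_admin"}


def from_trusted_network(s: SignIn) -> bool:
    addr = ipaddress.ip_address(s.ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


# Each policy returns an outcome when it applies to the sign-in, or None when it does not.
def block_listed_countries(s: SignIn) -> Optional[str]:
    return BLOCK if s.country in BLOCKED_COUNTRIES else None


def admins_always_mfa(s: SignIn) -> Optional[str]:
    return REQUIRE_MFA if s.roles & ADMIN_ROLES else None


def email_needs_managed_device(s: SignIn) -> Optional[str]:
    return BLOCK if s.app in MANAGED_DEVICE_APPS and not s.device_managed else None


def device_must_be_patched(s: SignIn) -> Optional[str]:
    return BLOCK if not s.device_compliant else None


def mfa_outside_trusted_networks(s: SignIn) -> Optional[str]:
    return REQUIRE_MFA if not from_trusted_network(s) else None


POLICIES: List[Callable[[SignIn], Optional[str]]] = [
    block_listed_countries,
    admins_always_mfa,
    email_needs_managed_device,
    device_must_be_patched,
    mfa_outside_trusted_networks,
]


def evaluate(s: SignIn) -> Tuple[str, List[Tuple[str, str]]]:
    """Run every policy, record the ones that matched, and return the strictest outcome."""
    matched = []
    for policy in POLICIES:
        outcome = policy(s)
        if outcome is not None:
            matched.append((policy.__name__, outcome))
    final = max((o for _, o in matched), key=SEVERITY.__getitem__, default=ALLOW)
    return final, matched


if __name__ == "__main__":
    admin = SignIn("alice", frozenset({"global_admin"}), "portal", "203.0.113.10", "US", True, True)
    print(evaluate(admin))   # ('require_mfa', [('admins_always_mfa', 'require_mfa')])
    byod = SignIn("bob", frozenset({"staff"}), "email", "198.51.100.7", "DE", False, False)
    print(evaluate(byod))    # ('block', [...]) even though an MFA policy also matched
```

Returning the list of matched policies alongside the decision is what makes the engine debuggable: when a user is blocked, the sign-in log shows exactly which rule fired, which is the information an administrator needs before loosening anything.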
Privileged Identity Management and Just-in-Time Access Controls
The biggest risk to any organization's systems and data is administrative accounts, which can typically do all manner of damage, including deleting or exfiltrating data and removing the audit logs that would show which activities occurred. This was also at the heart of the SolarWinds attack: because of the low level at which SolarWinds collected data, its software had to run with extremely high privileges, and the backdoor inserted into it inherited those privileges. Attackers are always trying to gather administrative credentials so they can do more damage.
However, organizations need administrators to keep the lights on, so what should they do? A common technique is for administrators to have two sets of credentials: a typical low-privileged account for tasks like email and other business systems, and a dedicated administrative account for systems management tasks. This has a couple of benefits. It makes auditing admin activity easier, since you can narrow the focus to the admin accounts, and it means admins are not normally logged in with admin privileges, which reduces the attack surface exposed to phishing and malware on their everyday session.
Privileged identity management (PIM) and just-in-time (JIT) access take the split-account model a step further. The privileged roles are disabled (eligible but not active) by default; an administrator requests activation with a justification, and a manager or a fellow administrator approves it. Access is then granted for a limited, specified amount of time and removed automatically when that time expires. The scope and approval process are widely configurable in most authentication platforms, so you can tailor your policies to your organization's needs. The major benefit of PIM and just-in-time access is that administrative logins are disabled by default and every escalation goes through a defined process that leaves an approval record and an audit trail.
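The request, approve, time-box, and expire cycle described above, modelled as an added example that is not the original article's code and not any vendor's PIM product. The broker holds only eligibility (who may ask for a role), never a standing assignment; a request needs a justification and a duration under the cap, approval must come from a designated approver other than the requester, and the role is active only inside the approved window, so expiry needs no cleanup job. The role names, user names, approver set, and four-hour cap are assumptions for the demo; `ts()` is a demo helper that returns timestamps relative to a constructed start time.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Activation:
    request_id: str
    requester: str
    role: str
    justification: str
    duration: timedelta
    approver: Optional[str] = None
    starts: Optional[datetime] = None
    ends: Optional[datetime] = None


class JitRoleBroker:
    """Privileged roles are eligible-but-inactive; they turn on only through approved, time-boxed requests."""

    def __init__(self, eligible: Dict[str, Set[str]], approvers: Set[str],
                 max_duration: timedelta = timedelta(hours=4)):
        self.eligible = eligible          # role -> users who may *request* it; nobody holds it standing
        self.approvers = approvers        # managers / fellow admins allowed to approve
        self.max_duration = max_duration
        self.requests: Dict[str, Activation] = {}
        self.audit: List[str] = []        # every step is recorded for later review

    def request(self, user: str, role: str, justification: str,
                duration: timedelta, now: datetime) -> Optional[str]:
        """Open an activation request; returns its id, or None if the request is refused."""
        if user not in self.eligible.get(role, set()):
            self.audit.append(f"{now.isoformat()} DENIED request {user}->{role}: not eligible")
            return None
        if not justification.strip() or duration > self.max_duration:
            self.audit.append(f"{now.isoformat()} DENIED request {user}->{role}: justification/duration")
            return None
        rid = uuid.uuid4().hex
        self.requests[rid] = Activation(rid, user, role, justification, duration)
        self.audit.append(f"{now.isoformat()} REQUEST {rid} {user}->{role} for {duration}: {justification}")
        return rid

    def approve(self, request_id: str, approver: str, now: datetime) -> bool:
        """Approval starts the clock; self-approval and unknown approvers are refused."""
        act = self.requests.get(request_id)
        if act is None or act.approver is not None:
            return False                              # unknown or already decided
        if approver == act.requester or approver not in self.approvers:
            self.audit.append(f"{now.isoformat()} DENIED approval {request_id} by {approver}")
            return False
        act.approver, act.starts, act.ends = approver, now, now + act.duration
        self.audit.append(f"{now.isoformat()} APPROVED {request_id} by {approver} until {act.ends.isoformat()}")
        return True

    def is_active(self, user: str, role: str, now: datetime) -> bool:
        """True only inside an approved window; outside it the role is simply not held."""
        return any(a.requester == user and a.role == role and a.starts is not None
                   and a.starts <= now < a.ends for a in self.requests.values())

    def active_assignments(self, now: datetime) -> List[str]:
        """What a reviewer would see as 'who is admin right now'."""
        return sorted(f"{a.requester}:{a.role}" for a in self.requests.values()
                      if a.starts is not None and a.starts <= now < a.ends)


# Demo helper: timestamps relative to a constructed start time.
DEMO_START = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)


def ts(minutes: int) -> datetime:
    return DEMO_START + timedelta(minutes=minutes)


if __name__ == "__main__":
    broker = JitRoleBroker({"global_admin": {"alice", "bob"}}, approvers={"bob", "carol"})
    rid = broker.request("alice", "global_admin", "CHG-1234 patch domain controllers", timedelta(hours=1), ts(0))
    print(broker.approve(rid, "alice", ts(1)))                 # False: no self-approval
    print(broker.approve(rid, "bob", ts(5)))                   # True
    print(broker.active_assignments(ts(30)))                   # ['alice:global_admin']
    print(broker.is_active("alice", "global_admin", ts(66)))   # False: expired on its own
    print("\n".join(broker.audit))
```

The audit list is the part worth keeping in a real deployment: the justification, the approver, and the exact window are what an investigator needs when an administrative action later turns out to be malicious or mistaken.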
The modern threat surface can be daunting to many organizations. Implementing multi-factor authentication everywhere possible is a good start in protecting against advanced threat actors, but more complex controls like conditional access and privileged identity management are needed to protect your environment from more advanced attacks.
Joey D'Antoni, Principal Consultant at Denny Cherry and Associates Consulting
@jdanton1 on DZone | @jdanton on Twitter | joeydantoni.com
Joseph D'Antoni is a Principal Consultant at Denny Cherry and Associates Consulting. He is recognized as a VMware vExpert and a Microsoft Data Platform MVP and has over 20 years of experience working in both Fortune 500 and smaller firms. He has worked extensively on database platforms and cloud technologies and has specific expertise in performance tuning, infrastructure, and disaster recovery.
Opinions expressed by DZone contributors are their own.