Perimeter
8/28/2012
11:01 AM
Gunnar Peterson
Gunnar Peterson
Commentary
Connect Directly
RSS
E-Mail
50%
50%

ID Don't Mean A Thing Unless It's Got That Integration Thing

Architecture astronauts talk identity strategy, but pros talk identity integration logistics

When embarking on identity and access management (IAM) architecture and development efforts, the initial phases often churn through finding the "right" standard or protocol to use. Should the project use OpenID or SAML or IWA or something else altogether? While its important to sort through the tradeoffs and design considerations (after all the Cloud Security Alliance alone mentions 27 different identity standards!), selecting Identity protocols and standards is the beginning not the end.

The critical next steps include a plan for integrating the selected identity protocol and standards into the overall application. This step causes way more stumbling than it should. By now, we should know that there are no silver bullets in infosec. But even today, enterprises write RFIs and RFPs that hone in on support for a specific standard and yet gloss over the importance of integration.

Identity has made tremendous progress over the past decade, in my view progress on standards like SAML and XACML has been the "quiet revolution" in delivering more efficacy to real world security. But the standards and products that support them are not enough by themselves if they cannot integrate to your application then we are left with yet another silo or worse yet --- shelfware.

How should IAM architects avoid integration traps? The first step is identifying the integration targets. Every protocol and standard is different but at a minimum there are likely to be two integration points -- First Mile integration and Last Mile integration.

The First Mile is responsible to find and package the claims about the user subject. First Mile integration generally means being able to communicate with data stores and processes such as user activity, logins, user authentication, user stores, directories, attribute stores, and account information. In SAML, this often occurs via the Identity provider communication with user directory such as Active Directory.

The Last Mile is responsible to make and enforce access control decisions based on the claims its sent via the identity provider. This process can be summed up as"you assert, we decide." The Last Mile must be integrated with the application, service provider, Web service interface, mobile service or Web app. The extent of this integration is pretty variable. Most of the time it's a fairly coarse-grained authorization check, but there's been movement towards finer-grained access control through attribute based access control and standards like XACML that enable deeper integration and more policy-based authorization.

In both the First Mile and Last Mile integration points, the IAM Architect's job is to define the breadth and depth of integration. The architecture must factor in the communication protocols, data formats, token types, and other hooks to applications and data stores required to get the job done.

There's an old military saying that amateurs discuss tactics, armchair generals discuss strategy, but professionals discuss logistics. There's plenty of tactics and strategy necessary to light up a new identity protocol in your company, but successful IAM pros must plan for integration logistics, too.

Gunnar Peterson is a Managing Principal at Arctec Group Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.