Perimeter
8/28/2012
11:01 AM
Gunnar Peterson
Gunnar Peterson
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

ID Don't Mean A Thing Unless It's Got That Integration Thing

Architecture astronauts talk identity strategy, but pros talk identity integration logistics

When embarking on identity and access management (IAM) architecture and development efforts, the initial phases often churn through finding the "right" standard or protocol to use. Should the project use OpenID or SAML or IWA or something else altogether? While its important to sort through the tradeoffs and design considerations (after all the Cloud Security Alliance alone mentions 27 different identity standards!), selecting Identity protocols and standards is the beginning not the end.

The critical next steps include a plan for integrating the selected identity protocol and standards into the overall application. This step causes way more stumbling than it should. By now, we should know that there are no silver bullets in infosec. But even today, enterprises write RFIs and RFPs that hone in on support for a specific standard and yet gloss over the importance of integration.

Identity has made tremendous progress over the past decade, in my view progress on standards like SAML and XACML has been the "quiet revolution" in delivering more efficacy to real world security. But the standards and products that support them are not enough by themselves if they cannot integrate to your application then we are left with yet another silo or worse yet --- shelfware.

How should IAM architects avoid integration traps? The first step is identifying the integration targets. Every protocol and standard is different but at a minimum there are likely to be two integration points -- First Mile integration and Last Mile integration.

The First Mile is responsible to find and package the claims about the user subject. First Mile integration generally means being able to communicate with data stores and processes such as user activity, logins, user authentication, user stores, directories, attribute stores, and account information. In SAML, this often occurs via the Identity provider communication with user directory such as Active Directory.

The Last Mile is responsible to make and enforce access control decisions based on the claims its sent via the identity provider. This process can be summed up as"you assert, we decide." The Last Mile must be integrated with the application, service provider, Web service interface, mobile service or Web app. The extent of this integration is pretty variable. Most of the time it's a fairly coarse-grained authorization check, but there's been movement towards finer-grained access control through attribute based access control and standards like XACML that enable deeper integration and more policy-based authorization.

In both the First Mile and Last Mile integration points, the IAM Architect's job is to define the breadth and depth of integration. The architecture must factor in the communication protocols, data formats, token types, and other hooks to applications and data stores required to get the job done.

There's an old military saying that amateurs discuss tactics, armchair generals discuss strategy, but professionals discuss logistics. There's plenty of tactics and strategy necessary to light up a new identity protocol in your company, but successful IAM pros must plan for integration logistics, too.

Gunnar Peterson is a Managing Principal at Arctec Group Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-5704
Published: 2014-04-15
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

CVE-2013-5705
Published: 2014-04-15
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

CVE-2014-0341
Published: 2014-04-15
Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to ob...

CVE-2014-0342
Published: 2014-04-15
Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

CVE-2014-0348
Published: 2014-04-15
The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workstation 1.3.x before 1.3.9, Artiva Rm 3.1 MR7, Artiva Healthcare 5.2 MR5, and Artiva Architect 3.2 MR5, when the domain-name option is enabled, allows remote attackers to login to arbitrary domain accounts by using the corresponding...

Best of the Web