Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/30/2013
12:14 AM
Patrick Harding
Patrick Harding
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Vanishing IT Security Boundaries Reappearing Disguised As Identity

It's that time of year, when nothing is as it seems. If cloud and mobile are haunting your dreams, consider some open protocol treats.

It's not an illusion: The security boundaries we used to depend on are now little more than vapor. The migration of applications to the cloud, mobility and businesses granting nonemployees access to sensitive resources are trends challenging CIOs everywhere -- at a time when IT is expected to "do more with less" and deliver added value while staff sizes shrink and the number of users and applications explodes.

What's the trick for dealing with this transformation? Standards. More precisely, a set of modern identity management protocols aligned with fresh Web-based development methods and a dash of seniority from a de facto standard many enterprises use today for single sign-on.

This contemporary protocol set is built on developer-friendly frameworks, like REST and JavaScript Object Notation (JSON), and standards, including the System for Cross-Domain Identity Management, OAuth and OpenID Connect, and the venerable Security Assertion Markup Language.

You need all of these pieces for scalable user management, a cornerstone of compliance mandates. Let's dig a bit into each standard's role:

System for Cross-Domain Identity Management: Without creating user identities, you can't manage application access. However, enterprises have struggled with fragile proprietary provisioning systems that break with application or operating system changes. Where early efforts around the Service Provisioning Markup Language failed because of complexity, SCIM offers a simple set of commands to create, read, update and delete.

SCIM is a developer-friendly standard that leverages REST and JSON, replacing costly proprietary or manual provisioning methods. SCIM 1.0 is already in use by service providers and available in identity and access management products. The IETF standards body has nearly completed the definition for the 2.0 version of the SCIM protocol.

Security Assertion Markup Language: Created more than a decade ago, SAML is the most widely deployed identity standard in the enterprise. It is the de facto method for Web-browser-based authentication and single sign-on to enterprise software-as-a-service applications. IT also uses it to connect disparate applications, such as those introduced by a merger or acquisition. SAML should be your first choice for Web-based SSO because so many applications and identity systems support it. SAML also delivers SSO without relying on password credentials, which can be easily intercepted by attackers and used for unauthorized transactions and data security breaches. And SAML enables access at scale by eliminating password resets in the target application. The SAML assertion remains the gold standard for browser-based user authentication and SSO.

OAuth 2.0: What about native mobile applications, which frequently lack browser-based functionality? Enter OAuth 2.0, which is more of a framework than a protocol.

The OAuth 2.0 standard enables native mobile applications to access resources on behalf of the user. It's an API-friendly protocol that leverages REST and JSON, and it's built into many SaaS applications, including Facebook, Google and Yahoo; cloud infrastructure platforms like Windows Azure Active Directory; and modern IAM software, including that offered by my company, Ping Identity. OAuth is the enterprise "sure bet" for credential-based access to native mobile applications and has gained mindshare among developers and SaaS application vendors. The core standard for OAuth 2.0 is finalized and approved by the IETF.

While OAuth is the de facto credential standard for nonbrowser applications, it lacks a framework for the scalable registration of these applications -- a necessary task if apps are to be granted access to enterprise resources. Also, OAuth requires a broader identity management framework to provide user SSO to many applications.

OpenID Connect can help meet those OAuth challenges. It's built on top of the OAuth framework to provide "identity at scale" by delivering an automated registration process for applications and a discovery process for authentication systems. And given its OAuth roots, OpenID Connect streamlines into the OAuth authentication flow in a way other protocols cannot.

The definition of the standard is substantially complete and is in final review status at the OpenID Foundation, with final approval expected early next year. Adoption is already underway: Google last week told partners it is phasing out OpenID 2.0 and OAuth 1.0 in favor of OpenID Connect. The move will require websites that accept Google IDs for logins to upgrade to the specification. Salesforce.com and Microsoft are among others that support OpenID Connect, and IAM software vendors are also touting support. Acceptance of the protocol is also pushing it onto the infrastructure radar of mobile operators, government-backed identity initiatives in the U.S. and Europe, and enterprise hybrid-cloud deployments. CIOs should pay attention.


Specs On The Move

Acceptance of this group of protocols has raced well beyond the lab and beta test environments. The groundwork is done, and examples of production use are everywhere. Service provider and enterprise security architects realize that identity -- every employee, every device and every application -- is vital in a connected world. The only way to scale access and security across that connected world is through standards, especially as cloud, mobile and social transform how we do business.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
pcalento011
50%
50%
pcalento011,
User Rank: Apprentice
11/1/2013 | 1:18:33 AM
re: Vanishing IT Security Boundaries Reappearing Disguised As Identity
Are our current frameworks secure enough? Not in the least. The challenge isn't just to embrace various frameworks, but to stay one-step-ahead of the moving threat. And I'm not sure this is a CIO-only problem, the CISO needs to be involved. --Paul Calento
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31547
PUBLISHED: 2021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules.
CVE-2021-31548
PUBLISHED: 2021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed.
CVE-2021-31549
PUBLISHED: 2021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The Special:AbuseFilter/examine form allowed for the disclosure of suppressed MediaWiki usernames to unprivileged users.
CVE-2021-31550
PUBLISHED: 2021-04-22
An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers.
CVE-2021-31551
PUBLISHED: 2021-04-22
An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages.