White Paper. What is an Identity Provider, and Why Should My Organization Become One?

Transcription

1 White Paper What is an Identity Provider, and Why Should My Organization Become One? May 2015

2 Executive Overview Tame Access Control Security Risks: Become an Identity Provider (IdP) Organizations today face a wide range of security threats by an even greater range of bad actors with different motivations and varying tactics for trying to breach an organization. According to the Identity Theft Resource Center, in the United States alone, there were 783 reported breaches in That s an average of 15 breaches per week exposing corporate and personal information. At the heart of the problem is the inability to verify online identities. Simply put, it is increasingly difficult to know whether people or companies are who they say they are. The solution is to become an Identity Provider (IdP). By becoming an IdP, you can not only address today s security risks, but also safely embrace new technology trends for on premise, cloud, mobile and VPN systems. With the products now available on the market, there s no reason not to become an IdP today. This paper will discuss why your organization should become an IdP, what becoming an IdP involves, and why you should automate as much of this process as possible. Assert Your Identity 2

3 Table of Contents What IdPs Are and Why They Are Important... 4 IdPs Defined What an IdP Does Why You Must Become an IdP Today... 5 Protect Yourself Against the Risks You Know About Prepare for Emerging Risks Protect Your Existing Identity Investments Keep Your Identities Safe and In-House Guard Against Expanding Insider Attacks Do Service Providers Support IdPs?... 6 Becoming an IdP... 7 Do I Have to Purchase Yet Another Security Product? How Do I Become an IdP on My Own? The Easy Way to Become an IdP: Automation... 8 SecureAuth IdP the World s First IdP with Adaptive and Two-Factor Authentication... 9 Conclusion Assert Your Identity 3

4 What IdPs Are and Why They Are Important IdPs Defined To help address the online identity problem, organizations must become Identity Providers. What is an Identity Provider? Simply put, an identity provider is an authentication component that serves identity details to a service provider for on premise, cloud, mobile and VPN systems. By becoming an IdP, your organization can greatly improve security. An IdP can provide Single Sign-on (SSO) from your identity store, such as Active Directory (AD) or LDAP, out to the cloud, SaaS applications, mobile applications, and VPNs along with any other resources that should be protected by strong authentication. Instead of having separate credentials, and multiple separate identities daisychained together increasing risk of credential theft, your users have a single identity, thus greatly reducing the surface area that attackers may take advantage of. Simply put, by becoming an IdP, both your organization and the service providers you connect to can be sure your users really are who they say they are. What an IdP does How exactly does an IdP work? An IdP obtains identity credentials from the enterprise, conducts an authentication session, and then passes the trusted identity to the service provider, as illustrated in Figure 1. Specifically, the IdP: 1. Connects to an identity store (e.g. Active Directory, LDAP, SQL, etc.) 2. Accepts an identity from some mechanism (Active Directory SSO, an X.509 certificate via the browser or Java etc.) 3. Authenticates the user in some fashion (ID + password, Integrated Windows Authentication [IWA], two-factor, etc.) 4. Analyzes the context of the identity for risk factors and takes appropriate action 5. Asserts the identity out to the service provider in an agreed-upon way, typically through a federated token (e.g SAML, OpenID) 6. Audits the authentication session in some manner Assert Your Identity 4

5 Service Provider #1 (SP) SaaS Applications Service Provider #2 (SP) Internet Desktop and Mobile Based Users Firewall / VPNs Internal Users and Administrators Enterprise Web Applications Identity Provider (IdP) Figure 1: What an IdP does Directory(s) (AD/other) Why You Must Become an IdP Today Before we get into the details of how to become an IdP, let s review the five key reasons why you need to do it today. 1. Protect Yourself Against the Risks You Know About The most important reason to become an IdP is to mitigate the many risks that organizations are faced with today, whether its theft of intellectual property via an advanced attack, high end cybercrime motivated for financial gain, or data destruction driven by hacktivism. Recent attacks that we re all familiar with in the media are certainly illustrative of this. 2. Prepare for Emerging Risks Many software vendors have moved away from on-premises products to SaaS/ Cloud based delivery methods and larger platform providers like Microsoft, Apple, Google and VMware are all heavily invested in this delivery method. Becoming an IdP will enable you to embrace these new technologies safely, eliminating security as a roadblock to your business. 3. Protect Your Existing Identity Investments Many organizations have invested heavily in their existing identity stores, such as Active Directory and most have structured their roles and policies according to LDAP concepts such as user and group objects and attributes. Becoming an IdP enables you to preserve this investment. When choosing to invest in an IdP, try to avoid choosing a product that synchronizes identities and instead choose a solution that respects the existing security boundary of the identity store. Assert Your Identity 5

6 4. Keep Your Identities Safe and In-House You will hear various service providers telling you to outsource identity management to them, and doing so might work out fine. But this approach involves serious risks. What happens if there is a breach? What happens if the service provider fails or, worse, is acquired by your main competitor? If you are in a heavily regulated industry, also be aware that outsourcing identities complicates compliance. Becoming an IdP helps avoid these risks. 5. Guard Against Expanding Insider Attacks In this age of outsourcing and partnering, organizations of all sizes must grant access to enterprise resources to contractors, partners, guests and temporary employees. Becoming an IdP will help mitigate the risks associated with that access. Plus, by not outsourcing identity management to a service provider, you eliminate the possibility of insider threats from that service provider which is critical. Do Service Providers Support IdPs? They do. In fact, one of the critical ingredients for an IdP is SAML (Security Assertion Markup Language), an XML-based framework that enables the exchange of security information. SAML is backed by Salesforce.com, SuccessFactors, Oracle, Box, Google, and many others. Figure 2: Most major service providers support SAML. Assert Your Identity 6

7 Through SAML, your organization can deliver information about user identities and access privileges to a cloud provider in a safe, secure and standardized way. Many enterprises consider SAML the cornerstone of their SSO efforts. And it should be noted than many VPN vendors are opening their systems to support SAML as well. Another major standard is OpenID. While SAML is an enterprise-focused standard, OpenID is more suited for consumer-facing apps. It allows users to be authenticated in a decentralized manner, saving the need for each service provider to develop its own authentication systems. For example, when you log into a third-party application or site using your Google or Yahoo! credentials, you are leveraging OpenID. Becoming an IdP Do I Have to Purchase Yet Another Security Product? An IdP isn t a product you necessarily purchase, but rather an ability you acquire the ability to verify identities to various applications in an agreedupon format. That said, most organizations will indeed purchase products to help them become an IdP. Going it alone is a long, cumbersome, error-prone process, so most organizations will find it more cost-effective to turn to markettested solutions that streamline the process. Let s explore both options, starting with going it alone. How Do I Become an IdP on My Own? For the do-it-yourself (DIY) enterprises out there, becoming an IdP on your own is certainly achievable. Here are the eight things you must do: 1. Set up a secure web server. 2. Establish secure data store connectivity. 3. Conduct the proper authentication of the user. 4. Construct the proper ID artifact (that is, the match protocol of the service provider). 5. Cryptographically sign the ID token. 6. Construct distinct IdP URLs for each distinct service provider. 7. Log the user authentication and ID assertion. 8. Manage the enterprise ID (used in federation steps above). At first glance, this doesn t look that complicated. You ve probably already set up a secure web server, for example. But consider step 6. What exactly is required to construct distinct IdP URLs for each distinct service provider? Assert Your Identity 7

8 It s complicated. First, you must link your in-house identity stores in a way that enables you to serve credentials to a service provider, such as Google. But once the first service provider is worked out, departments across your company will clamor for the addition of other service providers, such as Salesforce.com, SuccessFactors, and Workday. How are you going to craft a new IdP for each of the resources your enterprise would like to federate to? This is not trivial. It requires that you either (1) set up a completely new IdP server for each service provider or (2) sub-divide your current IdP in a secure and well-articulated manner to support multiple service providers. The first option is easier, but it causes serious maintenance and security issues. The maintenance issue, obviously, is due to the proliferation of servers across the enterprise. The security issue is a little less intuitive but no less real: as IdP servers proliferate, the enterprise loses track of them, and some of the servers fall out of the scope of security reviews and related procedures. Option two lacks these drawbacks, but it is very challenging. It requires you to securely subdivide each subset IdP in the master server to be its own distinct server by allowing it to: + Configure its own data store selector + Configure its own authentication and user workflow + Configure its own identity assertion event + Configure its own logging In other words, you need to craft the IdP solution to support an unlimited number of sub-idps (one for every current and future service provider) a task that s beyond the reach of almost all enterprises. The Easy Way to Become an IdP: Automation Technology tends to move towards automation and consolidation. This rule is not as set in stone as Moore s Law, but everything from managing software patches to deploying servers to resetting passwords tasks that used to be cumbersome and error- prone can now be automated. Unfortunately, too many IT shops struggle with the labor-intensive, error-prone processes for years before they turn to automation (or before automated solutions are even available). Don t make this mistake as you attain IdP capabilities. Automated IdP solutions are available and they will simplify the process, save you money, and help you avoid dangerous misconfigurations. For example, automated IdP solutions save you from the trouble of: + Setting up and properly configuring your secure web servers + Setting up secure connections to your enterprise data stores + Authenticating users to multiple third-party apps and services + Sub-dividing the IdP to support multiple service providers + Manually logging user authentication and ID assertions + Enabling SSO for on premise, cloud, VPN, and third-party apps Assert Your Identity 8

9 SecureAuth IdP the World s First IdP with Adaptive and Two-Factor Authentication SecureAuth IdP is the only product that delivers instant IdP capabilities for on premise, cloud, mobile, and VPN systems with adaptive and Two-Factor authentication built in. Service Provider #1 (SP) SaaS Applications Service Provider #2 (SP) 2-Factor Internet Desktop and Mobile Based Users Firewall / VPNs AD/SSO Internal Users and Administrators Enterprise Web Applications Directory(s) (AD/other) Figure 3: Only SecureAuth IdP delivers both IdP functionality and adaptive and Two-Factor authentication in a single solution. With SecureAuth IdP, your organization can quickly become a secure, auditable IdP and enjoy all the benefits we ve discussed in this whitepaper. You ll be able to enforce and extend security standards to all on premise and cloudbased applications, as well as to any mobile devices you support and VPNs you rely on. SecureAuth IdP also enables Single Sign-on without the need to synchronize to an enterprise directory or send credentials to a third-party SSO provider, which dramatically increases IT security. Assert Your Identity 9

10 Conclusion The proliferation of identity information used for authentication poses a serious risk to all organizations today. To manage today s risks and be poised to adopt emerging technologies such as cloud-based infrastructures and mobile apps, enterprises need to become their own Identity Provider. DIY enterprises can become IdPs on their own, but this is a complicated, expensive, and potentially error-prone process. Now that, scalable, enterprise grade IdP solutions are available on the market, informed organizations will choose these solutions to automate as much of this process as possible. And SecureAuth IdP is the only product that delivers instant IdP capabilities with adaptive and Two-Factor authentication built in. See for yourself how straightforward and swift the process of enabling regulation-compliant SSO for all of your on premise, cloud, mobile, and VPN systems can be. Visit to learn more and get on the SecurePath to strong access control today. Assert Your Identity 10

11 ABOUT SECUREAUTH Based in Irvine, California, SecureAuth offers identity and information security solutions that deliver innovative access control for on-premise, cloud, mobile and VPN systems to millions of users worldwide. SecureAuth IdP provides adaptive and Two-Factor authentication alongside Single Sign-on (SSO) in one solution. Its unique architecture enables organizations to leverage legacy infrastructures while also embracing nextgeneration technologies, so they can preserve existing investments while also meeting today s security challenges and tomorrow s. For the latest insights on secure access control, follow the SecureAuth blog, on Twitter, or visit Assert Your Identity 11

12 8965 Research Drive Irvine, CA p: f: secureauth.com WP-IdentityProvider