White Paper. What is an Identity Provider, and Why Should My Organization Become One?

May 2015

Executive Overview

Tame Access Control Security Risks: Become an Identity Provider (IdP)

Organizations today face a wide range of security threats from an even greater range of bad actors, with different motivations and varying tactics for trying to breach an organization. According to the Identity Theft Resource Center, in the United States alone there were 783 reported breaches in 2014. That is an average of 15 breaches per week exposing corporate and personal information.

At the heart of the problem is the inability to verify online identities. Simply put, it is increasingly difficult to know whether people or companies are who they say they are.

The solution is to become an Identity Provider (IdP). By becoming an IdP, you can not only address today's security risks, but also safely embrace new technology trends for on-premises, cloud, mobile and VPN systems. With the products now available on the market, there is no reason not to become an IdP today.

This paper will discuss why your organization should become an IdP, what becoming an IdP involves, and why you should automate as much of this process as possible.

Assert Your Identity

Table of Contents

What IdPs Are and Why They Are Important
  IdPs Defined
  What an IdP Does
Why You Must Become an IdP Today
  Protect Yourself Against the Risks You Know About
  Prepare for Emerging Risks
  Protect Your Existing Identity Investments
  Keep Your Identities Safe and In-House
  Guard Against Expanding Insider Attacks
Do Service Providers Support IdPs?
Becoming an IdP
  Do I Have to Purchase Yet Another Security Product?
  How Do I Become an IdP on My Own?
  The Easy Way to Become an IdP: Automation
SecureAuth IdP: the World's First IdP with Adaptive and Two-Factor Authentication
Conclusion

What IdPs Are and Why They Are Important

IdPs Defined

To help address the online identity problem, organizations must become Identity Providers. What is an Identity Provider? Simply put, an identity provider is an authentication component that serves identity details to a service provider for on-premises, cloud, mobile and VPN systems.

By becoming an IdP, your organization can greatly improve security. An IdP can provide Single Sign-on (SSO) from your identity store, such as Active Directory (AD) or LDAP, out to the cloud, SaaS applications, mobile applications and VPNs, along with any other resources that should be protected by strong authentication. Instead of separate credentials and multiple separate identities daisy-chained together, each link increasing the risk of credential theft, your users have a single identity, which greatly reduces the surface area an attacker can take advantage of. The flip side is that the IdP itself becomes the most valuable target in the environment: its signing keys, its authentication workflow and its connection to the directory deserve the strongest protection you can give them. Simply put, by becoming an IdP, both your organization and the service providers you connect to can be sure your users really are who they say they are.

What an IdP Does

How exactly does an IdP work? An IdP obtains identity credentials from the enterprise, conducts an authentication session, and then passes the trusted identity to the service provider, as illustrated in Figure 1. Specifically, the IdP:

1. Connects to an identity store (e.g. Active Directory, LDAP, SQL, etc.)
2. Accepts an identity from some mechanism (Active Directory SSO, an X.509 certificate presented via the browser or Java, etc.)
3. Authenticates the user in some fashion (ID + password, Integrated Windows Authentication [IWA], two-factor, etc.)
4. Analyzes the context of the identity for risk factors and takes appropriate action
5. Asserts the identity out to the service provider in an agreed-upon way, typically through a federated token (e.g. SAML, OpenID)
6. Audits the authentication session in some manner

[Figure 1: What an IdP does. The Identity Provider (IdP) sits between the directory(s) (AD/other), internal users and administrators and enterprise web applications on the inside, and, across the firewall/VPNs and the Internet, desktop- and mobile-based users and Service Providers #1 and #2 (SaaS applications) on the outside.]

Why You Must Become an IdP Today

Before we get into the details of how to become an IdP, let's review the five key reasons why you need to do it today.

1. Protect Yourself Against the Risks You Know About

The most important reason to become an IdP is to mitigate the many risks that organizations face today, whether it is theft of intellectual property via an advanced attack, high-end cybercrime motivated by financial gain, or data destruction driven by hacktivism. Recent attacks that we are all familiar with from the media are certainly illustrative of this.

2. Prepare for Emerging Risks

Many software vendors have moved away from on-premises products to SaaS/cloud-based delivery methods, and larger platform providers like Microsoft, Apple, Google and VMware are all heavily invested in this delivery method. Becoming an IdP will enable you to embrace these new technologies safely, eliminating security as a roadblock to your business.

3. Protect Your Existing Identity Investments

Many organizations have invested heavily in their existing identity stores, such as Active Directory, and most have structured their roles and policies according to LDAP concepts such as user and group objects and attributes. Becoming an IdP enables you to preserve this investment. When choosing to invest in an IdP, try to avoid a product that synchronizes identities (copying them out of your directory into another store) and instead choose a solution that respects the existing security boundary of the identity store.

4. Keep Your Identities Safe and In-House

You will hear various service providers telling you to outsource identity management to them, and doing so might work out fine. But this approach involves serious risks. What happens if there is a breach? What happens if the service provider fails or, worse, is acquired by your main competitor? If you are in a heavily regulated industry, also be aware that outsourcing identities complicates compliance. Becoming an IdP helps avoid these risks.

5. Guard Against Expanding Insider Attacks

In this age of outsourcing and partnering, organizations of all sizes must grant access to enterprise resources to contractors, partners, guests and temporary employees. Becoming an IdP will help mitigate the risks associated with that access. Plus, by not outsourcing identity management to a service provider, you eliminate the possibility of insider threats from that service provider, which is critical.

Do Service Providers Support IdPs?

They do. In fact, one of the critical ingredients for an IdP is SAML (Security Assertion Markup Language), an XML-based framework that enables the exchange of security information. SAML is backed by Salesforce.com, SuccessFactors, Oracle, Box, Google, and many others.

[Figure 2: Most major service providers support SAML.]

Through SAML, your organization can deliver information about user identities and access privileges to a cloud provider in a safe, secure and standardized way. Many enterprises consider SAML the cornerstone of their SSO efforts. It should be noted that many VPN vendors are opening their systems to support SAML as well.

Another major standard is OpenID. While SAML is an enterprise-focused standard, OpenID is more suited to consumer-facing apps. It allows users to be authenticated in a decentralized manner, saving each service provider from having to develop its own authentication system. For example, when you log into a third-party application or site using your Google or Yahoo! credentials, you are leveraging OpenID. (Google's sign-in now uses OpenID Connect, an identity layer built on OAuth 2.0 that replaced OpenID 2.0; the federation model is the same.)

Becoming an IdP

Do I Have to Purchase Yet Another Security Product?

An IdP isn't a product you necessarily purchase, but rather an ability you acquire: the ability to verify identities to various applications in an agreed-upon format. That said, most organizations will indeed purchase products to help them become an IdP. Going it alone is a long, cumbersome, error-prone process, so most organizations will find it more cost-effective to turn to market-tested solutions that streamline the process. Let's explore both options, starting with going it alone.

How Do I Become an IdP on My Own?

For the do-it-yourself (DIY) enterprises out there, becoming an IdP on your own is certainly achievable. Here are the eight things you must do:

1. Set up a secure web server.
2. Establish secure data store connectivity.
3. Conduct the proper authentication of the user.
4. Construct the proper ID artifact (that is, one that matches the protocol of the service provider).
5. Cryptographically sign the ID token.
6. Construct distinct IdP URLs for each distinct service provider.
7. Log the user authentication and ID assertion.
8. Manage the enterprise ID (used in the federation steps above).

At first glance, this doesn't look that complicated. You've probably already set up a secure web server, for example. But consider step 6. What exactly is required to construct distinct IdP URLs for each distinct service provider?

It's complicated. First, you must link your in-house identity stores in a way that enables you to serve credentials to a service provider, such as Google. But once the first service provider is worked out, departments across your company will clamor for the addition of other service providers, such as Salesforce.com, SuccessFactors, and Workday. How are you going to craft a new IdP for each of the resources your enterprise would like to federate to?

This is not trivial. It requires that you either (1) set up a completely new IdP server for each service provider or (2) sub-divide your current IdP in a secure and well-articulated manner to support multiple service providers.

The first option is easier, but it causes serious maintenance and security issues. The maintenance issue, obviously, is due to the proliferation of servers across the enterprise. The security issue is a little less intuitive but no less real: as IdP servers proliferate, the enterprise loses track of them, and some of the servers fall out of the scope of security reviews, patching and related procedures, even though each of them holds a signing key that its service provider trusts unconditionally.

Option two lacks these drawbacks, but it is very challenging. It requires you to securely subdivide the master server into distinct sub-IdPs, each of which must be able to:

+ Configure its own data store selector
+ Configure its own authentication and user workflow
+ Configure its own identity assertion event
+ Configure its own logging

In other words, you need to craft the IdP solution to support an unlimited number of sub-IdPs (one for every current and future service provider), a task that is beyond the reach of almost all enterprises.

The Easy Way to Become an IdP: Automation

Technology tends to move towards automation and consolidation. This rule is not as set in stone as Moore's Law, but everything from managing software patches to deploying servers to resetting passwords, tasks that used to be cumbersome and error-prone, can now be automated. Unfortunately, too many IT shops struggle with labor-intensive, error-prone processes for years before they turn to automation (or before automated solutions are even available). Don't make this mistake as you attain IdP capabilities. Automated IdP solutions are available, and they will simplify the process, save you money, and help you avoid dangerous misconfigurations. For example, automated IdP solutions save you from the trouble of:

+ Setting up and properly configuring your secure web servers
+ Setting up secure connections to your enterprise data stores
+ Authenticating users to multiple third-party apps and services
+ Sub-dividing the IdP to support multiple service providers
+ Manually logging user authentication and ID assertions
+ Enabling SSO for on-premises, cloud, VPN, and third-party apps
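As a worked illustration of the six-step description in "What an IdP Does", the eight DIY steps and option two (one server sub-divided per service provider), here is an added example of a single IdP that keeps a per-service-provider configuration, authenticates against an in-memory directory and issues signed assertions, together with the check the service provider must perform on the other side. It is not code from this paper or from SecureAuth, and it is written in Go against the standard library only (Go 1.21 or later for the slices package). Every concrete value is an assumption made for the example: the users and passwords, the two service providers and their entity IDs and endpoint URLs under example.com, the IdP entity ID and the 10.0.0.0/8 corporate address range. Two simplifications are deliberate and labelled in the comments: the assertion is flattened to XML attributes, and the RSA-SHA256 signature is carried beside the serialised bytes rather than embedded as an XML Signature over a canonicalised element, which is what a real SAML library does for you.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net"
	"slices"
	"strings"
	"time"
)

// User is a constructed stand-in for the identity store (AD/LDAP); the password hashes live here only to keep the example self-contained.
type User struct {
	ID     string
	PwHash [32]byte
	Groups []string
}
var directory = map[string]User{
	"alice": {"alice", sha256.Sum256([]byte("correct horse")), []string{"finance", "staff"}},
	"bob":   {"bob", sha256.Sum256([]byte("hunter2")), []string{"staff"}},
}

// SPConfig is one "sub-IdP" inside a single server: its own endpoint URL (DIY step 6), its own authentication workflow and its own data-store selector.
type SPConfig struct {
	EntityID, Endpoint string // SAML Audience; the distinct IdP URL that serves this SP
	RequireMFA         bool   // authentication workflow
	AllowedGroup       string // data-store selector: the directory group allowed to federate here
}
var serviceProviders = map[string]SPConfig{
	"https://sp.crm.example": {"https://sp.crm.example", "https://idp.example.com/sso/crm", false, "staff"},
	"https://sp.hr.example":  {"https://sp.hr.example", "https://idp.example.com/sso/hr", true, "finance"},
}

const issuer = "https://idp.example.com" // assumed IdP entity ID
var corpNet = func() *net.IPNet { _, n, _ := net.ParseCIDR("10.0.0.0/8"); return n }() // assumed corporate range
var auditLog []string // DIY step 7: every denial and every issued assertion lands here
func audit(f string, a ...any) { auditLog = append(auditLog, fmt.Sprintf(f, a...)) }

// Authenticate is DIY steps 3 and 4: verify the credential, then apply the SP's policy; a login from outside the corporate range always needs a second factor.
func Authenticate(spID, user, password, clientIP string, mfaPassed bool) (u User, sp SPConfig, err error) {
	sp, ok := serviceProviders[spID]
	u = directory[user] // an unknown user has a zero hash, so the constant-time compare below fails
	h := sha256.Sum256([]byte(password))
	offNet := !corpNet.Contains(net.ParseIP(clientIP))
	switch {
	case subtle.ConstantTimeCompare(h[:], u.PwHash[:]) != 1:
		err = errors.New("authentication failed")
	case (sp.RequireMFA || offNet) && !mfaPassed:
		err = errors.New("second factor required")
	case !ok || !slices.Contains(u.Groups, sp.AllowedGroup):
		err = errors.New("service provider unknown or user not entitled to it")
	default:
		return u, sp, nil
	}
	audit("DENY sp=%s user=%s ip=%s offnet=%t reason=%v", spID, user, clientIP, offNet, err)
	return User{}, sp, err
}

// IssueAssertion is step 5: serialise a minimal SAML-style assertion (flattened to XML attributes) and sign it with RSA-SHA256.
// Real SAML embeds an XML Signature over the canonicalised element; a detached raw signature leaves that out without changing what is trusted.
func IssueAssertion(key *rsa.PrivateKey, sp SPConfig, u User, now time.Time) (payload string, sig []byte, err error) {
	payload = fmt.Sprintf(`<Assertion Issuer="%s" Subject="%s" Audience="%s" IssueInstant="%s" NotOnOrAfter="%s"/>`,
		issuer, u.ID, sp.EntityID, now.UTC().Format(time.RFC3339), now.Add(5*time.Minute).UTC().Format(time.RFC3339))
	digest := sha256.Sum256([]byte(payload))
	if sig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]); err != nil {
		return "", nil, err
	}
	audit("ASSERT sp=%s user=%s endpoint=%s", sp.EntityID, u.ID, sp.Endpoint)
	return payload, sig, nil
}

func attr(payload, name string) string { // value of name="..." in the serialised assertion, "" if absent
	_, after, _ := strings.Cut(payload, name+`="`)
	v, _, _ := strings.Cut(after, `"`)
	return v
}

// VerifyAssertion is the SP's half: signature first, then issuer, audience and validity window. Skip the audience check and an assertion for one SP replays at another.
func VerifyAssertion(pub *rsa.PublicKey, payload string, sig []byte, myEntityID string, now time.Time) (string, error) {
	digest := sha256.Sum256([]byte(payload))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature does not verify")
	}
	if attr(payload, "Issuer") != issuer || attr(payload, "Audience") != myEntityID {
		return "", errors.New("issuer or audience mismatch")
	}
	if exp, err := time.Parse(time.RFC3339, attr(payload, "NotOnOrAfter")); err != nil || !now.Before(exp) {
		return "", errors.New("assertion expired or malformed")
	}
	return attr(payload, "Subject"), nil
}

func NewIdPKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // in production the signing key lives in an HSM or key store
```

Read top to bottom it walks the paper's list: SPConfig is the per-SP sub-IdP (steps 2 and 6), Authenticate is steps 3 and 4, IssueAssertion is step 5, auditLog is step 7, and VerifyAssertion is what the service provider does with the result. A typical run is Authenticate("https://sp.crm.example", "alice", "correct horse", "10.1.2.3", false), then IssueAssertion with the returned user and SP config, then VerifyAssertion at the CRM provider; presenting that same assertion to the HR provider fails on the audience check, which is the boundary the per-SP configuration exists to keep. Real SAML additionally carries the signature base64-encoded inside the XML, a NotBefore alongside NotOnOrAfter, and an AudienceRestriction element rather than an attribute, but the decisions an SP must make are the ones shown.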

SecureAuth IdP: the World's First IdP with Adaptive and Two-Factor Authentication

SecureAuth IdP is the only product that delivers instant IdP capabilities for on-premises, cloud, mobile, and VPN systems with adaptive and Two-Factor authentication built in.

[Figure 3: Only SecureAuth IdP delivers both IdP functionality and adaptive and Two-Factor authentication in a single solution. Same layout as Figure 1, labelled 2-Factor on the Internet-facing side (desktop- and mobile-based users, Service Providers #1 and #2, SaaS applications) and AD/SSO on the internal side (internal users and administrators, enterprise web applications, directory(s) (AD/other)).]

With SecureAuth IdP, your organization can quickly become a secure, auditable IdP and enjoy all the benefits we have discussed in this white paper. You will be able to enforce and extend security standards to all on-premises and cloud-based applications, as well as to any mobile devices you support and VPNs you rely on. SecureAuth IdP also enables Single Sign-on without the need to synchronize to an enterprise directory or send credentials to a third-party SSO provider, which dramatically increases IT security.

Conclusion

The proliferation of identity information used for authentication poses a serious risk to all organizations today. To manage today's risks and be poised to adopt emerging technologies such as cloud-based infrastructures and mobile apps, enterprises need to become their own Identity Provider. DIY enterprises can become IdPs on their own, but this is a complicated, expensive, and potentially error-prone process. Now that scalable, enterprise-grade IdP solutions are available on the market, informed organizations will choose these solutions to automate as much of this process as possible. And SecureAuth IdP is the only product that delivers instant IdP capabilities with adaptive and Two-Factor authentication built in. See for yourself how straightforward and swift the process of enabling regulation-compliant SSO for all of your on-premises, cloud, mobile, and VPN systems can be. Visit www.secureauth.com/secure-path to learn more and get on the SecurePath to strong access control today.

ABOUT SECUREAUTH

Based in Irvine, California, SecureAuth offers identity and information security solutions that deliver innovative access control for on-premises, cloud, mobile and VPN systems to millions of users worldwide. SecureAuth IdP provides adaptive and Two-Factor authentication alongside Single Sign-on (SSO) in one solution. Its unique architecture enables organizations to leverage legacy infrastructures while also embracing next-generation technologies, so they can preserve existing investments while meeting today's security challenges and tomorrow's. For the latest insights on secure access control, follow the SecureAuth blog, follow @SecureAuth on Twitter, or visit www.secureauth.com.

8965 Research Drive Irvine, CA 92618 p: 1-949-777-6959 f: 1-949-743-5833 secureauth.com WP-IdentityProvider-052815