What’s an identification supplier (IdP)? | by Teri Radichel | Cloud Safety | Feb, 2023

February 2, 2023

24

ACM.148 Centralize consumer authentication to your group

A part of my collection on Automating Cybersecurity Metrics. The Code.

In my final submit I wrote about safety product assessments.

I’m going to be having a look at a product in my upcoming posts. However first, I want to clarify what I’m attempting to do, and why. Alongside that, I want to clarify a couple of phrases, beginning with these:

Consumer Listing
Single Signal-On (SSO)
Id Supplier (IdP)

I’m going to clarify these phrases utilizing an instance. Think about the next state of affairs and your choices. I’m in all probability lacking some professionals and cons beneath as a result of I’m considering this via somewhat rapidly, however I simply need to clarify a couple of key factors.

Let’s say your organization decides to make use of AWS, Azure, and GCP. How do you allow your customers to log into every of these platforms? There are a selection of the way you might remedy this drawback.

Possibility 1: Create a consumer in every cloud platform.

You may create an account in AWS, Azure, and GCP and create a brand new username and password in every account. Then when the consumer needs to log into every account, they’d use the corresponding username and password in each.

Execs:

It’s straightforward to arrange.
If an attacker steals one set of credentials, they can’t get into all three cloud environments.
The consumer hopefully has a distinct username and password in every account, so publicity of 1 set of credentials doesn’t expose entry to each cloud atmosphere.

Cons:

The consumer has to take care of three units of credentials and preserve observe of them.
When the consumer leaves the corporate, it’s important to bear in mind to take away or disable the credentials in every cloud atmosphere.
This drawback turns into exponential as the corporate provides extra customers and cloud companies.

Possibility 2: Use a distant password administration system that logs into programs for you.

The consumer enters the username and password for every cloud supplier right into a system that acts as a password supervisor. The consumer logs into the password administration system which shows an icon for every cloud supplier on a dashboard. When the consumer clicks an icon, the password administration system logs into the cloud platform utilizing the username and password it saved for that cloud platform.

Execs:

Simple for the consumer.
Completely different credentials for every cloud supplier.

Cons:

When the consumer leaves the corporate, it’s important to bear in mind to take away or disable the credentials for every cloud atmosphere.
You might or might not need the third-party system to retailer the username and passwords for all of your cloud environments.
Though there are totally different credentials for every cloud supplier they’re all saved in a single place, so the password supervisor turns into a single level of assault.
Password resets could also be difficult.

Possibility 3: Create a single consumer listing and sync customers names and passwords to every cloud platform.

You would possibly think about using the strategy of including all of your customers and their passwords to a company listing. A listing is a single database the place you retailer all of the details about the customers in your group and their password. That method you don’t should preserve observe of customers in a number of locations. For this selection, everytime you arrange a brand new system, you sync the consumer names and passwords to the brand new system. That method the consumer can log into all of the programs with the identical username and password.

Execs:

It’s simpler for a consumer to login as they solely have to recollect one set of credentials.

Cons

A number of locations the place consumer names and passwords could also be uncovered.
Syncing passwords is commonly a fragile and error-prone course of with a number of factors of failure.
When a consumer leaves the corporate, it’s important to run the syncing course of to replace all three platforms to disable the consumer’s entry.

Possibility 4: Create a single consumer listing and sync distinctive password hashes to every cloud platform.

I wrote about hashes in my e-book on the backside of this submit. A hash is an irreversible cryptographic illustration of the password on this instance. The consumer logs into the cloud supplier. The cloud supplier generates a hash. The hash is in comparison with the hash saved by the cloud supplier.

Execs:

It’s simpler for a consumer to login as they solely have to recollect one set of credentials.
An worker on the cloud with a hash can’t use that to log into different cloud platforms.
A hash is probably not very helpful for an attacker, relying on the place and the way it’s utilized by the programs.
Every cloud platform can use a separate hash with a novel seed of the password so a hash from one platform gained’t work on one other (hopefully).

Cons:

Syncing passwords is commonly a fragile and error-prone course of with a number of factors of failure.
When a consumer leaves the corporate, it’s important to run the syncing course of to replace all three platforms to disable the consumer’s entry.
If the consumer enters the username and password on the cloud supplier to generate the hash for comparability, then the cloud supplier has entry to the underlying username and password.

Possibility 5: Create a single consumer listing. When customers login they log into and authenticate on a system exterior the cloud supplier, which passes data to the cloud supplier indicating the consumer login is legitimate.

Execs:

It’s simpler for a consumer to login as they solely have to recollect one set of credentials.
The username and password are by no means uncovered to the three cloud platforms.
When a consumer leaves the corporate, you terminate their credentials and future entry in a single place.
Every cloud nonetheless manages separate classes for entry to every particular person cloud.
A single password reset works for all programs since there may be one set of credentials.
No error inclined syncing that may get corrupted or fail.

Cons:

The identification platform is now a single level of failure. If it fails — customers can’t log into something.

Id Supplier (IdP)

The final possibility is a real identification supplier. The Id present accommodates the consumer credentials and doesn’t expose them to a third-party system. The Id Supplier handles authentication of the customers individually from the system the consumer is attempting to log into. For instance, many corporations use Microsoft Energetic Listing as an Id Supplier. Customers login through a web page hosted by Azure Energetic Listing and purposes combine with AD to find out if customers are correctly authenticated earlier than granting them entry to programs.

There may be one other doable variation on identification supplier. It might be a system that handles authentication when the consumer credentials are saved in numerous cloud platforms. For instance, some platforms facilitate logging in with credentials saved in Fb, Google, or Twitter. From the appliance’s perspective, it sends the authentication request to an identification supplier. The IdP sends again a sign that the consumer has or has not been authenticated. The applying doesn’t know or care how the consumer authenticated. It simply is aware of that the consumer is legitimate.

Some might argue that final instance just isn’t a real IdP as a result of the system that coordinates authentication just isn’t storing the credentials or immediately authenticating the customers. However the level I’m attempting to make right here is the authentication and the authorization are dealt with by two totally different programs.

There could also be different situations, options, or variations on this theme, however hopefully now you possibly can perceive why a demo of a system that lets you log into all of your cloud environments just isn’t sufficient that can assist you consider whether or not you need to use that product. And the problems I describe above are solely scratching the floor of the belongings you would need to perceive earlier than utilizing a product like this.

The chance related to Single Signal-on (SSO)

Some individuals might think about among the different situations above aside from primary to be an IdP. The consumer logs in at one place, after which can entry a number of programs. However that’s actually what is named Single Signal-On (SSO).

With a Single Signal On (SSO) resolution, a consumer can login to a number of programs with the identical username and password. Whether or not that consumer identify and password is saved in a single listing, hashed, or copied round just isn’t the priority of the consumer. It doesn’t matter if authentication happens within the system the place the consumer logged in or the cloud platform they’re attempting to entry from the consumer’s perspective. They solely care that they don’t have to recollect or handle separate units of credentials.

The chance with SSO is much like the multi-session compromise danger I described on this submit:

If an attacker can get right into a consumer’s SSO dashboard, then the attacker can get into something the consumer is allowed to entry. For that reason, it might scale back the chance of a devastating breach if the authentication platform would at all times require MFA when logging into a brand new system — and no matter the place the consumer is situated. I as soon as labored at an organization that might not require MFA if the consumer was situated within the workplace. Attackers can get onto a consumer’s workstation or laptop computer within the workplace, too. Use a zero-trust strategy to safety.

The target — an IdP

My goal is to discover utilizing an IdP that strikes the authentication to a separate platform if doable. The entry or authorization is offered by AWS roles, teams, and insurance policies. Nevertheless, once we attempt to combine with a third-party platform, we might discover that now we have eradicated some issues whereas introducing others. I’m already anticipating quite a lot of potential new dangers when introducing this integration, however I gained’t know for positive till I get into the main points.

Observe for updates.

If you happen to appreciated this story ~ use the hyperlinks beneath to indicate your assist. Thanks!

Help:
Clap for this story or refer others to observe me.
Observe on Medium: Teri Radichel
Join E-mail Checklist: Teri Radichel
Observe on Twitter: @teriradichel
Observe on Mastodon: @teriradichel@infosec.trade
Observe on Publish: @teriradichel
Like on Fb: 2nd Sight Lab
Purchase a Ebook: Teri Radichel on Amazon
Purchase me a espresso: Teri Radichel
Request companies through LinkedIn: Teri Radichel or via IANS Analysis

About:
Slideshare: Shows by Teri Radichel 
Speakerdeck: Shows by Teri Radichel
Recognition: SANS Distinction Makers Award, AWS Hero, IANS College
Certifications: SANS
Training: BA Enterprise, Grasp of Sofware Engineering, Grasp of Infosec
How I acquired into safety: Lady in tech
Firm (Penetration Assessments, Assessments, Coaching): 2nd Sight Lab