No. 2: Identity Federation and User Identities in the Cloud
Greetings to the second of our five part series addressing the top vulnerabilities and misconfigurations common in the cloud environment.
Previously, InfoSec pro Sasha Raljic discussed accountability and data ownership in the cloud and the importance of determining the rightful data owners.
Here, he looks at user identity federation and the importance of managing user identities across the cloud environment so that an appropriate level of access is achieved throughout an organisation.
Federated Identity and Managing User Identities
Federated identity is a broad term that doesn’t just apply to ensuring an appropriate level of access is achieved, or that organisational security is maintained. As organisations move their services and infrastructure to the cloud, their boundaries have changed drastically.
Identity and Access Management is a critical requirement, given that data sensitivity and privacy are growing areas of concern in the cloud.
The goal of identity federation is to enable users of one domain to securely access the data or systems of another domain easily and with the least amount of administrative overhead.
The screenshot above demonstrates so-called ‘claims-based’ access control. The identity provider issues a token containing details of the authenticated user. These details are referred to as ‘claims’ and can include other information, such as role memberships, as well as more granular access rights. Applications and services authorise access to features and functionality based on these claims.
Federated identity improves usability by implementing a single sign-on mechanism, which eliminates the multiple identities otherwise assigned to individual users. By having a centralised identity management system, the probability of user password disclosure is reduced significantly.
For example, if a single user has access to five different applications, having five different user accounts increases the chances of password disclosure and password reuse. The federated identity model removes this risk by having one user identity accessing five different applications with potentially five different privilege levels. In short, federated user identity benefits the organisation and the cloud environment by:
- Eliminating the need for users to remember another password. This avoids other misconfigurations, such as insufficient password complexity and password reuse.
- Eliminating the management of duplicate user identities; no need for one user to juggle multiple accounts on multiple systems.
- Allowing organisations to re-use internal identity processes. For example, existing password complexity and rotation policies may be extended into the cloud.
While federated user identity has numerous advantages that benefit both security and usability, there are also disadvantages that can have a negative impact on an organisation. Risk of unauthorised access still exists, especially if the services granting access to users are misconfigured.
In sensitive environments additional assurance is required, which could make the process of establishing trust particularly difficult. There are also attacks on the specific standards and protocols used to exchange information between the identity provider and service providers. Attacks on Security Assertion Markup Language (SAML) have already been documented. A successful attack on SAML could allow malicious attackers to replay sessions or even gain unauthorised access.
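The claims-based flow described earlier (identity provider issues a signed token of claims, the service authorises features from those claims) and the replay risk noted above, as an added example that is not part of the original article. It uses a constructed HMAC-signed token rather than real SAML; the IdP secret, audience name, feature-to-role table and user data are all hypothetical, and the service side checks signature, audience, expiry and a per-assertion id so a captured token cannot be replayed.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed values for this example only. Real federations use asymmetric
# signatures (SAML/JWT) and a registered audience per service provider.
IDP_SECRET = b"example-shared-secret-not-for-production"
SERVICE_AUDIENCE = "payroll-app"


def idp_issue_token(user, roles, now=None, ttl=300, secret=IDP_SECRET):
    """Identity provider side: sign a set of claims about the authenticated user."""
    now = int(time.time()) if now is None else now
    claims = {"iss": "idp.example", "aud": SERVICE_AUDIENCE, "sub": user,
              "roles": roles, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


class ClaimsVerifier:
    """Service provider side: verify the token, then authorise from its claims."""
    # Hypothetical mapping of application features to the roles allowed to use them.
    FEATURE_ROLES = {"view_payslip": {"employee", "hr"}, "edit_salary": {"hr"}}

    def __init__(self, secret=IDP_SECRET):
        self.secret = secret
        self.seen_jti = set()  # assertion ids already accepted (replay cache)

    def verify(self, token, now=None):
        """Return (claims, None) for a valid token, else (None, reason)."""
        now = int(time.time()) if now is None else now
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):   # constant-time comparison
            return None, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims.get("aud") != SERVICE_AUDIENCE:
            return None, "token not issued for this service"
        if claims.get("exp", 0) <= now:
            return None, "token expired"
        if claims.get("jti") in self.seen_jti:
            return None, "replayed token"
        self.seen_jti.add(claims["jti"])
        return claims, None

    def authorise(self, claims, feature):
        """Claims-based check: does any of the user's role claims unlock the feature?"""
        return bool(set(claims.get("roles", [])) & self.FEATURE_ROLES.get(feature, set()))
```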
Arguably the biggest risk relates to availability. The implementation of a single sign-on capability creates a single point of failure. In the event of the federated identity management system going offline, access to systems and applications would not be possible.
While identity federation has many advantages, organisations should be careful how these identities and AAA protocols are implemented. This is especially applicable to multi-tenancy cloud environments.
If you have concerns with your cloud environment security or would like support with any other cyber risks, we’d be delighted to hear from you. Click here to contact us.