Implementing Multifactor Authentication - A Required Enabler of Digitization
By Stephan Hundley, Director Digital Risk, Governance and Security, TTX
Identity is the new security perimeter, and is a core component of a modern security program.
Business, Community, and Government leaders envision the economic potential of the digitization of all aspects of our environment, business, and society operating at peak efficiency while optimizing risk and resources. This vision can only be fully realized if identity verification, validation, federation, Single-Sign-On (SSO), and multi-factor authentication (MFA) for human and machine identities are leveraged as a core security function. Federation, SSO, and MFA are foundational enablers of digitization.
As we migrate our underlying system infrastructures from legacy on-premises solutions to hybrid SaaS, PaaS, and IaaS solutions, we can no longer hope to protect the fragmented data sets with traditional username/password combinations. While we have known this for many years, the need for real-time data integration while maintaining Confidentiality, Integrity, and Availability has exposed the challenges of existing practices, including but not limited to: timely user on-boarding and off-boarding, user access changes, user access validation, password management, orphaned accounts, account sharing, and credential theft. Each of these challenges contributes to business risk, and a potential impact to the bottom line.
Regardless of your organization’s position on identity verification and validation, which is a topic for another time, implementing Multi-Factor Authentication (MFA) with federation and Single-Sign-On (SSO) throughout the organization both internally and externally is an excellent way to mitigate risk, enable digitization, and increase productivity. While there will likely be organizational resistance to MFA, the benefits of federation and SSO to the end-user will outweigh the perceived extra authentication hurdle if packaged and delivered together with MFA. In order to deliver MFA with federation and SSO, conceptually bifurcate the identity verification and validation process from the authentication process and address them with separate efforts.
Identify the in-scope internal and external applications and services based upon three characteristics: frequency of usage, user population, and confidentiality of data. If an application or service is infrequently used, has few users, and does not store confidential or sensitive data, then it might be considered out of scope. Then, prioritize application and service integration based upon: 1.) Frequency of Use, 2.) User population, 3.) Confidentiality of data. The reasoning is to address the most frequently accessed applications and services with the largest user-base first.
Identify a solution (usually an Identity Provider (IdP)) to federate internal identity stores, and SaaS, PaaS, and IaaS identity stores based upon the organization’s determined priority. Then identify a solution to provide the MFA functionality to the authentication process. While not always achievable, machine accounts or service accounts should also be in-scope for MFA whenever possible. Secondary identifiers can include certificates, software tokens, hardware identifiers, network addresses, etc. While each has its pros and cons, the additional requirement is better than username/password only.
While some IdPs can also provide MFA, their offering may not meet your business need. If you find you require a different MFA solution than your IdP provides, ensure these solutions are compatible, and implement them together. By doing so, when the user base experiences MFA for the first time, they gain the benefits and experience from SSO. In many cases the solutions can be deployed, and then enabled per user or group, per application or per service.
When deploying MFA with federation and SSO, the organization should be thinking in terms of protecting the user or service identity. Many organizations think in terms of protecting the applications, network, or the data within. Yet, the identity provides the access to all of these assets. As an example, an organization can have an application and the associated data fully encrypted end-to-end; however, if the user’s credentials are compromised through a phishing attack, the system is compromised. Therefore, we must protect the identity, and through that the applications, services, and data.
Since the identity must be protected, the scope for MFA and SSO should include as many internally developed and provided applications and services as possible, and all SaaS, PaaS, and IaaS solutions which provide critical services to the organization and/or store confidential or sensitive information.
Another very important consideration that has great impact on the success of the project is end-user experience. Be conscientious and considerate to your user base to ease acceptance and adoption. If your risk appetite and regulatory requirements permit it, enable “remember me” options in the MFA solution to reduce the number of times they are challenged. Consider limiting the duration to one that best balances the need to run with the need to protect for your organization.