If you are a business of any real size you have more than one web application. Internal facing, external facing, federated; the web drives your business. With that comes a complex set of requirements for securing those applications and controlling access to them: single sign-on, moving from app to app seamlessly while still maintaining proper security controls, session management, a small number of credentials to remember, and the list goes on.
Centralized authentication is the first step toward managing that, but if you stop there and never centralize authorization as well, you open up a larger disconnect in your security. Getting a user logged into a system is easy; deciding what that user may do inside a specific application is the next level. Some organizations centralize it, others keep it buried in the code of each application. When you silo off authorization controls, which are basically your rules on access, you lose easy visibility and control across the enterprise. How do you control access in one application based on what is happening in another when they are separated? How do you add behavior-based authorization rules that trigger extended authentication? How do you find out, quickly, what all the rules are without reading every line of Java code?
Here’s an example. Say you are a financial institution. You have many applications that can process financial transactions: transfers, withdrawals, etc. Your authentication is centralized and includes multi-factor, but authorization lives inside each application. Now a mandate, a regulation, whatever, comes down that any money transfer in excess of $50,000 requires a multi-factor authentication challenge, regardless of which application it came through. With that disconnect you have to spend time and money building the check into every application, rather than writing one simple policy that is applied globally.
With financial institutions especially, behavioral authorization is going to be of growing interest: taking extra precautions depending on what the user is actually doing. They are authenticated and entitled to be in the application, but would a normal person make a $100,000 transfer at 2:30am on a Saturday? No, so watch the behavior and challenge accordingly. You can do that in each application individually, just as you once did with logins, but you already took the first step by centralizing logins, so why not take the next step?
What you eventually get to is this: application developers can focus on developing the functionality of the application, and the web access management system worries about the security and applies it the same way to every app. One place for all the rules.
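To make the "one place for all the rules" idea concrete, here is an added example (not code from the original post, and not any particular web access management product) of a small central policy engine. Every application hands the engine the same request context and gets back one verdict: allow, or step up with a fresh MFA challenge first. The $50,000 mandate and the 2:30am Saturday behavior rule from the paragraphs above are each a single function in one list; adding a new rule touches that list, not the applications. The field names, thresholds other than $50,000, the three sample applications and the sample requests are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"  # proceed only after a fresh multi-factor challenge


@dataclass(frozen=True)
class TxnContext:
    """What the central policy engine needs to know about one request.

    All field names are assumptions for this example; a real web access
    management product would fill them from the session and the request.
    """
    user: str
    app: str            # which application is asking, e.g. "wires", "mobile"
    action: str         # "transfer", "withdrawal", "view_balance", ...
    amount: float       # dollars; 0 for non-monetary actions
    when: datetime      # local time of the request
    country: str        # where this request came from
    home_country: str   # where this user normally transacts from
    fresh_mfa: bool     # has the user just passed an MFA challenge for this request?


@dataclass(frozen=True)
class Verdict:
    decision: Decision
    reasons: Tuple[str, ...]  # which rules fired, for audit logs and the challenge UI


# A rule inspects the context and returns a reason string if it wants a challenge.
Rule = Callable[[TxnContext], Optional[str]]

MONEY_MOVING = {"transfer", "withdrawal", "wire"}
STEP_UP_THRESHOLD = 50_000    # the mandate from the post: above this, always challenge
ODD_HOURS_THRESHOLD = 10_000  # behavioral rule threshold, an assumed value for the example


def large_transfer(ctx: TxnContext) -> Optional[str]:
    if ctx.action in MONEY_MOVING and ctx.amount > STEP_UP_THRESHOLD:
        return f"{ctx.action} of ${ctx.amount:,.0f} exceeds ${STEP_UP_THRESHOLD:,}"
    return None


def odd_hours_transfer(ctx: TxnContext) -> Optional[str]:
    # Would a normal person move five figures at 2:30am on a Saturday?
    weekend = ctx.when.weekday() >= 5  # Monday=0 ... Sunday=6
    small_hours = 0 <= ctx.when.hour < 6
    if ctx.action in MONEY_MOVING and ctx.amount >= ODD_HOURS_THRESHOLD and weekend and small_hours:
        return f"{ctx.action} of ${ctx.amount:,.0f} at {ctx.when:%a %H:%M}"
    return None


def unusual_location(ctx: TxnContext) -> Optional[str]:
    if ctx.action in MONEY_MOVING and ctx.country != ctx.home_country:
        return f"request from {ctx.country}, user normally in {ctx.home_country}"
    return None


# One place for all the rules. A new policy is appended here, not coded into every app.
STEP_UP_RULES: List[Rule] = [large_transfer, odd_hours_transfer, unusual_location]


def authorize(ctx: TxnContext) -> Verdict:
    """Central decision every application calls before committing a transaction."""
    reasons = tuple(r for r in (rule(ctx) for rule in STEP_UP_RULES) if r)
    if not reasons:
        return Verdict(Decision.ALLOW, ())
    if ctx.fresh_mfa:
        # The challenge was already answered for this request, so let it through.
        return Verdict(Decision.ALLOW, reasons)
    return Verdict(Decision.STEP_UP, reasons)


def sample_requests() -> Dict[str, TxnContext]:
    """Constructed requests from three different applications hitting the same policy."""
    sat_night = datetime(2024, 6, 15, 2, 30)  # a Saturday
    tue_noon = datetime(2024, 6, 11, 12, 0)   # a Tuesday
    base = dict(user="alice", country="US", home_country="US", fresh_mfa=False)
    return {
        "small_weekday": TxnContext(app="mobile", action="transfer", amount=2_500, when=tue_noon, **base),
        "night_100k": TxnContext(app="online_banking", action="transfer", amount=100_000, when=sat_night, **base),
        "night_100k_mfa": TxnContext(app="online_banking", action="transfer", amount=100_000, when=sat_night,
                                     **{**base, "fresh_mfa": True}),
        "wire_60k": TxnContext(app="wires", action="wire", amount=60_000, when=tue_noon, **base),
        "balance_abroad": TxnContext(app="mobile", action="view_balance", amount=0, when=tue_noon,
                                     **{**base, "country": "FR"}),
    }


if __name__ == "__main__":
    for name, ctx in sample_requests().items():
        v = authorize(ctx)
        print(f"{name:16} {ctx.app:16} -> {v.decision.value:12} {'; '.join(v.reasons)}")
```

Note what the applications do not contain: no thresholds, no clock logic, no geography. The mobile app, the online banking app and the wires app all call `authorize` and act on the verdict, so when the $50,000 rule changes or a new behavior rule arrives, it changes once. The `reasons` tuple is there on purpose; the challenge screen can tell the user why they are being asked again, and the audit log records which policy fired.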
The trade-off is that you will be creating more steps and more challenges along the way, but here’s how I look at it. When you do certain transactions in the bank in person, you have to fill out more forms. When you pay with a credit card, some places ask to see your ID. Yet on the web and in web services there seems to be an expectation that people cannot be inconvenienced with additional forms and questions.
People prove, time and time again, that they cannot manage to keep their ID and password secure and secret. Most identity theft comes down to flaws in how users manage their own credentials. Trust no one, not even authenticated users, to be who they say they are. Question them to make sure. Check their location. Profile their system. Challenge them when they are doing potentially damaging activity, in case it is not them. There are systems now that watch and analyze how users type and can tell when it isn’t them. Those solutions are there for a reason, TO BE USED!
What do you want to deal with more?
A) A crabby customer who complains about the inconveniences of security?
B) A customer complaining about the $100,000 he just lost because someone social engineered his password at Starbucks and took advantage of the application’s conveniences, transferring out all his money with nothing more than a user ID and password?
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming and system administration through senior management and enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.