Federated Identity with a Third-Party Service
Historically Federated Identity Management (FIM) focused on the enterprise and an expectation of on-premises hosted identity providers and applications. The increasing popularity of cloud-based identity solutions and general uptick in adoption of cloud services, particularly Software as a Service (SaaS) applications, has increased the diversity of FIM deployment and service models. While on-premises FIM deployments continue to be widely used in enterprises, there has been increasing adoption of entirely cloud-hosted FIM solutions as well as hybrid solutions that include and integrate components of both on-premises and cloud-hosted deployments.
Though adoption of cloud identity, or Identity as a Service (IDaaS), is increasing, not all applications and services will be able to integrate with IDaaS providers. Architecturally, many internal applications are also deployed in a way that precludes easy interfacing with public-facing cloud identity providers. Though not a perfect solution to these challenges, one way to mitigate some of them is to deploy an on-premises third-party identity service. An enterprise-hosted implementation of a third-party identity service can address some of the security and logistical challenges associated with purely public-facing cloud identity services.
An on-premises implementation of a third-party identity service can allow internal applications to integrate with a cloud identity. This might be possible even without necessarily having to fundamentally alter the security architecture of the applications. Though this would depend upon implementation details, another benefit of moving to integrate third-party identity services is that it could allow for greater portability of the organization’s traditional on-premises identity solution.
Deploying an enterprise-hosted instance of the identity service is far from the only way to integrate with third-party identity services. Another approach is to deploy solutions that allow the existing traditional on-premises identity provider to federate with the cloud identity providers. This model is one way of federating the local organization's identity: users continue to authenticate with their usual organizational credentials, which, often without the end users being aware of it, are linked to a cloud identity that gives their identities greater portability.
Credential Management Systems
Despite many laudable attempts to evolve beyond them, passwords continue to be a source of operational pain and a common target of attack. While adoption of MFA and/or passwordless authentication does seem to be increasing, static passwords persist. Legitimate credentials represent a high-value target for adversaries: after initial exploitation, adversaries frequently seek out and compromise credentials that can be used to pivot throughout the compromised network. Anything organizations can do to decrease the likelihood of credential compromise, or to limit its impact, is a tremendous boon to security.
Credential management systems can help harden user credentials in meaningful ways. Some of the features potentially offered by credential management systems include: secure password generation, secure password storage, credential check-in and check-out, automatic password rotation, reduction in the number of credentials users must remember, multifactor authentication to unlock credentials, and audit logging of all interactions. Credential management systems that enable efficient, yet secure, access and use of credentials can increase the likelihood of users leveraging different randomly generated passwords for each credential and reduce occurrences of password reuse. While the capabilities vary, credential management systems can play a vital role in helping to better secure these high-value targets.