How to effectively manage IAM controls to secure critical assets
In previous posts I have discussed in depth the importance of authorization, specifically dynamic authorization, to control access to critical information assets. However, authorization is only a portion of the access control equation. The other piece organizations need in order to manage access to sensitive data effectively is the authentication step.
Authentication is the practice of validating the identity of a registered user attempting to gain access to an application, API, microservice or any other data resource. In contrast, once you are authenticated, authorization is about deciding whether an individual is permitted to perform a given action on a specific resource.
When dealing with access to any sort of sensitive data assets, both authentication and authorization are required. Without both, you risk exposing information via a breach or unauthorized access, ultimately resulting in bad press, customer loss and potential regulatory fines.
Authentication and authorization go hand-in-hand
Some content or resources may be available for public consumption and don’t require any type of identification or authentication – think of basic web site content. However, protected resources do require additional security steps. The first step of access control at runtime is authentication because if we can’t reliably and securely validate the subject identity, how can we make appropriate decisions about what they can and can’t do? Think of authentication as a crucial precursor to authorization.
Take for example a typical bank website. You can visit the website to learn about various offerings for banking accounts, loans, investment advice, commercial banking products and so on. To take the next step and apply for a loan, credit card or other banking service/product, you will be required to log in (authenticate) if you are an existing customer, or to register (registration is a whole other story for another day) to become a new customer.
Once you are authenticated to the website, then authorization policies kick in to determine what resources you can access. Seems easy enough, but with modern authentication processes, we can find out a lot more about a subject than just who they are.
There are now many different authentication processes that can be used to validate a user’s identity, including:
- Single Sign-On (SSO) allows a user to leverage a single set of login credentials to access multiple applications. Think of using your Facebook or Google login to access several different applications. A technique called federation is used by SSO systems when the applications you are logging into are spread across different domains. Industry standards like Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) facilitate this process.
- Multi-Factor Authentication (MFA) requires multiple means of authentication. One example is logging into a website with your username and password and then being asked for a one-time access code that the website sends to your cell phone. The goal is to create multiple security layers to provide a higher level of assurance during the authentication step.
- Consumer Identity and Access Management (CIAM) solutions provide features like customer registration, self-service account management, consent and preference management, but they also provide multiple authentication features. Some of those features are ones we have already covered, like SSO and MFA, and CIAM solutions typically have a user interface tailored for end-user populations as opposed to employees.
With these modern authentication techniques, we can uncover additional information about a user beyond who they are. For example, we can determine geolocation, time of day, role, company, language preferences, whether they have a paid account for our service, whether they are carrying out an action on their own behalf or for someone else, etc. In addition, CIAM systems manage user profiles, preferences and consent settings. This data (attributes) is very useful information for an authorization service, such as an Attribute Based Access Control (ABAC) system.
From an architecture perspective, managing authentication separately from authorization provides additional benefits. This approach allows you to utilize the right type of user management and authentication that is suitable for the risk level of the application or group of applications. Flexibility is extremely important at this time because so much industry effort is being devoted to multifactor authentication techniques that can reduce reliance on weak passwords and deal with the myriad of security threats that also continue to rapidly evolve.
Combining authentication and attribute-based access control
Authentication and ABAC interrelate and can interoperate to become a very powerful tool. Typically, organizations, large or small, have complicated requirements for granting employee access to protected resources. In this digital age, that community of users is growing exponentially to include customers, partners, joint venture organizations and so on. ABAC systems utilize policies and rules to easily navigate and enforce access based on the rich set of user data available through the authentication layer.
Access to general resources and functions within an organization likely requires only a minimum strength of authentication: anyone in the organization can access them anywhere at any time. However, for highly sensitive information assets, or transactions that exceed a certain threshold, the ABAC service can redirect the employee, customer or partner to complete MFA before access is granted. Then the ABAC policies can also decide what actions the employee can take once they are properly authenticated. This loose coupling of authentication and authorization is an example of the flexibility mentioned earlier – the MFA technique can be changed as those technologies evolve or as the risk tolerance for access to data is updated.
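As an added example (not the author's code or any product's policy engine), here is a small ABAC evaluator that consumes the attributes the authentication layer hands over (factors presented, role, location, time of day) and returns either a permit/deny decision or a step-up instruction for sensitive resources and large transactions. The resource names, roles and transfer threshold are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    STEP_UP = "step_up_mfa"  # caller redirects the subject to MFA, then re-evaluates

@dataclass(frozen=True)
class Subject:
    """Attributes the authentication layer supplies (constructed shape, not a real product's)."""
    user_id: str
    role: str
    auth_methods: frozenset   # e.g. {"password"} or {"password", "otp"}
    country: str
    hour: int                 # local hour of day, 0-23

@dataclass(frozen=True)
class Request:
    resource: str             # "intranet", "customer_pii" or "wire_transfer" (constructed)
    action: str
    amount: float = 0.0       # only meaningful for wire_transfer

SENSITIVE = {"customer_pii", "wire_transfer"}
TRANSFER_THRESHOLD = 10_000.0   # constructed threshold that triggers step-up

def has_mfa(subject):
    # Two or more distinct factors were presented during authentication.
    return len(subject.auth_methods) >= 2

def evaluate(subject, request):
    """Return an ABAC decision; STEP_UP means 'authenticate more strongly, then retry'."""
    # Rule 1: general resources need only some authenticated identity.
    if request.resource not in SENSITIVE:
        return Decision.PERMIT if subject.auth_methods else Decision.DENY
    # Rule 2: sensitive data, or a transfer over the threshold, requires MFA first.
    needs_mfa = request.resource == "customer_pii" or request.amount >= TRANSFER_THRESHOLD
    if needs_mfa and not has_mfa(subject):
        return Decision.STEP_UP
    # Rule 3: once strongly authenticated, role/time/location attributes decide the action.
    if request.resource == "customer_pii":
        allowed = subject.role in {"support", "compliance"} and request.action == "read"
    else:  # wire_transfer
        allowed = (subject.role == "treasury" and request.action == "approve"
                   and 8 <= subject.hour < 18 and subject.country == "US")
    return Decision.PERMIT if allowed else Decision.DENY
```

Because the MFA requirement lives in the policy rather than in the application, swapping the step-up mechanism or lowering the threshold changes only the rule, not the application code.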
As controlling access to information becomes more complex it will become increasingly important to combine cross-domain identity protocols to solve real world business problems. By combining the right authentication protocols with an ABAC model, organizations can securely share critical information while improving the experience for all the users involved.