Identity Management Solutions
Identity management as a platform is an emerging branch of Information security. Top vendors such as Microsoft, IBM, and Oracle have taken serious plunges into the Identity management arena. In this article, we shall see what it takes to implement an Identity management solution. Information security comprises various individual components that need to go hand in hand. One of the most important components is Identity management. Be it an intrusion prevention system, site advisors, or anti-malware solutions, each has one common requirement, the identity of the user. Identity management comprises various smaller components, such as LDAP authentication, active directory authentication, authentication chain mechanisms, one-time password transactions, Kerberos authentication, and integrated Windows authentication. A successful Identity management solution uses all these flavors seamlessly.
Let's start with understanding the basic concept of single sign-on (SSO). Suppose a user wishes to manage various online accounts; then entering the credentials for each of the service providers is a redundant task. Identity solutions aim to cater to such users by providing a single sign-on functionality, where the user enters the credentials the first time he/she wishes to access a particular service. From the second time onwards, the service provider queries the identity provider about the authenticity of the user. The user is no longer expected to provide the credentials. These credentials are stored in a credential store. The credential store can be a database (MySql or HyperSql) or a file system.
What should you learn next?
Next we come across one-time password providers (OTP servers). There are various modes of OTP transactions available, including SMS verification, e-mail verification, and IVR calls, to name a few. These are unique patterns of alphanumeric characters which are sent to the user to authorize him/her to use a particular service. The most common example is a bank transaction, where the user who wishes to perform a transaction is asked to enter the one-time password sent to him/her in that instant of time. This is more secure and authentic than the traditional username-password authorization, because the service provider is using multifactor authentication.
Every Identity management solution has two major components: an identity provider and a service provider. The identity provider provides the Identity of the user to the service provider. A classic example is your Google account. A Gmail account can be used for various online services, such as BlogSpot, YouTube, Facebook, etc. The service provider, such as YouTube, queries the identity provider (Google in this example) for the authenticity of the user, and then grants access to the services. Other forms of Identity provisioning include LDAP authentication and active directory authentication. LDAP authentication is basically a user who is present in your LDAP database. LDAP service by default runs on port 389 of you system. The query is done on the basis of uid. Generally a LDAP tree looks like this:
There is top level group called as system (generally represented as ou=system)
There is a mid-level group called as users (generally represented as ou=users)
Finally, the usernames (represented as uid=username or cn=username)
A classic LDAP search would look like:
Search on server <IP-address: Port number> for "uid = admin"
In "ou=system, ou=users" where password = "password"
The above illustration is just an English translation of what happens when you search an LDAP server for the identity of a particular user.
The other component that I mentioned is active directory services by Windows. Use the dcpromo command in the Windows server to enable the active directory services. Once enabled, the system configures a DNS server at the same time. The service provider queries the active directory for the list of users to authenticate the current user whose name is present in the directory.
Identity management on the cloud!
Cloud computing has emerged as a very effective medium for starting a business with optimum resources. With various vendors coming up with software-as-a-service (SaaS), many SMBs depend hugely on these SaaS providers. On the other hand, large-scale organizations have their own cloud deployments. Identity management on the cloud is in its nascent stages and various implementations of this flavor of identity are emerging. Most of the organizations use active directory implementation to authenticate their employees for using the network. Using the active directory as an Identity provider saves an organization from having to maintain a separate Identity provider. Most companies are unwilling to expose their active directory to the Internet because the slightest mistake can lead to a huge financial loss and data theft. Using a VPN connection to do the same is not a very cost-effective method. This challenge led to an emerging exchange format called as SAML (secure assertion markup language). SAML is based on XML, which is generally used for authentication and authorization data exchange. SAML, as the name implies, works on assertions. Each SAML specification consists of three major parts – the user, the identity provider, and the service provider. As mentioned above, when a user requests a service from service provider, the service provider queries the identity provider. The only difference here is that, the service provider looks for an identity assertion, and based on this assertion grants service to the user. A service provider and Identity provider is a one to many mapping.
So, as in the above case, SAML can provide Identity assertions in the case of active directory, which can be used by the SaaS provider to authorize and authenticate a user. Service providers are implemented in the form of connectors within an Identity application. SaaS-based service providers are called cloud connectors. As an Identity provider, the Identity connectors are implemented. While composing a cloud connector, we also map it to a corresponding Identity connector, thus the identity of the user is provided to the service provider. A cloud connectors can be an HTTP-post-based connector or an SAML-based connector. Each SAML-based connector has its own SSO URLS used for SAML assertions.
Authentication Chains
Authentication chains are generally multi-step authentication which is dependent on the result of the previous authentication. These include OpenID, LDAP, Active Directory, OTP, etc. In the following section we will see some of the popular products in the market with their features.
Here are a few popular products offering identity solutions:
Ping Federate
Ping Federate is one of the largest players in the identity domain. They provide cloud-based single sign-on services through federated Identity management services. This in turn helps maintain scalability and robustness in maintaining the single sign-on feature within an enterprise. The major advantage of this product is that it provides a wrapper over SAML 2.0 implementations, making it very user-friendly. This also has dynamic token handling when authenticating users through cloud connectors.
Oracle Identity management Solutions
This is a complete next-generation product, aimed at scalability and compliance management with added security for enterprise-related information. This solution is available for all the devices across firewall to work with the single sign-on functionality.
IBM Identity and Access management
The principle aim of this IBM product is to aid in enhancing business productivity by providing secure access to all enterprise services through its wide range of integration capabilities. It contains provisioning modules as well as single sign-on modules. The brand name under which IBM releases Identity solutions is Tivoli.
These are just the top few products on the market. Identity management is a wide spectrum of various topics under one roof. There is no single product that can offer everything, but as an enterprise you can always weigh various products and choose the right one for your needs.
In this Series
- Identity Management Solutions
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security