Adapting authentication to a cloud-centric landscape
In this Help Net Security interview, Florian Forster, CEO at Zitadel, discusses the challenges CISOs face in managing authentication across increasingly distributed and remote workforces, the negative consequences of ineffective authorization, and how the shift toward cloud transformation affects authentication strategies.
What are some real-world consequences of ineffective authorization, and how can they be prevented?
Ineffective authorization can have multiple negative consequences; some of them include:
Data breaches: When unauthorized individuals have access to sensitive data, it can be stolen or misused in multiple ways against an individual organization.
Fraud: Ineffective authorization can make it easier for attackers to commit fraud, such as credit card fraud or identity theft.
System security: When authorization is not properly implemented, it can create system vulnerabilities that can be exploited by attackers to compromise or extract information.
Compliance violations: Ineffective authorization can lead to compliance violations, such as those related to data privacy laws. This can result in fines, penalties, and other sanctions.
Loss of productivity: When employees do not have the authorization they need to do their jobs, it can lead to lost productivity. This can also lead to frustration and dissatisfaction among employees, which is an often overlooked point.
There are a number of ways to prevent ineffective authorization, including:
Implementing strong access control policies and procedures
Access control policies should define who has access to what resources and under what conditions. Access control procedures should ensure that these policies are implemented and enforced.
Using least privilege
The principle of least privilege states that users should only be granted the permissions they need to perform their job duties. This helps to reduce the risk of unauthorized access to sensitive data or systems. This might, however, conflict with your company culture to some extent when companies have an open-access mindset, which can have unintended consequences for the company culture and productivity.
Regularly reviewing authorizations
Authorizations should be reviewed regularly to ensure that they are still appropriate. This is especially important when there are changes in personnel or job duties.
Using secure authentication
Passwordless or multi-factor authentication requires users to provide two or more pieces of identification to gain access to a system or resource. This helps to prevent unauthorized access, even if a user’s password is compromised.
Educating users about security risks
Users should be educated about the security risks associated with ineffective authorization and how to protect themselves. This includes training them on how to create strong passwords, avoid phishing attacks, and report suspicious activity.
Implement test automation in development
Companies that build their own software should invest in automated testing of their authorization system to prevent development errors from breaking the access control. It is worth noting that in 2021 OWASP assigned broken access control the number 1 position in their Top 10 report.
Keep a long-term audit trail
Oftentimes, if a breach happens, it is crucial to have an audit trail that lasts longer than a few months (from our own experience we recommend 13 months). This is because it can take a long time after a breach until it becomes visible.
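The automated authorization tests recommended above, as an added example that is not part of the interview or Zitadel's code: a deny-by-default policy with a role table and an object-level ownership rule, plus two checks a test suite can pin so that a stray grant added during development fails the build. Roles, actions and user names are constructed.

```python
from itertools import combinations, product

# Constructed role -> permission table. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "accountant": {"invoice:read", "invoice:write"},
    "admin": {"invoice:read", "invoice:write", "invoice:delete"},
}
MUTATING = {"invoice:write", "invoice:delete"}


def authorize(user, roles, action, invoice_owner):
    """Return (allowed, reason). Deny by default: the action must be granted
    by some role AND pass the object-level ownership rule."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())  # unknown roles grant nothing
    if action not in granted:
        return False, "permission not granted"
    if action in MUTATING and invoice_owner != user and "admin" not in roles:
        return False, "not the owner"  # non-admins only modify their own invoices
    return True, "ok"


def permission_matrix(user="alice", invoice_owner="bob"):
    """Decision for every (role, action) pair on another user's invoice.
    A test pins this whole table, so an accidental grant (the 'broken access
    control' case) shows up as a failing build rather than in production."""
    actions = sorted(set().union(*ROLE_PERMISSIONS.values()) | {"invoice:export"})
    return {(role, action): authorize(user, [role], action, invoice_owner)[0]
            for role, action in product(sorted(ROLE_PERMISSIONS), actions)}


def escalation_paths(user="alice", invoice_owner="bob"):
    """Try every combination of non-admin roles and report any that can
    mutate someone else's invoice. Expected result: an empty list."""
    non_admin = [r for r in ROLE_PERMISSIONS if r != "admin"]
    found = []
    for n in range(1, len(non_admin) + 1):
        for roles in combinations(non_admin, n):
            for action in sorted(MUTATING):
                if authorize(user, list(roles), action, invoice_owner)[0]:
                    found.append((roles, action))
    return found


if __name__ == "__main__":
    for key, allowed in sorted(permission_matrix().items()):
        print(key, "ALLOW" if allowed else "DENY")
    print("escalation paths:", escalation_paths())
```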
What are the most significant challenges CISOs face today in managing authentication across increasingly distributed and remote workforces?
The most significant challenges I see CISOs facing today are:
The growing number of devices and applications that need to be secured
With more and more employees working remotely, they are using a wider variety of devices and applications to access corporate resources. This makes it difficult to keep track of all of the devices and applications that need to be secured, and to ensure that they are all using strong authentication methods.
Authentication devices
When companies want to start using secure authentication concepts like passwordless (FIDO2) or even smartcards, it becomes an additional burden to deliver the authentication devices to their employees. Oftentimes the use of a TOFU (trust on first use) process leads to additional risk. However, this might not be relevant to all companies.
The increasing sophistication of cyberattacks
Cyberattacks are becoming increasingly sophisticated, and attackers are constantly looking for new ways to bypass traditional authentication methods. This makes it more difficult for CISOs to keep their organizations safe.
The need to balance security with usability
CISOs need to find a way to balance the need for strong authentication with the need for usability. If authentication is too complex or inconvenient, users may be tempted to bypass it, which could leave the organization vulnerable to attack.
The lack of resources
Many organizations do not have the resources they need to implement and manage strong authentication across a distributed workforce. This can make it difficult to keep up with the latest security threats and to ensure that all users are using strong authentication methods.
With evolving privacy regulations globally, how should authentication strategies adapt to stay compliant while being effective and user-friendly?
There are a number of authentication methods that can be used to protect user privacy, such as zero-knowledge proof concepts. However, in some cases they might conflict with the goal of the authentication process to reliably link the authentication method to a subject.
It ultimately depends on the business case of a service. If authentication of a possibly anonymous user is fine, these concepts will work great. But as soon as you (need to) link a privacy-preserving authentication means to an identity, it defeats the purpose.
With the rise of biometric authentication, it is worth noting that to preserve privacy it is important to not share biometric data (in any kind or form) over networks. One should also abstain from using biometric data as a means of generating key material for the authentication on a user’s device (it can be used, though, on-device for the authentication, i.e. to unlock a secret storage), as this would lead to unintended exposure of potentially traceable PII. There are multiple reasons to explicitly state this; the most important, though, is that people are often not aware that biometrics cannot easily be changed as one could with a password.
How has the shift toward cloud transformation affected authentication strategies for businesses?
The shift toward cloud transformation has led to more managed and unmanaged devices, internal applications and third-party services needing to be secured. The need for better/stronger authentication, more flexibility, and more automation is clearly one of the biggest challenges. To address this, businesses are adopting new authentication strategies like MFA, passwordless, risk-based authentication, biometric authentication, zero-trust security and SSO strategies.
This becomes an interesting discussion as soon as organizations use cloud systems to control their identities and credentials, which from a risk perspective needs some special considerations.
- What happens if the identity system is inaccessible? This can have multiple reasons like a conflict with the service provider or operational problems with such. Companies should create contingency plans for this risk.
- What happens if the identity system is compromised? Does one get the information to do the forensics afterwards? A recent example of this is the breach Microsoft had recently.
How are organizations navigating the tension between supporting legacy protocols and adopting new authentication technologies?
Organizations are navigating the tension between supporting legacy protocols and adopting new authentication technologies by phasing out legacy protocols over time, using both legacy protocols and new authentication technologies simultaneously, or by using a single authentication system to support all users and applications. The best approach for an organization will depend on its specific needs and circumstances.
However, there are some key considerations to be made:
- The cost: Supporting legacy protocols can become an operational burden, as multiple systems need to be operational.
- The risks: Supporting legacy protocols can become a problem when working towards secure authentication (especially passwordless) if users still rely on a single-factor login for certain services. It might be more efficient to isolate these environments from the rest of an architecture. However, this might depend on the amount of users who need access to a legacy service.
By carefully considering these factors, organizations need to make informed decisions about how to navigate the tension between supporting legacy protocols and adopting new authentication technologies and the impact on their users.
What best practices are emerging for managing machine credentials effectively as organizations develop machine identity strategies?
Some of the best practices I can think of for managing machine credentials effectively include:
Usage of (machine) identity management: This can help organizations to automate the management of machine credentials, including the provisioning, rotation, and deprovisioning of credentials. This reduces the risk of human error and improves the security of machine credentials.
Using secure storage: Machine credentials should be stored safely to protect them from unauthorized access. This can be done using a variety of encryption methods, such as symmetric or asymmetric encryption, or by using specialized secret storage solutions like HSMs or software-based products.
Rotate machine credentials regularly: Machine credentials should be rotated regularly to reduce the risk of them being compromised. The frequency of rotation will depend on the sensitivity of the data that the machine is accessing.
Use secure authentication: Secure authentication can help to protect machine credentials to prevent unauthorized access to the secret storage or the identity system.
Monitor machine activity for suspicious behavior: Organizations should monitor machine activity for suspicious behavior, such as repeated failed login attempts or access to unauthorized resources. This can help to detect unauthorized access and take corrective action.
These best practices form a great base when working with machine identities even though there are more things to consider once one starts the journey in this area.
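The monitoring practice described above (repeated failed logins and access to unauthorized resources), as an added example that is not part of the interview or Zitadel's code: a small detector run over constructed machine-identity log lines, with a per-identity failure window and a per-identity resource allow-list. The log format, identity names, resources and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, machine identity, event, resource.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z svc-billing LOGIN_OK -
2024-05-01T10:00:05Z svc-billing ACCESS invoices-db
2024-05-01T10:01:00Z svc-backup LOGIN_FAIL -
2024-05-01T10:01:10Z svc-backup LOGIN_FAIL -
2024-05-01T10:01:20Z svc-backup LOGIN_FAIL -
2024-05-01T10:01:30Z svc-backup LOGIN_FAIL -
2024-05-01T10:02:00Z svc-billing ACCESS hr-records
2024-05-01T11:30:00Z svc-ci LOGIN_FAIL -
2024-05-01T11:45:00Z svc-ci LOGIN_OK -
"""

# Constructed allow-list: the resources each machine identity is expected to touch.
ALLOWED_RESOURCES = {
    "svc-billing": {"invoices-db"},
    "svc-backup": {"backup-bucket"},
    "svc-ci": {"artifact-store"},
}
FAIL_THRESHOLD = 3            # failures inside WINDOW that trigger an alert
WINDOW = timedelta(minutes=5)


def parse(log_text):
    """Turn the constructed log format into (timestamp, identity, event, resource)."""
    events = []
    for line in log_text.splitlines():
        ts, ident, event, resource = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ident, event, resource))
    return events


def find_alerts(events):
    """Sliding-window failure detection per identity plus allow-list checks.
    One burst of failures yields one alert; the window is reset after it fires."""
    alerts = []
    fails = defaultdict(list)  # identity -> timestamps of failures still inside WINDOW
    for ts, ident, event, resource in events:
        if event == "LOGIN_FAIL":
            recent = [t for t in fails[ident] if ts - t <= WINDOW] + [ts]
            fails[ident] = recent
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("repeated_login_failure", ident, ts.isoformat()))
                fails[ident] = []
        elif event == "ACCESS" and resource not in ALLOWED_RESOURCES.get(ident, set()):
            alerts.append(("unauthorized_resource", ident, resource))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```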