Identity and Security in a World of SAAS: the Case for Federation
As you probably heard, a significant network security incident happened last week. A large phishing attack was perpetrated against CheckFree.com. Millions of consumer identities have presumably been stolen. Consumer impact aside, the attack warrants our attention because it shows the new challenge that identity and access management faces in a world of outsourced network services. For businesses, the lesson is as clear as it is scary. In a world of SAAS, you no longer control your security. Your home-grown access policies have become irrelevant. As an enterprise, you have lost control of your network protection. Unfortunately, CheckFree and millions of its consumers learned this lesson the hard way last Friday.
So what happened? In a nutshell (you will find a very good explanation here), the bad guys first used a spear phishing attack to capture the credentials that would allow access to CheckFree's account at Network Solutions. Once that first phase was successfully completed, the attackers logged into the Network Solutions account and pointed CheckFree's name servers at their own servers, located in Ukraine. Following the DNS compromise, the bad guys launched a large-scale phishing attack against CheckFree's customers, potentially allowing the compromise of millions of consumer identities.
Because the DNS servers were hosted at Network Solutions, CheckFree's security was totally bypassed. As a matter of fact, it did not matter what level of security checkfree.com implemented. Its policies had become irrelevant. Had CheckFree deployed risk-based authentication, two-factor authentication, smart cards with biometrics or anything else to its millions of consumers, it would not have mattered. CheckFree's consumer identity protection had become only as strong as a Network Solutions username and password.
The lesson is brutally clear. In a world of SAAS, a world in which most enterprises increasingly live, corporate access policies are no longer enforceable. As an enterprise, you can raise your identity game, but your game is now only as good as your weakest SAAS vendor (granted, in this case Network Solutions provided a mission-critical Internet service by managing the IP addresses of CheckFree's name servers). When it comes to security, if you do not control access policies (authentication and authorization), the truth is that you do not control anything. Furthermore, you may no longer be in compliance, since most regulations, Sarbanes-Oxley among them, require an enterprise to implement stringent policies, processes and audits to regulate employee and non-employee access to critical business information.
The DNS Cathedral and the Identity Bazaar
While the pundits scream for DNSSEC deployment, the bad guys have already found a chink in our future Internet armor. Their message to us is simple: there is no point in securing the front door if the back door is to remain open. DNSSEC is important, but it is not a panacea. Phishing will not go away unless we also work on strengthening identity and access management on the Internet. Last week's attack makes this conclusion inescapable. Today, the Internet counts about 100 million domain names. There are also hundreds of ICANN-accredited registrars. Some are small companies, some are very large businesses. The world now understands that millions of businesses worldwide rely on these registrars to protect their most precious digital asset: their Internet name. Does that mean that all the registrars of the world, large or small, need to change the way they authenticate users all at once?
Maybe, but a coordinated and more effective approach should also be considered. The time may be ripe for federated identity services, a new breed of cloud services that would make it easier for registrars (and SAAS vendors) to deploy stronger authentication: a federated identity service that provides a choice of authentication methods and allows registrants to define authorization policies based on their own internal requirements and business needs. Instead of each individual registrar, whose business expertise has little to do with identity management, building its own, a shared identity service trusted by the whole ecosystem could increase security at a much lower cost and complexity than point-solution deployments. A cloud identity broker that provides additional authentication factors such as device ID, certificates, one-time passwords or smart cards would have allowed CheckFree to enforce two-factor authentication without Network Solutions having to know or do anything.
Identity Brokers - Local Bootstrap Credentials - Locally Defined Policies
Software aficionados will always question the security of a centralized cloud identity service. Centralized identities present a risk. However, the risk of a centralized IDP can be reduced by allowing domain name holders (the enterprise) to provide their own bootstrap credentials to the IDP. After all, small and large enterprises like CheckFree already issue trusted credentials to their employees. A cloud identity service that can also integrate with the enterprise would provide optimal security, accountability and flexibility. Simple yet effective security policies could then be implemented, for example requiring that every employee access to Network Solutions originate from CheckFree's internal IT network (think Kerberos to SAML). Such a simple access policy alone would have defeated last week's Ukrainian attack. Finally, had CheckFree already issued tokens or smart cards to its employees for remote access, a federated identity cloud service would have enabled their re-use to protect employee access to Network Solutions.
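As an added illustration, not code from the original post or from any product it mentions, here is a toy policy check of the kind such a cloud identity broker would run before issuing a SAML assertion to a registrar: the enterprise's locally defined policy requires the request to come from its own network, from an authorized user, with two distinct factors. All names, networks and users below are assumptions constructed for the example.

```python
# Toy "identity broker" policy engine (added example, not a real product).
# The enterprise registers a policy per SaaS service; the broker evaluates
# it against the authentication context before any assertion is issued.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthContext:
    user: str
    source_ip: str
    factors: frozenset  # factors presented, e.g. {"kerberos", "otp"}


@dataclass(frozen=True)
class ServicePolicy:
    allowed_networks: tuple    # CIDRs the enterprise controls (assumed values)
    required_factors: int      # minimum number of distinct factors
    allowed_users: frozenset   # who may reach this service at all


# Constructed policy for a hypothetical registrar account ("CheckFree-style"):
# only the DNS admins, only from the corporate network, only with two factors.
REGISTRAR_POLICY = ServicePolicy(
    allowed_networks=("10.0.0.0/8", "192.168.0.0/16"),
    required_factors=2,
    allowed_users=frozenset({"dns-admin", "netops"}),
)


def evaluate(policy: ServicePolicy, ctx: AuthContext):
    """Return (allowed, reason). Every check must pass; fail closed."""
    if ctx.user not in policy.allowed_users:
        return False, "user not authorized for this service"
    try:
        ip = ipaddress.ip_address(ctx.source_ip)
    except ValueError:
        return False, "unparseable source address"
    if not any(ip in ipaddress.ip_network(n) for n in policy.allowed_networks):
        return False, "source address outside enterprise network"
    if len(ctx.factors) < policy.required_factors:
        return False, "insufficient authentication factors"
    return True, "assertion may be issued"


def registrar_decision(ctx: AuthContext):
    """Convenience wrapper: evaluate against the registrar policy."""
    return evaluate(REGISTRAR_POLICY, ctx)
```

A phished password replayed from outside the enterprise fails the network and factor checks, while an admin authenticating from the corporate network with Kerberos plus an OTP passes.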
Interestingly, the same week Google, Facebook and MySpace launched their own competing solutions for consumer federation, the CheckFree incident reminds us that the most urgent need for federated identity may not lie in the land of consumers but in the world of enterprise and B2B security. Undisputedly, the growth of cloud computing and SAAS exacerbates the need for secure identity providers. In that world there is less OpenID and no FB Connect or MySpaceID; SAML tends to be the lingua franca. As the CheckFree incident demonstrates, the benefits of SAML federation are significant for enterprises. Compliance, security and data safety are at stake. Who knows? As smarter attacks keep emerging, SAAS federation and SAML identity providers may be the next big thing when it comes to securing cloud computing and digital identities on an increasingly wild Internet.