Identity & Access Management 101

The IAM 101 area provides free information about a variety of topics relevant to security, identity and access management, single sign-on, multi-factor authentication, provisioning, and other technologies that help businesses provide users with secure access to the applications and systems they need. We update the IAM 101 area regularly with new content, so be sure to bookmark this page.

All Topics

Authentication vs. Authorization

Authentication and authorization are two vital information security processes that administrators use to protect systems and information. _Authentication_ verifies the identity of a user or service, and _authorization_ determines their access rights. Although the two terms sound alike, they play separate but equally essential roles in securing applications and data. Understanding the difference is crucial. Combined, they determine the security of a system. You cannot have a secure solution unless you have configured both authentication and authorization correctly.

## What is authentication (AuthN)?

Authentication (AuthN) is the process of verifying that someone or something is who they say they are. Technology systems typically use some form of authentication to secure access to an application or its data. For example, when you need to access an online site or service, you usually have to enter your username and password. Behind the scenes, the system compares the username and password you entered with the record it holds in its database. If the information you submitted matches, the system assumes you are a valid user and grants you access.

System authentication in this example presumes that only you would know the correct username and password. It therefore authenticates you using the principle of something only you would know.

### What is the purpose of authentication?

The purpose of authentication is to verify that someone or something is who or what they claim to be. There are many forms of authentication. For example, the art world has processes and institutions that confirm a painting or sculpture is the work of a particular artist. Likewise, governments use different authentication techniques to protect their currency from counterfeiting. Typically, authentication protects items of value, and in the information age, it protects systems and data.

### What is identity authentication?

Identity authentication is the process of verifying the identity of a user or service. Based on this information, a system then provides the user with the appropriate access.

For example, let's say we have two people working in a coffee shop, Lucia and Rahul. Lucia is the coffee shop manager, while Rahul is the barista. The coffee shop uses a Point of Sale (POS) system where waiters and baristas can place orders for preparation. In this example, the POS would use some process to verify Lucia's or Rahul's identity before allowing them access to the system. For instance, it may ask them for a username and password, or they may need to scan their thumb on a fingerprint reader. As the coffee shop needs to secure access to its POS, employees using the system need to verify their identity via an authentication process.

### Common types of authentication

Systems can use several mechanisms to authenticate a user. Typically, to verify your identity, authentication processes use:

- something you know
- something you have
- or something you are

Passwords and security questions are two authentication factors that fall under the something-you-know category. As only you would know your password or the answer to a particular set of security questions, systems use this assumption to grant you access.

Another common type of authentication factor uses something you have. Physical devices such as USB security tokens and mobile phones fall under this category. For example, when you access a system and it sends you a [One Time Pin (OTP)](https://www.onelogin.com/learn/otp-totp-hotp) via SMS or an app, it can verify your identity because it is your device.

The last type of authentication factor uses something you are. [Biometric authentication](https://www.onelogin.com/learn/biometric-authentication) mechanisms fall under this category. Since individual physical characteristics such as fingerprints are unique, verifying individuals by using these factors is a secure authentication mechanism.

## What is authorization (AuthZ)?

Authorization is the security process that determines a user's or service's level of access. In technology, we use authorization to give users or services permission to access some data or perform a particular action.

If we revisit our coffee shop example, Rahul and Lucia have different roles in the coffee shop. As Rahul is a barista, he may only place and view orders. Lucia, on the other hand, in her role as manager, may also have access to the daily sales totals. Since Rahul and Lucia have different jobs in the coffee shop, the system would use their verified identity to provide each user with individual permissions.

It is vital to note the difference here between authentication and authorization. Authentication verifies the user (Lucia) before allowing them access, and authorization determines what they can do once the system has granted them access (view sales information).

### Common types of authorization

Authorization systems exist in many forms in a typical technology environment. For example, Access Control Lists (ACLs) determine which users or services can access a particular digital environment. They accomplish this access control by enforcing allow or deny rules based on the user's authorization level. For instance, on any system, there are usually general users and super users or administrators. If a standard user wants to make changes that affect the system's security, an ACL may deny access. On the other hand, administrators have the authorization to make security changes, so the ACL will allow them to do so.

Another common type of authorization is access to data. In any enterprise environment, you typically have data with different levels of sensitivity. For example, you may have public data that you find on the company's website, internal data that is only accessible to employees, and confidential data that only a handful of individuals can access. In this example, authorization determines which users can access the various information types.

## The difference between authentication and authorization

As mentioned, authentication and authorization may sound alike, but each plays a different role in securing systems and data. Unfortunately, people often use the two terms interchangeably, as both refer to system access. However, they are distinct processes. Simply put, one verifies the identity of a user or service before granting them access, while the other determines what they can do once they have access.

The best way to illustrate the difference between the two terms is with a simple example. Let's say you decide to go and visit a friend's home. On arrival, you knock on the door, and your friend opens it. She recognizes you (authentication) and greets you. As your friend has authenticated you, she is now comfortable letting you into her home. However, based on your relationship, there are certain things you can do and others you cannot (authorization). For example, you may enter the kitchen area, but you cannot go into her private office. In other words, you have the authorization to enter the kitchen, but access to her private office is prohibited.

## What are the similarities between authorization and authentication?

Authentication and authorization are similar in that they are two parts of the underlying process that provides access. Consequently, the two terms are often confused in information security, as they share the same "auth" abbreviation. Authentication and authorization are also similar in the way they both leverage identity: one verifies an identity before granting access, while the other uses this verified identity to control access.

## Authentication and authorization in cloud computing

Security is a vital component in any cloud computing solution. As these services provide a shared access model where everything runs on the same platform, they need to separate and protect customer systems and data. Cloud service providers use authentication and authorization to achieve these security goals. In fact, cloud computing platforms could not provide economies of scale via their shared resourcing model without authentication and authorization.

For example, when a user tries to access a particular cloud service, the system will prompt them for some form of authentication. This challenge could ask them to enter a username and password or use another identity verification factor, such as accepting a notification on an app. Once the user successfully authenticates, the cloud platform will then use authorization to ensure the user can only access their own systems and data. Without authentication and authorization, the separation of customer environments on the same platform would not be possible.

## Which comes first, authentication or authorization?

Authentication and authorization both rely on identity. As you cannot authorize a user or service before identifying them, authentication always comes before authorization.

Again, we can refer back to our coffee shop example to illustrate this point. As mentioned, baristas can only create and view orders, while managers can also access daily sales data. If the POS system cannot identify which user is accessing the system, it cannot provide the correct level of access. Authentication provides the verified identity that authorization needs to control access. When Rahul or Lucia sign into the system, the application knows who has signed in and what role it should assign to their identity.

## Access control vs. authentication?

People often use the terms access control and authorization interchangeably. Although many authorization policies form part of access control, access control is a component of authorization. Access control uses the authorization process to either grant or deny access to systems or data. In other words, authorization defines policies on what a user or service may access, and access control enforces those policies.

If we compare authentication and access control, the comparison between authentication and authorization still applies. Authentication verifies the user's identity, and access control uses this identity to grant or deny access.
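The coffee shop POS in this article, worked through in code: authentication (a password check against a stored hash) runs first, and only then does a deny-by-default role-to-permission table decide what Rahul and Lucia may do. This is an added example, not code from the original article; the users, passwords, permission names and PBKDF2 parameters are all constructed for illustration.

```python
"""Authentication, then authorization, for the coffee-shop POS example.

Added example, not from the original article. Users, passwords, permission
names and the PBKDF2 settings are constructed for illustration only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Work factor for the password hash. Constructed value kept low so the example
# runs quickly; raise it in a real system per current OWASP guidance.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the salt and digest are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class User:
    username: str
    role: str
    salt: bytes
    digest: bytes


def build_user_store() -> Dict[str, User]:
    """Constructed user store: Lucia is the manager, Rahul the barista."""
    store: Dict[str, User] = {}
    for name, role, password in [
        ("lucia", "manager", "correct horse"),
        ("rahul", "barista", "battery staple"),
    ]:
        salt, digest = hash_password(password)
        store[name] = User(name, role, salt, digest)
    return store


def authenticate(store: Dict[str, User], username: str, password: str) -> Optional[User]:
    """AuthN: 'something you know'. Compare the submitted password with the record.

    An unknown username still runs the hash so the response time does not reveal
    which usernames exist; the comparison is constant-time for the same reason.
    """
    user = store.get(username)
    salt = user.salt if user else os.urandom(16)
    _, candidate = hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, user.digest):
        return None
    return user


# AuthZ: role -> allowed actions. Anything not listed is denied (deny by default).
PERMISSIONS = {
    "barista": {"order:create", "order:view"},
    "manager": {"order:create", "order:view", "sales:view_daily_totals"},
}


def authorize(user: User, action: str) -> bool:
    """AuthZ: the verified identity's role decides what the user may do."""
    return action in PERMISSIONS.get(user.role, set())


def attempt(store: Dict[str, User], username: str, password: str, action: str) -> str:
    """The two steps in the order the article describes: identity first, then access."""
    user = authenticate(store, username, password)
    if user is None:
        return "denied: authentication failed"
    if not authorize(user, action):
        return f"denied: {user.role} may not {action}"
    return f"allowed: {user.username} ({user.role}) {action}"


if __name__ == "__main__":
    store = build_user_store()
    print(attempt(store, "rahul", "battery staple", "order:create"))
    print(attempt(store, "rahul", "battery staple", "sales:view_daily_totals"))
    print(attempt(store, "lucia", "correct horse", "sales:view_daily_totals"))
    print(attempt(store, "lucia", "wrong password", "sales:view_daily_totals"))
```

Note that the authorization failure message names the role, not the missing credential: a failed authentication and a failed authorization are reported separately so that logs show which step rejected the request.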


What is CIAM?

## What is Customer Identity & Access Management (CIAM)?

Customer Identity and Access Management (CIAM) is a type of identity and access management (IAM) that integrates authentication and authorization into customer-facing applications. CIAM does three main things:

1. Improves customer registration and login experiences while reducing the risk of account takeover (a rampant problem in the consumer space because of password reuse).
2. Offers customized and branded experiences for consumers, businesses, and enterprise customers.
3. Provides a scalable solution that can support hundreds of millions of customers.

## CIAM Key Benefits

Customer identity management is an important security measure across businesses of all shapes and sizes. Breaches can get expensive very quickly, often making a substantial impact on the bottom line. According to IBM Security, 80% of breached organizations have stated that customer PII was compromised during the breach, and on average the cost of a breach is $150 per customer.

CIAM solutions can be easily integrated with systems that control common customer tasks such as account self-management, bill paying, order tracking, and returns, reducing the risks associated with poor password hygiene. Key benefits of CIAM include:

- Identity and Access Management: IAM solutions securely manage digital identities and their access to various applications and systems. They manage people and also other kinds of identities, such as software (apps or programs) and hardware (such as IoT devices).
- Customer data protection (MFA and Adaptive Authentication): Consumers are notorious for reusing passwords across the dozens of services they use online. Advanced CIAM solutions protect those passwords with adaptive multi-factor authentication (MFA), which looks at contextual factors like location, time of day, and device. It supports even stronger security by increasing authentication requirements for high-risk login attempts.
- Seamless and trusted digital customer experiences: Many companies have multiple web applications and portals, each with its own identity store, requiring users to authenticate multiple times when switching between applications. This creates additional friction during the login process. By integrating all your digital channels with a single CIAM solution, you can provide a more seamless user experience: one point of entry for all the applications.
- Quick migration of users without interrupting the user experience: A CIAM solution should work with your existing system to quickly migrate your customers without impacting their experience.
- Customization with flexible APIs: When building applications, developers want to ensure a seamless customer experience for securing access to digital resources. APIs provide the flexibility needed to customize authentication requirements throughout the development lifecycle.
- Multichannel support (mobile, laptop, game consoles, etc.): The best solutions offer a diversity of entry points across all devices, making it as easy as possible for customers to access the tools they need to run their business.
- Account self-service: A CIAM solution should empower users to solve their own problems through a self-service platform that allows them to reset passwords and go through authentication protocols without involving an IT professional.
- Application lifecycle management: Businesses at any stage may be developing and deploying products that are managed across a number of platforms. A comprehensive CIAM solution helps manage that process seamlessly.
- Compliance with security and privacy standards like HIPAA and ISO: The ability to integrate additional security measures that apply to particular sectors, such as healthcare and international organizations.
- Customer analytics: The ability to run comprehensive reporting on customer behavior is important for making key business decisions. Using customer analytics as a reference point, businesses can increase conversions, improve retention, and support upselling and cross-selling messaging.
- Scalability and high availability: A good enterprise solution needs to support a high volume of users with as few delays and as little downtime as possible.

## CIAM vs IAM

CIAM and IAM requirements are similar when it comes to scalability, security, and accessibility. Both must meet these three requirements to guarantee a great user experience, whether for internal employees or external customers. However, CIAM goes beyond the traditional IAM approach in the following ways:

| IAM | CIAM |
| --- | --- |
| Limited users (10–100,000) with less capability to handle spikes in traffic | A CIAM portal must be able to support millions of users. It also has to handle rapid spikes in traffic (volume and frequency). Use of the portal is unpredictable, but there will be peak times when many people access your system at once, such as Black Friday, and your CIAM solution must be able to handle those peaks. |
| Single identity per user | Consumers can have multiple identities |
| Company registration | Self-registration |
| Closed system | Highly accessible system available on any device, with a consistent login experience no matter where the end user is or what device they're using. |
| Internal authentication with strict security policies | CIAM must be implemented in a way that keeps the barrier to entry low. Authentication with external sources like social providers (e.g., Google, LinkedIn) reduces friction by enabling passwordless authentication without compromising on security. |
| Employee access and profile data used for internal purposes | Customer data used to provide critical analytics for marketing, business decisions, security, and compliance. |

## How Does CIAM Protect Customer Data?

Consumers have to remember a lot of passwords, and good CIAM vendors know that customer identity management is important for the security of both the individual and the company. Whether it's social media, online banking, or streaming accounts, the number of passwords quickly adds up. As consumer services are breached around the world, attackers accumulate ever more user credentials, which are bought and sold online to launch large-scale credential stuffing attacks using extensive bot networks. This puts consumers who reuse passwords at particular risk.

With CIAM, you can give the consumer the option to add a second authentication factor or sign in with their social identity, which provides stronger protection against account takeover. Customers are given access to a customized, secure login portal with an authentication requirement. This portal is managed by the IT department, which keeps all security software, checks, and protocols up to date behind the scenes, protecting against ever-evolving malware and attackers.

In the past, companies only gave customers one option for signing in: username and password. Now that MFA is commonplace, applications often require two or more factors before granting users access. To ensure that adding MFA does not discourage users from creating accounts or slow down their experience, CIAM must be implemented in a way that keeps the barrier to entry low.

Adaptive authentication uses risk scoring to determine whether or not MFA is required at the time of login. The risk score is a calculation of the risk level at the time of login that determines whether the end user will be granted access directly or will require a second level of authentication. Location, time, and frequency are some of the criteria used to determine the risk score.

## CIAM Solution Features

- Robust Security & Authentication
- Easy Migration & Administration
- Seamless User Experiences
- Reliability at Scale

## Does CIAM Improve Customer Retention and Sales?

According to Gartner, CIAM is an essential component of building solid customer trust. In fact, by 2020, companies that implement digitally trustworthy customer solutions will generate 20 percent more online profit than those that do not. With a Trusted Customer Experiences™ solution, companies can build a strong foundation for customer identity, trust, and loyalty, while minimizing operating costs, maximizing revenue and retention, and optimizing the customer experience. SmartFactor Authentication™ minimizes friction during the authentication process by increasing security when you need it and not when you don't. CIAM helps you acquire more customers, create more customer interactions, and influence cross-sells, so you can build trust and loyalty to increase revenue and customer retention.

## CIAM Use Cases

Since the goal of CIAM solutions is to streamline the end user experience while maintaining robust security, the various use cases all serve those goals. Here are the most common CIAM use cases:

- Improve customer login experiences across multiple platforms and apps
- Offer easy identity resolution and password resets/retrievals
- Provide a unified and coherent customer experience
- Streamline a secure sign-in process that reduces abandonment rates
- Improve overall security by avoiding poor password hygiene
- Streamline user authentication
- Enable social login
- Offer scalable customer identity management
- Ease the process of user migration off legacy systems


Privileged Access Management (PAM) Demystified

Every technology system manages its security by providing users with different levels of access. This role-based security model offers system administrators greater control and determines the actions each user can perform on the system. The principle of least privilege states that every user should have only the access they need to perform their duties and nothing more. Therefore, increasing the platform's security requires an organization to limit the number of users who have privileges to access administrative functions.

Since actions such as accessing restricted information, adding or deleting users, and reconfiguring the application have security and operational ramifications, only trusted users should have the access needed to perform these tasks. We often refer to these privileged accounts as superusers or administrators. However, privileged accounts can also be non-human system users. For instance, some enterprise services require a system account to access confidential data or restricted networks. You may also have services that rely on shared secrets like encryption keys that grant regular users access. As all these privileged accounts have access to confidential data and secure environments, we need to implement additional security measures to protect them.

## What is PAM?

Privileged Access Management (PAM) is an information security (infosec) mechanism that safeguards identities with special access or capabilities beyond those of regular users. Like all other infosec solutions, PAM works through a combination of people, processes, and technology.

We treat privileged accounts with extra care because of the risk they pose to the technology environment. For example, should the credentials of an administrator or service account fall into the wrong hands, it could lead to the compromise of the organization's systems and confidential data. Data breaches occur when threat actors compromise privileged access accounts. As these accounts hold the keys that unlock every door in a technology environment, we need to add additional layers of protection. That extra security is a Privileged Access Management solution.

## What does Privileged Access mean?

In a technology environment, privileged access refers to accounts with elevated capabilities beyond those of regular users. For example, in a Linux environment, the root user can add, amend, or delete users, install and uninstall software, and access restricted parts of the operating system that are off-limits to a standard user. Windows environments follow a similar security construct, but the equivalent of the root user is called an administrator.

Let's illustrate the concept of privileged access with a real-world banking example. A typical bank has customers, tellers, and managers. Each 'user' has a different level of authority when it comes to accessing the bank's cash. Customers can only access the money in their own bank accounts. Tellers have more privileges than regular customers, as they have access to all the cash in their respective drawers. Managers have even greater access than tellers, as they can access the money stored in the bank's vault.

Technology systems also use this tiered privileged access model. Your role within the system determines what you can or cannot do. In our banking example, the tellers and managers would be the users with privileged access. As these roles have access to more of the bank's cash than customers, the bank needs to implement additional security measures before granting tellers and managers access. For instance, during their job interviews, they may need to pass a criminal record check. When they start working at the bank, their role will also determine their physical access. For example, tellers may be able to enter the secure area of the bank, but only managers will have the privileged access needed to enter the vault.

## Privileged Access Management vs. Privileged Account Management vs. Privileged Session Management

Privileged Access Management is a security mechanism that consists of various components. Depending on the security problem the solution is trying to solve, different processes and technologies come into play.

As the name suggests, Privileged Account Management refers to the mechanisms that manage and audit accounts that have system access beyond that of a standard user. In some Privileged Access Management systems, Privileged Account Management refers to the technology that stores credentials. For instance, an administrator may manage a portal that defines and controls the methods used to access privileged accounts across various applications and enterprise resources. The Privileged Account Management portal stores the credentials of privileged accounts (such as their passwords) in a special-purpose, highly secure password vault. In addition to storing the credentials, the portal can also enforce policies regarding the conditions of access. For example, it may hold the credentials of a privileged service account that runs a critical system. Users who require access to those credentials may need to use a unique authentication mechanism. In some instances, these portals automatically change the password in the vault and on the system, ensuring the credentials remain secure after someone has accessed them.

Privileged Session Management is a component of a Privileged Access Management solution that enables administrators to monitor, manage, and audit the activities of privileged users. It tracks and logs sessions initiated by internal and external users and connected systems with abilities beyond those of a standard user. These solutions reduce risk by notifying security administrators of any anomalous session activity that involves a privileged account.

## How does Privileged Access Management work?

As mentioned, Privileged Access Management is a combination of people, processes, and technology. Therefore, the first step in implementing a PAM solution is identifying which accounts have privileged access. Following that, the business needs to decide which policies it will apply to these accounts. For instance, it may state that service accounts must have their password renewed each time a user accesses the stored credentials. Another example would be enforcing [Multi-Factor Authentication (MFA)](https://www.onelogin.com/learn/what-is-mfa) for all system administrators. Keeping a detailed log of all privileged sessions is another policy the organization may decide to implement.

Ideally, each process should align with a particular risk. For example, forcing a change of service account passwords mitigates the risk of an insider threat. Likewise, keeping a log of all privileged sessions allows security administrators to identify any anomalies, and enforcing MFA is a proven way to mitigate password-related attacks.

Once the organization completes its discovery phase of identifying privileged accounts and finalizes its PAM policies, it can implement a technology platform to monitor and enforce its Privileged Access Management. This PAM solution automates the organization's policies and provides security administrators with a platform to manage and monitor privileged accounts.

## Privileged Access Management requirements

A Privileged Access Management solution must have the capabilities to support the PAM policies of an organization. Typically, an enterprise PAM will have automated password management features that include a vault, auto-rotation, auto-generation, and an approval workflow. In addition to these password management capabilities, it should also provide administrators with the ability to implement and enforce Multi-Factor Authentication. An enterprise-grade Privileged Access Management solution should also offer organizations the capability to manage privileged account lifecycles. In other words, it must give administrators the ability to automate the creation, amendment, and deletion of accounts. Finally, a PAM solution must provide robust monitoring and reporting. As security administrators need to monitor privileged sessions and investigate any anomalies, it needs to provide real-time visibility and automated alerting.

## PAM vs. IAM

Privileged Access Management (PAM) is a component of a broader [Identity and Access Management (IAM) solution](https://www.onelogin.com/learn/iam). PAM deals with the processes and technologies needed to secure privileged accounts. On the other hand, an IAM solution offers password management, Multi-Factor Authentication, Single Sign-On (SSO), and user lifecycle management for all accounts, not just those with privileged access.

## PAM vs. Least Privilege

The Principle of Least Privilege (POLP) is a security model that states users, networks, devices, and workloads should have the minimum access they need to perform their function and nothing more. On the other hand, Privileged Access Management deals with the security processes and technologies required to protect privileged accounts. Therefore, while PAM enables some of the controls needed to enforce the Principle of Least Privilege, it is not the only technology to do so.

PAM provides administrators with the functionality, automation, and reporting they need to manage privileged accounts. In addition, it supports the principle of least privilege, as it allows for the management and oversight needed to mitigate the risk of accounts that have capabilities beyond the standard user. However, organizations have access to other information security mechanisms to enforce the principle of least privilege. For example, they could implement Role-Based Access Control (RBAC) on every system. Other examples of enforcing the principle of least privilege include segmenting and securing networks with VLANs and ensuring users are not local administrators on their corporate workstations.

## Why is PAM important?

Privileged Access Management is vital in any organization, as privileged accounts pose a significant risk to the enterprise. For instance, if a threat actor compromises a standard user account, they will only have access to that particular user's information. However, if they manage to compromise a privileged user, they will have far greater access and, depending on the account, may even have the ability to sabotage systems. Due to their status and profile, cybercriminals target privileged accounts, as they can compromise entire organizations instead of a single user.

With Forrester estimating that [80 percent of security breaches involve privileged accounts](https://www.securitymagazine.com/articles/91830-surge-in-attacker-access-to-privileged-accounts-and-services-puts-businesses-at-risk), securing and monitoring these core enterprise identities is vital. For instance, a PAM solution can address security weaknesses such as multiple users accessing and knowing the same administrative password for a particular service. It also mitigates the risk of long-standing static passwords that administrators do not want to change for fear of causing an unplanned disruption.

## PAM Best Practices

A Privileged Access Management solution is only as effective as its implementation. Therefore, organizations should consider the following best practices:

- **Implement the Principle of Least Privilege** - You cannot manage privileged accounts without first implementing the principle of least privilege. Locking down an environment so that only privileged accounts can access particular resources is a prerequisite for a successful PAM solution.
- **Keep track of all privileged accounts** - You cannot manage a privileged account if it is not part of your PAM solution.
- **Consider temporary privilege escalation** - Instead of granting a user perpetual privileged access, consider providing it only when needed and then removing it.
- **Use Role-Based Access Control** - Privileged Access Management only works on a system if you have differing role-based access levels. For example, if everyone is an administrator, the system is much more challenging to secure and manage.
- **Automate** - Automation reduces the risk of human error and also increases the efficiency of your information security environment.
- **Monitor, Log, and Audit** - Continuous monitoring and active logging of all privileged account activity is vital to ensuring an organization has the insights it needs to protect its environment. However, it is also crucial that the logs are audited regularly. Without that, the organization would not have the information it needs to identify potential risks and implement measures to mitigate them.


What is MFA?

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong [identity and access management (IAM)](https://www.onelogin.com/learn/iam) policy. Rather than asking only for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.

## Why is MFA Important?

The main benefit of MFA is that it enhances your organization's security by requiring users to prove their identity with more than a username and password. Usernames and passwords, while important, are vulnerable to [brute force attacks](https://www.onelogin.com/learn/mfa-types-of-cyber-attacks) and can be stolen by third parties. Enforcing an additional factor such as a fingerprint or a physical hardware key means that a stolen password alone is no longer enough for an attacker to get in. Not all factors resist the same attacks, however: a one-time code can be relayed by a real-time phishing page, whereas a hardware security key bound to the site's origin cannot, so the choice of factor matters as much as the decision to require one.

## How Does MFA work?

MFA works by requiring additional verification information (factors). One of the most common factors users encounter is the [one-time password (OTP)](https://www.onelogin.com/learn/otp-totp-hotp). OTPs are the 4-8 digit codes you receive via email, SMS or an authenticator app. A new code is generated periodically or each time an authentication request is submitted. The code is derived from a secret seed assigned to the user when they first register, combined with a moving factor: either a counter that is incremented on each use (HOTP) or the current time rounded down to a fixed step, commonly 30 seconds (TOTP). The server holds the same seed and computes the same code, so the seed itself is never transmitted after enrollment.
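The seed-plus-moving-factor construction described above, worked through as an added example (this is not code from the original page or from any OneLogin product). It implements HOTP as specified in RFC 4226 and TOTP as specified in RFC 6238 using only the Python standard library, and uses the 20-byte ASCII seed from the RFCs' own test vectors so the output can be checked against the published tables. The server-side `verify_totp` adds the two checks a practitioner wants and the RFCs only describe in prose: a small clock-skew window, and rejection of any time step at or before the last accepted one so that a code captured in transit cannot be replayed.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only.

Added example, not code from the original page. The seed below is the 20-byte
ASCII secret used in both RFCs' test vectors.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SEED = b"12345678901234567890"  # test-vector seed from RFC 4226 / RFC 6238


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    code = (
        (mac[offset] & 0x7F) << 24               # clear the top bit so the value is a 31-bit integer
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)  # keep leading zeros: "07081804" is a valid code


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_accepted_step=None,
                window: int = 1, digits: int = 6, step: int = 30, digestmod=hashlib.sha1):
    """Server-side check. Returns the accepted time step, or None if the code is rejected.

    - `window` steps either side of now are accepted to tolerate clock skew and typing delay.
    - Any step at or before `last_accepted_step` is rejected, so a code observed in transit
      cannot be replayed inside the window. The caller must persist the returned step per user.
    - The comparison is constant-time.
    """
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if last_accepted_step is not None and candidate <= last_accepted_step:
            continue
        expected = hotp(secret, candidate, digits, digestmod)
        if hmac.compare_digest(expected, submitted):
            return candidate
    return None


if __name__ == "__main__":
    print("current 6-digit TOTP for the RFC seed:", totp(RFC_TEST_SEED, int(time.time())))
    print("RFC 6238 vector T=59 ->", totp(RFC_TEST_SEED, 59, digits=8))
```

Note that HOTP with counter 1 and 6 digits gives `287082`, and TOTP at T=59 with 8 digits gives `94287082`: the same HMAC output, truncated to a different number of digits, which is exactly what the RFCs describe. The seed is the only secret; anyone who can read it, for example from an unencrypted backup of the authenticator app, can generate every future code.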
## Three Main Types of MFA Authentication Methods

Most MFA methods rely on one of three types of additional information:

- Things you know (knowledge), such as a password or PIN
- Things you have (possession), such as a badge or smartphone
- Things you are (inherence), such as a biometric like a fingerprint or voice recognition

Two factors of the same type, for example a password plus the answer to a security question, do not add up to multi-factor authentication; the factors must come from different categories.

## MFA Examples

Examples of Multi-Factor Authentication include using a combination of these elements to authenticate:

**Knowledge**

- Answers to personal security questions
- Password
- OTPs (can be both knowledge and possession: you know the OTP, and you must have something in your possession, such as your phone, to receive it)

**Possession**

- OTPs generated by smartphone apps
- OTPs sent via text or email
- Access badges, USB devices, smart cards, fobs or security keys
- Software tokens and certificates

**Inherence**

- Fingerprints, facial recognition, voice, retina or iris scanning or other biometrics
- Behavioral analysis

## Other Types of Multi-Factor Authentication

As MFA integrates machine learning and artificial intelligence (AI), authentication methods become more sophisticated, including:

##### Location-based

Location-based MFA usually looks at a user's IP address and, if possible, their geolocation. This information can be used simply to block a user's access if their location does not match an allow list, or it can serve as an additional signal alongside other factors such as a password or OTP to confirm the user's identity. Because IP geolocation is coarse and easily changed with a VPN or proxy, it is better treated as a risk signal than as a factor in its own right.

##### Adaptive Authentication or Risk-based Authentication

Another subset of MFA is [Adaptive Authentication](https://www.onelogin.com/learn/what-why-adaptive-authentication), also referred to as Risk-based Authentication. Adaptive Authentication considers context and behavior when authenticating and uses these values to assign a level of risk to the login attempt.
For example:

- Where is the user when trying to access information?
- When are they trying to access company information: during normal hours or "off hours"?
- What kind of device is used? Is it the same one used yesterday?
- Is the connection via a private network or a public network?

The risk level is calculated from the answers to these questions and determines whether the user is prompted for an additional authentication factor, or whether they are allowed to log in at all. This is why the approach is also called risk-based authentication. With Adaptive Authentication in place, a user logging in from a cafe late at night, something they do not normally do, might be required to enter a code sent to their phone in addition to their username and password, whereas when they log in from the office every day at 9 am they are prompted only for their username and password.

Cyber criminals spend their time trying to steal your information, and an effective, enforced MFA strategy is your first line of defense against them. An effective data security plan will save your organization time and money in the future.

## What's the Difference between MFA and Two-Factor Authentication (2FA)?

MFA is often used interchangeably with two-factor authentication (2FA). 2FA is a subset of MFA: 2FA requires exactly two factors, while MFA requires two or more.

## What is MFA in Cloud Computing?

With the advent of cloud computing, MFA has become even more necessary. As companies move their systems to the cloud, they can no longer rely on a user being physically on the same network as a system as a security factor. Additional controls need to be put in place to ensure that those accessing the systems are not bad actors.

As users access these systems at any time and from any place, MFA helps ensure that they are who they say they are by prompting for additional authentication factors that are more difficult for attackers to imitate or brute-force.

## MFA for Office 365

Many cloud-based systems provide their own MFA offerings, for example AWS or Microsoft's Office 365. Office 365 uses Azure Active Directory (Azure AD) as its authentication system by default, and at the time of writing there were a few limitations. For example, there were only four basic options for the additional authentication factor: Microsoft Authenticator, SMS, voice call and OAuth token. You may also have to spend more on licensing depending on which options you want available and whether you want to control exactly which users must use MFA. Identity as a Service (IDaaS) solutions such as OneLogin offer more authentication factors and integrate more easily with applications outside the Microsoft ecosystem.
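The risk calculation described under Adaptive Authentication above, as an added example (not code from the original page or from any vendor's product). It answers the four questions from the text for one login attempt, turns the anomalous answers into a score, and maps the score to allow, step-up or deny. The signal names, weights and thresholds are assumptions chosen to make the mechanism visible; a real policy engine tunes them from observed login data. The cafe-at-night and office-at-9am scenarios from the text are used as inputs.

```python
"""Risk-based (adaptive) authentication decision, as an added example.

Not code from the original page. The signals, weights and thresholds are
assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user, learned from past successful logins."""
    usual_countries: set
    known_devices: set
    work_hours: tuple = (8, 18)     # local hours [start, end) treated as normal


@dataclass(frozen=True)
class LoginContext:
    """Context observed for one login attempt."""
    country: str
    device_id: str                  # e.g. a device fingerprint or a registered device identifier
    local_hour: int
    network: str                    # "corporate", "private" or "public"


# Assumed weights: how much each anomalous answer adds to the risk score.
WEIGHTS = {"new_country": 40, "unknown_device": 30, "off_hours": 15, "public_network": 15}
STEP_UP_AT, DENY_AT = 30, 70        # assumed thresholds


def risk_signals(baseline: UserBaseline, ctx: LoginContext) -> list:
    """Answer the four questions from the text and return the ones that look anomalous."""
    signals = []
    if ctx.country not in baseline.usual_countries:
        signals.append("new_country")         # from where is the user logging in?
    if ctx.device_id not in baseline.known_devices:
        signals.append("unknown_device")      # same device as yesterday?
    start, end = baseline.work_hours
    if not start <= ctx.local_hour < end:
        signals.append("off_hours")           # normal hours or off hours?
    if ctx.network == "public":
        signals.append("public_network")      # private or public network?
    return signals


def score(signals: list) -> int:
    return sum(WEIGHTS[s] for s in signals)


def decide(baseline: UserBaseline, ctx: LoginContext) -> tuple:
    """Return (decision, score, signals): 'allow', 'step_up' (ask for another factor) or 'deny'."""
    signals = risk_signals(baseline, ctx)
    total = score(signals)
    if total >= DENY_AT:
        return "deny", total, signals
    if total >= STEP_UP_AT:
        return "step_up", total, signals
    return "allow", total, signals


def record_step_up_success(baseline: UserBaseline, ctx: LoginContext) -> None:
    """After the user passes the extra factor, remember the device so the same context stops prompting."""
    baseline.known_devices.add(ctx.device_id)


if __name__ == "__main__":
    base = UserBaseline(usual_countries={"GB"}, known_devices={"laptop-1"})
    print(decide(base, LoginContext("GB", "laptop-1", 9, "corporate")))   # office, 9 am
    print(decide(base, LoginContext("GB", "laptop-1", 23, "public")))     # cafe, late at night
```

Every one of these signals is something an attacker can influence (a VPN exit in the right country, a spoofed user agent, a login scheduled for office hours), so the score should only ever decide how much friction to add, never whether a strong factor can be skipped for an unknown device.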


What is a DDoS attack?

A distributed denial-of-service (DDoS) attack occurs when a group of systems floods a server with fraudulent traffic. Eventually, the server is overwhelmed and either goes down or becomes unresponsive, even to legitimate requests. From early 2020 to 2021, the number of DDoS attacks [grew by 341%](https://www.helpnetsecurity.com/2021/06/11/ddos-attacks-increase-pandemic/). This is largely because the pandemic forced many businesses to go digital, which made them more exposed to cyberattacks.

DDoS attacks are among the most feared cyberattacks, and for good reason. A well-conducted DDoS attack can be virtually impossible to prevent and very difficult to stop. They can start at any time and cripple the servers of even the most sophisticated IT companies. In 2018, [GitHub was hit by the then-largest-ever DDoS attack](https://www.zdnet.com/article/github-was-hit-with-the-largest-ddos-attack-ever-seen/), which flooded their servers with over 120 million packets every second.

Regardless of scale, the underlying theme is always the same: bombard a server with more requests than it can handle, and keep doing so until it crashes or stops responding. Service disruptions can take hours to remediate, causing huge financial losses.

## The anatomy of a DDoS attack

Instead of delving into technical details, consider an analogy. Suppose that you run a takeaway burger joint. Customers place their orders by phone and pick them up when they are ready. One day, a prankster makes multiple calls to your place, ordering 100 burgers in total. This is enough to keep all your cooks occupied, so you stop taking new orders. However, the prankster never picks up the burgers. Not only were all your resources wasted on fake orders, you were also unable to serve real customers. This is annoying but easy to prevent, since it is just one person placing all the false orders. You can simply block their number, and the problem is solved.

The same situation can happen on a server. One malicious client can send a flood of fake requests to a server, hampering its ability to respond to real users. But just as in our example, detecting one fake client is easy; the server can block all incoming requests from it. This type of attack is known as a denial-of-service (DoS) attack, the precursor of modern DDoS attacks.

Now suppose there are multiple pranksters calling your burger joint. Your landline never stops ringing, and it is virtually impossible to tell a real customer from a fake one. You cannot just block numbers either, as some of them may belong to actual customers. Your entire operation is paralyzed. This is exactly what happens when a server experiences a DDoS attack. Attackers generate fake traffic from many machines, make it look like real traffic, and the server, network or website inevitably breaks down.

## Why do DDoS attacks happen?

Some of the main reasons for DDoS attacks are:

- **Ransom:** Attackers often demand a ransom after conducting a DDoS attack. At times, a ransom note threatening an attack is sent beforehand.
- **Hacktivism:** DDoS attacks are also used to voice an opinion. Hacktivists carry out DDoS attacks to show support for or opposition to a regulation, person, or company.
- **Competition:** A 2017 survey revealed that over 40% of companies hit by a DDoS attack blamed their competition for it. This seems more plausible considering that you can buy a [week-long DDoS attack for a mere $150](https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf).

## Types of DDoS attacks

Even though the end goal of a DDoS attack is always to overwhelm the system, the means of achieving it differ. Three broad types of DDoS attacks are as follows.

### 1. Application layer attacks

The application layer is where the server generates the response to an incoming client request. For example, if a user enters **http://www.xyz.com/learning/** in their browser, an HTTP request is sent to the server, requesting the _**learning**_ page. The server fetches all the information related to the page, packages it in a response, and sends it back to the browser. This fetching and packaging happens at the application layer.

An application layer attack occurs when an attacker uses many bots or machines to repeatedly request the same resource from the server, eventually overwhelming it. The most common application layer attacks are HTTP floods, in which malicious actors keep sending HTTP requests to a server from many different IP addresses. One example is asking a server to generate PDF documents over and over again. Because a single expensive request costs the attacker almost nothing but costs the server real CPU and memory, these attacks need far less bandwidth than the other types. And because the IP address and other identifiers change with every request, the traffic is hard to distinguish from a legitimate surge in users.

### 2. Protocol attacks

Protocol attacks aim to exhaust the resources of a server or of its networking infrastructure, such as firewalls, routing engines, or load balancers. An example is the SYN flood. Before two computers can exchange data over TCP, they must perform a three-way handshake, which is how the two parties exchange preliminary connection information. A SYN packet is the first step of the handshake, indicating to the server that the client wants to open a new connection. In a SYN flood, the attacker sends the server a stream of SYN packets, typically with spoofed source IP addresses. The server responds to each with a SYN-ACK and allocates state for the half-open connection while it waits for the client to complete the handshake. The clients never respond, so the server's connection backlog fills with half-open connections and it can no longer accept legitimate ones.

### 3. Volumetric attacks

Volumetric attacks bombard a server with so much traffic that its bandwidth is completely exhausted. The most common example is the DNS amplification attack. The attacker sends small queries to open DNS resolvers using the spoofed IP address of the target, so the resolvers send their much larger responses to the target. Because a response can be many times the size of the query, a modest amount of attacker bandwidth becomes a deluge at the target.

## Stopping an in-progress DDoS attack

To stop a DDoS attack, you must know the most common symptoms.

### Usual DDoS symptoms

- Large amounts of traffic coming from clients with the same or similar characteristics, e.g. device type, browser type/version, IP or IP range, and location.
- An exponential, unexpected rise in traffic to a single endpoint or server.
- A server that starts repeatedly crashing for no apparent reason.
- Your website taking too long to respond to requests.

### Responding to a DDoS attack

Once you have identified a DDoS attack, it is important to act quickly, as that gives you an opportunity to prevent serious downtime. If you wait too long, your server may start crashing, and full recovery may take hours. The hardest part of mitigating a DDoS attack is that it is often virtually impossible to do so without affecting legitimate traffic, because attackers go to great lengths to make fake traffic look real. With that said, here are some ways you can respond:

- **Blackhole filtering:** Examine incoming traffic and determine a criterion that identifies the malicious portion. Route traffic matching the criterion into a blackhole, essentially dropping it. Note that blackholing the whole target address also drops legitimate traffic to it, which completes the attacker's goal for that address; it is a last resort, used to protect the rest of the network.
- **Anycast and load distribution:** Distribute the traffic across multiple servers, increasing your capacity and decreasing the chance of any individual server being overwhelmed.
- **IP blocking:** If you notice unexpectedly high traffic from the same range of IP addresses, block them.

### Is the breach notifiable?

Under GDPR, you must [notify the Information Commissioner's Office (ICO)](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/), the UK supervisory authority, if a breach poses a risk to the rights and freedoms of individuals; loss of availability of personal data counts as a breach. If you judge the risk to be unlikely, you are not required to report it. However, if you decide not to report a breach, document your decision, as you could later be asked to justify it.

## Preventing a DDoS attack

Stopping an active DDoS attack can be hard and may affect your legitimate users, which is why it is important to take a preemptive approach. In addition to the preventive measures below, you should also create a DDoS incident response plan, as even the best defenses can sometimes succumb to sophisticated attacks.

- **Real-time packet analysis:** Analyze packets against a set of rules as they enter your system, discarding the potentially malicious ones.
- **DDoS defense system (DDS):** A DDS can detect legitimate-looking traffic with malicious intent. It protects against both protocol and volumetric attacks, largely without human intervention.
- **Web application firewall:** Web application firewalls (WAF) are a good tool for mitigating application layer DDoS attacks. They let you filter incoming requests based on rules, which can also be added on the fly in response to an attack.
- **Rate limiting:** Limit the number of requests a server will accept from a client over a given time period.
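The symptoms listed under "Usual DDoS symptoms" and the rate limiting recommended under "Preventing a DDoS attack", worked through together as an added example (not code from the original page). It parses a constructed access log in a simplified common-log layout with epoch-second timestamps, flags two of the symptoms from the text (one address whose request rate is out of proportion, and many addresses that share the same client signature and path, which is what an HTTP flood against a PDF-generating endpoint looks like), and then applies a token-bucket rate limiter per address. The thresholds are assumptions a real deployment would tune to its own traffic.

```python
"""Spotting DDoS symptoms in an access log and rate-limiting the offenders.

Added example, not code from the original page. The log format is a constructed,
simplified common-log layout with epoch-second timestamps; the thresholds are
assumptions for illustration.
"""
import re
from collections import defaultdict, deque

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>\d+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    return ev


def build_sample_log() -> list:
    """Constructed traffic: ordinary users, one single-source HTTP flood, one distributed PDF flood."""
    lines = []

    def emit(ip, ts, path, ua):
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "{ua}"')

    for n in range(5):                              # 5 users, one request every 2 s for a minute
        for ts in range(100, 160, 2):
            emit(f"198.51.100.{n + 1}", ts, "/learning/", f"Mozilla/5.0 (user {n})")
    for i in range(200):                            # one address: 20 requests/s for 10 s
        emit("203.0.113.7", 100 + i // 20, "/search?q=x", "Mozilla/5.0 (flooder)")
    for n in range(40):                             # 40 addresses, same client, same expensive endpoint
        for ts in (100, 101, 102):
            emit(f"192.0.2.{n + 1}", ts, "/report.pdf", "python-requests/2.25.1")
    return lines


def detect(events, window=10, per_ip_limit=50, cluster_min_ips=20):
    """Two symptoms from the text: a per-address rate out of proportion (sliding window), and
    many distinct addresses sharing the same characteristics (user agent + path)."""
    recent, noisy_ips, cluster_ips = defaultdict(deque), set(), defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q[0] <= ev["ts"] - window:            # forget timestamps that fell out of the window
            q.popleft()
        if len(q) > per_ip_limit:
            noisy_ips.add(ev["ip"])
        cluster_ips[(ev["ua"], ev["path"])].add(ev["ip"])
    noisy_clusters = {sig for sig, ips in cluster_ips.items() if len(ips) >= cluster_min_ips}
    return noisy_ips, noisy_clusters


class TokenBucket:
    """Per-key rate limiter: `rate` tokens/s refill up to `burst`; each request costs one token."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst, self.state = rate, burst, {}

    def allow(self, key, now) -> bool:
        tokens, last = self.state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.state[key] = (tokens - 1, now)
            return True
        self.state[key] = (tokens, now)
        return False


def mitigate(events, noisy_ips, noisy_clusters, bucket: TokenBucket) -> list:
    """Drop flagged addresses and clusters outright, then rate-limit everything else per address."""
    allowed = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ip"] in noisy_ips or (ev["ua"], ev["path"]) in noisy_clusters:
            continue
        if bucket.allow(ev["ip"], ev["ts"]):
            allowed.append(ev)
    return allowed


def count_prefix(events, prefix: str) -> int:
    return sum(1 for e in events if e["ip"].startswith(prefix))


if __name__ == "__main__":
    evs = [parse_line(line) for line in build_sample_log()]
    ips, clusters = detect(evs)
    print("flagged addresses:", ips, "flagged clusters:", clusters)
    kept = mitigate(evs, ips, clusters, TokenBucket(rate=2.0, burst=10))
    print(f"{len(kept)} of {len(evs)} requests reach the application")
```

The two stages matter for different attacks. The per-address bucket alone caps the single-source flood at burst plus rate times duration (28 of 200 requests here) but lets every request of the distributed flood through, because each of its 40 addresses stays under the limit; that is the point the text makes about rotating IP addresses. Only the shared-signature cluster check catches it, and the cluster has to be derived from traffic, not configured in advance.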


RBAC vs ABAC: Make the Right Call

Role-based access control (RBAC) and attribute-based access control (ABAC) are the two most popular ways to implement access control. Knowing what separates the two methods can help you choose what's right for your organization. RBAC grants or rejects access based on the requesting user's role within a company. ABAC takes into account various pre-configured attributes or characteristics, which can relate to the user, the environment, and/or the accessed resource.

## But first – what's access control?

Think of a company's network and resources as a secure building. The only entry point is protected by a security guard, who verifies the identity of everyone entering the building. If someone fails to prove their identity, or does not have the necessary rights to enter the building, they are sent away. In this analogy, the security guard is the access control mechanism, which lays the foundation of a company's security infrastructure.

It is hard to overstate the need for access control. Every year data breaches cost companies [millions of dollars](https://www.statista.com/statistics/290525/cyber-crime-biggest-online-data-breaches-worldwide/), and many of these could be avoided by implementing better access control. In the following sections, let's explore what RBAC and ABAC bring to the table and how they compare.

## What is Role-Based Access Control (RBAC)?

In an RBAC system, people are assigned privileges and permissions based on their "roles." These roles are defined by an administrator who categorizes people by department, responsibilities, seniority level, and/or geographical location. For example, a chief technology officer may have access to all the company's servers, a software engineer may have access only to a small subset of application servers, and remote employees may be assigned a special role that lets them access only the server they are actively working on.

The level of access may also differ by role. For example, a junior developer is only allowed to read information from a database and cannot add or alter anything, while a senior database developer has full privileges on all the databases. The duration of access might also differ: a third-party contractor is assigned the outsider role, which grants them access to a server for x hours, whereas an internal software developer may be allowed indefinite access to the same server.

It is also possible for one user to hold multiple roles. For example, a software architect oversees several teams building different projects and needs access to all the files related to all these projects. To this end, the administrator assigns them several roles, each giving access to the files of one project.

## Types of RBAC

The [NIST model for role-based access control](https://csrc.nist.gov/CSRC/media/Publications/conference-paper/2000/07/26/the-nist-model-for-role-based-access-control-towards-a-unified-/documents/sandhu-ferraiolo-kuhn-00.pdf) defines the following RBAC levels:

- **Flat RBAC:** Each employee is assigned at least one role, and some have more than one. Permissions are attached to roles, never directly to users, so someone who wants access to a new file, resource or server must first obtain a role that carries it.
- **Hierarchical RBAC:** Roles are arranged in a hierarchy. In addition to their own privileges, senior roles inherit the privileges of the junior roles beneath them.
- **Constrained RBAC:** This level adds separation of duties (SoD). SoD spreads the authority to perform a sensitive task across multiple users, reducing the risk of fraudulent or risky activity. E.g., if a developer wants to decommission a server, they need approval not only from their direct manager but also from the head of infrastructure, which gives the infrastructure head a chance to deny risky or unnecessary requests.
- **Symmetric RBAC:** This level adds permission-role review: administrators can see which roles hold a given permission, not just which permissions a role holds, so that all organizational roles can be reviewed regularly. As a result of these reviews, privileges may be assigned or revoked, and roles added or removed.

## What is Attribute-based Access Control (ABAC)?

In an ABAC environment, when a user requests access, the system grants or denies it based on a set of attributes. These attributes can relate to the:

- **User.** In ABAC terms, the requesting user is also known as the subject. User attributes can include designation, usual responsibilities, security clearance, department, and/or seniority level. For example, say Bob, a payroll analyst, tries to access the HR portal. The system checks his "department," "designation," and "responsibilities" attributes and determines that he should be allowed access. If Alice from the IT team tries to access the same portal, she is refused, because she does not have the required attributes.
- **Accessed resource.** This can include the name and type of the resource (a file, server, or application), its creator and owner, and its sensitivity level. For example, Alice tries to access a shared file containing best practices for software development. Since the file's "sensitivity level" attribute is low, Alice is allowed access even though she does not own it. However, if she tries to access a file from a project she does not work on, the "file owner" and "sensitivity level" attributes prevent her from doing so.
- **Action.** What is the user trying to do with the resource? Relevant attributes include "write," "read," "copy," "delete," "update," or "all." For example, if Alice only has the "read" attribute set for a particular file, she will not be allowed to update the source code in that file, whereas someone with the "all" attribute can do whatever they want with it.
- **Environment.** Attributes considered here include time of day, the location of the user and the resource, the user's device and the device hosting the file. For example, Alice may be allowed to access a file in a "local" environment, but not when it is hosted in a "client" environment.

## RBAC vs. ABAC: Pros and Cons

| RBAC Pros | RBAC Cons |
| --- | --- |
| Defining and implementing roles is much simpler and faster than assigning attributes to individuals. This is especially helpful for small-to-medium sized organizations. | To establish granular policies, administrators need to keep adding more roles. This can easily lead to "role explosion," leaving administrators managing thousands of organizational roles. |
| Allows you to create access hierarchies, where managers automatically get all the permissions of their direct reports. | In the event of a role explosion, translating user requirements into roles becomes a complicated task. |
| If role explosion can be avoided, the costs associated with RBAC implementations are usually low. | |

| ABAC Pros | ABAC Cons |
| --- | --- |
| Lets you define a granular access control policy. Administrators can choose from a large set of attributes, which helps them formulate highly specific rules. | Can be hard to implement, especially in time-constrained situations. |
| No need to modify existing rules to accommodate new users. All administrators need to do is assign the relevant attributes to new joiners. | Recovering from a bad ABAC implementation can be difficult and time-consuming. |
| When revoking or adding permissions, it is much easier to modify attributes than to change or define new roles. | Implementing ABAC often requires more time, resources, and expensive tooling, which add to the overall cost. However, a successful ABAC implementation can be a future-proof, financially viable investment. |

## When to use RBAC or ABAC?

Even though ABAC is widely considered an evolution of RBAC, it is not always the right choice. Depending on your company's size, budget, and security needs, you may choose one over the other.

## Choose ABAC if you:

- Have the time, resources, and budget for a proper ABAC implementation.
- Are in a large organization that is constantly growing. ABAC enables scalability.
- Have a geographically distributed workforce. ABAC lets you add attributes based on location and time zone.
- Want as granular and flexible an access control policy as possible.
- Want to future-proof your access control policy. RBAC is slowly becoming a dated approach, and ABAC gives you more control and flexibility over your security controls.

## Choose RBAC if you:

- Are in a small-to-medium sized organization.
- Have well-defined groups within your organization, where applying broad, role-based policies makes sense.
- Have limited time, resources, and/or budget to implement an access control policy.
- Do not have many external contributors and do not expect to onboard a lot of new people.
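The two models side by side, as an added example (not code from the original page). The `RBAC` class covers the four NIST levels described above: permissions attached to roles, inheritance down a role hierarchy, a separation-of-duties constraint that refuses to assign two mutually exclusive roles to one person, and a permission-role review query. The ABAC half encodes the Bob/Alice scenarios from the text as rules over subject, resource, action and environment attributes with deny-overrides, default-deny evaluation. Role names, attribute names and the rules themselves are assumptions chosen to mirror the text.

```python
"""RBAC and ABAC side by side, as an added example (not code from the original page).

Role names, attribute names and the rules below are assumptions chosen to mirror
the Bob/Alice scenarios in the text. Both engines deny by default.
"""
from collections import defaultdict
from dataclasses import dataclass, field


class RBAC:
    """Flat: permissions hang off roles. Hierarchical: senior roles inherit junior ones.
    Constrained: some role pairs may not be held together. Symmetric: permission-role review."""

    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> permissions granted directly
        self.juniors = defaultdict(set)      # senior role -> junior roles it inherits from
        self.user_roles = defaultdict(set)
        self.exclusive = []                  # role pairs one user may never hold together (SoD)

    def grant(self, role, *perms):
        self.role_perms[role].update(perms)

    def inherits(self, senior, junior):
        self.juniors[senior].add(junior)

    def forbid_together(self, role_a, role_b):
        self.exclusive.append(frozenset((role_a, role_b)))

    def assign(self, user, role):
        for pair in self.exclusive:
            if role in pair and (pair - {role}) & self.user_roles[user]:
                raise ValueError(f"separation of duties: {user} may not hold {sorted(pair)} together")
        self.user_roles[user].add(role)

    def _closure(self, roles):
        """All permissions reachable from `roles` by walking the hierarchy downwards."""
        perms, seen, todo = set(), set(), list(roles)
        while todo:
            role = todo.pop()
            if role in seen:
                continue
            seen.add(role)
            perms |= self.role_perms.get(role, set())
            todo.extend(self.juniors.get(role, ()))
        return perms

    def allowed(self, user, permission) -> bool:
        return permission in self._closure(self.user_roles[user])

    def roles_with(self, permission) -> set:
        """Permission-role review: which roles carry this permission, directly or by inheritance?"""
        return {r for r in set(self.role_perms) | set(self.juniors) if permission in self._closure([r])}


@dataclass
class Subject:
    name: str
    department: str
    designation: str
    projects: frozenset = frozenset()
    file_actions: dict = field(default_factory=dict)  # resource name -> actions this user may perform


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                  # "application" or "file"
    project: str = ""
    sensitivity: str = "low"   # "low" or "high"


@dataclass(frozen=True)
class Environment:
    hosting: str = "local"     # "local" or "client"
    managed_device: bool = True


def permit_hr_portal(s, r, action, env):
    return r.kind == "application" and r.name == "hr-portal" and action == "use" and (
        s.department == "HR" or s.designation == "payroll analyst")


def permit_low_sensitivity_read(s, r, action, env):
    return r.kind == "file" and r.sensitivity == "low" and action == "read"


def permit_project_file(s, r, action, env):
    return r.kind == "file" and r.project in s.projects and action in s.file_actions.get(r.name, set())


def deny_unmanaged_in_client_env(s, r, action, env):
    return env.hosting == "client" and not env.managed_device


PERMIT_RULES = [permit_hr_portal, permit_low_sensitivity_read, permit_project_file]
DENY_RULES = [deny_unmanaged_in_client_env]


def abac_allowed(subject, resource, action, env=Environment()) -> bool:
    """Deny-overrides, default-deny: a matching deny rule wins; otherwise any matching permit rule grants."""
    if any(rule(subject, resource, action, env) for rule in DENY_RULES):
        return False
    return any(rule(subject, resource, action, env) for rule in PERMIT_RULES)
```

The contrast the text draws shows up in the code: adding a new ABAC user is a matter of setting attributes on a `Subject`, while the RBAC engine has no attribute vocabulary at all and can only express finer distinctions by minting more roles. The separation-of-duties check belongs in `assign`, at the moment roles are granted, not at access time, because by then both roles are already held.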


What is the Principle of Least Privilege?

What is PoLP? The principle of least privilege (PoLP), also known as the principle of minimal privilege or the principle of least authority, is an information security concept. It states that any user, device, workload, or process should only have the bare minimum privileges it needs to perform its intended function. The word _privilege_ in this context refers to system rights or data access. For instance, it determines which users can access a particular file or which devices can access a specific network. It is also used to define what users can do on a system. For example, some users may only be able to execute particular functions, while others may be able to do more such as restart the application or apply updates. Information security practice typically categorizes accounts as either privileged or non-privileged. Privileged accounts can refer to user accounts or system accounts with greater access to system functions or stored data. For example, a system administrator that can apply updates, add users, and restart an application is a privileged account. Similarly, an application's service account that can access confidential information in a database, such as customer credit card details, is another example of a privileged account. ## Benefits of Least Privilege Access for security & productivity The primary objective of the principle of least privilege is to enhance the security of an application, network, or technology environment. As threat actors follow the path of least resistance when trying to obtain unauthorized access to a system, PoLP fortifies systems by reducing the number of potential access points. Similarly, it protects an organization from downtime or data breaches due to user error. The following analogy illustrates the principle of least privilege in both scenarios. Consider a bank with general staff and a bank manager. Applying the principle of least privilege, the manager needs access to the safe. However, the other staff members do not. 
As a result, the manager is the only individual with the keys. If a bank robber enters a bank where everyone has access to the safe, robbing that bank would be far easier than another bank where only the manager has the keys. Similarly, if every staff member has keys to the safe, the likelihood of them falling into the wrong hands increases exponentially. As illustrated in the analogy, the principle of least privilege reduces the potential attack surface. The same rule applies to information security. The fewer people with privileged access to a system or data, the less risk to the system from an attack or user error. In addition to reducing the attack surface, PoLP limits the potential damage and improves the management and maintainability of a technology environment. For instance, it provides data security and audit capabilities, improving compliance and reporting. ## Additional PoLP concepts and terms Managing the information security of an environment by implementing the principle of least privilege is not an event but a process. As a result, system administrators need to monitor their environment and continuously ensure that PoLP is enforced in the strictest possible terms. The following terms and concepts relate to PoLP and define particular scenarios that relate to the implementation of an effective PoLP strategy. - **Privilege creep:** Privilege creep is the gradual accumulation of access rights. In many instances, the additional access rights are beyond what the users need to perform their duties. Privilege creep often occurs when individuals move departments within an organization. For instance, a user transferred from Finance to HR is given access to the HR system, but their access to finance is not revoked. As a result, the principle of least privilege is not being applied correctly as the user no longer needs access to finance to do their job. 
- **Privilege bracketing:** Privilege bracketing is an information security concept where a standard user is provided with elevated privileges for a brief moment. An excellent example of this is the sudo command in Linux or the User Account Control (UAC) function in Windows. In both instances, when a user wants to install software or run a command that needs access to secure areas of the operating system, they are prompted to enter an administrative username and password. Once the privileged execution completes, the user no longer has elevated access.
- **Privilege separation:** The concept of privilege separation refers to a technique where the functionality of a system is divided into separate parts. The system then assigns access to each part to a different set of privileged users. For example, in many banking systems some users can load payments and other users can release them. The users that can load payments do not have release privileges. Likewise, the users that can release payments do not have the privileges to load them. This segregation of duties reduces the risk of fraud or embezzlement, as two separate individuals are needed to make one payment.
- **Privilege escalation:** Privilege escalation is a form of cyberattack where an attacker gains unauthorized access to elevated rights or privileges. For instance, an application error may provide a regular user with access to administrative functions. Another example of privilege escalation is an external attacker exploiting a known system vulnerability to execute commands as administrator.

## Zero Trust and PoLP

[Zero Trust](https://www.onelogin.com/learn/zero-trust) is an information security concept that states that an organization should deem any activity in its technology environment as untrusted. The model places data at its core and considers any workload, user, device, or network interacting with it as suspicious. Taking this prudent approach, the model states that organizations should authenticate and authorize every action and segment their environments. Finally, Zero Trust recommends that all data, whether in transit or at rest, should be protected with encryption.

The principle of least privilege aligns with the concept of Zero Trust. However, the two are distinct concepts. You can implement PoLP without Zero Trust. For instance, you could limit access to a system or data based on user roles and not implement network segmentation or encryption. Conversely, it would be impossible to implement Zero Trust without enforcing the principle of least privilege. As the model deems any action as untrusted, logic dictates that you must limit access to systems or data. Furthermore, administrators should only grant access to users, devices, networks, or workloads that need it to perform an authorized function.

## PAM vs PoLP

[Privileged Access Management (PAM)](https://www.onelogin.com/learn/privileged-access-management) is an information security mechanism that safeguards identities with special access or capabilities beyond regular users. It deals with the security processes and technologies required to protect privileged accounts. A PAM solution enables and enforces the principle of least privilege. However, implementing a Privileged Access Management solution does not mean you have implemented PoLP. It is only one of the components of an overarching PoLP strategy. While PAM provides administrators with the functionality, automation, and reporting they need to manage privileged accounts, it does not limit access to systems and data. You would need to use other technologies or built-in system capabilities to restrict access.

## Just-in-time Privileged Access and PoLP

_Just-in-time access_ is a concept that stems from [Identity and Access Management (IAM)](https://www.onelogin.com/learn/iam). Its approach is to reduce the risk of 'standing privileges.' For instance, when an organization grants a user administrator access, it gives the individual elevated rights to systems and data. Typically, it statically assigns those elevated rights, which then remain in perpetuity. Just-in-time access is a solution that grants a user elevated privileges when they need to perform an administrative function and then automatically removes them once the individual completes the action. The concept of Just-in-time aligns with privilege bracketing. It is dependent on PoLP, as you cannot implement Just-in-time if you do not have the principle of least privilege in place.

## PoLP example

To illustrate the principle of least privilege further, let's use another analogy. In this example, we will use the scenario of a passenger aircraft. On the aircraft, there are passengers and crew. As the flight crew needs to manage the plane's functions, including flying it from point A to point B, they have the elevated privileges required to perform their duties. For instance, the captain and pilot can access the flight controls, but the flight attendants and passengers cannot. Likewise, the flight attendants have access to the galley to prepare meals and beverages, while the passengers are confined to the cabin. This scenario illustrates the implementation of an effective PoLP strategy. It defines and restricts each individual’s role on the aircraft, limiting them to the areas and capabilities each one needs to perform their duties.

## Strategies/best practices for implementation

The principle of least privilege is a concept that is only as effective as its implementation. Therefore, organizations should consider the following best practices:

- **Conduct an audit:** Before implementing PoLP, understanding the current level of access across all your systems is vital. Conducting a privilege audit can help you identify users with privileged access and whether they need it to perform their duties.
- **Enforce the separation of privileges:** Enforcing the separation of privileges will allow you to tighten security controls and identify areas where restricted access is required.
- **Start all accounts with the least privilege:** Create all new accounts with no privileges and only add them when needed. Avoid privilege creep by removing access when users change job roles.
- **Leverage Just-in-time privileges:** Leverage Just-in-time privilege solutions to strengthen the security of your technology environment. There are very few instances where an administrator will need perpetual access.
- **Audit access:** Once you have implemented the principle of least privilege, it is vital that you continuously monitor your technology environment. Where possible, enable auditing so that you can trace individual accounts.
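The privilege bracketing, privilege separation and Just-in-time sections above describe three controls that are easy to state and easy to get wrong in code. The following Node.js module is an added example, not OneLogin's code: it gives roles no standing admin rights, grants elevation only for a bounded time, refuses role sets that combine the load and release duties of the banking example, and records every elevation for the audit step. Role names, permission strings and the payment workflow are constructed for illustration.

```javascript
// Added example (not OneLogin's code). A toy authorization layer enforcing:
//  - privilege bracketing / just-in-time elevation with an expiry,
//  - separation of duties between loading and releasing a payment,
//  - an audit trail of every elevation granted.
// Role names, permission strings and the payment objects are constructed.
const ROLE_PERMISSIONS = {
  'payments-loader': ['payment:load'],
  'payments-releaser': ['payment:release'],
  'sysadmin-eligible': [],            // may elevate, but holds no standing admin rights
};
// Pairs of permissions that must never be held by the same identity.
const SEPARATED_DUTIES = [['payment:load', 'payment:release']];

// `now` is injectable so expiry can be tested without waiting.
function makeAuthz(now = () => Date.now()) {
  const users = new Map();        // userId -> { roles: [...] }
  const elevations = new Map();   // userId -> { permission, expiresAt }
  const audit = [];               // every elevation, for later review

  function hasPermission(userId, permission) {
    const u = users.get(userId);
    if (!u) return false;
    const standing = u.roles.flatMap((r) => ROLE_PERMISSIONS[r] || []);
    if (standing.includes(permission)) return true;
    const e = elevations.get(userId);
    if (e && e.expiresAt <= now()) {          // bracket closed: drop the grant
      elevations.delete(userId);
      return false;
    }
    return Boolean(e && e.permission === permission);
  }

  return {
    addUser(userId, roles) {
      // Refuse a role set that would put both halves of a separated duty on one person.
      const perms = roles.flatMap((r) => ROLE_PERMISSIONS[r] || []);
      for (const [a, b] of SEPARATED_DUTIES) {
        if (perms.includes(a) && perms.includes(b)) {
          throw new Error(`separation of duties: ${userId} cannot hold both ${a} and ${b}`);
        }
      }
      users.set(userId, { roles });
    },
    // Just-in-time elevation: only eligible users, only for ttlMs, and always logged.
    elevate(userId, permission, ttlMs) {
      const u = users.get(userId);
      if (!u || !u.roles.includes('sysadmin-eligible')) return false;
      elevations.set(userId, { permission, expiresAt: now() + ttlMs });
      audit.push({ userId, permission, at: now(), ttlMs });
      return true;
    },
    hasPermission,
    audit,
  };
}

// The payment workflow enforces the separation a second time at the object level:
// whoever loaded a payment can never be the one who releases it.
function loadPayment(authz, userId, payment) {
  if (!authz.hasPermission(userId, 'payment:load')) return false;
  payment.loadedBy = userId;
  return true;
}

function releasePayment(authz, userId, payment) {
  if (!authz.hasPermission(userId, 'payment:release')) return false;
  if (!payment.loadedBy || payment.loadedBy === userId) return false;
  payment.released = true;
  return true;
}

module.exports = { makeAuthz, loadPayment, releasePayment };
```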


What is Serverless Computing?

Find out the pros and cons, how it works, and how secure it is.


U2F and Adaptive MFA

Universal Second Factor, or U2F, is an authentication standard that simplifies [multi-factor authentication (MFA)](https://www.onelogin.com/learn/what-is-mfa) by using physical devices as part of the user authentication workflow. After a user enters their login credentials, they simply press or tap a small device inserted in their computer’s USB port, which acts as their second factor. It’s convenient -- no driver installation required, just a supported browser. It’s also secure. U2F prevents attacks like keylogging, phishing, and man-in-the-middle.

## Where did U2F come from?

U2F was created and released by the [FIDO Alliance](https://fidoalliance.org/), in an attempt to provide a safe and easy way for internet users to log in. Google was a cofounder of the U2F group inside FIDO and now supports adding U2F as a second factor. A new set of specifications built on top of U2F, [FIDO2](https://fidoalliance.org/fido2/), was also recently released by the FIDO Alliance.

## Who supports U2F?

Many prominent websites and applications support U2F, including, but not limited to: Facebook, Bitbucket, GitHub, Gmail, and YouTube. When it comes to browsers, the following currently provide U2F support:

- Google Chrome, version 38 and above
- Mozilla Firefox, version 57 and above
- Opera, version 40 and above
- Safari, on OS version 13.5.1 and above

On iOS devices, U2F can be used via Safari, whereas on Android devices, U2F support is offered by both Google Chrome and the default Android browser.

## How do you use U2F?

The portable U2F hardware can take the form of a USB, a Bluetooth-LE, or a Near-field communication device. These devices can be used to securely log in to any website on the internet that supports the U2F protocol. Here’s how a typical two-factor authentication with U2F works:

1. The user visits a website (www.example.com), also known as the origin, that supports U2F. They open an account on the website and register their U2F device with it.
2. The device creates a pair of keys: a public key and a private key. It securely stores the private key itself and asks the website to associate the public key with the user account. This unique key pair can only be used to log in at www.example.com.
3. After the user enters their login credentials at www.example.com, the website generates a unique challenge, using the user’s public key. The challenge can only be solved using the private key stored within the U2F device.
4. Upon receiving the challenge, the U2F device signs it, using the private key for www.example.com, and sends it back to the website.
5. The website verifies the unique signature and allows the user to log in.

Remember, this five-step process may appear complicated, but it all happens behind the scenes. As far as the end user is concerned, they just have to insert the U2F device and press a button (or tap).

![U2F vs adaptive MFA](/assets/img/learn/u2f-amfa.svg)

The same U2F device can be used to register at different sites on the internet. Think of a U2F device as your personal, virtual keychain. This allows you to seamlessly and securely log in to your favorite websites.

## Can U2F be hacked?

No authentication mechanism is categorically impervious to hacking. With that said, thus far, no breaches or vulnerabilities have been reported in the U2F protocol. By design, it protects against phishing attacks. Even if a user is tricked into thinking that a fake website is real, the authentication will fail because of the public-private key mismatch. U2F is also very good at detecting man-in-the-middle (MITM) attacks. Let’s suppose someone tries to intermediate the communication between a website and a user during the authentication process. As soon as the man-in-the-middle interferes, the U2F device will stop responding because it will notice that the origin of the challenge is different from the registered one.

## What is adaptive multi-factor authentication (AMFA)?

Not all authentication requests are created equal. _Adaptive multi-factor authentication_ uses the context of a login attempt to determine in real time which authentication rules and policies to apply. AMFA uses various factors, such as consecutive login failures, level of requested access, IP address, location, device IDs, and time, to tailor a user’s login experience. MFA is then required only when a user is determined to be high-risk, for instance after multiple incorrect login attempts, a request originating from a device that is not officially registered, or a login request for a server with sensitive data after office hours. By using adaptive multi-factor authentication, companies can:

- create a much-needed balance between _user experience_ and _strong security_
- make it easy for trusted, low-risk people to log in
- make it incredibly hard for potential intruders

## How is AMFA different from MFA?

MFA protects against password-related breaches by adding another layer of security. However, making end users enroll for multi-factor authentication can sometimes be hard. And it makes sense. Waiting for and then entering a one-time password (OTP) can be a nuisance for people, especially if they have to do it multiple times a day. Users just want to browse their social media feed, read an article, or stream a TV show; they don’t see a point in adding a second authentication factor for these seemingly trivial activities. Sure, you can make MFA compulsory, but that will (often) come at the cost of customer unhappiness. Creating a fine balance between security and user experience is hard, but oh-so-important. This is where adaptive MFA can come in handy. With adaptive MFA, if the primary factor authentication for a user doesn’t look suspicious or high-risk, they often don’t have to provide a secondary factor. This enhancement of the traditional MFA approach makes life much more convenient for regular users. For example:

**Scenario 1:** Consider a scenario where a customer, say Allan, logs in to a web portal. He is on the same laptop that he has been using ever since he registered on the website. His IP puts him in the same city as always. He got the password right on the first attempt. These, along with other factors, are used to determine that it’s indeed Allan who is trying to log in, and thus the system doesn’t ask him to provide a second factor.

**Scenario 2:** Now, imagine a hacker, say Adam, gets Allan’s login credentials. When Adam tries to log in, the system realizes that the login request has come from a new device and from a different geographical location. It classifies this request as high-risk and prompts Adam to provide a second factor. Since Adam can’t comply, access is declined.

## Combining U2F and Adaptive MFA – Best of both worlds

Adaptive MFA is a win-win for both end user and service provider. The service provider is able to implement a rigorous-but-customer-friendly security policy, and the end user doesn’t have to provide secondary factors most of the time. But what if we combined U2F and adaptive MFA to form an even more customer-centric and impregnable authentication solution? On the rare occasion that a customer has to provide a second factor, all they have to do is tap or press a button on their U2F device. This is much more convenient than opening another app to retrieve a passcode or waiting for an OTP message to arrive. For the service provider, this is far more secure as well, since the device communicates directly with the browser and it’s virtually impossible to replicate the key signature.

## Final Word

U2F reduces the risk of phishing, man-in-the-middle, and other dangerous cyberattacks while simplifying two-factor authentication. Adaptive MFA doesn’t ask regular users for secondary factors, but enforces them strictly at the first sign of suspicion. Using both together makes for a simple-yet-secure login.


SAML vs. OIDC

OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) are both authentication protocols that allow identity providers (IdP) to implement user validation and access control. Each defines its own mechanism to maintain virtual identities of verified users, which are then used to grant or reject access to protected applications.

## What are OIDC and SAML?

An IdP maintains a database of user identity information. A service provider (SP) relies on this information to authenticate a user, sometimes only once for multiple applications (single sign-on). Both OIDC and SAML are standards that define just how this information is to flow between these two parties. The end goal for both is the same: user authentication. But the underlying methodology to achieve the goal is different.

## What does authentication mean?

Authentication is a process by which the identity of a user, or a process, can be validated. This is usually done to restrict access to protected applications and/or resources.

## SAML

SAML 2.0, which is the current version of the standard, has been around since 2005. It uses XML to format identity information. XML is an established information-formatting standard which encodes documents such that they are easily understandable by both humans and computers. For transferring or receiving XML-encoded information, it uses basic SOAP or HTTP requests. The service requesting identity information is defined by the SAML contract as a service provider (SP). Here’s what a typical SAML authentication flow looks like:

1. Before the SP can talk to the IdP for identity verification, the two parties must first get to know each other better. They do so by exchanging preliminary information, via metadata, which includes details like:
   - Public keys (used for encryption)
   - Supported encryption algorithms
   - Endpoint URLs (where to send SAML messages)
   - Supported connection methods, and
   - Supported XML attribute formats

   Once both the SP and the IdP know these specifics about each other, they reconfigure themselves accordingly.
2. As a user tries to log in, the SP sends an authentication request to the IdP. This request is known as a SAML AuthnRequest.
3. The IdP checks the user identity, creates an encoded SAML response, known as a SAML assertion, and sends it back to the SP.
4. The SP parses the SAML assertion XML and, based on the response, either grants or rejects user access to the application.

![How SAML works](/assets/img/learn/saml-flow.png)

## OIDC

A relatively new, but well-maintained, protocol, OIDC is built on top of the OAuth 2.0 framework. OIDC uses JSON-based web tokens (JWT) to structure data. JWT is an industry standard which defines the rules to represent and securely transfer claims between two parties. Think of claims as encrypted, sensitive user data, used to support identity management and verification. For transportation, OIDC uses default HTTPS flows.

## OIDC scopes

OIDC _scopes_ define the _claims_ (the user attributes) that an application can have access to. The IdP maintains a list of acceptable scopes, and an application can choose which to request, depending on its needs. After a user explicitly consents to sharing their details (which includes the scopes), the IdP makes the scopes available to the application. To better understand how scopes work in a typical OIDC flow, let’s consider a web application that authenticates a user based on their username and password. Post-authentication, it also sends them a sequence of welcome emails.

_(Note: OIDC supports a number of different authentication flows. Below is an example of the simplest OIDC flow, known as the implicit flow.)_

1. Just like in SAML, the Relying Party (RP) and the IdP must exchange metadata before they can start communicating. For OIDC, however, the minimum metadata exchange requirements are relatively simpler. Both parties must agree on possible scopes, the IdP must assign a secret and client ID to the RP, and the RP must share the endpoint on which it wants to receive codes and/or tokens.
2. When a user logs in to the application, the application redirects them to the IdP. It includes the client ID, along with the requested scopes, which in our case will be the user’s email address.
3. The IdP, in turn, redirects the user to the login screen.
4. Once the user’s identity has been successfully verified, they are prompted to grant the application access to their data (specified by the requested scopes).
5. If the user grants the access, the scope values are made available to the application via the preconfigured endpoint.
6. The application can now use the user's email address to send them the welcome sequence.

![How OIDC works](/assets/img/learn/oidc-flow-20210603152719.png)

## What are the differences between OIDC and SAML?

- Since SAML is an older standard, it is very hard to use it for authenticating modern application types like single-page applications (SPAs) and smartphone applications. It simply wasn’t built for them. Conversely, OIDC is ideal for such apps.
- OIDC uses JWTs, which are smaller in size and require lightweight processing. On the other hand, the XML documents used by SAML are much larger and relatively difficult to process.
- OIDC supports user consent by default. The same can be achieved with SAML, but requires extensive manual development.
- Since SAML has been around for much longer, it’s still trusted by a lot of organizations, including government entities. It’s certainly more feature-rich, but OIDC is now starting to catch up.
- OIDC is much easier to set up, especially in a consumer-centric environment, where the basic identity features are required.
## Is OIDC more secure than SAML?

OIDC was designed to be the modern replacement for SAML, as it replicated most of the fundamental SAML use cases while reducing the processing overhead caused by XML- and SOAP-based messages. Most security flaws don’t stem from intrinsic problems in either of the two standards, but instead are caused by implementation mistakes. However, it can be argued that since SAML is a lot harder to implement than OIDC, it’s also more prone to implementation errors. Moreover, there are a lot of security threats and [vulnerabilities associated with XML](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html) that must be avoided during SAML implementation, adding to the complexity. Conversely, since OIDC is based on OAuth 2.0, it incorporates a lot of the documented [threat model and security considerations](https://datatracker.ietf.org/doc/html/rfc6819). Encrypting JSON is also a lot easier than XML, which again reduces the chances of implementation errors.

## Does OIDC protect privacy better than SAML?

Via scopes, OIDC gives users the ability to choose the level of information they want to share with an application. For example, an application might ask the user to share only their email address, as opposed to their entire profile. This establishes a win-win contract between the user and the application: the application gets what it needs to improve a user’s experience, and the user gets to share only the bare minimum of personal information. Yes, this feature can be added to SAML-based systems as well, but it would require additional development, because SAML doesn’t support it out of the box.

## Does OIDC or SAML prevent phishing attacks better?

Both OIDC and SAML can be used to implement single sign-on (SSO), which reduces the need to log in multiple times and hence decreases the probability of [phishing attacks](https://www.onelogin.com/learn/6-types-password-attacks). However, just because the probability is low doesn’t mean that they can’t happen. The [Cofense Phishing Defense Center](https://cofense.com/mfa-bypass-phish-caught-oauth2-grants-access-user-data-without-password/) discovered a phishing tactic which manipulated OIDC to reveal user data, without a password, despite multi-factor authentication. Similar phishing attacks have also been carried out on [SAML implementations](https://securityboulevard.com/2018/07/owning-saml/) in the past. Once again, it’s difficult to answer whether one prevents phishing better than the other; a lot of it depends on the security considerations made during the implementation.

## Does OIDC or SAML prevent brute force attacks?

Both SAML and OIDC can be used to implement single sign-on, which means that the user only has to remember one password to log in to the identity and access management (IAM) service. That single login can also be protected by requiring users to provide an additional authentication factor. Once users are securely logged into the IAM service, they can seamlessly access all protected applications without having to enter any more passwords. This goes a long way toward preventing brute-force attacks, in which attackers repeatedly enter potential passwords in the hope of eventually getting a match. No passwords = no chance of [brute force attacks](https://www.onelogin.com/blog/brute-force-attacks)!

## When should I use OIDC vs SAML?

OIDC and SAML are both powerful authentication technologies with unique features. Which one you choose for your organization depends on your specific needs. If you:

- Want to quickly set up an identity platform, choose OIDC over SAML, without thinking twice. Implementing a basic OIDC solution is much simpler, compared to SAML, which would require heavyweight XML processing.
- Have an API-centered architecture, with a lot of mobile and single-page applications, use OIDC. It will guarantee a much more efficient and interoperable experience.
- Want to implement a mature standard, something that has been around for a long time, then choose SAML. It’s feature-rich, gets the job done, and has been a staple of enterprise networks for over a decade.


What’s the Difference Between OTP, TOTP and HOTP?

Providing secure access to applications and cloud-based software is a constant challenge for companies across all industries. Empowering users with simple but reliable security is critical to protecting user information and sensitive company data. One of the ways technology companies have counteracted password theft and other types of cyberattacks is through the use of one-time passwords (OTPs). OTP is a form of [multi-factor authentication (MFA)](/learn/what-is-mfa) designed to make it much harder for hackers to access protected information. MFA requires additional credentials beyond a simple password before the end user can gain access to an application or system. For example, an MFA that uses SMS will send the user a text with a numeric string that has to be entered before they are granted access. That code is a type of OTP.

Both B2B and B2C companies have an incentive to protect their user and company data while maintaining a great user experience (UX), which means that whatever security solution they choose, it needs to be streamlined without drastically interfering with a user’s workflow. OTP authentication is an elegant solution to both security concerns and UX. There are two types of OTP: HOTP and TOTP. We’ll get into the differences of each below. But first, let’s dig a little deeper into OTP.

### What is OTP and How Does it Work?

An OTP is like a password, but it can only be used once, hence the name one-time password. It is often used in combination with a regular password as an additional authentication mechanism providing extra security. OTPs are exactly what they sound like: one and done. Once you’ve used that password once, it’s dumped, and the next time you need to get into that application, you will use another one. Doing this increases security and makes it a lot harder for bad actors to penetrate private accounts.

Users can access an OTP for a given application or website through smartphone apps, a text message, or a proprietary token (such as a key fob). OneLogin Protect is an example of an OTP generator that you can use as an app on your phone. Any time you receive an SMS text with a code to help you get into a website or application, you’re using an OTP. There are a variety of industry-standard algorithms, such as SHA-1, that generate OTPs. All of these algorithms use two inputs to generate the OTP code: a **seed** and a **moving factor**. The seed is a static value (secret key) that’s created when you establish a new account on the authentication server. While the seed doesn’t change, the moving factor does each time a new OTP is requested. How the moving factor is generated is the big differentiator between HOTP and TOTP.

### What is HOTP?

The “H” in HOTP stands for Hash-based Message Authentication Code (HMAC). Put in layman’s terms, the HMAC-based One-time Password algorithm (HOTP) is an event-based OTP where the moving factor in each code is based on a counter. Each time the HOTP is requested and validated, the moving factor is incremented based on a counter. The code that’s generated is valid until you actively request another one and it’s validated by the authentication server. The OTP generator and the server are synced each time the code is validated and the user gains access. Yubico’s YubiKey is an example of an OTP generator that uses HOTP.

### What is TOTP?

Time-based One-time Password (TOTP) is a time-based OTP. The seed for TOTP is static, just like in HOTP, but the moving factor in a TOTP is time-based rather than counter-based. The amount of time in which each password is valid is called a **timestep**. As a rule, timesteps tend to be 30 seconds or 60 seconds in length. If you haven’t used your password within that window, it will no longer be valid, and you’ll need to request a new one to gain access to your application.

### Limitations and Advantages

While both are far more secure than not using MFA at all, there are limitations and advantages to both HOTP and TOTP. TOTP (the newer of the two technologies) is easy to use and implement, but the time-based element does have a potential for time drift (the lag between the password creation and use). If the user doesn’t enter the TOTP right away, there’s a chance it will expire before they do. So the server has to account for that and make it easy for the user to try again without automatically locking them out. Since HOTP doesn’t have the time-based limitation, it’s a little more user-friendly, but may be more susceptible to brute-force attacks. That’s because of a potentially longer window in which the HOTP is valid. Some forms of HOTP have accounted for this vulnerability by adding a time-based component to their code, somewhat blurring the lines between these two types of OTP.

### A Final Word

Regardless of which type of OTP you use, choosing an [OTP generator](/product/one-time-password) like an authenticator app or key fob is a safer way to use MFA than the SMS texting options. Scammers have found creative ways to intercept these SMS codes, whether it’s through SIM card fraud or some other type of hack that helps them gain access to your texts. While SMS-based MFA might be better than no MFA at all, it’s a lot less secure than having an authenticator app on your phone or using a key fob code generator.


What is User Provisioning and Deprovisioning?

User provisioning and deprovisioning is the process of creating, updating and deleting user accounts in multiple applications and systems. This access management practice can sometimes include associated information, such as user entitlements, group memberships and even the groups themselves. Many organizations have moved to automated user provisioning, which is the systematic creation and management of user data relative to users’ ability to access resources, such as applications, that are available in one or more systems. Accessible systems can be on-premises, cloud-based, or a hybrid of the two.

### User provisioning and deprovisioning key benefits

Automated user provisioning is one of the main features of many identity and access management (IAM) solutions. Provisioning comes into play when an employee joins an organization, moves to a different department or division, or exits a company. This is known as the joiner/mover/leaver (JML) process. By integrating an IAM solution directly with HR and personnel systems, you connect the process of creating/updating/deleting user accounts with HR actions. Actions that result in changes to HR data, such as those related to employee onboarding and offboarding, can automatically result in changes to permissions for accessing systems and applications tied to corresponding employee accounts.

User provisioning and deprovisioning provide the following key benefits:

- **Easily onboard and offboard employees**: Create and maintain employees’ user attributes, such as usernames, roles, and profiles, and automatically assign access permissions and user accounts based on predefined roles and flexible entitlement rules.
- **Streamline user management across applications**: Automatically import users from Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and other apps. Provisioning enables you to continuously propagate user profiles to ensure that your systems have the latest updates.
- **Increase security and reduce cost**: Use HR-Driven Identity Management (IM) to prevent former employees from having continued online access, and to eliminate the possibility of zombie accounts sitting idle and at risk of being compromised.

### How do provisioning and deprovisioning work?

In a basic automated provisioning workflow, you add users to apps based on specific [user roles](https://onelogin.service-now.com/kb_view_customer.do?sysparm_article=KB0010606). Whenever a user is assigned a role, that user is automatically created in the associated app and granted access permissions. In the diagram below, once a new user is provisioned, that user is added to the Sales role, and is therefore granted access to the apps associated with that role. In this example, the provisioned user can access Salesforce, Office 365, and G Suite.

When it's time to deprovision former employees from apps, you want a solution that lets you simply change the user’s status, so that the user's accounts in all apps will be deleted or suspended, depending on the configuration preferences that you set. Expanding on our example in the diagram, after deprovisioning the user, the apps associated with the employee’s role would no longer be accessible by the user.

### How do user provisioning and deprovisioning make companies more secure?

The risk of costly security breaches for companies that fail to provision and deprovision, properly or quickly, is huge: the average cost of a data breach is $148 per record and $7.91 million per breach in the U.S. As a result, breached companies often underperform the market for years following a major breach, and 60% of small businesses fold within six months of a successful attack. Automated user provisioning helps keep your company secure by ensuring employees have access only to the apps they need. Automated user deprovisioning helps keep your company secure by ensuring that whenever an employee leaves, their access is automatically removed for all connected applications. In addition, all existing user sessions are removed to reduce security risk.


Be Sure Your Zero Trust Plan Gives Complete Coverage

So, you’re moving to a Zero Trust security plan. You know the principles of Zero Trust. Great. But you also need to ensure your Zero Trust plan covers all the bases. That means three areas: what your plan covers, when, and where. ### What do your Zero Trust protocols cover? Your Zero Trust plan needs to ensure you’re managing access to and from every type of entity. That means access management from: - All devices—That means computers, including desktops and laptops, but also mobile phones and other mobile devices. - All users—Employees, contractors, vendors, and customers. - To all types of data and applications—Your Zero Trust plan needs to manage access to your cloud applications and data as well as on-prem ones. It needs to handle databases, servers, software, and everything that could put your company at risk. ### When is your access plan applied? Key to Zero Trust is the idea that you don’t trust access attempts inside the organization any more than those coming from outside of it. So, when users inside the firewall try to access an application, you manage them largely like you would those outside the firewall. In addition, Zero Trust doesn’t make exceptions. Your high-security requirements apply whenever someone attempts to access an application or data. When pretty much means always. ### Where do you enforce Zero Trust? Traditional security methods are focused on the endpoints where cyber criminals initiate their attacks. Zero Trust applies everywhere: - Data access points - Cloud applications - On-prem and legacy apps - Ideally, the desktop, laptop, or phone—so that even the device login is protected ### The tools for Zero Trust Identity and access management tools, such as Single Sign-On (SSO) and, Multi-Factor Authentication (MFA), can help you address the what, when, and where. SSO improves both security and ease-of-use, eliminating passwords and using a vetted trust relationship for safe authorization. 
MFA adds an important level of security by requesting additional data from users to verify they are who they say they are. Add to this a good identity management system that provides role-based access control and easy provisioning capabilities; a system to protect devices through SSO; and, preferably, risk-based authentication that accounts for contextual information such as the user’s location, IP address, and login time to create user profiles and challenge risky login attempts. These tools, on top of a secure infrastructure with micro-segmentation, will help you implement Zero Trust security in a way that isn’t burdensome to users.
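The risk-based authentication described above (location, IP address and login time turned into a user profile that challenges risky attempts), as an added example that is not OneLogin's code; the signal weights, thresholds and every sample login are assumptions made for illustration.

```python
"""Risk-based authentication decision, added here as an example (not OneLogin code).

A per-user profile is learned from past successful logins (countries, /24 IP
prefixes and login hours, the signals named above); a new attempt is scored
against it and either allowed, challenged with MFA, or denied. All accounts,
addresses and timestamps below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_network

# Weights and thresholds are assumptions for illustration, not vendor defaults.
WEIGHT_NEW_COUNTRY = 50
WEIGHT_NEW_PREFIX = 20
WEIGHT_UNUSUAL_HOUR = 30
DENY_AT = 80
CHALLENGE_AT = 30


@dataclass
class LoginEvent:
    ip: str
    country: str        # e.g. from a GeoIP lookup of ip
    when: datetime


@dataclass
class UserProfile:
    """What 'normal' looks like for one user, learned from successful logins."""
    countries: Counter = field(default_factory=Counter)
    prefixes: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)

    def learn(self, ev: LoginEvent) -> None:
        self.countries[ev.country] += 1
        self.prefixes[ip_prefix(ev.ip)] += 1
        self.hours[ev.when.hour] += 1


def ip_prefix(ip: str) -> str:
    """Collapse an address to its /24 so a DHCP change at home does not look new."""
    return str(ip_network(f"{ip}/24", strict=False))


def risk_score(profile: UserProfile, ev: LoginEvent) -> int:
    score = 0
    if ev.country not in profile.countries:
        score += WEIGHT_NEW_COUNTRY
    if ip_prefix(ev.ip) not in profile.prefixes:
        score += WEIGHT_NEW_PREFIX
    # An hour counts as usual if it is within one hour of any hour seen before
    # (wrapping around midnight). An empty profile makes every hour unusual.
    usual = any(min((ev.when.hour - h) % 24, (h - ev.when.hour) % 24) <= 1
                for h in profile.hours)
    if not usual:
        score += WEIGHT_UNUSUAL_HOUR
    return score


def decide(profile: UserProfile, ev: LoginEvent) -> str:
    """Return 'allow', 'challenge_mfa' or 'deny' for a login attempt."""
    score = risk_score(profile, ev)
    if score >= DENY_AT:
        return "deny"
    if score >= CHALLENGE_AT:
        return "challenge_mfa"
    return "allow"


def at(day: int, hour: int) -> datetime:
    """Constructed timestamp helper: a day in June 2021 at the given hour."""
    return datetime(2021, 6, day, hour)


def sample_profile() -> UserProfile:
    """Constructed history: office-hours logins from 203.0.113.0/24 in the US."""
    profile = UserProfile()
    for day in range(1, 11):
        for hour in (9, 13, 17):
            profile.learn(LoginEvent(f"203.0.113.{day}", "US", at(day, hour)))
    return profile
```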


Zero Trust Security

## What is Zero Trust?

Zero Trust means that organizations should not automatically trust anything or anyone trying to access their network, machines, IP addresses, etc. Rather, they should treat every user and every device as a threat and verify their access level before actually granting access.

## The Four Core Principles of Zero Trust Security

Zero Trust relies on four key principles to secure the enterprise IT environment:

**1. Never Trust, Always Verify**

The idea of “never trust, always verify” means you should never trust that users are who they say they are. Instead, you should always verify their identity and access level. This increases the chances that you can stop a cybercriminal or malicious program before they access the organization’s sensitive information or cause other kinds of damage.

**2. Threats Come from Inside and Outside**

Traditional IT security focuses on protecting the organization from external threats to the network, applications, or devices. It assumes that insiders are “safe,” and therefore rarely considers them as threat sources. Recent surveys show that such thinking is inadequate, and even downright dangerous. In fact, between [2018 and 2020](https://www.proofpoint.com/us/resources/threat-reports/2020-cost-of-insider-threats), the number of insider incidents increased by 47%, proving that the risk from internal threats is also serious and on the rise. That’s why you must also acknowledge and deal with insider threats. And this is exactly what Zero Trust does.

**3. Use Micro-Segmentation**

Micro-segmentation is a method to create network segments or “micro-perimeters” around specific assets. This reduces the attack surface and enables enterprise IT security teams to implement granular policy controls. The goal is to restrict the lateral movement of attackers and thus protect the organization from breaches.

**4. Principle of Least Privilege (PoLP)**

According to the “[Principle of Least Privilege](https://www.onelogin.com/learn/least-privilege-polp)” or PoLP, any user, device, workload, or process is only given the bare minimum privileges it needs to perform its intended function. This protects enterprise assets from unauthorized users, both internal and external.

## Why Do I Need Zero Trust Security?

Between Q1 and Q2 2021, the number of data breaches [increased by 38%](https://www.idtheftcenter.org/data-breaches-are-up-38-percent-in-q2-2021-the-identity-theft-resource-center-predicts-a-new-all-time-high-by-years-end/). In 2021, the [average cost of a data breach](https://www.ibm.com/security/data-breach) was $4.24 million, compared to $3.86 million in 2020. Further, by 2025, damages due to cybercrime are estimated to [exceed $10.5 trillion](https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/). To manage such threats, IT security investments have increased. And yet, [78% of IT security leaders](https://finance.yahoo.com/news/78-lack-confidence-company-cybersecurity-153000182.html?guccounter=1) believe that their organizations are not sufficiently protected against cyberattacks.

To address this challenge, many enterprises are adopting the Zero Trust security model. The traditional trust model assumes that everything inside the organization’s network can be trusted. Zero Trust security is radically different. It recognizes that “trust” equals “vulnerability.” To secure your organization’s network from threat actors, you must completely eliminate this vulnerability. And that’s why you need Zero Trust security.

## What is Zero Trust Architecture?

According to the [National Institute of Standards and Technology (NIST)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf), Zero Trust Architecture (ZTA) is an enterprise cybersecurity architecture based on zero trust principles, designed to prevent data breaches and limit internal lateral movement. ZTA aims to strengthen an organization’s cybersecurity and protect its assets from threats. It acknowledges that threats exist both inside and outside the traditional network perimeter and assumes that security breaches are inevitable. More importantly, it allows users to access only what they need to perform their jobs. Finally, it identifies anomalous or potentially malicious activities to prevent cyberattacks from spreading across the network.

## President Biden’s Executive Order on National Cybersecurity and ZTA

In May 2021, President Joe Biden signed the [Executive Order on Improving the Nation’s Cybersecurity](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/). This presidential executive order (EO) mandates all government agencies to adopt ZTA in a planned and coordinated manner. Malicious cyber campaigns threaten both the public and private sectors of the United States. The EO recognizes this and encourages the adoption of ZTA by agencies and federal contractors to identify, detect, deter, and protect against such threats.

The federal government contracts with Information Technology (IT) and Operational Technology (OT) service providers to carry out several day-to-day functions on Federal Information Systems. Following this EO, all contracts between the government and federal contractors, including commercial off-the-shelf software providers, will likely include new built-in cybersecurity practices, such as ZTA. Under the EO, NIST will publish guidelines for software supply chain security. These initiatives apply only to federal contractors. However, the private sector also may be expected to implement ZTA and other security measures in the future. That’s why all companies must pay attention to these guidelines and use them to improve their cybersecurity readiness.

## Zero Trust and Remote Work

Remote work has become the new normal for thousands of organizations in a post-COVID world. However, this new model also creates serious cybersecurity challenges. When people work from home, they often use insecure home devices, remote channels, and collaboration tools. Cybercriminals take advantage of these weaknesses to attack organizations and steal their data. Between February and May 2020, hackers stole the personal data of [more than 500,000 video conferencing users](https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html) and sold it on the dark web. Since the start of the pandemic, ransomware attacks have increased by [nearly 500%](https://theconversation.com/the-increase-in-ransomware-attacks-during-the-covid-19-pandemic-may-lead-to-a-new-internet-162490). COVID-themed phishing attacks have also increased. At one point, such attacks [soared by 220%](https://www.f5.com/company/news/features/phishing-attacks-soar-220--during-covid-19-peak-as-cybercriminal) during the pandemic’s peak in 2020.

Many organizations have implemented a [Virtual Private Network (VPN)](https://en.wikipedia.org/wiki/Virtual_private_network). A VPN enables remote workers to access the network assets and data they need to do their work. However, a VPN can compromise a company’s cybersecurity:

- A VPN cannot completely protect enterprise networks, data, or employees from malware, hackers, or security breaches.
- VPNs also cannot create or enforce policies to protect credentials, such as passwords. If third-party vendors have access to an organization’s network or data, malicious hackers can exploit weak VPN protocols to cause data breaches.
- Even one compromised remote worker using the VPN can open the door to a cyberattack. As more remote workers use a VPN, the risk of cyberattacks also increases.

To minimize this risk, Zero Trust architecture is essential. With a VPN, users can usually access large parts of the enterprise infrastructure. But with ZTA, they can only access the assets and applications they need to perform their function. In a ZTA, devices are also constantly monitored, so only authorized devices can access the corporate network. As an added security measure, all access attempts by users and devices are tracked. Thus, ZTA provides stronger, more reliable security than a VPN.

## Does Zero Trust Protect against Hacking?

ZTA eliminates the element of trust. It confirms user identities every single time, limits which users and devices can access corporate resources, and creates smaller zones within the larger network. These principles are extremely important because if there is a breach, you can minimize the possible attack surface. You also can limit lateral movement within the network. This enables you to prevent the spread of malware across the network and limit the impact of a data breach. For full all-round security, you should implement:

- Zero Trust Network Access
- Zero Trust Application Access
- Zero Trust Data Access

Industries such as oil and gas, utilities, and energy have been slower to upgrade their cybersecurity infrastructure. They tend to use a mix of legacy and modern equipment, which makes them harder to secure. Further, they often lack updated and robust security controls to protect passwords, VPNs, etc., and struggle to effectively identify, isolate, and address cyber threats. A good example demonstrating these shortcomings in industrial operations is the [Colonial Pipeline ransomware attack](https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password). In May 2021, hackers breached Colonial Pipeline’s IT network using a VPN and a single set of stolen credentials from a trusted insider. However, a ZTA might have prevented this attack, which is why Zero Trust is especially crucial for these industries. ZTA treats the identity of each machine, application, and user as an independent perimeter. This enables such organizations to secure their assets and prevent cyberattacks from spreading.

## How to Implement a Comprehensive Zero Trust Architecture

To simplify ZTA implementation, the following tools are crucial:

**Single Sign-On**

[Single Sign-On (SSO)](https://www.onelogin.com/blog/what-is-single-sign-on) enables users to access all accounts and apps with a single set of credentials. SSO increases security by getting rid of passwords, while increasing usability and employee satisfaction.

**Multi-Factor Authentication**

[Multi-Factor Authentication (MFA)](https://www.onelogin.com/learn/what-is-mfa) is a critical [Identity and Access Management (IAM)](https://www.onelogin.com/learn/iam) tool that every organization should use to protect their critical IT assets. Unlike password-only systems, MFA requires users to present additional factors to access an account or app. For example, they may be required to provide a PIN or biometrics, in addition to a username and password. This ensures that only the right person can access the right applications or accounts. Ideally, try to combine MFA with SSO. Otherwise, your users will have to go through more steps to log into a system. This can be a painful and frustrating experience, especially when users must log in several times a day.

**Fast Provisioning Systems**

When you move to Zero Trust, you will need a way to quickly provision and deprovision users. By implementing least-privilege access, you might have to make exceptions regularly. So, if your current provisioning system is time-consuming, things are only going to get more complex when you move to Zero Trust. For hassle-free ZTA, make sure you implement a [fast provisioning system](https://www.onelogin.com/product/user-provisioning).

**Device Protection**

Any user device or “endpoint” is both the focal point of attack and the first line of defense. So, always look for [device protection](https://www.onelogin.com/blog/safeguarding-company-laptops-here-s-what-you-need-to-know) tools that protect and monitor devices, so you can offset the danger at the source.

**Adaptive Access Control**

Adaptive Access Control continuously monitors user behaviors and updates access privileges in real time. It also implements User and Entity Behavior Analytics to assess user risk based on their activity. Through continuous trust evaluation, Adaptive Access Control adjusts the trust level of users to adjust their access and thus mitigate risk.

**Security Ratings Platform**

With a Security Ratings Platform, you can continuously scan your environment for new risks. The platform and its ratings system provide visibility into all access points and create a more complete risk picture. It also generates prioritized alerts with remediation suggestions, so your security team can take immediate action to enhance the organization’s security posture.

**Security Information and Event Management**

Security Information and Event Management (SIEM) should be an essential part of your Zero Trust strategy. A SIEM platform aggregates multiple data sources and alerts from across the enterprise IT infrastructure. It analyzes this activity to identify suspicious behaviors and also generates automatic notifications of security events.

**Security Orchestration, Automation, and Response**

Like SIEM, Security Orchestration, Automation, and Response (SOAR) also enables you to collect data about security threats. Further, it investigates threats, and automates incident response and remediation. Thanks to its automation capabilities, SOAR can reduce the time required to qualify and investigate threats and reduces the Mean Time to Repair (MTTR), a “failure metric” that indicates the average time it takes to repair and restore a system to functionality after a failure is detected.

## Conclusion

As cyberattacks against organizations become more common, the traditional “trust but verify” view of network security is no longer appropriate or adequate. Security teams should know that implicitly trusting users and endpoints places their organization at risk from malicious attackers, unauthorized users, careless insiders, and compromised accounts. To secure the organization, a Zero Trust model is vital. This model’s “never trust, always verify” approach, as well as its principle of least privilege, provide better protection against the expanding cyberthreat landscape. With Zero Trust, organizations can implement better access control, protect their assets, contain breaches, and minimize the potential for damage.


SAML Explained in Plain English

SAML is an acronym for the Security Assertion Markup Language. Its primary role in online security is that it enables you to access multiple web applications using one set of login credentials. It works by passing authentication information in a particular format between two parties, usually an identity provider (IdP) and a web application.

## What SAML is and how it works

SAML is an open standard used for authentication. Based upon the Extensible Markup Language (XML) format, web applications use SAML to transfer authentication data between two parties - the identity provider (IdP) and the service provider (SP).

The technology industry created SAML to simplify the authentication process where users needed to access multiple, independent web applications across domains. Prior to SAML, single sign-on (SSO) was achievable but relied on cookies that were only viable within the same domain. SAML achieves this objective by centralizing user authentication with an identity provider. Web applications can then leverage SAML via the identity provider to grant access to their users.

This SAML authentication approach means users do not need to remember multiple usernames and passwords. It also benefits service providers as it increases the security of their own platform, primarily by avoiding the need to store (often weak and insecure) passwords and not having to address forgotten password issues.

### SAML benefits

Due to its many benefits, SAML is a widely adopted enterprise solution. First, it improves the user experience as you only need to sign in once to access multiple web applications. Not only does this speed up the authentication process, but it also means you only need to remember one set of credentials. The organization also benefits from this feature as it means fewer Help Desk calls for password resets.

In addition to improving the user experience, SAML also offers increased security. Since the identity provider stores all login information, the service provider does not need to store any user credentials on their system. Furthermore, as the identity provider specializes in providing secure SAML authentication, they have the economies of scale to invest time and resources in implementing multiple layers of security. For example, IdPs have comprehensive identity security solutions that include built-in features such as multi-factor authentication (MFA) that protect against common password attacks.

### How does SAML work?

SAML works by exchanging user information, such as logins, authentication state, identifiers, and other relevant attributes between the identity and service provider. As a result, it simplifies and secures the authentication process as the user only needs to log in once with a single set of authentication credentials. So, when the user tries to access a site, the identity provider passes the SAML authentication to the service provider, who then grants the user entry.

Let's illustrate this concept with a real-world analogy. Organizations often need to confirm your identity before granting you access. A good case is the airline industry. Before you board an aircraft, the airline needs to confirm you are who you say you are to ensure the security of other passengers. So, they verify your identity with some form of government-issued picture identification. Once they confirm that the name on your identification matches the name on your airline ticket, they then allow you to board the aircraft.

In the example above, the government is the identity provider, and the airline is the service provider. Your government-issued identification is the SAML assertion. When you apply for a government ID, you usually need to complete a form, have your picture taken, and in some circumstances, your fingerprints as well. The government (identity provider) then stores these identifying attributes in their database and issues you with a physical ID associated with your identity. In the airline example, when you arrive at the gate, the airline (service provider) checks your ID (SAML assertion). The airline accepts your ID as it contains your details, and the identity card or passport passes scrutiny as a valid document. After successful authentication, the airline then allows you to board the aircraft.

### What is SAML SSO?

SAML Single Sign-On is a mechanism that leverages SAML to allow users to log on to multiple web applications after logging into the identity provider. As the user only has to log in once, SAML SSO provides a faster, seamless user experience.

SAML SSO is easy to use and more secure from a user perspective as they only need to remember one set of user credentials. It also provides fast and seamless access to a site as the applications they access do not each prompt them to enter a username and password. Instead, the user logs into the identity provider and then accesses the relevant web application by clicking on its icon or navigating to the site via its URL.

SAML SSO also offers other benefits in addition to an enhanced user experience. It improves productivity for both the user and the Help Desk. Users do not need to waste time logging into multiple web applications with a unique set of credentials for each one. Consequently, they do not inundate the Help Desk with password reset requests, freeing the service team to attend to other service-related issues.

In addition to increased user satisfaction and improved productivity, SAML SSO also helps reduce costs. For example, Help Desks need to manage fewer calls. Instead of building a local authentication implementation for their solution, service providers can subscribe to an identity provider, reducing the labor cost of building and maintaining it internally.

### How does OAuth compare to SAML?

OAuth and SAML are both protocols we use for allowing access. However, the primary difference between the two is that we use SAML for authentication and OAuth for authorization. If we revisit the airline analogy, the passenger's ID is the SAML assertion, and the ticket is the OAuth token. The airline uses the ID to verify the passenger’s identity before allowing them to board the aircraft. However, once the passengers are on the plane, the flight attendants use the ticket to confirm the passengers' status and entitlement. For example, they may have a first-class ticket giving them access to seats and amenities not accessible by passengers in economy.

### SAML example

SAML uses a claims-based authentication workflow. First, when a user tries to access a site, the service provider asks the identity provider to authenticate the user. Then, the service provider uses the SAML assertion issued by the identity provider to grant the user access. Let's illustrate the workflow with an example.

1. The user opens their browser and navigates to the service provider's web application, which uses an identity provider for authentication.
2. The web application responds with a SAML request.
3. The browser passes the SAML request to the identity provider.
4. The identity provider parses the SAML request.
5. The identity provider authenticates the user by prompting for a username and password or some other authentication factor. NOTE: The identity provider will skip this step if the user is already authenticated.
6. The identity provider generates the SAML response and returns it to the user's browser.
7. The browser sends the generated SAML response to the service provider's web application, which verifies it.
8. If the verification succeeds, the web application grants the user access.

### SAML tutorial

OneLogin offers several [SAML toolkits](https://developers.onelogin.com/saml) developers can use to enable SSO for their app via an identity provider that offers SAML authentication. In addition, it provides resources on how to add your app to the OneLogin catalog, code your app to provide your users with SSO via OneLogin, as well as helpful best practices and FAQs.

The OneLogin SAML Toolkit also offers online tools at https://www.samltool.com. For example, you can obtain a self-signed X.509 certificate you can use in a test environment. In addition, since SAML messages are Base64-encoded, the OneLogin toolkit resources offer an online service where you can encode and decode XML to Base64 and vice versa. The toolkit also supplies resources for encrypting nodes from XML, signing AuthnRequests, and validating your XML against the SAML XSD schema.

In addition to the certificate support and XML encoding, decoding, signing, and validation services, the OneLogin SAML online tools also provide other helpful development resources. For example, you can build the XML metadata of a SAML identity provider. It also provides a tool that extracts the NameID and other relevant attributes from the assertion of a SAML response. Finally, the OneLogin SAML online tools also offer a service that converts an XML or SAML message into a human-readable format.
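The eight-step SAML exchange above, together with the Base64 encoding of SAML messages, as an added example written for this page (it is not OneLogin's toolkit code): the SP builds an AuthnRequest and encodes it for the HTTP-Redirect binding, the IdP issues a Response, and the SP checks the assertion before extracting the NameID. Entity IDs, URLs, the user and all timestamps are constructed; XML-DSig signature verification is assumed to be done by a library such as xmlsec before `validate_response()` runs.

```python
"""SAML 2.0 Web Browser SSO round trip, added as an example (not OneLogin code).

Step 2: the SP builds an AuthnRequest. Step 3: it is sent with the
HTTP-Redirect binding (raw DEFLATE, then Base64, then URL-encoding; the
HTTP-POST binding uses plain Base64). Step 6: the IdP issues a Response with an
Assertion. Step 7: the SP verifies it before granting access in step 8.
Signature verification is left to an XML-DSig library such as xmlsec;
validate_response() assumes the signature was already checked.
"""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.com/metadata"    # constructed
IDP_ENTITY_ID = "https://idp.example.com/metadata"  # constructed
ACS_URL = "https://sp.example.com/saml/acs"          # constructed


class SamlValidationError(Exception):
    pass


def utc(year, month, day, hour, minute):
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _ts(dt):  # SAML dateTime values are UTC with a trailing Z
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id, now):
    """Step 2: the SP's request; request_id must be remembered for step 7."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{_ts(now)}" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def encode_redirect(xml):
    """Step 3: value of the SAMLRequest query parameter (HTTP-Redirect binding)."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    raw = deflater.compress(xml.encode()) + deflater.flush()
    return quote(base64.b64encode(raw).decode(), safe="")


def decode_redirect(param):
    """Step 4: the IdP reverses the encoding before parsing the request."""
    return zlib.decompress(base64.b64decode(unquote(param)), -15).decode()


def build_response(in_response_to, name_id, now, lifetime_minutes=5):
    """Step 6: the IdP's Response, bound to the request via InResponseTo."""
    expires = now + timedelta(minutes=lifetime_minutes)
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}" '
        f'InResponseTo="{in_response_to}" Destination="{ACS_URL}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{_ts(expires)}">'
        f"<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )


def validate_response(xml, expected_request_id, now):
    """Step 7: return the asserted NameID, or raise SamlValidationError."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlValidationError("not a samlp:Response")
    # Tie the response to the request this SP sent: rejects replayed or unsolicited responses.
    if root.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("InResponseTo does not match our AuthnRequest ID")
    if root.get("Destination") != ACS_URL:
        raise SamlValidationError("Destination is not our ACS URL")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise SamlValidationError("IdP did not report success")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        raise SamlValidationError("no Assertion")
    if assertion.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise SamlValidationError("assertion issued by an unknown IdP")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise SamlValidationError("no Conditions")
    if now < _parse_ts(cond.get("NotBefore")) or now >= _parse_ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        raise SamlValidationError("assertion was issued for a different SP")
    name_id = assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not name_id:
        raise SamlValidationError("no NameID")
    return name_id
```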


Is Your Enterprise Password Manager Good Enough?

An enterprise password manager or password vault is often the first step that companies take as they try to wrangle passwords and make them secure while also ensuring ease-of-use for employees. But not all enterprise password managers are the same. Here are the features that any such tool should have and extras that only some tools have but that your business might need.

### The basic enterprise password manager

Any of the main enterprise password managers on the market does the basic task of storing user passwords in a secure password database, usually in the cloud. Quality password managers encrypt the data securely using ciphers like AES-256. Most of these tools also have built-in random password generators, making it easy to create secure passwords.

When picking a business password vault, you’ll want to make sure you choose a tool that supports employee access across devices and syncs across them. That’s because employees typically use their phones as well as work machines, and may also use personal laptops. The top enterprise password managers will support all the common browsers and mobile operating systems.

Now, for the extras.

### Enterprise password managers: extra security options

Two items to look for in a password manager are the ability for automatic password resets and the ability to enforce password rules through the tool. Both will aid in security while also avoiding the burden on IT or your helpdesk.

For security, it’s important that the enterprise password manager supports two-factor or multi-factor authentication (MFA). A password manager is a good first step in improving password security. But it’s rarely enough by itself. Password managers have been hacked, and various types of attacks can still intercept and capture the password being entered. Make sure the enterprise password vault works with your MFA solution (or includes MFA) to require that users provide additional authentication factors when logging in, such as a PIN from a phone app, a fingerprint, or facial recognition.

### Enterprise password managers: usability extras

For the enterprise password manager to work, employees have to use it. For them to use it, it has to be easy. Look for these capabilities:

- **Fill-in web forms**—Most enterprise password managers include the ability to detect a website and automatically fetch and fill in the login dialog for it. They don’t all do a great job or detect all sites equally well, though.
- **App passwords**—Websites aren’t enough. Employees don’t distinguish between a website and an app—they are all just tools to get the job done. Not all password managers support apps. Look for ones that do. It’ll cut down on employee complaints and increase adoption.
- **On-prem application support**—Even fewer enterprise password managers support on-prem applications. But, again, users don’t make a big distinction between web and on-prem systems. They just want to quickly log in and get their work done. A password manager that doesn’t support your on-prem apps is only a partial solution to the password problem.

### What you probably won’t find in enterprise password managers

Enterprise password managers may provide some basic reports, but they rarely provide the kind of auditing tools needed for compliance with standards like PCI or SOX. They won’t give you the information you need to identify attack attempts, either.

Enterprise password managers offer only basic synchronization with directories like Active Directory (AD). If you’re looking to implement security policies based on role, location, etc. with granular permissions using identity and access management (IAM), you’ll need a true single sign-on (SSO) system instead of a password manager. Similarly, if you onboard and offboard through AD, Workday, or other directories—or even multiple directories as in many organizations—a password manager is likely to prove unwieldy and become just another system you have to maintain.

The right enterprise password manager can be a good first step to increase security for your company. But to maintain password security and keep employees happy, you’ll probably want to move to an IAM solution with SSO. That will enable users to log in just once and then easily access all their work websites and apps—whether cloud-based or on-prem—without having to log in again. It means truly using just one password. And an IAM solution with SSO will integrate with your directories to provide the granular level of permissions and control that is the reason you use a directory like AD in the first place.

So, consider an enterprise password manager as a first step on the path to greater security, but don’t expect it to be your last.


6 Types of Password Attacks & How to Stop Them

Password attacks are one of the most common forms of corporate and personal data breach. A password attack is simply when a hacker tries to steal your password. In 2020, 81% of data breaches were due to compromised credentials. Because passwords can only contain so many letters and numbers, [passwords are becoming less safe](/resource-center/infographics/poor-password-management-us). Hackers know that many passwords are poorly designed, so password attacks will remain a method of attack as long as passwords are being used. Protect yourself from password attacks with the information below.

## 1. Phishing

Phishing is when a hacker posing as a trustworthy party sends you a fraudulent email, hoping you will reveal your personal information voluntarily. Sometimes they lead you to fake "reset your password" screens; other times, the links install malicious code on your device. We highlight several examples on the OneLogin blog. Here are a few examples of phishing:

- **Regular phishing.** You get an email from what looks like goodwebsite.com asking you to reset your password, but you didn't read closely and it's actually goodwobsite.com. You "reset your password" and the hacker steals your credentials.
- **Spear phishing.** A hacker targets you specifically with an email that appears to be from a friend, colleague, or associate. It has a brief, generic blurb ("Check out the invoice I attached and let me know if it makes sense.") and hopes you click on the malicious attachment.
- **Smishing and vishing.** You receive a text message (SMS phishing, or smishing) or phone call (voice phishing, or vishing) from a hacker who informs you that your account has been frozen or that fraud has been detected. You enter your account information and the hacker steals it.
- **Whaling.** You or your organization receive an email purportedly from a senior figure in your company. You don't do your homework on the email's veracity and send sensitive information to a hacker.

To avoid phishing attacks, follow these steps:

- **Check who sent the email**: look at the From: line in every email to ensure that the person they claim to be matches the email address you're expecting.
- **Double check with the source**: when in doubt, contact the person the email is from and ensure that they were the sender.
- **Check in with your IT team**: your organization's IT department can often tell you if the email you received is legitimate.

## 2. Man-in-the-middle attack

Man-in-the-middle (MitM) attacks are when a hacker or compromised system sits in between two uncompromised people or systems and deciphers the information they're passing to each other, including passwords. If Alice and Bob are passing notes in class, but Jeremy has to relay those notes, Jeremy has the opportunity to be the man in the middle. Similarly, in 2017, Equifax removed its apps from the App Store and Google Play store because they were passing sensitive data over insecure channels where hackers could have stolen customer information.

To help prevent man-in-the-middle attacks:

- **Enable encryption on your router.** If your modem and router can be accessed by anyone off the street, they can use "sniffer" technology to see the information that is passed through it.
- **Use strong credentials and two-factor authentication.** Many router credentials are never changed from the default username and password. If a hacker gets access to your router administration, they can redirect all your traffic to their hacked servers.
- **Use a VPN.** A secure virtual private network (VPN) will help prevent man-in-the-middle attacks by ensuring that all the servers you send data to are trusted.

## 3. Brute force attack

If a password is equivalent to using a key to open a door, a brute force attack is using a battering ram. A hacker can try 2.18 trillion password/username combinations in 22 seconds, and if your password is simple, your account could be in the crosshairs.

To help prevent brute force attacks:

- **Use a complex password.** The difference between an all-lowercase, all-alphabetic, six-character password and a mixed-case, mixed-character, ten-character password is enormous. As your password's complexity increases, the chance of a successful brute force attack decreases.
- **Enable and configure remote access.** Ask your IT department if your company uses remote access management. An access management tool like [OneLogin](/product/onelogin-access) will mitigate the risk of a brute-force attack.
- **Require multi-factor authentication.** If multi-factor authentication (MFA) is enabled on your account, a potential hacker can only send a request to your second factor for access to your account. Hackers likely won't have access to your mobile device or thumbprint, which means they'll be locked out of your account.

## 4. Dictionary attack

Dictionary attacks, a type of brute force attack, rely on our habit of picking "basic" words as our password, the most common of which hackers have collated into "cracking dictionaries." More sophisticated dictionary attacks incorporate words that are personally important to you, like a birthplace, child's name, or pet's name.

To help prevent a dictionary attack:

- **Never use a dictionary word as a password.** If you've read it in a book, it should never be part of your password. If you must use a password instead of an access management tool, consider using a password management system.
- **Lock accounts after too many password failures.** It can be frustrating to be locked out of your account when you briefly forget a password, but the alternative is often account insecurity. Give yourself five or fewer tries before your application tells you to cool down.
- **Consider investing in a password manager.** Password managers automatically generate complex passwords that help prevent dictionary attacks.

## 5. Credential stuffing

If you've suffered a hack in the past, you know that your old passwords were likely leaked onto a disreputable website. Credential stuffing takes advantage of accounts that never had their passwords changed after an account break-in. Hackers will try various combinations of former usernames and passwords, hoping the victim never changed them.

To help prevent credential stuffing:

- **Monitor your accounts.** There are paid services that will monitor your online identities, but you can also use free services like haveIbeenpwned.com to check whether your email address is connected to any recent leaks.
- **Regularly change your passwords.** The longer one password goes unchanged, the more likely it is that a hacker will find a way to crack it.
- **Use a password manager.** Like a dictionary attack, many credential stuffing attacks can be avoided by having a strong and secure password. A password manager helps maintain those.

## 6. Keyloggers

Keyloggers are a type of malicious software designed to track every keystroke and report it back to a hacker. Typically, a user will download the software believing it to be legitimate, only for it to install a keylogger without notice.

To protect yourself from keyloggers:

- **Check your physical hardware.** If someone has access to your workstation, they can install a hardware keylogger to collect information about your keystrokes. Regularly inspect your computer and the surrounding area to make sure you know each piece of hardware.
- **Run a virus scan.** Use reputable antivirus software to scan your computer on a regular basis. Antivirus companies keep records of the most common malware keyloggers and will flag them as dangerous.

## Preventing password attacks

The best way to fix a password attack is to avoid one in the first place.
Ask your IT professional about proactively investing in a common security policy that includes: - **Multi-factor authentication.** Using a physical token (like a Yubikey) or a personal device (like a mobile phone) to authenticate users ensures that passwords are not the sole gate to access. - **Remote access.** Using a smart remote access platform like OneLogin means that individual websites are no longer the source of user trust. Instead, OneLogin ensures that the user's identity is confirmed, then logs them in. - **Biometrics.** A malicious actor will find it very difficult to replicate your fingerprint or facial shape. Enabling biometric authentication turns your password into only one of several points of trust that a hacker needs to overcome. .content-container ul { margin-left: 2em; }
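The brute-force, dictionary-attack and credential-stuffing sections above describe two controls a defender can apply on the server side: lock an account after a handful of failures, and tell apart one source hammering a single account from one source trying leaked username/password pairs against many accounts. The following added example (not OneLogin code; the log format and sample lines are constructed for illustration) runs both checks over authentication log lines:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real product's format):
#   <ISO-8601 timestamp> ip=<source> user=<account> result=ok|fail
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample: alice mistypes once then succeeds from her own address;
# 198.51.100.7 hammers alice's account; 203.0.113.9 tries one leaked pair per
# account ("stuffing") and happens to succeed against grace.
SAMPLE_LOG = """
2024-05-01T08:00:00Z ip=192.0.2.10 user=alice result=fail
2024-05-01T08:00:20Z ip=192.0.2.10 user=alice result=ok
2024-05-01T09:00:00Z ip=198.51.100.7 user=alice result=fail
2024-05-01T09:00:01Z ip=198.51.100.7 user=alice result=fail
2024-05-01T09:00:02Z ip=198.51.100.7 user=alice result=fail
2024-05-01T09:00:03Z ip=198.51.100.7 user=alice result=fail
2024-05-01T09:00:04Z ip=198.51.100.7 user=alice result=fail
2024-05-01T09:00:05Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:00:00Z ip=203.0.113.9 user=bob result=fail
2024-05-01T10:00:01Z ip=203.0.113.9 user=carol result=fail
2024-05-01T10:00:02Z ip=203.0.113.9 user=dave result=fail
2024-05-01T10:00:03Z ip=203.0.113.9 user=erin result=fail
2024-05-01T10:00:04Z ip=203.0.113.9 user=frank result=fail
2024-05-01T10:00:05Z ip=203.0.113.9 user=grace result=ok
"""


def parse_log(text):
    """Parse log lines into event dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "ok"})
    return events


def locked_users(events, max_fails=5, window=timedelta(minutes=15)):
    """Lock-after-N-failures policy ("five or fewer tries"): an account is locked once it
    accumulates max_fails failures inside a sliding window. A success clears the counter
    unless the account is already locked (a locked account must not be unlocked by a guess)."""
    recent_fails = defaultdict(list)
    locked = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["user"]
        if e["ok"]:
            if user not in locked:
                recent_fails[user].clear()
            continue
        fails = [t for t in recent_fails[user] if e["ts"] - t <= window]
        fails.append(e["ts"])
        recent_fails[user] = fails
        if len(fails) >= max_fails:
            locked.add(user)
    return locked


def classify_sources(events, min_fails=5):
    """Per source IP with at least min_fails failures: one target account means a brute-force
    or dictionary run; roughly one or two tries per account across many accounts means
    credential stuffing. Accounts the source successfully logged into are listed so that a
    defender can force a reset on them."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        if len(fails) < min_fails:
            continue
        targeted = {e["user"] for e in fails}
        if len(targeted) == 1:
            verdict = "brute_force"
        elif len(fails) / len(targeted) <= 2:
            verdict = "credential_stuffing"
        else:
            verdict = "suspicious"
        verdicts[ip] = {
            "verdict": verdict,
            "failed_attempts": len(fails),
            "accounts_targeted": len(targeted),
            "succeeded": sorted(e["user"] for e in evs if e["ok"]),
        }
    return verdicts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked:", locked_users(evs))
    for ip, v in classify_sources(evs).items():
        print(ip, v)
```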


Business Use of Cloud Password Managers

Password managers, password vaults, single sign-on—they’re all terms you’ve probably heard as a way to create and manage secure passwords using identity and access management technologies. But what are they and how do they differ?

### Password managers vs. password vaults

Password managers and password vaults are just two terms for the same kind of product. These products are secure storage systems that encrypt and store user passwords for different websites or apps. Usually, an employee logs into the password manager with one password and then can access all the passwords they’ve created for their work apps and websites. Modern password managers do more than this, though. Most will generate strong, random passwords for the employee to use on websites or apps. And most now offer browser extensions that will fetch the credentials for the site the user is logging into, populating the login dialog to make it easier to log in without having to remember all those passwords.

### Single sign-on vs. password managers

Single sign-on (SSO) is a different technology that lets users securely authenticate to websites and apps by logging in just once a day with one password. After that, the user is automatically logged into any work app or site without having to re-enter credentials. SSO doesn’t rely on looking up the user’s password in a database. Instead, it relies on standards like SAML or OpenID Connect to log in using trust relationships. That means the third-party site (an app or website) trusts the SSO tool to verify that the user is who he or she says he or she is.

### Cloud password managers

Most password managers these days are cloud-based. Of course, you can use a password manager that stores the database on the employee’s local machine, but that makes it hard to access passwords when the employee logs into a website from their phone or a different machine. That said, many password managers require that you install browser extensions or mobile apps in order to have access from every device and browser. A cloud-based password manager also helps ensure you don’t lose your passwords if there is an event on a server or machine.

### Is a cloud password manager the solution you need?

For individuals trying to keep their personal passwords secure, a cloud password manager makes sense. It’s better than a spreadsheet or using the same password for every site (which is the most common tactic). When you’re looking for a solution to password challenges for your business, though, a cloud password manager may not be best. Password managers for businesses often store all the organization’s users’ passwords in one database. The password manager then just becomes another attack surface for hackers. That makes the recent news from ISE even more alarming. It showed that some major password managers expose user credentials in memory, even in a locked state. The master password for the password manager may even be exposed.

One way to add to the security of password vaults or managers is to require multi-factor authentication (MFA). This ensures that cybercriminals who gain an account’s username and password still can’t log in. Unfortunately, not all password managers support MFA or support it in a seamless fashion.

And password managers just don’t provide the level of security that single sign-on (SSO) does. They don’t let you manage role- or location-based access rights within an application. They don’t let you refine access by, for instance, restricting access to confidential data or requiring more frequent authentication for apps with confidential access. They don’t let you implement smart authentication, such as restricting access to some apps or sites when users are logging in from locations deemed less secure. Unlike SSO, most password managers don’t synchronize with your cloud directory or your Active Directory system for role-based access to provide a seamless experience for IT and users. They also usually don’t provide the fine-grained control and auditing functionality that many standards require for compliance. SSO, on the other hand, lets you see who has logged in and where they’ve logged in from, even down to the IP.

Lastly, most cloud password managers only work on websites and web apps. They don’t enable easy login on the desktop or on-prem applications. SSO tools, using LDAP and products like OneLogin Desktop, can give employees a single login experience that works the same across all their applications and devices. The result is greater employee satisfaction and productivity.

Cloud password managers supplemented by MFA are a good first start for smaller businesses that aren’t ready to invest in single sign-on. But rapidly growing businesses and mid-size to larger companies will find they outgrow their cloud password manager quickly and need to look at more robust single sign-on tools to meet their evolving security and ease-of-use requirements.


Helpdesk Password Reset Best Practices

If your organization has a helpdesk or other staff handle password resets, remember that password reset tickets are an opportunity for hackers. When an employee, vendor, or customer forgets a password, their account is vulnerable. Your helpdesk processes can create more vulnerability if you aren’t following password management, and ultimately, identity and access management, best practices. So, don’t open the door to hackers. Make sure your helpdesk and its password reset processes are secure.

### Start with the password reset call or ticket

First, make sure your helpdesk is secure. Helpdesks are often a target of attack. So be sure you have your own security house in order. That means secure machines, security training, and [NIST-compliant](/compliance/nist-cybersecurity-framework) processes.

Then, when users call or email to say they’ve forgotten their password, start with user verification, i.e., verify that the user is the owner of the account. And make sure your verification process is hard for hackers to infiltrate. That means don’t use common security questions. Traditional questions like mother’s maiden name, the user’s high school, or the employee’s hire date—that’s information that can easily be discovered online by cyber criminals. Ideally, use [multi-factor authentication](/learn/what-is-mfa) (MFA) to verify users. MFA that requires a card key or that requires the user to respond to an email or text, i.e. device in hand, is preferred for efficient identity and access management. If that’s not possible, ask a series of questions that rely on personal information that’s not easy for a hacker to find.

### Helpdesk temporary passwords

Some helpdesks respond to password reset requests by providing a temporary password. This isn’t the preferred approach because it means at least two people know the password and it requires conveying a temporary password, which opens an opportunity for infiltration. If you must use this approach, follow these guidelines:

- Always use a unique password for each user. **Don’t** use the same temporary password for everyone—which would mean that a single mistake opens the door to multiple accounts.
- Use long passwords, ideally sixteen characters or more.
- Randomly generate the passwords. They should consist of random characters, not words. And nothing predictable like HiredateName.
- Use a mix of uppercase, lowercase, numbers, and special characters. Avoid obvious and common substitutions like zero for the letter O or three for the letter E.

If you do send a temporary password, you need a way to verify that the user changed his or her password from the temporary one that you provided. And your password requirements should ensure that whatever new password the user comes up with is also a strong one.

### Password reset emails

If you respond to requests with an email, you still need a verification process to ensure that the reset request isn’t coming from a hacker. To be safe, make sure that you separately email or otherwise notify the user that there was a password reset request and/or that the password was reset. And include a way for the person to contact your helpdesk if he or she didn’t request that reset, so you can thwart any attack.

In your response email, never send the new or temporary password. Don’t even send the account holder’s username in the email. Doing so provides an opportunity for hackers to intercept the email and gain half of the credential pair. Ideally, you will send a password reset link so that no temporary password is necessary and the user can reset his or her own password. When you do:

- Make sure your email doesn’t look like a phishing email. The spelling should be correct and the email professionally formatted.
- Set an expiration on the reset link and make it a one-time use link. That closes another potential door to cyber criminals.
- Make sure you include instructions for how to contact support if the user needs more help or didn’t request the reset.

For the reset link itself, be careful that the redirect or thank-you page you go to after the reset doesn’t give away information about the user or the types of accounts that the user has. For example, don’t redirect to an administrator login or to a portfolio account login, revealing information to potential hackers about the person’s privileges or what they own.

Lastly, use the reset as an opportunity to educate employees and customers. The more employees understand and work to increase security, the safer you are. Make sure they know why strong passwords, though harder to remember, are important and what might be at risk if their account is breached.

### A better way

If you’re still doing password resets manually, you know it’s an expensive process. Today, there are many tools that make password resets easier. The best ones [remove IT/helpdesk from the password reset process](/blog/password-reset-it-middle-guy) entirely, by enabling users to do automatic password resets. Automatic password reset tools can still require multi-factor authentication and can enforce strong password requirements, but they eliminate the delays that frustrate users and many of the vulnerabilities inherent in a manual process.
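The reset-link guidance above (random, expiring, one-time use, and nothing in the email that helps an interceptor) maps onto a small server-side token store. This added example is not OneLogin code; the class and its method names are assumptions for illustration. It stores only a hash of each token, so a leaked database table does not yield working links, and it consumes a token on first lookup so a replayed link fails:

```python
import hashlib
import secrets
import time


class ResetTokenStore:
    """Single-use, expiring password reset tokens (hypothetical helper for this example).

    - issue() returns the raw token for the link; only sha256(token) is stored.
    - redeem() removes the entry on first lookup, so a token works at most once,
      and rejects it if the expiry has passed.
    - Issuing a new token for a user supersedes any earlier outstanding one, so
      only the most recent link in the user's inbox can be used.
    """

    def __init__(self, ttl_seconds=15 * 60):
        self.ttl = ttl_seconds
        self._tokens = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        # Invalidate earlier tokens for the same user before handing out a new one.
        self._tokens = {d: v for d, v in self._tokens.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a guessable value
        self._tokens[self._digest(token)] = (user_id, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the user_id the token belongs to, or None if unknown, used, or expired."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(self._digest(token), None)  # pop: one-time use either way
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id


def reset_link(base_url, token):
    """The link placed in the email. Note it carries only the opaque token: no username,
    no temporary password, and nothing that hints at the account type."""
    return f"{base_url.rstrip('/')}/reset?token={token}"


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("user-42")
    print(reset_link("https://example.invalid", t))
    print(store.redeem(t))  # user-42
    print(store.redeem(t))  # None: already consumed
```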


What is Two-Factor Authentication (2FA)?

Cyber attackers are relentless. They hunt, phish, scam, and social-engineer everybody, including privileged users, to infiltrate your organization. Once inside, they look for opportunities to elevate privilege and appropriate resources. Every app is vulnerable. Without controlling cloud and on-prem application access, organizations are at risk of a security breach. Two-factor authentication helps thwart attacks and protect corporate data, as a key identity and access management (IAM) solution.

### What is two-factor authentication?

Two-factor authentication (2FA) adds an additional layer of security when users log in to apps. Without additional authentication, users are asked to prove their identity by providing simple credentials such as an email address and a password. With 2FA, they are asked for a second factor (2F), usually by prompting the user to provide information via a physical token (i.e. a card) or a security question whose answer only they know. US Federal regulations recognize the following authentication factor options:

### How does 2FA make companies more secure?

Having an additional authentication factor prevents someone from signing into a user’s account—even if they know the user’s password. Other factors are needed because passwords, by themselves, just aren’t safe. They can be compromised in a number of ways:

- Most individuals choose an easy-to-remember password which is therefore easy to hack. For example, they use discoverable information such as a pet’s name, a birthplace, or an important date like their anniversary.
- Most individuals reuse the same password for several applications. So, once a cyber criminal gets the password, he or she has access to more than one application.
- Cyber criminals themselves use many different and increasingly sophisticated techniques to [compromise login credentials](/learn/what-is-cyber-security).

That’s why more factors help. If authentication requires both a password and, say, a USB token with a digital certificate on it, a criminal would need to know the user’s credentials and be in possession of the USB token in order to sign into the user’s account. Without being in possession of both, any unauthorized access would fail and trigger a security event to let the admin know of a suspicious login attempt.

Authentication can be made even stronger by combining additional identity and access management (IAM) factors to achieve [multi-factor authentication](/learn/what-is-mfa) (MFA). Multi-factor authentication allows you to add factors like a PKI certificate in the user’s browser or require a mobile app for authentication. And products like OneLogin Desktop increase security via an on-laptop certificate that delivers a second factor of authentication in the form of a trusted device.

### Strong authentication factors for 2FA

There are a variety of second authentication factors that can be used for 2FA to secure application access. Here are some examples:

- One-time password (OTP) – A unique password which can only be used once. This is typically a short string of numbers generated based on a secret stored in a physical device such as a USB token or a smartphone. Upon authentication, the one-time password is verified against the OTP vendor’s service in the cloud. Even if someone manages to steal the password, it cannot be used to log in successfully without the OTP.
- Time-based PIN – A sequence of digits which have to be entered within a short window, typically 30 to 60 seconds. The PIN can be generated by a software application or hardware device with a very precise clock. The security lies in the fact that the PIN is only valid for a short period of time.
- Digital (PKI) certificates – A digital certificate, issued by a trusted certificate authority, is installed on the device or in the user’s browser. The identity provider can check for the presence of valid certificates as well as revoke them at any time. Only a browser with a valid certificate will be allowed to sign in.


The Truth About Passwordless Authentication

Passwordless authentication is a means to verify a user’s identity, without using a password. Instead, passwordless uses more secure alternatives like possession factors ([one-time passwords (OTP)](https://www.onelogin.com/learn/otp-totp-hotp), registered smartphones), or biometrics (fingerprint, retina scans). Passwords haven’t been safe for a long time. They are hard to remember, and easy to misplace. They are also the number one target of cybercriminals. So much so that 81 percent of breaches involve weak or stolen passwords. In the following article, let’s explore passwordless authentication in more detail.

## What are the types of passwordless authentication?

Passwordless authentication can be achieved in many ways. Here are a few:

- **Biometrics:** Physical traits, like fingerprint or retina scans, and behavioral traits, like typing and touch screen dynamics, are used to uniquely identify a person. Even though modern AI has enabled hackers to spoof certain physical traits, behavioral characteristics still remain extremely hard to fake.
- **Possession factors:** Authentication via something that a user owns or carries with them. For example, the code generated by a smartphone authenticator app, OTPs received via SMS, or a hardware token.
- **Magic links:** The user enters their email address, and the system sends them an email. The email contains a link, which when clicked, grants access to the user.

## How does passwordless authentication work?

Passwordless authentication works by replacing passwords with other authentication factors that are intrinsically safer. In password-based authentication, a user-provided password is matched against what is stored in the database. In some passwordless systems, like biometrics, the comparison happens in a similar manner, but instead of passwords, a user’s distinctive characteristics are compared. E.g., a system captures a user’s face, extracts numerical data from it, and then compares it with verified data present in the database. In other passwordless implementations, comparisons may happen differently. E.g., a system sends a one-time passcode to a user’s mobile, via an SMS. The user receives it and enters it into the login box. The system then compares the user-entered passcode to the one it had sent.

Passwordless authentication relies on the same principles as digital certificates: a cryptographic key pair with a private and a public key. Although they are both called keys, think of the public key as the padlock and the private key as the actual key that unlocks it. Digital certificates work in a way in which there is only one key for the padlock and only one padlock for the key. A user wishing to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private key pair. The private key is stored on the user’s local device and can only be accessed using an authentication factor, e.g., a fingerprint, PIN, or OTP. The public key is provided to the system on which the user wishes to have a secure account.

## Is passwordless authentication safe?

Whether or not passwordless authentication is safe depends on your definition of safe. If safe means harder to crack and less prone to the most common cyberattacks, then yes, passwordless authentication is safe. If by safe you mean it is impervious to hacking, then no, it’s not safe. There’s no authentication system out there which can’t be hacked. Maybe there is no obvious way to hack it, but it doesn’t mean that the most sophisticated hackers can’t work their way around its defenses.

With that said, passwordless techniques are inherently safer than passwords. E.g., to hack a password-based system, a bad actor may use a dictionary attack, which is often considered the most rudimentary hacking technique (keep trying different passwords until you get a match). Even amateur hackers can perform a dictionary attack. Conversely, it takes a significantly higher level of hacking experience and sophistication to infiltrate a passwordless system. E.g., only the most advanced AI algorithms can enable a hacker to spoof a fingerprint.

## MFA vs passwordless authentication

Passwordless authentication simply replaces passwords with a more suitable authentication factor. On the other hand, MFA (multi-factor authentication) uses more than one authentication factor to verify a user’s identity. For example, an MFA system may use fingerprint scanning as the primary authentication factor and SMS OTPs as the secondary. People sometimes confuse passwordless with MFA or use the two interchangeably. That’s because many traditional, password-based login systems have started using a passwordless technique as their secondary authentication factor.

## How do I implement passwordless authentication?

Here’s how you could approach implementing passwordless authentication:

1. **Pick your mode:** The first step is choosing your preferred authentication factor. Available options range from fingerprints and retina scans to magic links and hardware tokens.
2. **How many factors?** It’s recommended to use multiple authentication factors with or without passwordless. Reliance on one factor, regardless of how safe it may seem, is not recommended.
3. **Buy required hardware/software:** You may have to buy equipment to implement biometric-based passwordless authentication. For other modes, like magic links or mobile OTPs, you may only have to procure software.
4. **Provision users:** Start registering people on your authentication system. E.g., for a face recognition system, you will need to scan the faces of all your employees.

Implementing passwordless authentication in-house can be time-consuming and complicated. This is why many businesses prefer outsourcing to third-party IAM providers (like OneLogin) instead. This speeds up the process and significantly reduces maintenance costs and worries.

## Is the future passwordless?

Even though passwords are far less prevalent than ever before, they are still being used worldwide. The primary reason is that a password-based login system is the easiest and the cheapest to implement. However, we expect passwordless to take over soon. In the last two years, we have had more cyberattacks than ever before. This is setting off alarm bells in many companies, with more and more investments being made into biometrics and adaptive authentication (more on this in the next section). Moreover, many companies have now realized that passwords are the primary reason for data breaches. The cost of implementing passwordless is nothing compared to the fines and losses incurred due to a data breach. Last but not least, passwords are a nuisance for users. Hard to remember and a pain to reset. On the other hand, passwordless techniques, like biometrics, are convenient and much more user-friendly.

## Combine passwordless authentication with adaptive (behavioral) authentication

Even though passwordless authentication is a major improvement over using passwords, it’s still not infallible. Biometrics can be spoofed, OTPs can be intercepted, and hardware tokens can be stolen. This is why you need a system that goes beyond just authentication factors to verify identity, i.e. adaptive authentication. Adaptive authentication uses machine learning to develop patterns of typical user behavior. Any time the system notices a deviation from the pattern, it regards the login attempt as risky and takes appropriate actions.

For example, let’s suppose a user logs in to the system, via their laptop, early in the morning, every weekday. Over time, the system establishes that this is their typical login behavior. Then one day, the user logs in to the system on a Saturday. They still used the same laptop, it was still early in the morning, and their geographical location was the same as well. The system calculates a relatively higher risk score for this behavior, which warrants the use of a secondary authentication factor, like an SMS OTP. A few days later, the system notices a login attempt from the same user, originating from a different country, and from a different device. It calculates an exponentially higher risk score, and blocks the user. It’s later found out that it was a login attempt from a cybercriminal who had spoofed the user’s identity.

Combining passwordless with adaptive authentication can make your system much more resilient. It’s harder to hack passwordless factors, but not impossible; adaptive authentication helps you add another, AI-powered layer of protection.
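The weekday/Saturday/foreign-country scenario above comes down to a baseline built from past logins and a risk score for each new attempt. The following added example (not OneLogin's adaptive authentication engine; a fixed weighted-rules baseline stands in for the machine-learning model the text mentions, and the field names are assumptions) reproduces the three outcomes from the story: allow, step up to a second factor, block:

```python
from dataclasses import dataclass
from datetime import datetime

# Risk weights are assumptions for this example: device and location deviations are
# treated as far stronger signals than an unusual day or hour.
WEIGHTS = {"device": 40, "country": 40, "weekday": 15, "hour": 15}
STEP_UP_AT = 1    # any deviation at all asks for a second factor (e.g. SMS OTP)
BLOCK_AT = 50     # device plus location changing together is blocked outright


@dataclass(frozen=True)
class Login:
    user: str
    device: str
    country: str
    when: datetime


def build_profile(history):
    """Baseline of what 'normal' looks like, learned from prior successful logins."""
    return {
        "device": {l.device for l in history},
        "country": {l.country for l in history},
        "weekday": {l.when.weekday() for l in history},
        "hour": {l.when.hour for l in history},
    }


def risk_score(profile, attempt):
    """Sum of the weights of every attribute that falls outside the user's baseline."""
    observed = {
        "device": attempt.device,
        "country": attempt.country,
        "weekday": attempt.when.weekday(),
        "hour": attempt.when.hour,
    }
    return sum(WEIGHTS[k] for k, v in observed.items() if v not in profile[k])


def assess(profile, attempt):
    """Return (score, decision) where decision is 'allow', 'step_up' or 'block'."""
    score = risk_score(profile, attempt)
    if score >= BLOCK_AT:
        return score, "block"
    if score >= STEP_UP_AT:
        return score, "step_up"
    return score, "allow"


# Constructed history: the same laptop, the same country, every weekday at 07:30
# (6-10 May 2024 is Monday to Friday).
HISTORY = [Login("alice", "laptop-1", "US", datetime(2024, 5, 6 + d, 7, 30)) for d in range(5)]

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    saturday = Login("alice", "laptop-1", "US", datetime(2024, 5, 11, 7, 30))
    abroad = Login("alice", "phone-x", "BR", datetime(2024, 5, 14, 7, 30))
    print(assess(profile, saturday))  # (15, 'step_up')
    print(assess(profile, abroad))    # (80, 'block')
```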


Biometric Authentication: the Good, the Bad, and the Ugly

Up until a few years ago, biometrics were considered to be an impregnable means of passwordless authentication. But how do they fare today? Is biometric authentication infallible? Or are there ways to hack it? Should it be your authentication mode of choice? In this article, we’ll examine the good, the bad, and the ugly sides of biometrics for authentication. ## What is biometric authentication? Authentication is a way to verify, beyond a doubt, that a person is who they say they are. Biometric authentication performs this verification by checking distinctive biological or behavioral characteristics. An authentication system works by comparing provided data with validated user information stored in a database. In traditional systems, this information is passwords. In biometric authentication, this information is defined as physical or behavioral traits. For example, in a facial recognition system, different facial features are processed and converted into numerical data, which is stored in a database. When a person tries to log in, the system recaptures their face, extracts numerical data, and then compares it with what’s stored in the database. Other types of biometric authentication are: - Fingerprint scanning - DNA matching - Retina scanning - Vein scanning - Behavioral biometrics Behavioral biometrics verify identity by analyzing physical and cognitive behavior of a user. They use machine learning algorithms to determine patterns in user behavior and activities. These patterns are then used to detect whether someone is who they say they are. Examples of behavioral biometrics are: - Touchscreen use (how much area of the screen are they using) - Typing dynamics (keyboard shortcuts or typing speed) - Mouse activity ## Is biometric authentication hackable? The whole point of biometrics is that they are unique. Knowing that, you may think that biometric authentication can’t be hacked. But that’s not true. 
Just like any other system, biometric authentication isn’t hack-proof. Modern AI algorithms can be used to [generate fingerprints](https://fortune.com/2018/11/28/artificial-intelligence-fingerprints-security/), which can deceive fingerprint scanners. Moreover, several vulnerabilities have been observed in the data collection, processing, matching, and enrollment processes of even the most sophisticated biometric systems. ## What is multimodal biometric authentication? A unimodal biometric authentication system verifies only one distinct characteristic, e.g. a face or a retina. But as we just saw, such a system is susceptible to spoofing. This is where multimodal biometric authentication can help. It’s an approach in which various biometrics are checked during identity verification. This makes it much harder for a malicious actor to spoof. For example, a hacker may be able to find a person’s photo on the internet, which they use to successfully trick a facial recognition system. But if the system requires them to provide additional info, e.g. a video of the person saying their password, they are highly unlikely to find it. Additionally, combining physical and behavioral biometrics can also enhance your security posture. Even if a malicious actor manages to spoof a fingerprint, the system can detect change in behavior and deny entry. E.g., their speed of interaction with the system may be slower than the real user, or they are using keyboard shortcuts that the real user never used. ## The Good Biometrics are a much needed improvement over passwords. Passwords are very easy to hack. Sometimes, all a hacker needs are a person’s birthdate, and the name of their cat. Biometrics on the other hand, are much harder to obtain. You won’t find a person’s biometric data written on a sticky note, or auto-filled in their browser. Attackers thus find it much harder to break into passwordless biometric systems, especially those using multimodal authentication. 
A main reason for the popularity and prevalence of biometric authentication is that users find it much more convenient. No need to remember a complex password, or change one every other month. Just put your finger over a keypad, or look into an eye scanner, and you are in. Some systems, such as facial recognition, can even authenticate without the user consciously making a gesture. Simply moving into a room, or sitting in front of your computer, can suffice. Biometric authentication and zero-trust models go hand-in-hand. To build a true zero trust model, one where nothing is intrinsically trusted, you can depend on the resilient identity validation of biometric systems. ## The Bad Yes, biometrics are generally more secure, but they aren’t foolproof. Hackers can spoof biometric data by using various techniques like downloading or printing a person’s photo, using a fake silicone fingerprint, or a 3D mask. Such attacks are known as presentation attacks. Moreover, smartphone fingerprint scanners often rely on partial matches. Researchers have found that it’s possible to create “[master prints](https://ieeexplore.ieee.org/document/7893784)” that match partials of many people and can thus give access to a large number of user accounts. In addition to being hackable, biometric systems can also sometimes fail to recognize a valid user: someone could be wearing different makeup or new glasses, or the voice of a user might sound different when they are sick or have just woken up. So, it’s no surprise that quality biometric solutions cost more. In fact, [67% of IT professionals](https://businessinsights.bitdefender.com/more-organizations-are-adopting-biometrics-for-security-but-barriers-still-remain) cite cost as the biggest reason for not adopting biometric authentication. There are hidden costs, too, with 47% of those surveyed reporting a need to upgrade systems in order to support a shift to biometrics. 
## The Ugly

There are some serious ethical concerns surrounding many forms of biometrics. One of them involves bias. Facial recognition systems may not recognize people of color or non-cisgender people as accurately. Many biometric systems have been trained primarily on photos of white, often male, subjects, which builds in a bias that results in [difficulty recognizing women and people of color](https://www.cnet.com/news/why-facial-recognitions-racial-bias-problem-is-so-hard-to-crack/).

Additionally, there are fears about how biometric data is shared. Is it acceptable for companies to sell or provide biometric data to others, such as law enforcement, immigration enforcement, or repressive foreign governments? These privacy concerns have caused many US states to enact [biometric information privacy laws](https://www.honigman.com/blogs-the-matrix,recent-state-biometric-privacy-bills).

For businesses, another ugly side of biometric data is its storage. Wherever biometric data is stored, it must be stored securely, because it can’t be reset like a password. If biometric data is stolen, there’s no going back: a person can’t change their fingerprint or their iris. Companies that choose to store employees’ or customers’ biometric data are taking on a big financial and ethical responsibility. This is one reason to consider on-device storage, where the biometric data stays on the device that authenticates the user, such as their smartphone or computer. This gives the user control over the data, and it confines the data to a local device, so a single breach is far less likely to expose a large set of biometric data. (In the FIDO/passkey model, for instance, the biometric template never leaves the device; the server only verifies a signed assertion that the device unlocked a key.)

While there are many sides to the biometric debate, one thing is certain: the technology is here to stay. The good side of biometrics still outweighs the bad and ugly sides, so much so that companies are expected to continue adopting biometrics for authentication.


How Single Sign-On Works

How does single sign-on work?

## What is single sign-on?

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.

## How does SSO work?

SSO works based upon a trust relationship set up between an application, known as the service provider, and an identity provider, like OneLogin. This trust relationship is usually based upon a certificate that is exchanged between the identity provider and the service provider. The identity provider uses the corresponding private key to sign the identity information it sends, and the service provider uses the certificate to verify that the information came from a trusted source. In SSO, this identity data takes the form of tokens that contain identifying bits of information about the user, like an email address or a username.

The login flow usually looks like this:

1. A user browses to the application or website they want to access, aka the Service Provider.
2. The Service Provider redirects the user’s browser to the SSO system, aka the Identity Provider, with an authentication request (a SAML AuthnRequest or an OIDC authorization request). The request identifies the Service Provider and may carry a hint about the user, such as their email address.
3. The Identity Provider first checks whether the user already has an authenticated session, in which case it skips to step 5.
4. If the user hasn’t logged in, they are prompted to do so by providing the credentials the Identity Provider requires. This could simply be a username and password, or it might include another form of authentication like a [One-Time Password (OTP)](https://www.onelogin.com/learn/otp-totp-hotp).
5. Once the Identity Provider validates the credentials, it issues a signed token confirming a successful authentication.
6. This token is passed through the user’s browser to the Service Provider.
7. The Service Provider validates the token according to the trust relationship set up during the initial configuration: it verifies the signature with the Identity Provider’s certificate and checks that the token was issued by the expected Identity Provider, was intended for this Service Provider, and has not expired or been presented before.
8. The user is granted access to the Service Provider.

When the user tries to access a different website, that website must have a similar trust relationship configured with the SSO solution, and the authentication flow follows the same steps.

### What is an SSO token?

An SSO token is a collection of data that is passed from one system to another during the SSO process. The data can simply be a user’s email address and information about which system is sending the token. Tokens must be digitally signed so the receiver can verify that the token is coming from a trusted source. The certificate used to verify this digital signature is exchanged during the initial configuration process.

## Is SSO secure?

The answer to this question is “it depends.” There are many reasons why SSO can improve security. A single sign-on solution simplifies username and password management for both users and administrators. Users no longer have to keep track of different sets of credentials and can remember a single, stronger password. SSO also gets users into their applications faster and cuts down on the time the help desk spends helping users with lost passwords. Administrators can centrally control requirements like password complexity and [multi-factor authentication (MFA)](https://www.onelogin.com/learn/what-is-mfa), and can revoke login privileges across the board far more quickly when a user leaves the organization.

Single sign-on does have some drawbacks. For example, you might have applications that you want to lock down a bit more.
For this reason, it is important to choose an SSO solution that lets you, say, require an additional authentication factor before a user logs into a particular application, or that prevents users from accessing certain applications unless they are connected to a trusted network.

## How is SSO implemented?

The specifics of how an SSO solution is implemented differ depending on the exact SSO solution you are working with. But whatever the specific steps are, you need to set clear objectives and goals for your implementation. Make sure you answer the following questions:

* What different types of users are you serving, and what are their different requirements?
* Are you looking for an on-prem solution or a cloud-based solution?
* Will this solution be able to grow with your company and your needs?
* What features are you looking for to ensure only trusted users are logging in? MFA, adaptive authentication, device trust, IP address allowlisting, etc.?
* What systems do you need to integrate with?
* Do you need API access?

## What makes a true SSO system?

It’s important to understand the difference between single sign-on and [password vaulting](https://www.onelogin.com/learn/password-vaulting) or password managers, which are sometimes also called SSO, where the acronym means same sign-on rather than single sign-on. With password vaulting, you may have the same username and password everywhere, but they need to be entered each time you move to a different application or website. The password vaulting system is simply storing your credentials for all the different applications and inserting them when necessary; there is no trust relationship set up between the applications and the password vaulting system. With SSO, meaning single sign-on, once you’re logged in via the SSO solution you can access all company-approved applications and websites without logging in again. That includes cloud applications as well as on-prem applications, often available through an SSO portal (also called a login portal).

## What is SSO software vs an SSO solution

When researching the SSO options available, you might see them referred to as SSO software, an SSO solution, or an SSO provider. In many cases the difference is simply how the companies have categorized themselves. “Software” suggests something installed on-premises, usually designed to do a specific set of tasks and nothing else. “Solution” suggests the ability to expand or customize the capabilities of the core product. “Provider” refers to the company producing or hosting the solution. For example, OneLogin is known as an SSO solution provider.

### Are there different types of SSO?

There are a lot of terms that come up when we talk about single sign-on (SSO):

* Federated Identity Management (FIM)
* OAuth (specifically OAuth 2.0 nowadays)
* OpenID Connect (OIDC)
* Security Assertion Markup Language (SAML)
* Same Sign-On (SSO)

SSO is actually part of a larger concept called Federated Identity Management, which is why SSO is sometimes referred to as federated SSO. FIM refers to a trust relationship created between two or more domains or identity management systems; single sign-on is often a feature available within a FIM architecture. OAuth 2.0 is a specific framework that can also be part of a FIM architecture. Strictly speaking, OAuth 2.0 is an authorization framework: it lets a user grant a third-party application limited access to their resources without handing over their credentials, and on its own it does not tell the application who the user is. [OpenID Connect (OIDC)](https://www.onelogin.com/blog/openid-connect-explained-in-plain-english) is the authentication layer built on top of OAuth 2.0 that adds that identity information and provides single sign-on functionality.
[Security Assertion Markup Language (SAML)](https://www.onelogin.com/learn/saml) is an open standard that is also designed to provide single sign-on functionality. Same sign-on, which is also often referred to as SSO, is not the same as single sign-on because it doesn’t involve any trust relationship between the entities doing the authentication. It depends on credentials being duplicated between systems and simply replayed when necessary, and it is not as secure as any of the single sign-on solutions.

There are also some specific systems that commonly come up when we discuss single sign-on: Active Directory, Active Directory Federation Services (ADFS), and Lightweight Directory Access Protocol (LDAP).

Active Directory, which nowadays is specifically referred to as Active Directory Domain Services (AD DS), is Microsoft’s centralized directory service. Users and resources are added to the directory for central management, and AD DS works with authentication protocols like NTLM and Kerberos. Thus, users that belong to AD DS can authenticate from their machines and get access to other systems that integrate with AD DS. This is a form of single sign-on.

Active Directory Federation Services (ADFS) is a type of Federated Identity Management system that also provides single sign-on capabilities. It supports both SAML and OIDC. ADFS is primarily used to set up trust between AD DS and other systems such as Azure AD or other AD DS forests.

Lightweight Directory Access Protocol (LDAP) is an industry standard that defines a way to organize and query directory information. LDAP allows you to centrally manage resources like users and systems. LDAP does define a bind operation (a simple bind with a password, or a SASL bind), which is how a directory-backed login usually checks a user’s credentials, but it is not itself a single sign-on protocol: binding to one directory does not sign the user into other applications. It is, however, often used as part of authentication and access control. For example, before a user can access a particular resource, LDAP might be used to look up that user and the groups they belong to in order to see whether the user has access to that resource. LDAP servers like OpenLDAP authenticate users through simple binds and through their support of Simple Authentication and Security Layer (SASL) mechanisms.

## What is SSO software as a service?

Just as many other applications have moved to the cloud, so has SSO functionality. Platforms like OneLogin that run in the cloud can be categorized as Software as a Service (SaaS) SSO solutions.

## What is App-to-App SSO?

Lastly, you might have heard of App-to-App or Application-to-Application SSO. This is not an industry standard yet. It is a term used by SAPCloud to describe the process of passing a user identity from one application to another within its ecosystem. It is somewhat similar to OAuth 2.0, but again it is not a standard protocol or method and is currently specific to SAPCloud.
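The login flow and token validation described above, as an added example that is not OneLogin’s code or any real SSO product’s: a toy Identity Provider issues a signed token and a Service Provider validates it the way step 7 requires. It assumes an Ed25519 key pair standing in for the IdP’s certificate, a two-part base64url token format in place of a real SAML assertion or JWT, and the issuer, client ID and user values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the identifying information the token carries; the names follow
// the registered JWT claims an OIDC ID token uses.
type Claims struct {
	Iss   string `json:"iss"`   // issuer: the Identity Provider
	Sub   string `json:"sub"`   // subject: stable user identifier
	Aud   string `json:"aud"`   // audience: the Service Provider the token is for
	Email string `json:"email"` // user attribute the Service Provider asked for
	Exp   int64  `json:"exp"`   // expiry, Unix seconds
}

// IdentityProvider signs tokens with a private key it never shares; only the
// public half is handed to Service Providers when the trust is configured.
type IdentityProvider struct {
	Issuer    string
	privKey   ed25519.PrivateKey
	PublicKey ed25519.PublicKey
}

func NewIdentityProvider(issuer string) (*IdentityProvider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Issuer: issuer, privKey: priv, PublicKey: pub}, nil
}

// IssueToken returns "<base64url(claims JSON)>.<base64url(signature)>", the
// signed assertion the Identity Provider returns through the browser (steps 5-6).
func (idp *IdentityProvider) IssueToken(sub, email, audience string, now time.Time, ttl time.Duration) (string, error) {
	payload, err := json.Marshal(Claims{Iss: idp.Issuer, Sub: sub, Aud: audience, Email: email, Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	return B64Encode(payload) + "." + B64Encode(ed25519.Sign(idp.privKey, payload)), nil
}

// ServiceProvider trusts exactly one issuer and the public key configured for it.
type ServiceProvider struct {
	ClientID      string // the audience value it expects in every token
	TrustedIssuer string
	TrustedKey    ed25519.PublicKey // exchanged out of band at setup time
}

var (
	ErrMalformed    = errors.New("malformed token")
	ErrBadSignature = errors.New("signature does not verify with the trusted key")
	ErrWrongIssuer  = errors.New("token issued by an untrusted identity provider")
	ErrWrongAud     = errors.New("token was issued for a different service provider")
	ErrExpired      = errors.New("token has expired")
)

// ValidateToken is step 7 of the flow: the signature is verified before any
// claim is trusted, and only then are issuer, audience and expiry checked.
func (sp *ServiceProvider) ValidateToken(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, ErrMalformed
	}
	payload, err1 := B64Decode(parts[0])
	sig, err2 := B64Decode(parts[1])
	if err1 != nil || err2 != nil {
		return nil, ErrMalformed
	}
	if len(sp.TrustedKey) != ed25519.PublicKeySize || !ed25519.Verify(sp.TrustedKey, payload, sig) {
		return nil, ErrBadSignature
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, ErrMalformed
	}
	switch {
	case c.Iss != sp.TrustedIssuer:
		return nil, ErrWrongIssuer
	case c.Aud != sp.ClientID:
		return nil, ErrWrongAud
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, ErrExpired
	}
	return &c, nil
}

func B64Encode(b []byte) string          { return base64.RawURLEncoding.EncodeToString(b) }
func B64Decode(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

func main() {
	idp, _ := NewIdentityProvider("https://idp.example.com")
	sp := &ServiceProvider{ClientID: "payroll-app", TrustedIssuer: idp.Issuer, TrustedKey: idp.PublicKey}
	tok, _ := idp.IssueToken("u-123", "alice@example.com", "payroll-app", time.Now(), 5*time.Minute)
	claims, err := sp.ValidateToken(tok, time.Now())
	fmt.Println(claims, err) // valid token: claims printed, err nil
}
```

The order of checks is the point: a token minted by the same IdP for a different application carries a perfectly valid signature, so a Service Provider that stops at signature verification would accept it. Real deployments add replay protection (tracking assertion IDs or nonces) on top of what is shown here.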


What is Identity & Access Management (IAM)?

Identity and access management (IAM) ensures that the right people and job roles in your organization (identities) can access the tools they need to do their jobs. Identity and access management systems let your organization manage employee apps without logging into each app as an administrator, and they manage a range of identities, including people, software, and hardware like robotics and IoT devices.

### Why do you need IAM?

Companies need IAM to provide online security and to increase employee productivity.

- Security. Traditional security often has one point of failure: the password. If a user's password is breached, or worse, the email account used for their password recoveries, your organization becomes vulnerable to attack. IAM services narrow the points of failure and backstop them with tools to catch mistakes when they're made.
- Productivity. Once an employee logs on to the main IAM portal, they no longer have to worry about having the right password or the right access level to perform their duties. Not only does every employee get access to the right suite of tools for their job, their access can be managed as a group or role instead of individually, reducing the workload on your IT professionals.

### Does IAM improve regulatory compliance?

Security is also a matter of law, regulation, and contracts. Data protection standards like Europe's General Data Protection Regulation (GDPR) and, in the U.S., HIPAA and the Sarbanes-Oxley Act enforce strict standards for data security. With an IAM solution, your users and organization can ensure that the highest standards of security, tracking, and administrative transparency are a matter of course in your day-to-day operations.

### How does IAM work?

Identity management solutions generally perform two tasks:

1. IAM confirms that the user, software, or hardware is who they say they are by authenticating their credentials against a database. IAM cloud identity tools are more secure and flexible than traditional username and password solutions.
2. Identity access management systems grant only the appropriate level of access. Instead of a username and password allowing access to an entire software suite, IAM allows narrow slices of access to be portioned out, e.g. editor, viewer, and commenter in a content management system.

### What does IAM do?

IAM systems provide this core functionality:

| Task | Tools |
| --- | --- |
| Manage user identities | IAM systems can be the sole directory used to create, modify, and delete users, or they may integrate with one or more other directories and synchronize with them. Identity and access management can also create new identities for users who need a specialized type of access to an organization's tools. |
| Provisioning/deprovisioning users | Specifying which tools and access levels (editor, viewer, administrator) to grant a user is called provisioning. IAM tools allow IT departments to provision users by role, department, or other grouping in consultation with the managers of that department. Since it is time-consuming to specify each individual's access to every resource, identity management systems enable provisioning via policies based on role-based access control (RBAC): users are assigned one or more roles, usually based on job function, and the RBAC IAM system automatically grants them access. Provisioning also works in reverse; to avoid the security risks presented by ex-employees retaining access to systems, IAM allows your organization to quickly remove their access. |
| Authenticating users | IAM systems authenticate a user by confirming that they are who they say they are. Today, secure authentication means multi-factor authentication (MFA) and, preferably, adaptive authentication. |
| Authorizing users | Access management ensures a user is granted the exact level and type of access to a tool that they're entitled to. Users can also be portioned into groups or roles so large cohorts of users can be granted the same privileges. |
| Reporting | IAM tools generate reports after most actions taken on the platform (like login time, systems accessed, and type of authentication) to ensure compliance and assess security risks. |
| Single sign-on | Identity and access management solutions with single sign-on (SSO) allow users to authenticate with one portal instead of many different resources. Once authenticated, the IAM system acts as the source of identity truth for the other resources available to the user, removing the need to remember several passwords. |

### What is the difference between identity management and access management?

Identity management confirms that you are you and stores information about you. An identity management database holds information about your identity, for example your job title and your direct reports, and authenticates that you are indeed the person described in the database. Access management uses the information about your identity to determine which software suites you're allowed to access and what you're allowed to do when you access them. For example, access management will ensure that every manager with direct reports has access to an app for timesheet approval, but not so much access that they can approve their own timesheets.

### Cloud versus on-premises IAM

In the past, most identity and access management was handled by a server on the physical premises of an organization, known as on-prem. Most IAM services are now managed by a provider in the cloud to avoid physical maintenance costs to the organization, as well as to ensure uptime, distributed and redundant systems, and contractual SLAs.

### What is AWS identity and access management?

Amazon Web Services (AWS) identity and access management is simply the IAM system built into AWS. Using AWS IAM, you can create AWS users and groups and grant or deny them access to AWS services and resources. AWS IAM is available free of charge. The AWS IAM service provides:

- Fine-grained access control to AWS resources
- AWS multi-factor authentication
- Analysis features to validate and fine-tune policies
- Integration with external identity management solutions

### What tools do I need to implement identity and access management?

The tools needed to implement IAM include password-management tools, provisioning software, security-policy enforcement applications, reporting and monitoring apps, and identity repositories. IAM tools can include, but are not limited to:

- MFA. Multi-factor authentication means that your IAM provider requires more than one type of proof that you are who you say you are. A typical example is requiring both a password and a fingerprint. Other MFA choices include facial recognition, iris scans, and physical tokens like a YubiKey.
- SSO. SSO stands for single sign-on. If your IAM solution provides single sign-on, your users sign in only once and then treat the identity and access management tool as a "portal" to the other software suites they have access to, without signing in to each one.

### What does an IAM implementation strategy include?

As a cornerstone of a zero-trust architecture, an IAM solution should be implemented using zero-trust principles such as least-privilege access and identity-based security policies.

- Central identity management. A key principle of zero trust is managing access to resources at the identity level, so centralized management of those identities makes this approach much simpler. This could mean migrating users from other systems, or at least synchronizing your IAM with other user directories in your environment, such as a Human Resources directory.
- Secure access. Since securing at the identity level is key, an IAM should confirm the identities of those who are logging in. This could mean implementing MFA, or a combination of MFA and adaptive authentication that takes into account the context of the login attempt: location, time, device, etc.
- Policy-based control. Users should only be authorized to perform their required tasks and be given no more privilege than is necessary. An IAM should be designed to give users access to resources based upon their job role, their department, or any other attributes that are appropriate. As part of the centrally managed identity solution, these policies can then ensure that resources are secure no matter where they are being accessed from.
- Zero-trust policy. A zero-trust policy means that an organization's IAM solution is constantly monitoring and securing its users' identities and access points. In the past, organizations operated on a "once you're in, you have access" policy, but zero-trust policies ensure that each member of the organization is continually re-identified and their access continually managed.
- Secured privileged accounts. Not all accounts in an access management system are created equal. Accounts with special tools or privileged access to sensitive information can be given a tier of security and support that suits their status as gatekeepers for the organization.
- Training and support. IAM providers provide training for the people who will be most engaged with the product, including users and administrators, and often provide customer service for the long-term health of your IAM installation and its users.

### IAM technologies

An IAM system is expected to integrate with many different systems. Because of this, there are certain standards that all IAM systems are expected to support: Security Assertion Markup Language, OpenID Connect, and System for Cross-domain Identity Management.

- Security Assertion Markup Language (SAML). SAML is an open standard used to exchange authentication and authorization information between an identity provider system such as an IAM and a service or application. This is the most commonly used method for an IAM to let a user log in to an application that has been integrated with the IAM platform.
- OpenID Connect (OIDC). OIDC is a newer open standard that also enables users to log in to their application from an identity provider. It is very similar to SAML in purpose, but it is built on the OAuth 2.0 standard and transmits data as JSON (signed JWTs) rather than the XML that SAML uses.
- System for Cross-domain Identity Management (SCIM). SCIM is a standard used to automatically exchange identity information between two systems. Though both SAML and OIDC can pass identity information to an application during the authentication process, SCIM is used to keep the user information up to date whenever new users are assigned to the service or application, user data is updated, or users are deleted. SCIM is a key component of user provisioning in the IAM space.
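A worked illustration of the fine-grained, policy-based access control described for AWS IAM above, as an added example that is not AWS code: it models only `Effect`, `Action` and `Resource` with `*` wildcards and applies the evaluation order AWS documents (an explicit deny wins, otherwise any matching allow grants, otherwise the request is denied by default). The two policy documents are constructed for this example; here `Action` and `Resource` must be lists, whereas real IAM also accepts a bare string and adds `Principal` and `Condition` blocks. The `EffectiveActions` helper stands in for the "analysis features to validate and fine-tune policies": it shows what a wildcard actually grants before the policy ships.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Statement mirrors the core of an IAM policy statement: an Effect plus the
// actions and resources it applies to. Both lists accept "*" wildcards.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}

// Policy is a policy document: a list of statements.
type Policy struct {
	Statement []Statement `json:"Statement"`
}

// Decision is the outcome of evaluating one request against all policies.
type Decision string

const (
	Allow        Decision = "Allow"
	ExplicitDeny Decision = "ExplicitDeny"
	ImplicitDeny Decision = "ImplicitDeny" // nothing allowed it: the default
)

// ParsePolicy decodes a JSON policy document.
func ParsePolicy(doc string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// wildcardMatch reports whether s matches pattern, where "*" matches any run
// of characters, including ":" and "/" (path.Match would stop at "/").
func wildcardMatch(pattern, s string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == s
	}
	if !strings.HasPrefix(s, parts[0]) {
		return false
	}
	s = s[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] {
		i := strings.Index(s, mid)
		if i < 0 {
			return false
		}
		s = s[i+len(mid):]
	}
	return strings.HasSuffix(s, parts[len(parts)-1])
}

func matchesAny(patterns []string, value string) bool {
	for _, p := range patterns {
		if wildcardMatch(p, value) {
			return true
		}
	}
	return false
}

// Evaluate applies the documented order: an explicit Deny in any applicable
// statement wins outright, otherwise any matching Allow grants the request,
// otherwise the request is denied by default.
func Evaluate(policies []Policy, action, resource string) Decision {
	decision := ImplicitDeny
	for _, p := range policies {
		for _, st := range p.Statement {
			if !matchesAny(st.Action, action) || !matchesAny(st.Resource, resource) {
				continue
			}
			if st.Effect == "Deny" {
				return ExplicitDeny
			}
			decision = Allow
		}
	}
	return decision
}

// EffectiveActions is a small policy-analysis helper: of the candidate
// actions, which would the policies allow on the given resource?
func EffectiveActions(policies []Policy, candidates []string, resource string) []string {
	var out []string
	for _, a := range candidates {
		if Evaluate(policies, a, resource) == Allow {
			out = append(out, a)
		}
	}
	sort.Strings(out)
	return out
}

// ReadOnlyReports and NoPayroll are constructed sample policies for this example:
// read access to a reports bucket, with payroll files explicitly carved out.
const ReadOnlyReports = `{"Statement":[{"Effect":"Allow","Action":["s3:Get*","s3:ListBucket"],"Resource":["arn:aws:s3:::reports","arn:aws:s3:::reports/*"]}]}`
const NoPayroll = `{"Statement":[{"Effect":"Deny","Action":["s3:*"],"Resource":["arn:aws:s3:::reports/payroll/*"]}]}`

func main() {
	p1, _ := ParsePolicy(ReadOnlyReports)
	p2, _ := ParsePolicy(NoPayroll)
	policies := []Policy{p1, p2}
	for _, req := range [][2]string{
		{"s3:GetObject", "arn:aws:s3:::reports/2024/q1.csv"},
		{"s3:GetObject", "arn:aws:s3:::reports/payroll/2024.csv"},
		{"s3:PutObject", "arn:aws:s3:::reports/2024/q1.csv"},
	} {
		fmt.Printf("%-12s %-40s %s\n", req[0], req[1], Evaluate(policies, req[0], req[1]))
	}
	fmt.Println(EffectiveActions(policies, []string{"s3:GetObject", "s3:GetObjectAcl", "s3:PutObject"}, "arn:aws:s3:::reports/2024/q1.csv"))
}
```

The deny statement is the least-privilege tool: the allow grants `s3:Get*` broadly, and the separate deny guarantees that no later allow, however wide, can reach the payroll prefix.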


What is Cybersecurity & Why Do We Need It

Cybersecurity is the practice of defending technical assets and data from malicious attack. This includes protecting computers, servers, mobile devices, electronic systems, networks, and corporate data. Cybersecurity encompasses:

- **Network security**, securing a computer network from intruders.
- **Application security**, keeping software and devices free of vulnerabilities, important because a compromised application can provide access to corporate data.
- **Information security**, protecting data in storage and in transit.
- **Operational security**, ensuring users have appropriate permissions when accessing a network and that data is stored and shared securely.
- **Disaster recovery and business continuity**, planning an adequate response to security incidents, data losses, or outages, as well as recovery in those instances. Business continuity is the plan the organization uses to keep operating while dealing with an incident.

### What is a cyber attack?

A cyber attack is an attempt to steal, alter, expose, disable, destroy, or simply gain unauthorized access to a computer system or network. Some common types of attacks include:

**Distributed Denial of Service (DDoS)** In which attackers overwhelm the targeted resource (such as a website or network) with superfluous requests, attempting to overload the servers so that some or all legitimate requests cannot be fulfilled. For example, the attacker may use many different IP addresses to send hundreds of thousands of "contact us" requests to a website, overwhelming the site and causing it to go down.

**Phishing** In which attackers obtain a set of phone numbers or email addresses and send a compelling message to all of them, hoping to get the user to click a link leading to a fake website where the user will enter their username and password. The attacker can then use the credentials to log in and capture data, steal money, etc.

**Spear phishing** In which attackers send carefully crafted and very believable messages to smaller groups of individuals. The messages are specifically relevant to this group of people and often include personal information the attackers have obtained (such as a colleague’s name or an event the individuals recently attended). The message then acts like a regular phishing attack.

**Keylogger** In which attackers manage to install a program on the user’s machine that captures keystrokes, including the usernames and passwords for specific sites, apps, etc.

**Credential stuffing** In which attackers take username/password pairs stolen in one breach and try them on many different websites or apps, hoping the user has reused the same credentials. (This works because users frequently reuse credentials across websites.)

**Brute force and reverse brute force attacks** In a brute force attack, attackers programmatically try many candidate passwords, generated from dictionaries and the patterns people typically use, against a single account. In a reverse brute force attack (also called password spraying), they try one or a few common passwords against many accounts, which keeps each account below its lockout threshold.

**Man-in-the-middle (MITM) attacks** In which attackers insert themselves between the user and an app or website. For example, a rogue access point might present what looks like a public Wi-Fi login page. The attacker then captures the user’s login credentials or hijacks the user’s session so they can take actions hidden from the user.

### What is a security incident and a security breach?

A security incident is an event that violates an organization’s security policies or procedures. Verizon’s 2016 Data Breach Investigations Report defines an incident as a “security event that compromises the integrity, confidentiality, or availability of an information asset.” A security breach is an incident that meets legal definitions at the state or federal level such that it qualifies as a data breach. Many state, federal, and compliance regulations require specific notifications in the event of a data breach, such as letting affected individuals or regulatory organizations know.

### How do you implement cybersecurity?

There are no cybersecurity silver bullets, but being proactive and attentive increases the chances of preventing or mitigating a security incident or breach. Protecting your business or organization from cyber attack requires coordinated activity on multiple fronts. The IT department in an organization generally “owns” cybersecurity, but every employee, vendor, supplier, and person who has access to corporate resources plays a role. Defending the organization requires efforts on at least three fronts:

- **Technology**—The right technical security tools are, of course, critical. Technical solutions should be implemented to protect on-prem networks and systems, cloud systems and apps, and all endpoints, i.e. devices, internet of things (IoT), routers, and any other entry points to your networks and systems. A Privileged Access Management (PAM) system and an Identity and Access Management (IAM) system are critical technologies.
- **Processes**—Staying diligent and successfully addressing potential or actual cybersecurity events can only happen if you have taken the time to define and roll out processes that support cybersecurity. These processes must be verified and updated regularly.
- **People**—If the people in your business ecosystem don’t follow the required processes and use the technology, you won’t be successful. Moreover, people are a frequent target of the most common types of cyber attacks. So educating everyone inside, and everyone who works with, your organization and ensuring they follow best practices, such as around password security, is mandatory to protect your organization.

These cybersecurity tools must be applied to a set of functions, as per the NIST Cybersecurity Framework:

- **Identify** potential cybersecurity risks and weak points in the organization.
- **Protect** from attack using the information determined in the identify phase.
- **Detect** any attacks or potential attacks in real time.
- **Respond** to attacks.
- **Recover** from the impact of an event.
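Detection logic for the credential-stuffing, password-spraying and brute-force patterns described above, as an added example and not code from the page: it parses a constructed authentication log and labels each source IP by whether its failures concentrate on one account or spread across many, and flags accounts that logged in successfully right after such a burst. The `key=value` line format, the IP addresses, usernames and thresholds are all assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed authentication log line.
type Event struct {
	Time    time.Time
	IP      string
	User    string
	Success bool
}

// ParseLine parses the constructed format used by SampleLog below:
// "<RFC3339 time> ip=<addr> user=<name> result=OK|FAIL".
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return Event{}, fmt.Errorf("short line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "ip":
			ev.IP = kv[1]
		case "user":
			ev.User = kv[1]
		case "result":
			ev.Success = kv[1] == "OK"
		}
	}
	if ev.IP == "" || ev.User == "" {
		return Event{}, fmt.Errorf("missing ip or user: %q", line)
	}
	return ev, nil
}

// Finding is one alert about a source IP.
type Finding struct {
	IP       string
	Kind     string   // "brute-force", "credential-stuffing" or "suspicious"
	Failures int      // most failures seen inside one window
	Users    int      // distinct accounts that failed from this IP
	HitUsers []string // accounts that succeeded after the burst: likely compromised
}

// Thresholds are assumptions for this example, not values from the page.
const (
	window      = 5 * time.Minute
	minFailures = 8 // failures inside one window before an IP is reported
	spreadUsers = 5 // distinct accounts that turn a burst into stuffing/spraying
)

// Detect groups failures by source IP inside a sliding time window and labels
// the pattern: many failures on one account is brute force, many accounts with
// a try each is credential stuffing or password spraying.
func Detect(events []Event) []Finding {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	type stats struct {
		recent []time.Time
		peak   int
		users  map[string]bool
		hits   map[string]bool
	}
	byIP := map[string]*stats{}
	for _, ev := range events {
		s := byIP[ev.IP]
		if s == nil {
			s = &stats{users: map[string]bool{}, hits: map[string]bool{}}
			byIP[ev.IP] = s
		}
		cut := ev.Time.Add(-window)
		for len(s.recent) > 0 && s.recent[0].Before(cut) {
			s.recent = s.recent[1:] // age out failures older than the window
		}
		if ev.Success {
			if len(s.recent) >= minFailures {
				s.hits[ev.User] = true // a guessed or stuffed credential worked
			}
			continue
		}
		s.recent = append(s.recent, ev.Time)
		s.users[ev.User] = true
		if len(s.recent) > s.peak {
			s.peak = len(s.recent)
		}
	}
	var out []Finding
	for ip, s := range byIP {
		if s.peak < minFailures {
			continue
		}
		f := Finding{IP: ip, Failures: s.peak, Users: len(s.users)}
		switch {
		case len(s.users) == 1:
			f.Kind = "brute-force"
		case len(s.users) >= spreadUsers:
			f.Kind = "credential-stuffing"
		default:
			f.Kind = "suspicious"
		}
		for u := range s.hits {
			f.HitUsers = append(f.HitUsers, u)
		}
		sort.Strings(f.HitUsers)
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

// Analyze parses raw log text and runs detection over it.
func Analyze(logText string) ([]Finding, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return Detect(events), nil
}

// SampleLog is constructed sample data (not a real log) in the format ParseLine expects.
func SampleLog() string {
	var b strings.Builder
	t0 := time.Date(2024, 5, 1, 10, 0, 0, 0, time.UTC)
	line := func(sec int, ip, user, result string) {
		fmt.Fprintf(&b, "%s ip=%s user=%s result=%s\n", t0.Add(time.Duration(sec)*time.Second).Format(time.RFC3339), ip, user, result)
	}
	line(0, "192.0.2.5", "alice", "FAIL") // an ordinary typo followed by success
	line(7, "192.0.2.5", "alice", "OK")
	for i := 0; i < 12; i++ { // one account hammered from one source
		line(10+i*3, "203.0.113.7", "bob", "FAIL")
	}
	for i, u := range []string{"carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"} {
		line(20+i*2, "198.51.100.9", u, "FAIL") // one try per account: stuffing or spraying
	}
	line(40, "198.51.100.9", "carol", "OK") // one of the stolen pairs worked
	return b.String()
}

func main() {
	findings, err := Analyze(SampleLog())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-14s %-20s failures=%d users=%d hits=%v\n", f.IP, f.Kind, f.Failures, f.Users, f.HitUsers)
	}
}
```

The success-after-burst rule is what turns a noisy alert into an actionable one: the spray from 198.51.100.9 is reported with `carol` as the account to reset and review, while the benign typo from 192.0.2.5 never crosses the threshold.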


What is Identity Governance & Administration

Identity Governance and Administration (IGA) joins the list of acronyms along with IAM and PAM. The term gained acceptance in 2013 after Gartner merged two of its Magic Quadrants, one addressing Identity Governance and the other Identity Administration, into the Magic Quadrant for Identity Governance and Administration.

IGA systems merge identity administration, which addresses administering accounts and credentials, provisioning, and managing entitlements, with identity governance, which addresses segregation of duties, role management, logging, and analytics and reporting.

IGA systems provide functionality beyond that of standard Identity and Access Management (IAM) systems. In particular, they help organizations meet compliance requirements and audit who has access to what for compliance reporting. They also automate workflows for tasks such as access approvals and provisioning/de-provisioning.

### Elements of IGA Systems

Identity governance and administration tools handle user identity lifecycle management. IGA systems generally include these elements for identity administration:

- **Password management** Through tools like password vaults or, more often, Single Sign-On (SSO), IGA systems ensure users don’t have to remember many different passwords to access applications.
- **Integrations** Connectors to directories and other systems that hold information about users, the applications and systems they have access to, and their authorization within those systems.
- **Access request management** Workflows that make it easier for users to request access to applications and systems and to get approvals.
- **Provisioning** Automated provisioning and de-provisioning at both the user and application level.
- **Entitlement management** The ability to specify and verify what people are allowed to do in various applications (such as add, edit, view, or delete data).

IGA systems generally include these elements for identity governance:

- **Segregation of duties** Rules that prevent risky combinations of access from being granted to one person. For example, the ability to both view a corporate bank account and transfer funds to outside accounts, which might let a user transfer money to a personal account.
- **Access review** Tools that streamline the review and verification (or revocation) of users’ access to different apps and resources. Some IGA tools provide discovery features that identify entitlements that have already been granted and surface them for review.
- **Role-based management** Defining and managing access through user roles.
- **Analytics and reporting** Tools that log activities, generate reports (including for compliance), and provide analytics to identify issues and optimizations.
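The segregation-of-duties and access-review elements above come down to one operation: testing a person's effective entitlements against a set of forbidden combinations, both before a grant (in the access-request workflow) and after the fact (in a review of the role model). The following is an added example, not OneLogin's code or that of any IGA product; the entitlement names, roles and SoD rules are constructed for illustration, including the bank-account/transfer-funds conflict the text uses.

```python
"""Segregation-of-duties (SoD) checks over roles and entitlements.

Added example, not the code of OneLogin or of any IGA product.  The
entitlement names, roles and SoD rules below are constructed for
illustration; a real IGA system would load them from its connectors.
"""
from itertools import combinations

# Constructed SoD rules: entitlements that one person must never hold together.
SOD_RULES = [
    {"id": "SOD-FIN-01",
     "conflict": {"finance:view_bank_account", "finance:transfer_funds"},
     "reason": "could move corporate funds to a personal account"},
    {"id": "SOD-PROC-01",
     "conflict": {"procurement:create_vendor", "procurement:approve_invoice"},
     "reason": "could approve invoices for a vendor they created"},
    {"id": "SOD-IAM-01",
     "conflict": {"iam:create_user", "iam:grant_admin"},
     "reason": "could create an account and make it an administrator"},
]

# Constructed role definitions: role name -> entitlements it grants.
ROLES = {
    "accounts_payable": {"finance:view_bank_account", "procurement:approve_invoice"},
    "treasury": {"finance:view_bank_account", "finance:transfer_funds"},
    "vendor_admin": {"procurement:create_vendor"},
    "helpdesk": {"iam:create_user", "iam:reset_password"},
    "iam_admin": {"iam:create_user", "iam:grant_admin"},
}


def effective_entitlements(role_names, direct=(), roles=ROLES):
    """Everything a person can do: the union of their roles plus direct grants."""
    ents = set(direct)
    for name in role_names:
        ents |= roles[name]
    return ents


def sod_violations(entitlements, rules=SOD_RULES):
    """Ids of every rule whose whole conflict set is held by this person."""
    held = set(entitlements)
    return [r["id"] for r in rules if r["conflict"] <= held]


def check_access_request(current_roles, requested_role, roles=ROLES, rules=SOD_RULES):
    """Preventive control run inside the access-request workflow.

    Returns (approve, new_violations).  Only violations that the new role
    would introduce block the request; pre-existing ones are the job of the
    detective access review below, not of this approval.
    """
    before = set(sod_violations(effective_entitlements(current_roles, roles=roles), rules))
    after = set(sod_violations(
        effective_entitlements(list(current_roles) + [requested_role], roles=roles), rules))
    new = sorted(after - before)
    return (not new, new)


def review_role_model(roles=ROLES, rules=SOD_RULES):
    """Detective control for an access review: which roles are toxic on their
    own, and which pairs of otherwise-clean roles conflict when co-assigned."""
    toxic_roles = sorted(name for name, ents in roles.items() if sod_violations(ents, rules))
    toxic_pairs = []
    for a, b in combinations(sorted(roles), 2):
        own = set(sod_violations(roles[a], rules)) | set(sod_violations(roles[b], rules))
        combined = set(sod_violations(roles[a] | roles[b], rules))
        if combined - own:          # a violation neither role has by itself
            toxic_pairs.append((a, b))
    return toxic_roles, toxic_pairs


if __name__ == "__main__":
    print(check_access_request(["accounts_payable"], "vendor_admin"))  # (False, ['SOD-PROC-01'])
    print(review_role_model())
```

Two points worth noticing: the preventive check only blocks violations the request would create, so a person who already holds a toxic combination is surfaced by the review, not silently approved or silently ignored; and the review flags the `treasury` role itself, because a role definition can violate SoD before anyone is assigned to it.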

SSO Checklist

It’s critical that your single sign-on (SSO) solution meets the basic requirements to support employees and IT needs. That means a solution that is secure and also easily usable: one that offers a seamless, one-stop authentication screen for all your applications and users. Use the checklist below to make sure that your SSO system offers the protection your company needs.

### Application integration

Does the SSO solution seamlessly integrate with all your applications?

- Supports all your cloud and SaaS apps
- Supports all your on-prem apps

### Open standards support

Does the SSO solution support the most common, widely used protocols that establish a trusted relationship between the identity provider and your applications?

- SAML
- OpenID Connect
- OAuth 2
- WS-Federation

### User community support

Does the SSO solution support all your user communities?

- Workforce (employees and contractors)
- Partners/vendors
- Customers

### Onboarding customers

If your customers need access, does the SSO system support commonly used consumer authentication methods?

- Facebook
- Google

### True SSO

Does the SSO solution allow true single sign-on, as opposed to password vaulting?

- User enters only one username and password to access all apps/sites
- User has to log in only once per day or session to gain access to all corporate apps/sites

### Enterprise access

Does the SSO solution integrate with your network access points?

- Integrates with VPN
- Integrates with Wi-Fi for app access
- Provides endpoints for integration with RADIUS and LDAP (commonly used authentication protocols)

### Reputation for security

Does the vendor adhere to the recommended security standards?

- SOC 2 Type 2
- ISO 27017
- ISO 27018
- ISO 27001
- Skyhigh Enterprise-Ready
- CSA STAR
- TRUSTe
- U.S. Privacy Shield
- GDPR
- EU Model Contract clauses
- NIST Cybersecurity Framework

### Internal security controls

Does the vendor take their own security seriously?

- Performs penetration tests and vulnerability patching
- Implements network scans
- Sponsors a bug bounty program

### Availability and disaster recovery

Does the SSO service consistently demonstrate high availability and prompt disaster recovery?

- Historical availability of over 99%
- Recent availability (last twelve months) of over 99%
- Uses multiple data centers in different regions
- Uses replication and redundancy across regions

### High usability

Is the SSO user interface simple enough that employees will embrace it?

- Provides a single portal of apps
- Integrates with all the common browsers
- Streamlines the app access process
- Makes it easy for users to reset their own passwords

### Mobile ready

Does the SSO solution provide dedicated support for mobile users?

- Provides SSO for mobile devices (via a native mobile app)
- Supports a variety of devices, via SAML and partnerships with MDM vendors
- Works with your multi-factor authentication (MFA) tool

### Flexible password rules

Does the SSO system support and enforce password requirements in a usable and effective manner?

- Lets you set password expiration times
- Enables you to set password complexity (length, characters, etc.)
- Provides expiration notifications (helping to reduce support tickets)
- Provides end users with the means to reset their own passwords
- Enforces MFA requirements for password resets

### Federation

Does the SSO solution allow you to continue using your existing corporate identity providers?

- Microsoft Active Directory
- Amazon Active Directory
- LDAP
- Google Directory
- Human Resource Management Systems (HRMS), such as Workday or SuccessFactors

### Advanced authentication

Does the SSO solution provide more than just plain authentication?

- Multi-factor authentication
- Adaptive authentication
- Automatic forced authentication for high-risk resources
- X.509-based certificates

### Reporting

Does the SSO solution provide reports that enable you to meet compliance requirements and enhance your security, based on threat data?

- Ability to externalize authorization events to third-party SIEM solutions
- Out-of-the-box reports and audit trails

### Scalability

Will the solution keep up with the growing and changing demands of your organization?

- Will it still perform efficiently if the number of users doubles?
- Does it support seamless integration with any number of apps, without compromising efficiency?

### Advanced requirements

Although any SSO solution should meet the basic requirements, organizations making a successful digital transformation usually choose solutions that meet advanced requirements. An advanced SSO solution ensures, from the start, that you aren’t behind the curve.

### Behavioral analytics

Does the SSO solution use behavioral analytics to intelligently adapt and respond?

- Allows blacklisting and whitelisting of geolocations and IPs
- Enables you to set responses to high-risk login attempts
- Allows you to set certain apps to require re-authentication (such as through MFA)
- Lets you define policies to identify high-risk behavior

### Manage authorization

Can the SSO solution manage authorization, through its integration with your identity provider(s)?

- Supports role-based access control (RBAC)
- Supports seamless provisioning and deprovisioning of users across different applications

### Developer support

Does the SSO solution provide APIs and documentation that let you enable single sign-on for your internal applications and third-party systems?

- SSO registration and life-cycle management APIs
- Software development kits (SDKs) for major platforms and languages
- Supports OpenID Connect

### Conclusion

A secure, user-friendly SSO solution can safeguard your applications and users while also boosting productivity and convenience. But remember that SSO is only a small part of an identity and access management solution. Digital transformation today relies on Identity and Access Management (IAM) platforms that include SSO, as well as other processes like MFA and directory integration.

Why is SSO Important?

Single sign-on (SSO) in the enterprise refers to the ability for employees to log in just one time with one set of credentials to get access to all corporate apps, websites, and data for which they have permission. SSO solves key problems for the business by providing:

- Greater security and compliance.
- Improved usability and employee satisfaction.
- Lower IT costs.

The proliferation of cloud apps and services in the enterprise, often in addition to on-prem ones, has created a significant fragmentation problem. Fragmentation is a challenge for IT and for users. IT must manage the many apps in the enterprise, as well as deal with shadow IT. Employees have to use more and more apps each day just to complete their work, which means logging in to and switching between multiple apps and websites. SSO helps to solve the enterprise fragmentation problem.

### Security and compliance benefits of SSO

Usernames and passwords are a primary target of cybercriminals. Every application that keeps its own password is another place for that password to be phished, guessed or leaked. SSO reduces the attack surface because users log in once per day or session with one set of credentials, and the individual applications never receive that password. One set of credentials is also one set to protect, which is why SSO is normally paired with MFA on the SSO login itself.

When employees have to use separate passwords for each app, they usually don’t. In fact, 59% use the same or similar passwords on multiple accounts. Thus, if an attacker gets access through one poorly secured website, they are likely to be able to access other corporate systems.

SSO helps with regulatory compliance, too. Regulations such as Sarbanes-Oxley require that IT controls are documented and that organizations prove that adequate methods are in place to protect data. SSO is one way to meet requirements around controlling and documenting data access.

SSO can also help with regulations, like HIPAA, that require effective authentication of users who access electronic records, and audit controls to track activity and access. Regulations like HIPAA also require automatic logoff of users, which most SSO solutions enable.

When SSO is part of an identity and access management (IAM) solution, it uses a central directory that controls user access to resources at a more granular level. This allows organizations to comply with regulations that require provisioning users with appropriate permissions. Unified access management (UAM) systems enable SSO with role-based access control (RBAC) and security policies. This type of SSO solution also deprovisions users quickly, or even automatically, another common compliance requirement meant to ensure that former employees, partners, or others can’t access sensitive data.

### SSO improves usability for employees

With the move to the cloud, employees are using more and more apps in the workplace. Requiring separate usernames and passwords for each app is a huge burden for employees and, frankly, is unrealistic. Single sign-on reduces that cognitive burden. Signing in once also saves time, thus improving employee productivity. Given that 68% of employees switch between ten apps every hour, eliminating multiple logins can save a company considerable time and money.

SSO solutions that are part of an identity and access management system usually have an app portal. To use an app, employees select it from the portal. If a user doesn’t have an app, they can request it through the portal and it is added with SSO enabled. It all happens quickly, so users who might be discouraged from requesting or using apps are more likely to use them.

### How SSO lowers IT costs

SSO lowers IT costs by saving time on password resets. When apps each require a different username and password for every employee, chances are high that employees will forget passwords, and that means help tickets for password resets pile up. With SSO, users have only one set of credentials to remember, reducing the number of help tickets. And most SSO solutions allow users to reset their passwords themselves, eliminating the need for IT involvement.

SSO that is part of a unified access management system takes advantage of a central directory to provision and deprovision users, making the process faster and cheaper. Policies can be defined based on user role, location, and other user traits. Employees, partners, and customers can be provisioned across multiple applications in one action, rather than separately for each application. Similarly, IT saves time on deprovisioning, which can be done in minutes instead of hours.

When enterprises implement a quality SSO solution, it adds security, improves usability, and saves time and money for the IT department.

Password Vaulting

A password vault, password manager or password locker is a program that stores usernames and passwords for multiple applications securely, in encrypted form. Users unlock the vault with a single “master” password; the vault then supplies the password for the account they need to access. Since users have to remember only one password, they are more likely to use long, unique passwords for each account that cannot easily be guessed or reused against them.

## Why Do I Need a Password Vault?

In organizations worldwide, people still use weak passwords, or reuse the same password across multiple accounts. Such practices let cybercriminals use stolen passwords to breach enterprise networks with little effort. Passwords for privileged accounts are particularly attractive to cybercriminals, since this one “key” unlocks many resources. The risk increases when organizations don’t manage their passwords properly. A password vault is one way for organizations to minimize the risk of password-based attacks.

## Password Vaulting and Privileged Access Management (PAM)

A password vault is a key element of [Privileged Access Management (PAM)](https://www.onelogin.com/learn/privileged-access-management). It is ideal for organizations that need to protect user accounts in a centralized manner. It is user-friendly, since users don’t have to remember multiple passwords; it helps enforce password best practices; and it protects the enterprise from outside threats.

PAM is best suited for enterprises that need to monitor, manage and protect privileged accounts. PAM isolates the control and use of privileged accounts with granular Role-based Access Control (RBAC) to minimize the risk of accidental or malicious credential misuse. PAM also lets organizations automatically generate audit logs and meet compliance requirements such as those of GDPR and ISO/IEC 27001.

PAM consists of a _password manager_, an _access manager_ to manage user access, and a _session manager_ to detect, prevent and terminate suspicious activity. Implemented as part of a broader cybersecurity strategy, PAM reduces the overall attack surface and mitigates security risks.

## Benefits of Using a Password Vault

The average cost of a data breach due to [compromised credentials](https://www.onelogin.com/blog/5-reasons-passwords-disaster) is [$4.37 million](https://www.ibm.com/security/data-breach). To prevent such losses, organizations need better ways to store their passwords. Here’s where a password vault comes in.

- **Safely store enterprise passwords.** A password vault is a secure way to manage and store enterprise passwords. Some vaults can auto-generate strong, unique passwords for each application.
- **User-friendly.** Users don’t have to remember a password for each account, just the one strong master password that unlocks the vault.
- **Prevent account compromise and data breaches.** Generated passwords are random and unique per account, so they cannot be guessed and a breach of one site does not expose the others.
- **Easy password resets.** It is easy to change a password if an account is hacked or a password is compromised.
- **Multiple login methods.** Some vaults support multi-factor authentication (MFA) on the master password, such as a one-time password (OTP) or a fingerprint, and some offer these as recovery paths if the user forgets the master password.
- **Threat alerts.** Certain vaults alert users about potential phishing attempts, so they can avoid clicking on malicious links or downloading malicious attachments in spoofed emails.
- **Sync across devices.** Some password managers sync credentials across multiple operating systems and devices, further simplifying the login process.

## Drawbacks of Using a Password Vault

- **Single point of failure.** If a cybercriminal gets hold of the master password (and the encrypted vault), they can steal all passwords in one go and compromise multiple accounts.
- **Vulnerable to malware.** If the master password is typed or saved on a computer infected with malware, every password the vault holds may be exposed.

## What is an Enterprise Password Manager?

An [enterprise password manager](https://www.onelogin.com/learn/enterprise-password-manager) is a centralized system with built-in security controls to prevent cybercriminals from abusing the organization’s passwords for malicious purposes. RBAC restricts password access based on a person's role, so employees can only access the accounts they need to perform their job. Enterprise password vaults encrypt passwords using standards like AES-256, include built-in random password generators, support automatic password resets, and allow administrators to enforce password policies. Some tools also come with MFA for added security.

Enterprise password vaults are of two types:

1. **Desktop-based.** Desktop-based vaults store passwords locally on one device. So, if the device is damaged, stolen or lost and there is no backup, the user loses all the passwords stored on it.
2. **Cloud-based.** A cloud-based password manager encrypts and stores passwords in the cloud, so users can access the vault from any device or browser.

## Browser-based Password Vaults vs Dedicated Password Vaults

Some web browsers ask users to create a master password before they add logins to the browser’s built-in vault. After setting up the master password, the user can unlock the browser’s vault to access all their accounts instantly. The vault holds the passwords for the duration of the session, synchronizes them across multiple devices, and auto-fills them as required.

One drawback of some browser vaults is that they lack an automated password generator, so the user must generate their own passwords. Users who need auto-generated strong passwords are better off using dedicated password vaults. A browser-based vault is convenient but not very secure: if a cybercriminal gets access to the user’s device and browser profile, they can log into all the saved accounts and apps. Unlike a dedicated password vault, a browser-based vault typically cannot proactively check for weak or reused passwords, or raise alerts if an account appears in a known breach.

## Can Password Vaults be Hacked?

Although a password vault is a secure way to store passwords, the passwords it protects are still exposed to brute-force guessing of the master password, phishing, keyloggers and other attacks. The loss or compromise of the master password can lead to the compromise of every account secured by the vault. A vault may be compromised if the device is infected with malware that records the master password as it is typed; the attacker then has full access to the vault’s contents. Vaults with weak encryption or weak key derivation from the master password, and vaults without MFA, are particularly vulnerable.

## Consequences of Losing the Master Password

If a user loses their master password, whether they can regain access depends on the vault. Some vaults offer no recovery at all: the user must delete the vault (after taking a backup), create a new one, and protect it with a new master password. Some vaults allow access with an OTP sent to the associated email account, after which the user must reset the master password; if they can’t access the email account either, they must delete the vault, losing all their passwords, and start over. The best way to prevent such problems is to keep the master password in a physically secure place. Some password managers also provide backup codes to change the password or get back into the vault. Again, it is crucial to store these codes in a safe location outside the vault.

## The Advantages of Single Sign-on over Password Vaults

When businesses start implementing stricter password policies, they often start with password managers so employees can store their passwords in an encrypted, relatively secure environment. But password managers have limits. Employees must add password management to their to-do list, and a vault still requires users to log into each app, which can add up to a lot of wasted time. For these reasons, most organizations quickly outgrow password managers.

[Single Sign-on (SSO)](https://www.onelogin.com/learn/how-single-sign-on-works) is a secure solution that allows users to log into multiple accounts, both on-prem and cloud, just once using one set of credentials. It thus provides more seamless and secure access across multiple systems. SSO is usually part of an [Identity and Access Management (IAM) solution](https://www.onelogin.com/learn/iam) that uses the company’s directory, such as Microsoft Active Directory, Azure Active Directory, or a directory provided by the SSO solution. It also uses standard, widely accepted protocols, such as SAML or OAuth, and technologies like digital certificates to provide enterprise-level security.

SSO is more secure than password vaults, since it reduces the frequency of logins and the number of credentials stored. Further, passwords are not passed around: after login, the SSO service passes signed tokens to the app or website requesting authentication, so the app never sees the user’s password. This reduces the attack surface and minimizes the possibility of cyberattacks. SSO is also easier to use than password vaults and eliminates the need to maintain multiple passwords, easing the burden on users.
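The last paragraph is the whole security argument for SSO over vaulting: the application gets a signed, short-lived, app-specific token, not a password. The following is an added example, not OneLogin's code and not a SAML or OpenID Connect implementation; it shows the minimum an identity provider and an application need for that hand-off to be safe, using the compact HMAC-signed token format of a JWT (HS256). The signing key, issuer, audience and user record are constructed values.

```python
"""Token-based single sign-on, reduced to its essentials.

Added example, not OneLogin's code and not a SAML or OpenID Connect
implementation: the identity provider (IdP) checks the password once and
issues a short-lived token in the compact, HMAC-signed form of a JWT
(HS256); each application (the service provider, SP) verifies the token and
never sees the password.  The key, issuer, audience and user record are
constructed values; a production IdP would sign with an asymmetric key
whose public half the SPs fetch.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"                 # constructed
SIGNING_KEY = b"constructed-shared-secret"      # constructed; shared with the SP
_SALT = b"constructed-salt"
# Constructed user store: username -> (salt, PBKDF2 hash of the password).
USERS = {"alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 100_000))}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates the user once, then vouches for them with signed tokens."""

    def __init__(self, issuer, signing_key, users):
        self.issuer, self.key, self.users = issuer, signing_key, users

    def authenticate(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, expected = record
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(derived, expected)

    def issue(self, username, audience, ttl=300, now=None):
        """Token for one application: who (sub), for which app (aud), until when (exp)."""
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl}
        signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                         + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
        signature = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(signature)


def verify_token(token, key, issuer, audience, now=None):
    """The SP side.  Returns (claims, None) on success or (None, reason).
    The signature is checked before any claim is trusted, and the SP insists
    on the algorithm it expects rather than the one named in the token."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:
        return None, "malformed token"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    try:
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return None, "malformed token"
    if not isinstance(claims, dict):
        return None, "malformed token"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    if claims.get("aud") != audience:
        return None, "wrong audience"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    return claims, None


IDP = IdentityProvider(ISSUER, SIGNING_KEY, USERS)

if __name__ == "__main__":
    # The user proves the password to the IdP once ...
    assert IDP.authenticate("alice", "correct horse battery")
    # ... and each app gets a token, not the password.
    token = IDP.issue("alice", audience="crm")
    print(verify_token(token, SIGNING_KEY, ISSUER, "crm"))
```

The audience check is what stops a token issued for one application from being replayed against another, and the short `exp` bounds how long a stolen token is useful; both are checks that real SAML and OIDC libraries perform and that a hand-rolled verifier most often forgets.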

What Type of Attacks Does MFA Prevent?

In 2020, cybercrime cost the world over $1 trillion, 37% of organizations were affected by ransomware attacks, and [61% were affected by malware attacks](https://www.comparitech.com/antivirus/malware-statistics-facts/). These facts show that organizations have to deal with many serious cybercrimes. To protect their networks, systems and data, they need robust cybersecurity controls and methods like [Multi-Factor Authentication (MFA)](https://www.onelogin.com/learn/what-is-mfa). But what types of cyberattacks does MFA protect against? - Phishing - Spear phishing - Keyloggers - Credential stuffing - Brute force and reverse brute force attacks - Man-in-the-middle (MITM) attacks ## MFA for Stronger Cybersecurity Traditional single-factor authentication systems require users to provide only one verification factor, i.e. the password, to access a system or application. Hackers can easily steal these passwords, and hack into an enterprise system. MFA systems require two or more factors to verify a user’s identity and grant them access to an account. MFA provides reliable assurance that an authorized user is who they say they are, thus minimizing the possibility of unauthorized access. For these reasons, MFA is much more effective at protecting systems compared to passwords. ## How Do Different Kinds of Cyberattacks Work? To understand how MFA protects against cyberattacks, let’s first review how these cyberattacks work: **Phishing** In 2020, [75% of organizations worldwide](https://www.proofpoint.com/us/resources/threat-reports/state-of-phish) experienced a phishing attack. Phishing was also the most common attack seen in data breaches. In a phishing attack, email is used as a weapon. The cybercriminal pretends to be someone the intended victim would normally trust such as a government organization or bank. The attacker then creates a fake email with a malicious attachment or link that looks like it came from the trusted organization. 
The purpose is to fool the victim into taking some action that benefits the attacker. For example, they may be told to log in with their credentials and make some transactions on the provided (fake) link. The attacker steals the user’s credentials, logs into the real website while pretending to be the user, and steals the user’s money. In _Spear Phishing_, the attacker targets specific individuals or organizations with well-crafted, believable and relevant messages. They often use personalized content, such as the user’s name, or refer to a recent user action (e.g. online purchase) or event (e.g. wedding) to make the message more believable. Like phishing, spear phishing emails also include a compelling call to action, usually to trick users into providing sensitive data, e.g. their account credentials or financial information. _Whaling_ is a type of focused spear phishing that targets a senior or high-profile victim, such as a C-suite leader. Such individuals tend to be more cyber-aware, so “normal” phishing tactics usually don’t work on them. As a result, adversaries use more sophisticated methods and tailored fraudulent messages that are personally addressed to the victim. The attackers use urgency to compel the victim to take some action, such as open an attachment that installs malware, or trigger a wire transfer. **Keyloggers** A _keylogger_ is a type of monitoring program or spyware. Cybercriminals install keyloggers on a victim’s device, often via a virus. The program captures every keystroke the victim makes and records their usernames, passwords, answers to security questions, banking and credit card details, sites visited, and more. Cybercriminals then use this sensitive information for malicious purposes. 
**Brute Force, Dictionary and Credential Stuffing Attacks** In a _Brute Force attack_, the cybercriminal uses a program to generate and use many possible username/password combinations, hoping that at least one will help them gain access to an enterprise system. Brute force attacks are very common and provide many benefits to cybercriminals: - Place spam ads on websites to make money when the ad is clicked or viewed - Infect a site’s visitors with activity-tracking spyware, steal their data, and sell it to marketers (or on the dark web) - Hack into user accounts to steal personal data, financial data, or money - Spread malware or hijack enterprise systems to disrupt operations In a _reverse brute-force attack_, the attacker tries common passwords, e.g. “password” or “123456” to try to brute-force a username and gain access to many accounts. _Dictionary attacks_ are a common type of brute force attack, where the attacker works through a dictionary of possible passwords and tries them all to gain access. A _credential stuffing attack_ is a type of brute force attack that also takes advantage of passwords. Many people often use the same username and/or password on multiple accounts. Attackers take advantage of this fact to perpetrate credential stuffing attacks where they steal credentials, and try to use them to access many accounts. Sometimes they may obtain credentials from one organization, either through a data breach or from the dark web, and use them to access user accounts at another organization.They hope that at least some of the same credentials will enable them to: - Sell access to compromised accounts - Steal identities - Perpetrate fraud - Steal sensitive enterprise information, e.g. business secrets, Personally Identifiable Information (PII), financial information, intellectual property, etc. - Spy on the enterprise (corporate espionage) **Man-in-the-Middle Attacks** In an MITM attack, the attacker eavesdrops on a user’s connection with another party. 
They observe or intercept communications between these parties to steal the user’s credentials or personal information, corrupt data, or hijack the session to sabotage communications. ## How MFA Combats Common Cyberattacks All these cyberattacks involve obtaining account credentials. MFA requires users to provide additional information or credentials to gain access to an account. So, even if an attacker does manage to steal passwords, it’s unlikely that they will also be able to steal or compromise the additional authentication factors required in MFA. That’s why MFA can thwart cybercriminals and successfully combat many types of cyberattacks, including: **Phishing, Spear Phishing and Whaling** An attacker may launch a phishing attack to steal a user’s credentials. But, if the user’s account is protected by MFA, the attacker won’t be able to access it. This is because a phishing email won’t provide the other authentication factors, such as one-time passwords (OTPs) sent to a different device (e.g. a mobile phone), fingerprints, or other biometric factors required to gain access to the system. In attacks where the attacker tries to trick a user into entering their credentials, certain types of MFA such as WebAuthn require the user to enter a yubikey or fingerprint from the system they’re logging in from. These details cannot be captured by the attacker, thus protecting the system and user. **Keyloggers** Keyloggers can capture any passwords entered into a system. But if MFA is enabled, it’s not enough for the hacker to simply get access to the password. In order to log in, they also need access to the other authentication factors. For instance, if MFA is set up with a mobile authenticator app, the authorized user simply needs to sign in with the mobile device and accept the auth request. Without access to this secondary device, cybercriminals cannot hack in, even with a keylogger installed on the user’s system. 
**Credential Stuffing**

MFA is a very effective approach to neutralizing credential stuffing attacks, in which cybercriminals automatically and simultaneously try a list of stolen usernames and passwords on multiple sites. With MFA, the cybercriminal would need additional pieces of information to authenticate and log in. Since they won’t have access to this information, they cannot gain unauthorized access to the organization’s systems.

**Brute Force Attacks**

An attacker may manage to find a working username and password with a brute force, reverse brute force, or dictionary attack. However, they don’t know or have the other authentication factors required by the MFA system, so they cannot access the system.

**MITM Attacks**

MFA can also combat more sophisticated attacks, such as MITM (man-in-the-middle) attacks. Even if a hacker or malicious program inserts itself into the interaction between users and applications and captures the information users enter, MFA would require users to supply credentials from a different device. This can prevent eavesdroppers from intercepting or manipulating communications between the user and the application.

Push-based authenticators, such as mobile phone authenticators, are well suited to providing a secure MFA mechanism without inconveniencing users. For example, suppose a user has logged into an account from her laptop, which has been compromised by a MITM program. Since the business has set up MFA, the user must use a phone app, such as [OneLogin Protect](https://www.onelogin.com/product/one-time-password), to complete her login. The native mobile authenticator app sends a code from the phone to the authentication system to securely complete the login. Since the hacker doesn’t have access to the user’s phone or the one-time code generated by the app, the breach is prevented.

The Web Authentication API (also known as WebAuthn) provides an extra layer of security when users try to access web applications. Authentication is backed by a Hardware Security Module, which can safely store the private key that only the authorized user has access to. WebAuthn relies on strong public-key cryptography instead of weak passwords to authenticate authorized users and mitigate the threat of MITM attacks.

## How Does MFA Prevent Ransomware/Extortionware?

Ransomware (extortionware) is another growing cybersecurity problem for organizations. For example, in the US, cybersecurity attacks increased by 139% between 2019 and 2020. In fact, there were a staggering 145.2 million cases in Q3 2020 alone. Ransom payouts also increased by 311% to nearly [$350 million in cryptocurrencies](https://blog.chainalysis.com/reports/ransomware-ecosystem-crypto-crime-2021).

Ransomware is a type of malware that an attacker stealthily installs on a user’s system. The program encrypts the user’s files or data. To decrypt these locked files and restore the user’s access, the attacker demands a ransom from the victim.

In addition to combating common cyberattacks, MFA is also effective at preventing ransomware attacks. Ransomware attacks start when an attacker gains access to account credentials. With MFA, the attackers don’t have the additional information required to access the target account. This keeps them out of the system and prevents the attack. Further, unauthorized login attempts will raise an alert when IT admins start getting unexpected MFA authorization requests. They can then take immediate action to keep these attackers out.

By using MFA, organizations can prevent ransomware attacks and protect themselves from expensive extortion demands. For this, context-aware, adaptive MFA solutions like [OneLogin’s SmartFactor Authentication™](https://www.onelogin.com/product/smartfactor-authentication) are highly effective. SmartFactor Authentication analyzes a broad range of inputs, such as user location, device, and behavior, to adjust the number of authentication factors needed to log in. Equally important, it assesses the risk level for each login and then dynamically adjusts the authentication requirements in real time. It thus reliably secures the organization from ransomware attacks.

## Conclusion

MFA cannot guarantee foolproof security or stop all cyberattacks. However, it can help protect high-value systems and accounts, secure email access, and limit the usefulness of stolen credentials. Most importantly, MFA adds additional layers of authentication to protect systems and combat many types of cyberattacks. MFA is also critical to achieving [Zero Trust](https://www.onelogin.com/learn/zero-trust), the most reliable cybersecurity approach in the modern cyberthreat landscape.

READ MORE

What is Adaptive Authentication?

Standard authentication methods, including Multi-Factor Authentication (MFA), ask users for specific credentials whenever they try to log in or access corporate resources. Adaptive Authentication asks for different credentials, depending upon the situation—tightening security when the risk of breach is higher.

When users always log in with standard credentials, such as a username and password, it makes them vulnerable to cyberattack. Authentication tools for identity and access management, such as MFA, provide better security by requiring additional credentials, such as a code generated from a smartphone app. More factors help, but it’s still too easy for cybercriminals to acquire or hack the user’s various credentials and then use them to gain access. Adaptive authentication intelligently changes the requirements, making it much harder for a hacker to gain access to the enterprise, because some of the signals that are used are difficult for an attacker to circumvent.

#### How does adaptive authentication work?

When you implement risk-based authentication in your organization, you determine the baseline login requirements for a given user or set of users. You might have stricter requirements for users in certain locales or users in roles that permit them access to sensitive information.

Adaptive authentication works by creating a profile for each user, which includes information such as the user’s geographical location, registered devices, role, and more. Each time someone tries to authenticate, the request is evaluated and assigned a risk score. Depending on the risk score, the user may be required to provide additional credentials or, conversely, allowed to use fewer credentials. For example, if a user tries to access applications via an unregistered device, they may be prompted to register it. If the user logs in from a geographical location other than their office, they may have to answer a security question.

IT determines the response to requests with different risk scores. In any given scenario, the user may be allowed to authenticate, may be prevented from accessing, or may be challenged to prove his or her identity.

#### Adaptive authentication and machine learning

Most risk-based authentication solutions use machine learning. The algorithms in these tools monitor and learn user behavior over time to build an accurate profile of a given user’s login patterns. They may track devices, typical user login times, or usual work locations. They check IP addresses and network reputations, in addition to threat data for those networks. Adaptive authentication solutions assign a risk score based on behavior and context, and they respond to the perceived risk based on the rules established by IT. These rules may vary by risk score, user role, location, device, and more.

Using artificial intelligence (AI), advanced authentication is evolving to monitor in real time and to identify anomalies in the user’s authentication patterns, or even threats in the authentication path (such as compromised networks). The most advanced adaptive authentication solutions automatically adjust the authentication requirements based on the risk score and IT policies. They might require few or no additional challenges for users whose risk score is low. They might add multiple challenges—a one-time password plus biometrics, for instance—for someone whose risk score is high. These advanced solutions may even restrict or deny the user access based on the risk score and IT policies.

#### Benefits of adaptive authentication

As well as adding security, adaptive authentication reduces the friction for users trying to get their work done. Standard MFA defines login requirements that may be onerous—requiring the user to always enter a name, password, and a code from an app, or requiring users to answer a security question when authenticating outside the office. Adaptive authentication can request less information from users who are recognized and behaving in expected ways. It only queries users for more information occasionally, when circumstances suggest a greater security risk. This means fewer interruptions for users, lower barriers to entry, and greater security.
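The profile-score-response loop described above, as an added example that is not the page’s own code or any vendor’s product logic: a user profile (registered devices, usual countries, role) and IT-defined rules turn a login request into a risk score, and the score into allow, step-up or deny. The signal weights, thresholds, role names and sample logins are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Constructed IT policy: a weight per risk signal and the score at which each response applies.
SIGNAL_WEIGHTS = {"unregistered_device": 30, "unusual_location": 25, "unusual_hour": 10,
                  "bad_network_reputation": 40, "sensitive_role": 15}
THRESHOLDS = {"step_up": 25, "strong_step_up": 50, "deny": 80}


@dataclass
class UserProfile:
    """What the adaptive engine has learned about a user or been told by IT."""
    user: str
    role: str
    registered_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    usual_login_hours: FrozenSet[int] = frozenset(range(7, 20))   # 07:00 to 19:59

@dataclass
class LoginRequest:
    user: str
    device_id: str
    country: str
    hour: int                  # local hour of the attempt, 0-23
    network_reputation: str    # "good" or "bad", e.g. from a threat-intelligence feed

@dataclass
class Decision:
    score: int
    signals: List[str]
    action: str                # "allow", "step_up", "strong_step_up" or "deny"
    required_factors: List[str]


def evaluate_signals(profile: UserProfile, req: LoginRequest) -> List[str]:
    """Compare the request with the user's profile and name every risk signal raised."""
    signals = []
    if req.device_id not in profile.registered_devices:
        signals.append("unregistered_device")
    if req.country not in profile.usual_countries:
        signals.append("unusual_location")
    if req.hour not in profile.usual_login_hours:
        signals.append("unusual_hour")
    if req.network_reputation == "bad":
        signals.append("bad_network_reputation")
    if profile.role in {"finance", "admin"}:
        signals.append("sensitive_role")       # stricter baseline for sensitive roles
    return signals


def decide(profile: UserProfile, req: LoginRequest) -> Decision:
    """Score the signals and apply IT's score-to-response rules."""
    signals = evaluate_signals(profile, req)
    score = min(100, sum(SIGNAL_WEIGHTS[s] for s in signals))
    factors = ["password"]
    if score >= THRESHOLDS["deny"]:
        return Decision(score, signals, "deny", [])
    if score >= THRESHOLDS["strong_step_up"]:
        factors += ["otp_push", "biometric"]    # high risk: one-time password plus biometrics
        action = "strong_step_up"
    elif score >= THRESHOLDS["step_up"]:
        # Moderate risk: one extra challenge, chosen by which signal fired.
        factors.append("device_registration" if "unregistered_device" in signals
                       else "security_question")
        action = "step_up"
    else:
        action = "allow"                        # recognised user behaving as usual
    return Decision(score, signals, action, factors)


# Constructed sample profile and login attempts.
ALICE = UserProfile("alice", "engineer", {"laptop-01"}, {"US"})
ATTEMPTS = {
    "usual": LoginRequest("alice", "laptop-01", "US", 10, "good"),
    "new_device": LoginRequest("alice", "phone-99", "US", 10, "good"),
    "travel": LoginRequest("alice", "phone-99", "FR", 10, "good"),
    "travel_bad_network": LoginRequest("alice", "phone-99", "FR", 3, "bad"),
}


def run_demo() -> Dict[str, Decision]:
    return {name: decide(ALICE, req) for name, req in ATTEMPTS.items()}


if __name__ == "__main__":
    for name, d in run_demo().items():
        print(f"{name:20} score={d.score:3} action={d.action:15} factors={d.required_factors}")
```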

READ MORE

MFA Checklist

It’s critical that your Multi-Factor Authentication (MFA) solution meets the basic requirements for secure identity and access management (IAM) solutions in a hybrid environment. Digital transformation today relies on a Unified Access Management (UAM) platform that includes at least basic MFA. Use the checklist below to make sure that your MFA solution offers the protection your company needs.

#### User Community Support

Does the MFA solution support all the user communities that access your sensitive data?

- Workforce (employees and contractors)
- Partners/Vendors
- Customers

#### Application Integration

Does the MFA solution work with the cloud and on-premises apps that are critical to your organization?

- Integration with cloud applications
- Integration with on-premises applications
- Integration with Human Resource Management Systems (HRMS), such as Workday or SuccessFactors
- Directory integration, such as Active Directory or LDAP

#### Enterprise Access

Does the MFA solution support the network access systems your organization uses or might use?

- VPN access
- Wi-Fi access
- SSH/RDP access
- RADIUS integration

#### Authentication Methods

Does the MFA solution support the authentication tools that your organization uses?

- Native mobile OTP authenticator (push-based)
- Offline time-based verification codes (TOTP)
- Hardware tokens, such as Yubico YubiKey
- X.509-based certificates
- Legacy authentication methods, such as SMS, security questions, or email

#### Flexible Authentication Policies

Does the MFA solution enable flexible and sophisticated authentication policies at a granular level?

- Granular policies for different identities, apps, devices, and contexts
- Definition of different policies for various identity communities or applications
- Customizable authentication flow
- Risk-based decisions

#### Developer Support

Does the MFA solution provide APIs and support for integration with your custom applications and third-party systems?

- MFA registration and life-cycle management APIs
- SDKs for major platforms and languages

#### Open Standards Support

Does the MFA solution support these popular, modern standards for secure connections to web applications?

- SAML
- OpenID Connect
- OAuth2

#### Reporting

Does the MFA solution provide reports that enable you to meet compliance requirements and enhance your security based on threat data?

- Ability to externalize authorization events to third-party SIEM solutions
- Out-of-the-box reports and audit trails
- Ability to effect system change based on authorization events
- Real-time information about access attempts

### Advanced Requirements

Although any MFA solution should meet basic requirements, organizations making a successful digital transformation usually choose solutions that meet advanced requirements. MFA is evolving quickly. An advanced MFA solution ensures, from the start, that you aren’t behind the curve.

#### Behavioral Analytics

Does the MFA solution use behavioral analytics to intelligently adapt and require different authentication factors?

- Familiarity signals
- Attack signals
- Anomalies (user behavior and context signals)
- Continuous authentication

#### Device Trust

Does the MFA solution take into account information about the device being used for authentication?

- Device health, including version, tampering, lock status, encryption, browser plug-ins, and more
- Device reputation
- X.509-based certificates
- Integration with mobile device management (MDM)

#### Users and Devices

Does the MFA solution support user access via multiple devices, and does it account for different types of users and user roles?

- Support for multiple devices
- Support for different user communities, such as employees, contractors, partners, IT administrators, and customers

#### General Considerations

Can you integrate the MFA solution with your custom apps and in your organization without having to replace or significantly modify existing solutions?

- Enables integration into your custom apps via an API
- Enables incorporation of MFA without the need to rip and replace other solutions

READ MORE

What is a Webhook?

## How Apps Communicate

Apps need to communicate with each other to save time, reduce errors, and improve user experiences. There are several ways apps can communicate. You may be familiar with one such method, the API (Application Programming Interface). Web APIs allow you to make a request over the internet to check for and send new data from one system to another. APIs can be used to perform certain actions, such as signing in with your social media account, completing a transaction with the “Pay with PayPal” option on a third-party site, and more. Another related, but very different, method of transferring information between applications is the webhook.

## What is a Webhook?

Apps use webhooks to communicate events to each other automatically. Unlike an API, webhooks do not require the administrator to manually submit a request when new information is needed. Instead, a webhook automatically broadcasts information to third-party systems, which can then use it to make event-driven decisions. A common use of a webhook is the way OneLogin leverages one to stream events to Security Information and Event Management (SIEM) tools. This enables IT admins to automatically receive updates on login activity, as well as risky user logins, without having to make an API request.

## How Does a Webhook Work?

The first step is to enter the URL on your web application where you want the webhook to send HTTP requests. Once an event occurs in the originating service, the webhook sees the event, collects the data, and sends it to the app via the URL you specified, in real time. This is similar to providing an email address or phone number to receive notifications about upcoming sales from your favorite brands.

You can use webhooks to:

- Receive an alert when a particular event occurs
- Ensure data synchronization across multiple web applications
- Customize or modify functionality in an application based on a specific event

## What is an Example of a Webhook?

Using webhooks can save you time, increase accuracy, and improve user satisfaction. Instead of having to retype user or event information, a webhook can automatically:

- Stream login events to your SIEM and analytics tools, like Sumo Logic and Splunk
- Post event notifications to Slack
- Send an email notification when a new user logs in with a new device
- Sync new members or membership updates with your CMS

## The Future of Webhooks

Webhooks are a very useful method of communicating events, such as login activity, from one application or system to another. However, this is primarily a one-way flow of information, and it requires setting up a server to catch, filter, and act on these webhooks. The burden is on IT and developer teams not only to maintain their own servers, but also to scale performance as login activity increases. As we move further towards cloud orchestration and greater demands for customization, teams need a low-code approach to make event-driven decisions at scale and remove the burden of maintaining the infrastructure necessary to support them.

## OneLogin Smart Hooks

OneLogin Smart Hooks is an exciting new concept that introduces next-gen extensibility. Unlike webhooks, Smart Hooks allow you to alter functionality within the OneLogin platform based on the occurrence of a specific event, rather than simply broadcasting a login event to a third-party application to take some action. Another benefit of Smart Hooks is that they are serverless, meaning OneLogin hosts and runs the custom code for you. There is no need to maintain additional servers or worry about performance or scale. Smart Hooks automatically scale with your user growth, providing greater customization and platform extensibility for even the most complex requirements.

For example, you can use a Smart Hook to dynamically assign a user policy that requires users to submit a biometric factor when they attempt to sign in from a mobile device. Another example may be to require an additional authentication factor when a user is using an older browser, or even to deny access for specific browser types. Perhaps you only want to allow specific factors when a user is traveling outside your home country, or need more granular control over factor enrollment workflows: all of this is now possible with Smart Hooks. We also have a growing list of sample hooks in our Postman collection, which includes a library of code examples, so that IT teams can quickly implement changes with minimal developer support required.

In summary, there are several different approaches to customizing and integrating your identity and access management platform with other systems or applications. Whether it’s through traditional webhooks or an API, each should be evaluated based on the available resources on your team and the goal you are trying to achieve. With Smart Hooks, you can build custom workflows and integrations using serverless code to meet your business’s access security needs faster. To learn more about OneLogin Smart Hooks, visit our Smart Hooks product page.
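The receiving end of the webhook flow described under "How Does a Webhook Work?" and the SIEM use case, as an added example that is not OneLogin’s code: the server behind the registered URL checks that the delivery came from the registered sender, forwards every login event to the SIEM stream, and raises an alert for risky logins. The event fields, the `X-Signature-SHA256` header, the shared secret and the risk threshold are constructed assumptions, since the page specifies neither a payload format nor a signing scheme.

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Tuple

# Constructed shared secret, agreed with the sending service when the webhook URL was
# registered, so deliveries that did not come from that service can be rejected.
WEBHOOK_SECRET = b"constructed-demo-secret"
SIGNATURE_HEADER = "X-Signature-SHA256"   # assumed header name, not a documented field
RISK_ALERT_THRESHOLD = 70                  # constructed policy value


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the raw body, hex-encoded, as the sender would compute it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook(headers: Dict[str, str], body: bytes) -> Tuple[int, Dict[str, List[dict]]]:
    """Validate one delivery and route its events. Returns (HTTP status, routed events)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    provided = hdrs.get(SIGNATURE_HEADER.lower(), "")
    if not hmac.compare_digest(provided, sign(body)):
        return 401, {"alerts": [], "siem": []}   # not from the registered sender
    try:
        events = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"alerts": [], "siem": []}
    if not isinstance(events, list):
        return 400, {"alerts": [], "siem": []}
    routed: Dict[str, List[dict]] = {"alerts": [], "siem": []}
    for ev in events:
        routed["siem"].append(ev)               # every event is forwarded to the SIEM
        if ev.get("event_type") == "user_login" and ev.get("risk_score", 0) >= RISK_ALERT_THRESHOLD:
            routed["alerts"].append({"user": ev.get("user"), "reasons": ev.get("risk_reasons", [])})
    return 200, routed


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP endpoint: the URL registered with the sending service POSTs here."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, routed = handle_webhook(dict(self.headers), body)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(json.dumps({"alerts": len(routed["alerts"])}).encode())


# Constructed sample delivery: two login events, one of them risky.
SAMPLE_EVENTS = [
    {"event_type": "user_login", "user": "alice", "ip": "203.0.113.10",
     "risk_score": 15, "risk_reasons": []},
    {"event_type": "user_login", "user": "bob", "ip": "198.51.100.7",
     "risk_score": 85, "risk_reasons": ["new_device", "unusual_location"]},
]
SAMPLE_BODY = json.dumps(SAMPLE_EVENTS).encode()


def demo() -> Tuple[int, Dict[str, List[dict]]]:
    """A correctly signed delivery, as processed by the handler."""
    return handle_webhook({SIGNATURE_HEADER: sign(SAMPLE_BODY)}, SAMPLE_BODY)


def demo_forged() -> int:
    """The same body with a wrong signature is rejected before it is parsed."""
    status, _ = handle_webhook({SIGNATURE_HEADER: "00" * 32}, SAMPLE_BODY)
    return status


if __name__ == "__main__":
    print(demo(), demo_forged())
    # To listen for real deliveries: HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```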

READ MORE

Secure Cloud-Native Computing with IAM

Cloud-native computing refers to creating and running software that leverages the unique benefits of cloud computing. Unlike traditional software built to run on a server, software developers architect cloud-native apps to run on cloud-based services. Since a ‘decoupled’ architecture forms the central theme of a cloud-native solution, [Identity and Access Management (IAM)](https://www.onelogin.com/learn/iam) plays a vital role. Following a [Zero Trust](https://www.onelogin.com/learn/zero-trust) approach, a secure cloud-native application needs to authenticate and authorize every workload and component that forms the solution.

## What is cloud-native computing?

The core theme of cloud-native computing is building applications with the intent of running them on cloud services. This architectural shift from traditional application development means developers can leverage the advantages that come with cloud-based services. For instance, the cloud-native development philosophy incorporates the concepts of development and operations (DevOps), continuous integration and continuous delivery (CI/CD), microservices, and container-based architectures.

An excellent example of a cloud-native computing solution is Netflix. As the service offers its [207 million paid subscribers](https://www.statista.com/statistics/250934/quarterly-number-of-netflix-streaming-subscribers-worldwide/) a complex set of features, it takes advantage of a host of cloud-based technologies. Due to its unique requirement to provide streaming services to an exponentially increasing user base, Netflix embarked on a cloud migration strategy in 2008. A significant database corruption was the catalyst, as the company realized the only way to keep providing quality services to an expanding subscriber base was to leverage the highly reliable, scalable, and distributed systems the cloud offers. Moving Netflix to a cloud-native application also allowed the company to evolve rapidly and add new features. For instance, it uses artificial intelligence and machine learning algorithms to personalize its subscribers’ user experience with recommendations and subtitle translation.

## What is a cloud-native app?

As its name suggests, a cloud-native app is an app built to run exclusively on cloud services. This allows developers to architect a decoupled solution where different application components run on the relevant cloud service. For instance, in the Netflix example, the user-facing capabilities would run on the cloud platform’s web application services. Likewise, its network streaming would leverage the cloud platform’s networking solutions, and its recommendation engine would use the machine learning service. This architecture differs from a traditional legacy application, where all the logic and functionality run on managed infrastructure owned by the organization. With a cloud-native app, the various components run on highly available and scalable services that the cloud platform manages on your behalf.

## What is cloud-native architecture?

A cloud-native architecture uses a cloud-first model to architect technology solutions. When formulating solutions, architects take a modular approach to leverage the various cloud services their application will consume. If we compare a cloud-native architecture to a traditional software application design, the differences lie in the infrastructure and services that host the application.

For instance, take a regular web application that has a front-end, a business logic layer, and a database. In a traditional architecture, the developers write code that allows each of these components to run on a separate server or set of servers. With a cloud-native architecture, the architect breaks down each application layer into a set of services. For example, the front-end may consist of a web page built with HTML, CSS, and JavaScript. It may also contain a collection of images and some functionality that enables a user to log in to the app. The logic layer may consist of several components that each process information or call external services. Using a cloud-native approach, the architect builds the solution and aligns each functional part with a relevant cloud service. Conversely, a traditional architecture has all of these components residing on the same infrastructure managed by the organization. The table below illustrates the differences between a cloud-native and a traditional architecture for the same type of app.

| Architectural Layer | Traditional Architecture | Cloud-native Architecture |
| --- | --- | --- |
| Front-end | Web front-end technologies (HTML, CSS, and JavaScript) and images hosted on the same web server. | Web front-end code deployed to cloud-managed platforms. For instance, HTML, CSS, and JavaScript code deployed to a managed web app service, and images deployed to a Content Delivery Network. |
| Business Logic and Integration | A single server or cluster of servers hosts the code that runs the business logic. Integration code runs on the same server or cluster of servers, sending and receiving data from external services. The organization typically manages all aspects of the infrastructure, including the operating system and hardware. | The business logic functionality is aligned with the relevant cloud service that meets each object’s requirements. For example, you may have Java code running on a serverless function app and Python code running in a container. The cloud provider manages the underlying infrastructure. The organization is only responsible for its code and the configuration of the cloud service. |
| Database | The solution’s database and all data-related functionality are hosted on a dedicated server or cluster of servers. The organization manages every aspect of the infrastructure, including the hardware, operating system, and software. | The solution’s data component is hosted on the relevant cloud data service. For example, an SQL service hosts the relational database component, and any reporting leverages the cloud provider’s reporting platform. The cloud provider manages every aspect of the infrastructure, including the hardware, operating system, and software. The organization is only responsible for its data and the configuration of the cloud data service. |

## Business benefits

By building, deploying, and managing cloud-native apps, organizations can take advantage of the cloud’s inherent benefits. For instance, cloud services give you the flexibility to pay only for the services you consume. This computing model is far more cost-effective than hosting apps on traditional on-premises hardware. Furthermore, cloud services also provide on-demand elasticity, allowing you to scale resources as demand from your users increases or decreases. For example, if your front-end needs more computing resources as demand increases, cloud platforms allow you to quickly and easily add infrastructure. You could also automate this process to scale up resources when demand increases and scale them back down when it dissipates.

In addition to pay-per-use and elasticity, cloud services offer increased automation and simplify the change management process. Together, these benefits give organizations better management of complex solutions and the ability to deliver features and enhancements with improved velocity. For instance, since a cloud-native solution typically uses a modular, decoupled architecture, making a change or adding a capability poses less risk than in a traditional application. It is also far more straightforward. As the part you are changing is decoupled from the rest of the application, you can apply the new code quickly and test only the points and features that integrate with it. In a traditional application, you need to refactor the code and then retest it end-to-end, as it is architected as a single solution.

Because of the modular approach used in its architecture, a cloud-native app also allows for much greater flexibility. As you can deploy your app across a range of disparate services, technology lock-in is not a risk. For instance, you could deploy some of your code on a Java function app and other parts of your solution on a container running Python. You could even leverage a multi-cloud approach, running some workloads on one provider’s platform and others on a different cloud. This flexibility gives organizations the freedom to innovate and deploy new features quickly. By not being tied to a particular technology or platform, they can leverage any cloud service that meets their requirements.

## Is cloud-native computing secure?

Due to its decoupled nature, cloud-native computing requires a holistic, integrated approach to security. Architects that create cloud-native solutions need to consider securing every component and layer of their architecture. These components include the network, the various containers, microservices, and databases hosting the app and its data, and the app itself. Ideally, the architect should configure the security for each component and layer so that each solution module can run in isolation with complete protection.

One of the core benefits of a cloud-native app is its flexibility, in that you can move various components to different services as the need arises. This flexibility dictates that the security of a particular element must accompany it to any platform. Furthermore, as cloud-native computing relies on thousands of connections between standalone services with complex automation, the security architecture must secure the transit points. It needs to protect the data in transit as well as the endpoints. This complexity increases further if your application also consumes data from other third-party cloud services.

So, even though cloud-native has several advantages that make it the model for software development moving forward, securing it requires a fresh approach. Instead of securing the traditional perimeter, as you would with a legacy architecture, you need a decentralized security model that secures each component independently and the solution as a whole.

## The role of IAM in cloud-native computing

As mentioned, since each component works independently in a loosely coupled fashion, ensuring the confidentiality and integrity of your application and its data is vital. For example, every connection to or from a service needs authentication. Furthermore, once authenticated, the connecting service or component also requires authorization to ensure it can access only the features it needs for its function. Since the entire model of a cloud-native application is decentralized, the solution that manages its authentication and authorization should also be independent.

A cloud-based, independent IAM solution offers the features that can help you manage security in a cloud-native architecture. It can centrally manage the identity of resources, such as users or devices, that access the various components that together form your cloud-native solution. From a DevOps perspective, a cloud-based, decentralized IAM solution can also help automate your cloud-native app’s identity, authentication, and authorization services. For example, it can help you provision and deprovision users and offer a central console to manage every identity. Furthermore, with extensive reporting, your IAM solution can provide insights into the security of your cloud-native architecture, giving you more control and allowing you to mitigate risks proactively.

An independent, decentralized IAM platform can also help you manage access to the cloud infrastructure you leverage to host your cloud-native app. For instance, OneLogin with AWS Control Tower integration gives architects the ability to easily govern their multi-role, multi-account AWS environment. These examples illustrate that when it comes to securing your cloud-native app, there are multiple use cases where an IAM solution is invaluable. It can help you manage identities accessing your various cloud services, integrate into your solution as its identity provider, provide the relevant reporting, and even integrate with the cloud platform, allowing you to manage access to the services hosting your app’s components.

READ MORE

Secure All Your Apps, Users, and Devices