The Weekly Hotwash: May 1, 2020



A Major Step in Federated Identity Management

If you have followed my blog for any amount of time, you know that I am a firm believer that user account federation and identity management is the last bastion of hope that we have in securing our environments. For reasons I don’t quite understand, there was very little fanfare about some news this week that, in my ever-so-humble opinion, is a watershed moment for each and every one of the password haters out there, including, or perhaps especially, all of you security folks.

If you have ever looked into deploying a federation solution within your enterprise, you have come to learn about the inordinate complexity of interconnecting systems in order to get a functional single sign-on process up and running. System administrators loathe the multitude of copy-pasting between systems, field translation, certification creation, and connectivity challenges that need to be overcome to have an Identity Provider (IdP) exchange information with a Service Provider (SP) in a consistent, functional way.

On Wednesday, Brian Rose of SailPoint announced an open-source implementation of FastFed, the OpenID Foundation effort to simplify and expedite the adoption and deployment of enterprise user federation leveraging OpenID Connect, SCIM, and SAML. Originally announced by Darin McAdams of AWS and Erik Gustavson of Google at Identiverse in June 2019, the FastFed SDK provides a foundation for all administrators to leverage when building an enterprise federation service.

Why can’t work be like Facebook (or Google)?

If you take a moment and consider our end users, the vast majority of them access most of their many social media accounts through a shared user ID. The “Sign In with..” page allows them to leverage their Facebook, Google, Twitter, or Microsoft accounts to register and log in with an account they already know (and trust). No longer do they need to step through yet another registration process that includes all of the same information that all of their other accounts do. Gone are the days of worrying about password changes, synchronizing between accounts, or replacing devices. One account opens up their entire social media world.

But more importantly, gone are the days of users logging in over… and over… and over again.

Federation in a ‘Modern’ Enterprise

The fact of the matter is, the harder security is on our users, the more they will do to subvert it. Forced password changes, overly complex password schemas, and the need for different passwords for different applications drive our users to re-use passwords they remember from their personal accounts. In fact, a recent Google study shows that 65% of users admit to some type of password reuse.

Password reuse

From an enterprise perspective, this practice undermines virtually all of the other security controls we have in place, from the network layer up through the application layer. The ability to federate user access, not only across internal applications, but SaaS, cloud, and third-party applications is a critical foundation on which we can build the next generation of secure infrastructures. Unfortunately, today’s ‘modern’ enterprise is fraught with incompatible infrastructure, legacy applications, and out-of-date security controls.

The release of the FastFed SDK should go a long way toward alleviating many of these headaches. While we will likely always have those antiquated systems that cannot be easily integrated, removing the password burden from 80%-90% of our infrastructure would be very welcome to our users.

So, if your enterprise is ready, you should take a long, hard look at the OpenID effort and the FastFed SDK. Not only will your administrators thank you, but ultimately, you will become invisible to your users while increasing the overall security of your enterprise.

At the end of the day, isn’t that why we’re all here?

The Chronicles of a CISO Weekly Hotwash is a recap of critical stories and news that occurred over the past week. The goal is to hopefully share some insight and perspective on how these stories may impact our industry, our careers, or our companies.

Copyright © 2002-2021 John Masserini. All rights reserved.
