As businesses expand their mobile and cloud services, the growing complexity of identity management brings both development costs and security risks. Each new service consumes developer time and requires secure handling of that application's identity concepts. Implementing identity management redundantly in every application also multiplies maintenance work, and each separate implementation is another place where a flaw can lead to a security failure. By adopting patterns that eliminate redundancy and consolidate responsibility for identity management, IT security can reduce exposure to attack and lower the cost of ownership, extending access to users while cutting development costs and security flaws.
For each application server accessing enterprise data, a user identity is established once the server holds sufficient authenticating information. Not all of that information has to be exchanged directly between the user and the application. Any party may make claims about a user or other entity: statements about identity that a recipient can accept or reject depending on how much it trusts the claim's source. These claims are packaged into tokens by a Security Token Server (STS), which exchanges them with other trusted participants.
Having trusted third parties available to make identity claims simplifies the task of establishing identity. Designing applications to accept identity claims from other providers lets them rely on unified identities understood by multiple parties, known as federated identities. By consuming claim data issued by trusted parties, an organization can centralize the design of its authentication methods and increase the flexibility of the claims it uses.
Identity management solutions simplify authentication further by assigning a trusted intermediary to establish and interpret user identity information. For this illustration, let’s assume our use case is an employee accessing a cloud service via the web, using identity information stored in an enterprise directory service. An intermediary which translates between web authentication and enterprise domain services is doubly desirable; it acts as both an added security layer for the enterprise and a valuable interpreter of enterprise-specific identity information.
For this use case, an enterprise might use Active Directory Federation Services (ADFS) as an intermediary that accepts authentication requests on behalf of Active Directory and returns usable identity information, which in turn enables access to Windows Azure services. By looking at how ADFS and Windows Azure authenticate users and validate claims, we can learn how to build secure multi-user authentication services by assigning the components of identity management to trusted delegates. While ADFS and Windows Azure represent one specific solution, the underlying model applies generally to businesses that use their enterprise identities to access remote applications and services.
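To make the claims model concrete, here is an added example (not code from the original post, and not an ADFS or Azure API) of the two roles described above: an STS that packages claims into a signed token, and a relying party (the cloud service) that accepts the claims only when they come from a trusted issuer, are unmodified, are addressed to it, and have not expired. The issuer name, key, audience and claim set are constructed for the example; a real ADFS deployment signs tokens with an X.509 key and SAML or JWT formats rather than the HMAC-over-JSON used here to keep the example offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example: one trusted STS and the service that relies on it.
STS_ISSUER = "https://sts.example.local/adfs"
STS_KEY = b"constructed-shared-secret"
SERVICE_AUDIENCE = "https://cloudservice.example.net/"
TRUSTED_ISSUERS = {STS_ISSUER: STS_KEY}  # relying party's list of issuers it trusts


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, key, subject, audience, groups, lifetime=300, now=None):
    """STS role: package identity claims and sign them so the recipient can verify the source."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "groups": groups, "iat": now, "exp": now + lifetime}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    sig = b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def validate_token(token, audience, now=None):
    """Relying-party role: return the claims only if every trust check passes, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(unb64(body))
    except (ValueError, json.JSONDecodeError):
        return None  # malformed token
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None  # claims from an unknown STS carry no weight
    expected = b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # token altered after the STS signed it
    if claims.get("aud") != audience:
        return None  # token was issued for a different service
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return None  # outside the validity window
    return claims
```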