By John Callahan, Chief Technology Officer, Veridium
The 2020 pandemic and resulting work-from-home experience yielded an important conclusion regarding cybersecurity: identity is the new perimeter. Sixty-three percent of all data breaches exploit weak credentials, and incidents like SolarWinds highlight the need to focus cybersecurity on identity and access management (IAM) systems. Many organizations used the pandemic to accelerate their digital transformation projects with a focus on identity, but met additional challenges such as:
Bring-Your-Own-Device (BYOD): employees (new and existing), contractors, and freelancers require flexibility regarding the types of devices used and their capabilities to ensure proper identity verification, authentication, and credential storage.
Passwordless authentication: some devices are capable of securely storing credentials that can be used for proof-of-possession by an individual. This can be a convenience and productivity boost and reduce cybersecurity risks.
Biometrics: with new use cases for remote identity verification, and to further ensure proper identity binding to device-based credentials, biometrics can be combined with proof-of-possession to enable passwordless authentication.
Software-defined perimeters: in addition to or instead of virtual private networks (VPNs), multiple authentication flows can be combined to secure authorized access to specific resources within a perimeter. This can prevent data breaches, even in cases of VPN compromise (as in the SolarWinds attack), while enabling fine-grain audit for data protection compliance.
These challenges can make digital transformation a daunting challenge for many CISO and IT managers already under pressure to maintain their status quo password-based IAM systems. Luckily, the new concept of “auth journeys” lets them move beyond the limitations and complexities of existing AD and LDAP-based approaches. “Auth journeys” combine both authentication (authn) and authorization (authz) into processes defined at the user experience (UX) level instead of low-level auth protocols like OAuth, OIDC, SAML, etc.
An authentication journey is a workflow comprised of multiple steps in authentication and authorization processes available within an enterprise. Such steps include multi-factor authentication (MFA), biometrics, geolocation, PIN, credential checks, and even traditional methods (e.g., username & password). Most IAM systems are never fully replaced but include old and new systems and are carefully migrated over rollout periods that last weeks or months. Journeys provide a mechanism to define rollouts, migrations, deprecated methods, upgrades, and credential recovery paths. Journeys are full lifecycle processes that include onboarding, offboarding and internal steps like Active Directory conditional access checks. IT departments can define minimal journeys for all users, specific roles, and then let users choose their own devices and options for MFA via self-service portals, which allows convenience for users. Some additional benefits of authentication journeys include:
- Compliance & auditing: KYC/AML laws vary globally, so journeys can be customized as remote onboarding becomes more widespread. Onboarding processes can be assessed at various IAL levels and resulting credentials tied to auth processes to directly link the IAL and AAL levels. If logging is part of the journey (as an internal step), auditing can be directly associated with both onboarding and auth processes.
- Reduction in costs & complexity: A wealth of powerful and effective authentication and authorization technologies are available in the market, but most are complex to manage from a system-level perspective. The security context is lost when dealing with sessions, roles, tokens, and other protocol-specific mechanisms at a low-level of process programming. By managing journeys as high-level definitions of authn and authz processes, CISOs can elevate management of access risks of associated resources above the machine-level programming of OIDC and JWT tokens used to implement such processes.
- Better vulnerability management: explicit auditing, vulnerability analysis, threat modeling and accessibility enablement that actually improves security and reduces help desk password-reset costs. As in the cyber world, IAM vulnerabilities should be managed, shared and fixed at the journey level, not at the level of a specific protocol implementing a security policy incorrectly.
- Credential-based onboarding and authorization: new verifiable credentials permit on-demand provisioning for new employees, contract and temporary freelancers who can present such trusted credentials upon signup instead of requiring out-of-band, a priori enrollment in AD/LAP registries. Such credentials, which have expirations and explicit privileges, can also encapsulate capabilities to be used in authorization flows.
- FIDO: allows storage of encrypted credentials across many devices and modalities including security keys, biometrics, mobile phones, tablets, laptops and desktops with a password. FIDO allows developers to focus on high-level journeys in the IAM perimeter while providing device and security policy options.
- Privacy, Accessibility, Inclusion and Diversity: Ultimately, such flexibility regarding authentication journeys allows each user to choose their own devices, biometric modalities, and credentials for access to specific resources within their enterprises. Such flexibility enables new paths that help protect user privacy, enable accessibility, and promote inclusion and diversity.
Journeys let users define their own authentication methods that comply with GRC requirements while making choices explicit for IT managers. The IAM landscape may seem to be getting more complex, but only because we’re trying to fit a square peg in a round hole. Old methods tied strictly to AD and LDAP registries with groups and their associated roles are only a narrow keyhole from the past into which we can view a broader IAM future. These systems will continue to be used in many enterprises but form only part of the many journeys available to users within the new IAM landscape.
John Callahan is currently serving in the capacity of Chief Technology Officer (CTO) at Veridium. He has previously worked as Senior Computer Scientist at John Hopkins University – Applied Physics Laboratory and as Chief Technology Officer at Sphere Software Corporation. John is an alumnus of the prestigious University of Maryland, College Park.