12.10.2020 | Thomas Bühler
Central Authentication and Authorization Management - An Opportunity for the Future
Nowadays, IT architects are faced with the challenge of having to meet the diverse requirements of the business department, security and regulators. The topics range from cloud integration and multi-factor login to app integration, and all of this in light of the constantly increasing need for protection, which in turn requires new approaches.
Let’s take the example of risk-based authentication, in which the security of a login is assessed by including additional parameters such as device configuration, environmental information (rooms, noise, nearby WiFi networks and their SSIDs, IP address, geolocation) and biometric characteristics of the user. Although this can significantly increase overall security, the infrastructure requirements grow considerably. The idea that each specialist application has to independently check the criteria of a risk-based login shows the limits of decentralized solutions.
In general, increasing the degree of centralization of the components of an authentication and authorization infrastructure avoids redundancies, increases efficiency and enhances user-friendliness. Temet has extensive expertise in this area. We are happy to support customers in setting up and optimizing their authentication and authorization infrastructure.
Long history
In 1965, P. A. Crisman first described the requirement for user authentication in his book “The Compatible Time-Sharing System - A Programmer’s Guide (2nd edition)” at M. I. T., and in 1970 Lance J. Hoffman considered how access systems could be centrally organized. These two milestones are considered the birth of authentication and authorization management in IT. In 1976, IBM introduced the first commercial application based on the mainframe System/370 with a login and authorization system, commonly known as the “Resource Access Control Facility (RACF)”. Microsoft followed suit with Windows NT 3.51 in 1995. From this point onwards, it was common practice for users to be clearly identified and for rights to be managed centrally.
General topic overview
Nowadays, most companies rely on centralized management of their identities, roles, rights and workflows in the form of an Identity and Access Management System (IAM). A classic IAM system also includes the provision of information and processes for authentication and authorization. For example, most solutions offer options for resetting a password, which is required to technically ensure authentication on an individual target system. The actual execution of user authentication and the enforcement of rights in the target system is controlled by the respective specialist application. The classic models have weaknesses that are primarily due to the design of non-functional requirements. For example, an IAM system must manage confidential credentials that are susceptible to integrity violations and make them accessible to the target systems in an appropriate form. If replication mechanisms are used, for example, passwords must be available in plain text or private keys must be distributed decentrally. If the IAM system performs authentication and authorization itself, the availability requirements of the management system increase significantly. If, on the other hand, directory services are used as authentication and authorization proxies, the principles of reconciliation are violated and the result is a loss of control over the actual implementation status in the applications. Further disadvantages arise in the area of single sign-on and from the fact that each application must control the execution of the login itself. It is therefore advisable to separate the management of identities from the relevant operational authentication and authorization infrastructures.
Centralization as the key to success
IT architects today are faced with the challenge of having to meet the diverse requirements of the business department, security and regulators. The topics range from cloud integration and multi-factor login to app integration, taking into account the constantly increasing need for protection, which in turn requires new approaches. Let’s take the example of risk-based authentication, which secures a login by including parameters beyond the actual basic credential. Examples include device configuration and environmental information such as rooms, noises, nearby WiFi, IP address, WLAN SSIDs, geolocation, biometric properties of the user or time of day. This can significantly increase overall security. Device configuration and environmental information are of particular importance with regard to the aspects listed above. For the device configuration, it is often decisive whether the device is administered by the institution itself or whether it is a bring your own device (BYOD). In the case of BYOD, higher authentication requirements usually apply than for internal devices. In general, the software version used, the patch status, current virus protection, root or jailbreak detection for mobile devices, the browser used and its settings as well as the resolution of the device can indicate whether an authentication should be accepted or not. The main purpose of the environmental information is to corroborate the other parameters by means of an additional check criterion. For example, geolocation information can be validated by analyzing the ambient noise, as the example of comparing a GPS coordinate in the Swiss mountains with that of a major Indian city illustrates. Furthermore, the MAC address of a WLAN router can be used to narrow the location down to the surroundings of a room. The consistency of the information can be checked using GPS synchronization, and unwanted VPN tunnels can be exposed.
Profiling nearby WiFi networks, combined with the time of day, in turn makes it possible to determine the user’s usual location. It must be noted here that, in a decentralized setup, each specialist application must independently control the checking of the risk-based login criteria. This example clearly illustrates why centralization of authentication and authorization management is essential for implementing such requirements.
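As an added illustration (not code from the original article or from Temet), the following sketch shows how a central authentication service could score the signals just listed and decide whether to allow the login, demand an additional factor or deny it. The signal set, weights and thresholds are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Optional, Set, Tuple

# Constructed example policy: the signals named in the article (device management
# status, patch level, root/jailbreak, geolocation vs. ambient noise, known WLAN
# router, time of day, VPN) are scored once, centrally. Weights are illustrative.

@dataclass
class LoginContext:
    byod: bool                    # device not administered by the institution
    patched: bool                 # OS and software at the approved patch level
    rooted: bool                  # root or jailbreak detected on a mobile device
    geo_country: str              # country derived from GPS / IP geolocation
    noise_country: Optional[str]  # country inferred from ambient noise, None if unavailable
    wifi_bssid: Optional[str]     # MAC address of the WLAN router the device sees
    login_time: time
    vpn_detected: bool

@dataclass
class UserProfile:
    home_country: str
    known_bssids: Set[str] = field(default_factory=set)
    usual_hours: Tuple[int, int] = (7, 19)   # start and end hour of usual activity

def risk_score(ctx: LoginContext, profile: UserProfile) -> int:
    """Accumulate risk points for every signal that deviates from the expected state."""
    score = 0
    if ctx.rooted:
        score += 50
    if ctx.byod:
        score += 15
    if not ctx.patched:
        score += 15
    # environmental cross-check: geolocation must agree with the ambient-noise inference
    if ctx.noise_country is not None and ctx.noise_country != ctx.geo_country:
        score += 40
    if ctx.geo_country != profile.home_country:
        score += 20
    if ctx.vpn_detected:
        score += 10
    if ctx.wifi_bssid is None or ctx.wifi_bssid not in profile.known_bssids:
        score += 10
    start, end = profile.usual_hours
    if not (start <= ctx.login_time.hour < end):
        score += 10
    return score

def decide(score: int) -> str:
    """Map a risk score to the action the central service returns to the application."""
    if score >= 60:
        return "deny"
    if score >= 25:
        return "step-up"   # require an additional factor before issuing a session
    return "allow"
```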
Conclusion and outlook
Flexibility with regard to authentication and authorization infrastructures is an essential basic requirement for the operation of modern IT environments. In this respect, it is important to clarify the extent to which an overall architectural concept can be optimally combined into a single unit, taking into account current requirements in terms of security, efficiency and user-friendliness. With regard to authentication and authorization infrastructures, a middle way should therefore be found between the conflicting priorities of requirements, backward compatibility, flexibility and avoiding known problems with existing solutions. Modern architectural approaches also make it possible to benefit from technological achievements such as risk-based login. These solution concepts can only be achieved through centralization. In general, increasing the degree of centralization of the components of an authentication and authorization infrastructure avoids redundancies, increases efficiency and improves user-friendliness. In addition, the reusability of these components enables synergy effects beyond the boundaries of the institution and contributes to the simplification of the architecture.
Temet core competence in authentication and authorization management
Temet has numerous specialists who have repeatedly demonstrated their expertise and many years of experience in setting up and developing authentication and authorization infrastructures and have played a key role in shaping customer projects in recent years. These include significant contributions in the area of electronic patient files (EPD), in the context of the Federal Act on Electronic Identification Services (eID Act) and in the area of education. Temet was also significantly involved in the development and operation of one of the most important identity platforms in the Swiss insurance sector. As a member of the OpenID Foundation and the FIDO Alliance, we also follow developments on the market directly.