The importance of data security has not been left off anyone’s radar. And, in the wake of unauthorized access to the US Capitol building the approach for some is to wipe everything. Potentially malicious attackers on premise, able to access user data and user sessions left unlocked. The historical lack of sufficient technical experts in leading government areas have left reasonable controls out of the picture. The lack of attention to data security in some of the most critical areas results from a number of antiquated mindsets and overall deficit in talent.
However, many companies also find themselves, while not in possession of highly classified and confidential materials, equally sensitive and vulnerable to unauthorized access. Security experts will point to increased availability of cloud solutions with a bifurcation of security responsibility "Of the Cloud" and "In the Cloud". Cloud usage helps, that’s no longer a question, but it's only the beginning of the story. As an organization you are in control of your data, your security, and possible remediation strategies when there is a critical incident. But how will you help your users tackle these issues when something happens to them outside of your control?
A quick browsing through social media will expose just how many possible vulnerabilities where in place:
- Sensitive paper documents left laying around, in every office. The need to convert digital assets in 2021 to paper for manageable use, is inherently irresponsible.
- Physical devices left unlocked - Devices left in an unlocked state without attention to how long they were like that. Anyone walking by can immediately see, and in-depth peruse these devices for any available user content.
- Stolen devices - Having access to a physical device for a long period of time, allows even ones with tough security to be broken into, even with disk encryption.
- Identity impersonation - While knowledge of classified information exposure might not have been leaked, there's not telling of the ability to now impersonate the users having stolen their credentials. Or for that matter accessing sensitive and later classified materials using what attackers may have found with that data. Additionally, because of the lack of clear digital auditing, knowing who is accessing what from where remains a challenge.
- Overwhelming suggestions to wipe all data - While the mess that is made by political parties frequently migrating to and from office may be Herculean, blanket bankruptcy declarations don't solve anything. It's a patch to a problem of unknown size and complexity.
Having the appropriate security controls in place is important for a variety of reasons. While not everything protects your users' data inside your cloud solution, some of it helps protect your users' digital identity. We’ll iterate through the available options below to see what additional controls can be implemented.
The first layer is everything physical and connected to a network. This is known as endpoint management. Users log in to physical devices in a dedicated location or one that is treated as a zero-trust network. These endpoints need to offer basic protection:
- Integrated Login: Logging into these devices should require biometric authentication and be configured to integrate with realm providers providing transparent auth to external sites. Forcing users to remember passwords creates an attack surface. Notes under keyboards, or permanently unlocked devices.
- Idle Timeouts: Any device not used for longer than a short period of time should resort to being auto locked. Distractions happen and users walk (or run away), these devices should lock out usage until login is re-authenticated.
- Encrypted physical stores: Having direct access to hardware is usually a game over without the data at rest being encrypted. No physical hard drive should have unencrypted data on it.
- Application remote storage: Having data directly on the machine not only creates a vulnerable attack surface, but makes it difficult to retrieve, utilize, and protect that data. Always use remote storage of data, any solution that requires local data, such as installed applications should be discarded for their remote cloud counterparts. These are often provided out of the box by your OS provider. All you have to do is enable them. Setting them up is a requirement.
Once your users are past their device login, network and internet access have further protections. Many apps in 2021 still lack some of these basic protections, so when choosing what to use ensure that they follow these guidelines.
- Integrated openId connect based SSO: must be present in all applications. Using applications that require username and password should never be allowed. The number of google results of breached passwords or passwords listed in rainbow tables reported by ';--have i been pwned? is unfathomable. Don’t use them in apps and don’t log into apps using passwords. Users must use their trusted login, and that login must be a federated SSO that also has a biometric non-password based login. The standard here is WebAuthN.
- Temporary tokens: Federated logins must issue temporary tokens. Tokens issuance requires having Issued At time as well as Expiry time. Tokens that are unnecessarily exposed, either due to malicious malware or negligence, must lapse so that attackers are limited in their attempts to breach via this vulnerability. Suggested times are less than 7 days, and frequently should be 24 hours.
- Session tracking and verification: To prevent users from repeated login requirements, user sessions should be tracked, verified, and used to issue additional tokens. Logging via new sessions should be limited to a posteriori verification by previously approved sessions. These sessions should contain security information restricted to more secure data storage mechanisms.
- Session revocation: A user or a directive for a group of users, must be able to immediately invalidate all sessions. In the case that a physical device is breached the tokens even while securely stored will still be accessible, and sessions will still be valid. It is impossible for a login provider to invalidate tokens, but they must revoke all user sessions. Global logout must be enforced.
Many authentication SaaS providers have at least some of these features if not all of them. Building a custom login solution will always be less secure unless it contains at least these mentioned criteria.
Authorization or identity access management (CIAM) is critical for securing user connected applications. As we’ve seen above there are important areas missing from physical and authentication security that need to be closed.
- Token deny lists: Tokens issued to users that are known to be or possibly compromised must be denied access. Since the tokens themselves are still valid, revoke the permissions associated with the tokens.
- Principle of least privilege: Access to resources must provide resource, user, and permission specific granular level permissions. Assigning users ambiguous roles such as Supervisor, Admin, or Support frequently allow attackers access via unnecessary verbose permissions schemes. The CIAM solution must provide for permissions level for individual users and resources.
- Access audit trails: In the event of an issue, where tokens and sessions are still valid, it becomes necessary to know which resources were accessed. Authorization APIs will give this information. Who accessed what and when. You’ll know immediately what data was compromised and under which conditions, thereby allowing remediation to take a precision and tactical approach.
Using these different pieces together is the only way to ensure security amid data emergencies and not have to resort to drastic measures to clean up. Combining physical management with federated user login and authorization apis gives a full working security approach to almost any digital infrastructure. The solutions for teams and organizations that are responsible for these resources are available, all it takes is simply to implement them.
Interested in figuring out which auth and physical data security tools, checkout how to pick the best auth solution.