You just can’t dig a safe moat around your castle these days. There is broad agreement that the network perimeter “castle and moat” security model is not effective. You’ve probably heard about the identity perimeter and zero trust, but what do they actually mean here in the real world? We’re facing other challenges as well, like authorizing access to APIs in a consistent and secure manner that security professionals can test and audit.
The identity perimeter is about securing who can access what, and it has three key parts. First, we need the ability to securely identify our users – this is where multifactor authentication (MFA) is helpful. Second, we need to extend that identity to applications – this is where we use federation. Third, we must require that identity to be used for access to everything, so that we have a single point of control and the ability to inspect the device – this is where an access proxy is helpful. The F5 Labs report Lessons Learned From A Decade Of Data Breaches showed us that 33% of breaches initially targeted identities. It’s clear we have work to do.
Google’s BeyondCorp methodology identifies an access proxy as the function that enforces the single point of control. This makes it a critical part of a zero trust architecture. While some vendors have access proxy solutions, most are limited in which clouds they can be deployed in, which identity vendors they can consume from, or which controls they can enforce.
Broken authentication and broken access control are common and severe enough problems in web applications to feature in the OWASP Top 10. The threats are so common that auth bypass features heavily in attack script libraries as shown in F5 Labs' 2018 Application Protection report. Access proxies provide a consistent method of implementing the access controls and authentication requirements needed in front of applications. This removes the need to trust that every application developer is an authentication expert (not likely). We spend a lot of time talking about “time to market” but “time to secure” is just as important.
When implementing API authorization controls directly in your applications, every language and framework implements them a little differently. This makes it very challenging to assess the efficacy of the controls and significantly increases the number of security controls that need to be patched, tested, and maintained. A single solution that works across clouds and is deployed the same way regardless of application language is critical to successfully securing APIs.
F5 is releasing Access Manager to help customers solve these problems. Some key features are:
IDaaS and Federation Integration – Supporting SAML, OAuth, and OpenID Connect enables Access Manager to extend your identity to protect more applications and maintain a single point of control. Major IDaaS vendors such as Okta and Azure AD are supported through guided configuration. Access Manager can also act as an identity provider or authorization server, providing a complete solution.
API Authorization – Access Manager provides a secure, consistent way of implementing authorization controls for your API with support for OAuth, OpenID Connect, Certificate Auth, and more.
Credential Protection – Attacks on identity don’t stop at the data center edge, so your protection shouldn’t either. Access Manager extends identity protection to the user’s browser by encrypting credentials as the user enters them, even before submission, with F5 DataSafe.
Granular Policy Controls – Access Manager includes a visual policy builder that helps you control risk by creating granular controls on a per application, user, or device basis.
Guided Configuration – Distill complex tasks into easy steps with clear guidance. This enables security teams to quickly get a zero trust architecture in place, protect an API, extend the reach of their IDaaS solution, or grant access to an application.
As F5 looks ahead, we can see that new risk-based models of authenticating users are required to secure identity in ways that were impossible just a few years ago. It’s clear that integrating a proxy and consistent methods of securing authentication and authorization are critical. Look forward to new ways of securing the identity perimeter soon.