Protecting the Identity Perimeter

F5 Ecosystem | July 25, 2018

You just can’t dig a safe moat around your castle these days. There is broad agreement that the network perimeter “castle and moat” security model is not effective. You’ve probably heard about the identity perimeter and zero trust, but what do they actually mean here in the real world? We’re facing other challenges as well, like authorizing access to APIs in a consistent and secure manner that security professionals can test and audit.

What is the Identity Perimeter?

The identity perimeter is about securing who can access what, and it has three key parts. First, we need the ability to securely identify our users – this is where multifactor authentication is helpful. Second, we need to extend that identity to applications – this is where we use federation. Third, we must require that identity to be used for access to everything, so that we have a single point of control and the ability to inspect the device – this is where an access proxy is helpful. The F5 Labs report “Lessons Learned From A Decade Of Data Breaches” showed us that 33% of breaches initially targeted identities. It’s clear we have work to do.

Why Access Proxy is Critical

Google’s BeyondCorp methodology identifies an access proxy as the function that enforces the single point of control. This makes it a critical part of a zero trust architecture. While some vendors have access proxy solutions, most are limited in what clouds they can be deployed in, what identity vendors they can consume from, or what controls they can enforce.

“An access proxy is an essential part of adopting a Zero Trust architecture and extends the benefits of investment in IDaaS. Combining F5 and Okta enhances both offerings to improve security and user experience wherever your apps are deployed.”
- Chuck Fontana, VP of Okta Integration and Strategic Partnerships

Broken authentication and broken access control are common and severe enough problems in web applications to feature in the OWASP Top 10. The threats are so common that auth bypass features heavily in attack script libraries as shown in F5 Labs' 2018 Application Protection report. Access proxies provide a consistent method of implementing the access controls and authentication requirements needed in front of applications. This removes the need to trust that every application developer is an authentication expert (not likely). We spend a lot of time talking about “time to market” but “time to secure” is just as important.

APIs – the Gateway to Your Data

When API authorization controls are implemented directly in your application, they have to be implemented a little differently for every language and framework. This makes it very challenging to assess and determine the efficacy of the controls, and it significantly increases the number of security controls that need to be patched, tested, and maintained. A single solution that works across clouds and is deployed the same way regardless of application language is critical to successfully securing APIs.

What is F5’s Approach?

F5 is releasing Access Manager to help customers solve these problems. Some key features are:

  • IDaaS and Federation Integration – Supporting SAML, OAuth, and OpenID Connect enables Access Manager to extend your identity to protect more applications and maintain a single point of control. Major IDaaS vendors such as Okta and Azure AD are supported through guided configuration. Access Manager can also act as an identity provider or authorization server, providing a complete solution.
  • API Authorization – Access Manager provides a secure, consistent way of implementing authorization controls for your API with support for OAuth, OpenID Connect, Certificate Auth, and more.
  • Credential Protection – Attacks on identity don’t stop at the data center edge, so your protection shouldn’t either. Access Manager extends identity protection to the user’s browser by encrypting credentials as the user enters them even before submission with F5 DataSafe.
  • Granular Policy Controls – Access Manager includes a visual policy builder that helps you control risk by creating granular controls on a per application, user, or device basis.
  • Guided Configuration – Distill complex tasks into easy steps with clear guidance. This enables security teams to quickly get a zero trust architecture in place, protect an API, extend the reach of their IDaaS solution, or grant access to an application.

Looking Forward

As F5 looks ahead, we can see that new risk-based models of authenticating users are required to secure identity in ways that were impossible just a few years ago. It’s clear that integrating a proxy and consistent methods of securing authentication and authorization are critical. Look forward to new ways of securing the identity perimeter soon.
