Four Keys To Securing Your Identity Management Platform

By Rajat Bhargava Posted June 14, 2016

Not long ago, the most valuable assets in the world were precious metals.

Today’s most valuable assets are digital.

Think about LinkedIn. When they suffered a serious security breach in 2012 and subsequently 117 user passwords were compromised, it was more painful to them than if someone had just stolen a safe full of gold out from under them.

Four years later, LinkedIn is still suffering from the effects of the breach, as reports surface from CNN that the passwords are still being bought and sold on the black market. Their public image and trust has been compromised indefinitely.

Don’t Let this Happen to You

Identities are the keys to your kingdom.

You may not have 117 million users like LinkedIn, but your digital assets are still big and important to you, to your co-workers, and to the boardroom. All it takes is one identity to be compromised to have permanent consequences – consequences that sometimes result in lost customers and lost jobs (hopefully not yours).

At JumpCloud, we’ve talked to a lot of very smart managers and IT admins who were never that worried about identity security… until it happened to them. That’s when they came to us, asking about our capabilities when it comes to Multi-Factor Authentication, automatic password rotation, and one-way salting and hashing of passwords.

Hindsight is always 20/20. But we’re here to tell you that that it’s much better to focus on security before a breach, not after. Once the genie is out of the bottle, there’s no putting it back.

Understanding Identity Security

There are multiple layers of security for an identity management program.

The innermost layer is how the credentials are protected when inside the identity solution. The next layer centers on how to protect the system itself within the network. Then the third major layer is how to teach end users to protect their credentials.

Of course, after all of these layers are created and executed, the next step is vigilant monitoring of the entire identity system.

Let’s go into a little bit more detail about each layer of security.

Credential Security

Storing credentials inside of a user directory is always a tricky task. That’s because the system, by definition, becomes a high value target for hackers.

Historically, the central user management system would live on-premises and be protected by the moat that IT has created around internal systems. With the move to the cloud, the perimeter is being deconstructed so IT admins can’t count on that moat protecting their credentials. The path forward is to ensure that the credentials themselves are stored in a secure way.

The best method is to create a one-way hashing and salting mechanism which makes it impossible to deconstruct the password. If for some reason you aren’t able to one-way hash the password, then strong encryption mechanisms should be used when the data is at rest.

Obviously, with a one-way hashing mechanism, you don’t have to worry about private keys being vulnerable to compromise.

Systems Security

Whether your identity management platform is hosted internally or SaaS-based, there should be strong security around the system.

Specifically, traffic to and from the system should be encrypted with strong in-flight security mechanisms. If Mutual TLS security is available that would be preferable to simple SSL security.

General traffic to the system should be blocked via firewall over all ports except from what is necessary with your secure tunnel. The hardware and software should always be up-to-date and patched to ensure that common exploits can’t be used against you. And, of course, ironically, access to the identity management platform needs to be tightly controlled.

End User Protection

Even if IT has done everything right in protecting their systems, errors on the part of a user can cause a compromise.

The most common method takes advantage of people’s tendency to reuse the same credentials across numerous sites or applications. When one of those sites/apps is compromised, then the hacker tries the credentials in other locations until they find a match.

This is why the credentials from the LinkedIn breach are so valuable on the black market – not because hackers want to go in and edit someone’s résumé without their consent, but because they want to try their same credentials across bank and business accounts.

This sort of thing is so frustrating, because it’s a case where IT organizations could do everything right and still end up compromised. That’s not entirely true though. There are protective measures that IT can take to make a password reuse breach much less likely.

Strong identity management systems will insist upon rotating passwords, building complex passwords, and locking out users if they attempt to login too many times. Password vaults are a common mechanism and can be used in conjunction with the core user management system to help increase the level of security.

But perhaps the most effective mechanism that can be leveraged to increase the security of credentials is to also add in multi-factor authentication (MFA). By asking for something the end user has in addition to something they know, a compromised credential becomes only half of the equation. This will stop most potential breaches that stem from password reuse.

They don’t mean any harm, but end users can be one of the biggest security threats to your organization. Only through smart systems and well-administered training can they become good stewards of their online credentials.

Security Monitoring

Even with the three strong layers of security described above, you’re work in securing your identity management platform isn’t complete. In a way, it’s never complete.

“Eternal vigilance is the price we pay for liberty.”

– Thomas Jefferson

Proper monitoring is an ongoing process that is the final key to true identity security. The idea is to know who is logging into your systems and applications, when they are doing it, and from where. Then, when there are deviations, you’re ahead of the curve and able to stop a problem before it starts. If that sounds like a lot of work, then you’ll be happy to hear that part of our mission at JumpCloud is to help automate admin monitoring.

Attackers are becoming far more sophisticated every year. So even with all of the layers of security listed above, a strong monitoring program is still key. Think of it as the cherry on top of the sundae.

The Key to Better Identity Security is in Your Hands

For the modern business, nothing is more important than the security of your individual identities and your identity management platform as a whole. Only the right people should have access to your most critical assets. And, this isn’t just for compliance reasons which is important itself. If the right credentials are compromised, that could lead to catastrophic consequences for just about any organization.

The IT department has been given the tall task of protecting the identity management platform. We hope that the four keys above have been helpful for you in understanding how that is possible, but if you have any questions you can check out our Knowledge Base or contact us directly through this page.

Many of the measures we discussed above are made easier through JumpCloud’s own Directory-as-a-Service®. Our fully-featured, cloud-based directory can automate password rotation, set stringent password requirements, enable MFA, and – of course – store credentials securely with one-way hashing and salting. We would love to help you improve your identity management security and we’re free to try for your first ten users.

Learn more about Directory-as-a-Service here.

Rajat Bhargava

Rajat Bhargava is co-founder and CEO of JumpCloud, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. An MIT graduate with two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.

Recent Posts