The increasing scope and complexity of enterprise applications make it difficult to manage user identities and accesses.  

In this analysis, please note that we will define identity as the set of attributes, roles, rights, and application accesses linked to a user. 

With this framework in place, we can quickly understand why identity is becoming the cornerstone of security in a new environment imposed on everyone by the evolution of uses. Whether it is the arrival of the Internet, personal equipment, or even the health crisis we are facing, user expectations evolve very quickly towards greater mobility and openness. To meet these expectations, we must also rapidly evolve our security systems. 

The companies' different approaches to the cloud have had substantial positive impacts on how IT is treated: more agility and less technical constraints with SaaS (Software-as-a-Service) solutions. 

However, this also brings its own set of constraints. Digital transformation through the cloud cannot be achieved overnight: on-premises infrastructures still need to be managed and administered. 

In the age of the General Data Protection Regulation (GDPR), it is no longer just a question of knowing how to manage and secure its users' identities and knowing what their sensitive data is. 

IAM (Identity and Access Management) and, in particular, CIAM (Customer IAM) is challenged on the following points: 

Access to user data: The GDPR sets strict requirements for personal data processing in the form of protection against unauthorized and unlawful processing. A centralized and unified IAM platform effectively achieves this through multi-factor access and authentication policies. This requires an effort of agility for companies accustomed to highly regulated IAM processes that are not very resilient to such significant changes. 

Processing of personal data: Article 32 of the GDPR stipulates the security requirements for personal data processing. It induces, among other things, the means to: 

• Ensure the continued confidentiality, integrity, availability, and resilience of processing systems and services; 

• Restore availability and access to personal data promptly in the event of a physical or technical incident. 

The enterprise must demonstrate both the ability to implement these requests and the effectiveness of the actions chosen. IAM solutions reduce the risk of data loss and unauthorized access by restricting access to enterprise cloud resources and protecting identities. 

Securing user processing: The GDPR requires consent, which is defined as any freely given, specific, informed, and unambiguous indication of his or her wishes by which the data subject signifies his or her agreement to personal data being processed by a declaration or an explicit affirmative action. This has significant implications for IAM because most customer consents - especially for cloud services - are made via user profiles or identity attributes. Thus, the IAM platform provides a record of the granted consents and the possibility of the user withdrawing all or part of the consents granted. 

The sovereignty of user data: In another register than the GPDR, the issue of interoperability and portability of user data within cloud environments spread over several countries or continents involves questions relating to the sovereignty of data. For example, in France, some entities, such as the OIVs - Operators of Vital Importance - are strongly constrained on this point through the Military Programming Law. A regulation that requires them to store their non-sensitive data (Secret Defense and Confidential Defense data cannot be stored in a public cloud) in Europe and process it. The underlying infrastructure is critical for security, performance, sovereignty, and issues such as the geographical location of the services used. 

Data protection: technical approach  

Data must be protected both when it is stored and when it is transferred. The protection protocols for data transfer are usually TLS 1.3 or IPSEC. The encryption method used, as well as the management of encryption keys, must be specified. 
We prefer: 

• The ECDHE-ECDSA key exchange and authentication system with forwarding secrecy. 
• Regarding encryption, the AES-GCM algorithm has proven itself. 
• For data integrity, the HMAC-SHA256 algorithm meets current cryptographic requirements. 

We ensure that all stored data is systematically encrypted, stored on disk, in databases, files, or even in RAM. The encryption of data in RAM is made possible by the latest generations of microprocessors. Key management must allow the use of specific keys for each tenant and ensure that a third party cannot use them. 

How to manage two repositories simultaneously? 

While several approaches are possible, it is advisable to centralize identity management in two environments to designate the "master" repository for changes. This repository will be the authoritative source of user access to the enterprise repositories. To allow the IAG application to manage the applications of both repositories, gateways, and application proxies are necessary. 

Cloud and on-premises identity division 

Conversely, it is possible to manage separate IAM repositories depending on the application targets (on-Premises or cloud applications). Beware, this type of implementation has heavy technical impacts; it will be necessary to simultaneously manage the two repositories and even integrate a synchronization system  

Managing multiple targets and languages 

SaaS solution offerings' plethora is increasingly leading identity management applications to talk with a growing number of players and applications. Authenticating, managing accounts, and even defining user access is a real challenge in homogenization to avoid cacophony. This observation has given rise to two movements: 

1. the definition of standards and protocols allowing to authenticate users in a unique way (SAML, Oauth, OpenID Connect); 

1. Identity and user account management across different enterprise cloud domains SCIM (System for Cross-domain Identity Management) 

Control of the application of safety rules 

Regular checks ensure that these protection rules are correctly applied. The method used and all the checks carried out are documented, and regular audits of these controls guarantee their effectiveness. 

Monitoring the service 

It is advisable to verify the security elements deployed by the supplier. The supplier must provide a document detailing all the security criteria and the organization that guarantees these criteria' achievement. All security aspects must be covered in this document. 

The technical elements must be listed in detail: 

• protocol version, 
• encryption algorithms, 

• third-party solutions used, 
• geographical location. 

The impact of a compromise of identities and associated access is multiplied tenfold in the cloud. The increase in "self-service" access via SaaS-type application portals requires new methods for securing identity and permit: 

• monitoring of service connections, 
• connection information such as geographic location, 

• the authentication method used, 
• connection time or system used to connect, store and analyze. 

Unusual behavior or known threat patterns should cause the connection to be blocked and trigger a security alert. The provider should be transparent about such incidents and detail in its documentation how it communicates them to its customers. 

Cloud: how to create an identity? 

The creation of identity remains a crucial issue. 

• What information is needed to create it? 
• What is the process by which the identity will be created? 
• Who is the authority for creating an identity? 

To do this, several options are available: 

• creation by the user, 
• the use of a third-party identity via social networks, 
• creation by an external power supply. 

Creation by the user 

A user-generated identity is a new approach to the enterprise, straight from the Internet and most online services. This method is commonly implemented via CIAM (Customer Identity & Access Management) to provide an experience consistent with user habits. 

This is a real challenge to the way organizations operate. The web portal becomes a prerequisite for establishing contact with the organization, whereas selecting a connection was a prerequisite for accessing the web portal. To this can be added an a posteriori validation giving access to an additional level of service. This paradigm shift also means that the burden of creating/modifying the identity is shifted to the end-user, which is a significant point when dealing with large volumes. 

Use of a third-party identity 

To limit the number of identities of a single user, the use of a third-party identity is a possibility. Many Internet users already have an identity on social networks that will be re-used; this model known as Bring Your Own Identity is the BYO Device counterpart. 

How many services have you already accessed using Facebook authentication? It's fast, efficient, and saves you from having to remember many different passwords. The B2B world has been slower to adopt BYOI than BYOD. At first, for technical reasons but primarily for security reasons. 

Today, the technical constraints are progressively falling, but some security risks remain: 

• How to certify the third-party identity? 
• If there is certification, how can we trust the signatory of this certificate? 

Creation by automatic feeding 

Some companies are used to creating their identities from an HR repository or a provider database. The SCIM 2 standard offers a standardized web interface to push user creations to cloud systems. Like the LDAP directories, this standard defines a basic user schema, extensible according to the needs, with the protocol to perform the identities' operations. This protocol is based on web standards such as https and json and offers an API universally recognized in the IAM world. 

How to ensure the identity of a user? 

Verifying users' identity when they log on to online services is crucial for trust in these systems. The regular use of passwords is insufficient to ensure an acceptable level of security. To face the diversification of online services, more and more sensitive, and the massive use of personal data, the protection of which is essential to extend them, new authentication solutions have emerged. Mature, they are ready to be widely deployed for better usability while improving security. These methods considerably reinforce the trust in online services. 

Multi-factor authentication 

Multi-factor authentication (MFA) is an account security process that requires several distinct steps for a user to prove their identity. To complete the multi-factor authentication process, specific credentials must be provided, or certain requirements must be met at each stage. There are five factors: 

• knowledge (what you know); 
• Inherence (what you are); 

• possession (what you have); 
• location; 
• the hour. 

The most effective solution uses a one-time password. This password is generated by an application installed on the phone or is sent to the user by email or SMS. 

After use, this password becomes unusable. However, this ubiquitous technology has shown some weaknesses in the last years: there is a risk of password interception. The use of this technology is still complex, but it encourages the implementation of even more robust solutions without any password. 

The push request 

Push authorization is a straightforward alternative for the user while ensuring a high level of security. When connecting to a service, a notification is sent to the user's phone. The authenticity of the request is verified by validating or rejecting the connection. 

Used in addition to the usual password, this authentication method is becoming more and more widespread. Its simplicity has facilitated its adoption, but the use of the password persists. 

Authentication with FIDO 2 token 

To eliminate the use of passwords while ensuring maximum security level, physical tokens have been developed. The FIDO 2 standard, widely adopted by all the major players, makes it possible to eliminate the use of a password. This technology relies on a physical device which can be a USB, Bluetooth, or NFC key without a battery. 

This technology provides end-to-end security between the online service and the token. The use of the token on a compromised device also remains secure. This system is commonly coupled with advanced authorization to implement multi-factor solid authentication without the use of passwords. 

Tell me what your user is doing; I'll tell you if he is threatened 

The tightening of new regulations increasing data access sensitivity implies securing user access periodically and in real-time. 

With the centralization of user access and IAM solutions' profiles, it is now possible to analyze connection and data access behaviors. Geographical and temporal patterns of connections, types of applications accessed, or even devices used are new signals for detecting suspicious user behavior. According to rules applied to a context, these signals allow to set up access conditions to one or several applications according to restrictions applied to a context. 

Who, how, where, why, when: certify user access 

Today, securing data is becoming increasingly complex, mainly due to the massive migration of assets to the cloud and the multiplication of methods (terminals, location) and actors (employees, service providers, suppliers, etc.) with access to applications. In a context where all resources are accessible, misunderstanding sometimes takes precedence over control: 

• Who accesses what data? 
• How did he gain access? 
• When and for what purpose(s)? 
• Over what period? 

Access recertification in the cloud is essential to regain control over user rights in applications and data. These access reviews are even more accessible in the cloud because they can be conditionally enabled with the same detection signals described earlier. 

Cloud IAM is growing as fast as the services it is trying to secure. Two types of players are competing in this segment. Pure-players specializing in identity federation and SSO see it as an extension of their services. Cloud infrastructure providers are taking advantage of the cybersecurity market explosion to supplement their hosting services with IAM functions. 

Furthermore, the shift to new cloud-based IAM security technologies is still low; companies tend to limit themselves to deploying the necessary solutions for managing user access. The integration of new paradigms such as BYOI - Bring Your Own Identity - or FIDO tokens is adopted by the market. 

Authors: Mehdi Mtimet, Tristan Martin and Emmanuel Balland, IAM business unit, Orange Cyberdefense France