Achieve Platform Independence and FedRAMP Compliance
Modern Data Security Means Authentication
Today's information security and privacy requirements are not just compliance exercises; they are an integral part of a comprehensive, strategic and continuous risk-based governance program. Cybersecurity threats are more prevalent and dangerous than ever, and breaches can have huge financial and mission-oriented implications when they occur.
Data governance is vital to organizations, especially those using analytics applications that access and share large amounts of data among different departments and functions. Our Data Governance Benchmark Research found that improved regulatory compliance is a benefit for more than one-half (60%) of organizations, with one-half or more of respondents citing better protected data and information assets (52%) and reduced risk from fraud (50%). In this era of heightened awareness, organizations are striving to improve their security posture while also meeting all their regulatory and internal compliance requirements.
Two of the most vital information security processes that administrators use to protect systems and information are authentication and authorization. Authentication verifies the identity of the user, and authorization allows the user to access the data or applications appropriate to their profile. There are three basic authentication factors:
- Knowledge-based, such as a username/password or PIN
- Property-based, such as a smartphone
- Physical, such as a fingerprint or retina scan
There are a variety of authentication processes an organization can use to verify the identity of users, some more common than others. At a minimum, authentication should involve asking for a username and password. Alternatively, single sign-on (SSO) allows users to sign in to all their applications and cloud services at once by using an identity provider (IdP) to check user identity, so that each application does not have to store the identity itself. While SSO is convenient, organizations may require the additional layer of security provided by multi-factor authentication (MFA); in fact, MFA is becoming the norm for many types of applications. Not all authentication processes are created equal, however. Whether an organization operates in the cloud or on-premises, and whether it serves users through web or mobile applications, helps determine which authentication protocols are best suited to protect the business from the potentially ruinous financial and reputational damage a security breach might cause.
Platforms Evolve Toward Multi-Cloud
Our research shows more than three-quarters (77%) of organizations are using cloud-based data and analytics software and two-fifths (42%) of those are multi-cloud deployments. Cloud-based SaaS applications tend to maintain independent authentication and authorization directories, which complicates matters. Yet many applications and organizations still rely on legacy authentication methods such as Windows Authentication that were developed primarily for use on-premises. Perhaps that is why security is the most common concern among organizations that choose not to use cloud computing for data and analytics. Windows Authentication also carries risks that more modern approaches have addressed. For example, depending on configuration settings, usernames and passwords may be stored in clear text in Active Directory. In addition, while the hashing algorithms in Windows Authentication have been updated, older legacy hashing techniques can be configured for backward compatibility, potentially opening the door to bad actors.
Due to Microsoft’s presence in the market, software vendors have attempted to adapt and extend Windows Authentication to support cloud-based and multi-cloud configurations. Lightweight Directory Access Protocol (LDAP) can be configured to connect Linux-based and macOS-based devices to Active Directory. However, Windows Authentication still requires an on-premises or self-managed component and is best suited to an intranet environment where client computers and web servers are in the same domain and can be connected to Active Directory. Incorporating LDAP to support all the devices typically found in organizations today requires extra work, creates inefficiencies for IT, and is more likely to lead to failures and vulnerabilities. Organizations end up managing multiple directories rather than one centralized directory for authentication.
Platform-Independence Preferred
With an eye toward providing maximum protection against security breaches, organizations have adopted a better approach to authentication. Rather than relying on multiple authentication directories, chief information security officers (CISOs) are pushing their organizations toward platform-independent authentication methods. Security Assertion Markup Language (SAML) is an umbrella standard that covers identity management, authentication and federation. SAML-based authentication is designed to allow a user to access multiple unrelated web services using a centralized IdP.
The SAML standard defines a request/response protocol for exchanging XML messages among the roles of end user, IdP and service provider (SP) in the form of assertions. These assertions are requested, created, communicated and used according to the standard defined by the Organization for the Advancement of Structured Information Standards (OASIS), and contain the IdP's attestation that a particular user has been authenticated and authorized to access a specific resource. As a result, organizations can be more confident that their information and systems are protected from the attacks they face on a daily basis.
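The SP side of the exchange described above, as an added example that is not part of the ISG paper: the checks a Service Provider makes on a SAML 2.0 assertion once its XML signature has been verified (signature verification itself is left to a library such as python3-saml/xmlsec). The entity IDs, request ID and response document are constructed for the demonstration.

```python
# Added example, not from the ISG paper: the checks a SAML 2.0 Service Provider
# makes on an assertion AFTER its XML signature has been verified (use a library
# such as python3-saml/xmlsec for that step; it is out of scope here).
# Entity IDs, the request ID and the response below are constructed for the demo.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
TRUSTED_IDP = "https://idp.example.gov/saml"             # hypothetical IdP entityID
SP_ENTITY_ID = "https://app.example.com/saml/metadata"   # hypothetical SP entityID
CLOCK_SKEW = timedelta(minutes=2)                        # tolerated IdP/SP clock drift

# Constructed SAML Response as the SP would receive it at its assertion consumer endpoint.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req42" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.gov/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>https://idp.example.gov/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.gov</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-15T09:59:50Z"/>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(response_xml: str, expected_request_id: str,
                       now: datetime, seen_ids: set) -> str:
    """Return the asserted NameID, or raise ValueError naming the failed check.
    seen_ids holds assertion IDs already accepted, so a captured assertion
    cannot be presented a second time within its validity window."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_IDP:
        raise ValueError(f"untrusted issuer {issuer!r}")
    # Bind the response to the AuthnRequest this SP actually sent.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no Conditions")
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    # The assertion must be addressed to this SP, not to another SP of the same IdP.
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError(f"assertion not addressed to this SP: {audiences}")
    if assertion.find("saml:AuthnStatement", NS) is None:
        raise ValueError("no AuthnStatement: IdP did not assert an authentication event")
    if assertion.get("ID") in seen_ids:
        raise ValueError("assertion replayed")
    seen_ids.add(assertion.get("ID"))
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def demo() -> tuple:
    """Run the sample through the validator: accepted once, replay and late use rejected."""
    def outcome(now, seen):
        try:
            return "ok:" + validate_assertion(SAMPLE_RESPONSE, "_req42", now, seen)
        except ValueError as err:
            return "rejected:" + str(err)
    seen = set()
    in_window = datetime(2024, 1, 15, 10, 1, tzinfo=timezone.utc)
    late = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
    return (outcome(in_window, seen), outcome(in_window, seen), outcome(late, set()))

if __name__ == "__main__":
    print(demo())
```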
Along with providing a consistent level of security, the benefits of SAML range from convenience to customizable login experiences to the ease of integrating an open standard process. Indeed, SAML is widely used by organizations, has strong vendor support across government and industries, and is designed for cross-domain support, which allows for multiple applications or services hosted on different domains or networks. SAML simplifies operations, easing the administrative burden of managing system access and freeing up IT resources to focus on more valuable activities. SAML also reduces the risk of data breaches and other security threats by eliminating the need to transmit usernames and passwords repeatedly, and it can be strengthened further by adding MFA to prevent a bad actor from gaining access to an active session.
For organizations looking for an alternative to SAML, OpenID Connect (OIDC) accomplishes a similar result through different means. Built on top of the OAuth 2.0 authorization framework, OIDC authenticates the user who is seeking access to resources owned by the SP. The SAML SP is generally a website, whereas OIDC integrates more easily with mobile applications. With SAML, the user is redirected from the SP to the IdP to sign in. OIDC trusts the channel used to obtain the security token, redirecting the user from the relying party to the OpenID Provider to sign in.
Meeting Stringent Government Requirements
One way organizations can reduce risk and exposure to attacks is to rely on approved standards that have been widely adopted. In the United States, FedRAMP compliance is essential for any organization providing cloud-based services that intends to do business with the federal government as it emphasizes the role of both privacy and security in the Federal information life cycle. FedRAMP standardizes security requirements for cloud services and ongoing cybersecurity, provides conformity assessment programs and defines NIST-based guidelines and standards for authorization packages. SAML and OIDC conform to these standards.
Many organizations seek FedRAMP certification for themselves or do business with other organizations or agencies that require it. FedRAMP defines specific policies, based on Federal Identity, Credential and Access Management (FICAM) governance, regarding identification and authentication when accepting third-party identities. FICAM establishes a federated identity framework for the federal government and provides government-wide services for common Identity, Credential and Access Management (ICAM) requirements. Without conforming to FICAM-issued profiles, an information system may not be interoperable with FICAM authentication protocols such as SAML 2.0, OpenID 2.0 and others.
To govern agency user interactions, certain security controls may need to be included in the task order. As an example, a system can utilize SAML 2.0 architecture to integrate with an existing agency directory service for agency user account management and authentication. When configuring user authentication processes related to Federal information, an organization should use an MFA SSO protocol to maintain compliance with FedRAMP requirements. Any SAML 2.0 compliant IdP can integrate for the purposes of SSO, and organizations can configure SSO/SAML authentication in FedRAMP containers to enable provider-initiated SSO.
Governments around the world have privacy regulations that, like FedRAMP, must be met. Examples include the Australian Privacy Principles (APP), Brazil's LGPD, the California Consumer Privacy Act (CCPA), Europe's General Data Protection Regulation (GDPR), South Korea's PIPA and Virginia's Consumer Data Protection Act (CDPA). User information itself must be managed in a way that complies with these regulations. Since Active Directory stores information about user accounts such as names, passwords and phone numbers, it is at risk from nefarious users who are authorized on the network but not authorized to access this information. Conversely, platform-independent authentication systems such as SAML and OIDC work with identity providers, separating the management of this information from the authentication process.
Industry Benefits of Platform Independence
SAML and OIDC are being adopted across various industry segments to meet specific regulatory requirements. These are the very industries most vulnerable to attack because of the sensitive information they manage. Banking and financial services industries must comply with the Payment Card Industry Data Security Standard (PCI DSS). Managing multiple locations while adhering to PCI DSS is also a challenge faced by retailers. Solutions that require retailers (or others) to coordinate multiple directories create administrative nightmares. To address these challenges, the PCI Security Standards Council suggests authentication should be based upon industry standards such as SAML and OIDC.
The Health Insurance Portability and Accountability Act (HIPAA) in the United States requires that healthcare organizations keep protected health information such as medical records, billing records and doctors’ notes secure. Software vendors are using SAML/OIDC to comply with HIPAA’s Security Rule, which requires access control.
Telecommunications vendors are adopting SAML/OIDC as part of standardization and interoperability efforts. For example, the European Telecommunications Standards Institute (ETSI) has standards for interoperability involving both protocols. The oil and gas industry and manufacturing industry have also been identified as industries where SAML is prevalent.
Adopting Effective Authentication
With attacks a nearly constant occurrence, security and privacy requirements are no longer seen as compliance exercises, but as critical elements of comprehensive, strategic, and continuous risk-based programs. They could mean the difference between whether an organization survives or not. Through 2025, the primary concern for more than three-quarters of Chief Data Officers will be governing the reliability, privacy and security of their organization’s data. Authentication and authorization are vital to this effort, but many applications still rely on legacy authentication methods such as Windows Authentication. A better approach is to adopt platform-independent authentication methods like SAML and OIDC.
Benefits found in platform-independent authentication include:
- Customizable login experiences
- Easy integration with an open standard process
- Strong vendor support across government and industries
- Authentication designed for cross-domain support
- Simplified operations and freed-up IT resources
- Reduced risk of data breaches and other security threats
- Meeting specific regulatory requirements and FedRAMP compliance
Legacy authentication methods face challenges, some of which include:
- Increased security risk from Active Directory credential storage and legacy hashing methods
- IT inefficiencies
- Being better suited to on-premises or intranet environments
Organizations still relying on legacy authentication methods should explore alternatives such as SAML or OIDC to improve the security of their data and more effectively govern authentication across their data infrastructure.
ISG Software Research
ISG Software Research is the most authoritative and respected market research and advisory services firm focused on improving business outcomes through optimal use of people, processes, information and technology. Since our beginning, our goal has been to provide insight and expert guidance on mainstream and disruptive technologies. In short, we want to help you become smarter and find the most relevant technology to accelerate your organization's goals.
About ISG Software Research
ISG Software Research provides expert market insights on vertical industries, business, AI and IT through comprehensive consulting, advisory and research services with world-class industry analysts and client experience. Our ISG Buyers Guides offer comprehensive ratings and insights into technology providers and products. Explore our research at www.isg-research.net.
About ISG Research
ISG Research provides subscription research, advisory consulting and executive event services focused on market trends and disruptive technologies driving change in business computing. ISG Research delivers guidance that helps businesses accelerate growth and create more value. For more information about ISG Research subscriptions, please email contact@isg-one.com.
About ISG
ISG (Information Services Group) (Nasdaq: III) is a leading global technology research and advisory firm. A trusted business partner to more than 900 clients, including more than 75 of the world’s top 100 enterprises, ISG is committed to helping corporations, public sector organizations, and service and technology providers achieve operational excellence and faster growth. The firm specializes in digital transformation services, including AI and automation, cloud and data analytics; sourcing advisory; managed governance and risk services; network carrier services; strategy and operations design; change management; market intelligence and technology research and analysis. Founded in 2006 and based in Stamford, Conn., ISG employs 1,600 digital-ready professionals operating in more than 20 countries—a global team known for its innovative thinking, market influence, deep industry and technology expertise, and world-class research and analytical capabilities based on the industry’s most comprehensive marketplace data.
For more information, visit isg-one.com.