Posted by:
admin
12 years, 8 months ago
Lori MacVittie has a great post over at F5's DevCentral about the current state of identity for the cloud. It is well worth a read.
I agree completely with Lori's post, especially this quote:
From a technical perspective what’s necessary is a better method of integration that puts IT back in control of identity and, ultimately, access to corporate resources wherever they may be.
It is the "wherever they may be" part, in relation to your authentication server, that I have been pondering. Lori suggests using identity bridging to connect SaaS services to corporate identity management services. This is essentially the setup when you add WiKID two-factor authentication to Google Apps for your Domain: the user logs into a corporate identity server (the WiKID server), and the WiKID server vouches for the user via Google's SAML interface. (We do not perform SSO functions, though.)
So let's say you are a corporation moving "entirely to cloud services". In this instance, let's say Google Apps is the only SaaS service you need for now. You're worried that all your corporate data is out there on the Googles. You've decided that Google is better at managing uptime and security, but the lack of control is irksome. (Kind of like the move from IPSec to SSL-VPNs.)
So, you have decided to add two-factor authentication to your SaaS services. Where do you put your authentication server? In the cloud? At home? I think the biggest determinant is what resources you have at home. In particular, do you have any resources that rely on RADIUS for authentication, such as a VPN? Unlike SAML, RADIUS traffic is not encrypted. Of course, you can tunnel it, but that would increase the complexity of the setup. If you are running your authentication through Active Directory using the Microsoft RADIUS plugin NPS, do you want that traffic coming from the Internet?
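To make the "RADIUS is not encrypted" point concrete, here is an added example (not code from the post, and not WiKID's own implementation) that encodes an RFC 2865 Access-Request the way a VPN concentrator would send it, then shows what a passive observer on the Internet path can read from it without the shared secret, versus what the RADIUS server recovers with the secret. Only User-Password is hidden, and it is hidden by an MD5 keystream keyed with the static shared secret rather than by any per-session encryption; User-Name, the NAS address and everything else travel in the clear. The shared secret, credentials and the NAS address (192.0.2.10, from the documentation range) are constructed values for the demo.

```python
import hashlib
import os
import struct

# RADIUS packet code and attribute types from RFC 2865 (standard constants, not from the post)
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed by a static shared secret, not session encryption."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    hidden = bytearray()
    prev = authenticator
    for i in range(0, padded_len, 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password. It needs nothing beyond the packet
    and the shared secret, so the secret is the whole defence for the password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(plain).rstrip(b"\x00")  # strip RFC padding; passwords cannot contain NUL


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value must be at most 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str = "192.0.2.10", authenticator: bytes = b"") -> bytes:
    """Encode an Access-Request as a NAS (for example a VPN concentrator) sends it."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random octets
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier & 0xFF, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and an attribute map. No secret is
    needed for this step: everything except User-Password is directly readable."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def observer_view(packet: bytes) -> dict:
    """What a passive observer on the path learns without the shared secret."""
    a = parse_packet(packet)["attrs"]
    return {
        "username": a[USER_NAME].decode(errors="replace"),
        "nas_ip": ".".join(str(b) for b in a[NAS_IP_ADDRESS]),
        "password_octets_visible": len(a[USER_PASSWORD]),  # length leaks; content needs the secret
    }


def server_view(packet: bytes, secret: bytes) -> tuple:
    """What the RADIUS server recovers with the shared secret."""
    parsed = parse_packet(packet)
    a = parsed["attrs"]
    return (a[USER_NAME].decode(errors="replace"),
            unhide_password(a[USER_PASSWORD], secret, parsed["authenticator"]))


if __name__ == "__main__":
    # Constructed sample values: the shared secret and credentials are made up for this demo.
    demo_secret = b"constructed-shared-secret"
    pkt = build_access_request(7, "alice", "correct horse", demo_secret)
    print("observer sees:", observer_view(pkt))
    print("server recovers:", server_view(pkt, demo_secret))
```

Running it shows the username and NAS address readable straight off the wire, which is why routing this traffic across the Internet to a cloud-hosted authentication server is uncomfortable even though the password itself is masked. The tunnelling the post mentions (an IPsec or TLS tunnel between the NAS and the server, or RADIUS over TLS as standardised in RFC 6614) is the usual mitigation, at the cost of the extra moving parts the post notes.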
So, for me, I would tend to keep the keys to the kingdom at home. What about you?