Like a ship transporting valuable goods across a dangerous sea, enterprises have a duty to protect their own precious cargo: their user identity stores. These are the central repositories of sensitive information necessary for operation. However, if they become compromised, your enterprise becomes trapped in a terrible data breach situation. When the storm hits, either from hardware failures or bad actors, will your identity stores weather the storm?
This critical component of IAM systems can be protected through proper precautions. Names, passwords, email addresses, and other private information housed in user identity stores must not fall into the wrong hands. The consequences of such a data breach are substantial. Consequences range from federal fines to a permanent tarnishing of your brand, complete with customer lawsuits.
By understanding the greatest threats posed to identity store security and how to counteract them, your enterprise becomes more likely to successfully combat them.
Types of Identity Stores and Authentication Methods
User identity stores, and the methods used to access them, come in two main forms. The most common of these are basic databases and Lightweight directory access protocol (LDAP). Databases act as simple storage for identities. However, these databases must be augmented with separate programs to have their information accessed. As a result, most identity stores instead use LDAP, a protocol which pairs identity storage with the capability to quickly query and retrieve information stored.
An LDAP solution stores data in the directory and authenticates users to access the directory. This allows for greater interconnectedness between different parts of an enterprise’s systems. Because the protocol is both the data store and the query method, it is well-suited to features like multi-factor authentication and single sign-on. However, a need for better support of these features requires new architecture. SAML and OAuth 2.0 are the two main authentication schemas used for this purpose.
SAML relies upon a standardized identity protocol, allowing a single set of credentials to be “read” and accepted by multiple endpoints using the same language. A user is authenticated at a single point, and that authentication status is then accepted by other applications using the same SAML assertion. This allows users to use a wide variety of services through one set of credentials, making it ideal for SSO. OAuth 2.0 takes a different approach, allowing applications to interact via temporary access tokens instead of sensitive details. This allows for necessary application privileges to be authorized without disclosing credentials to multiple services, greatly reducing the potential attack surface.
The Dangers of Unsecured Identity Stores
The ubiquity of LDAP as an identity store has led to intense focus upon it as a vector for data breaches. The most common of these attacks is the dreaded LDAP Injection. Because LDAP runs search and access requests, an unsecured query entry system can be used to run commands. If an attacker knows the right information, they can compromise the most basic coding of a database. This can allow for unauthorized access to an account or even the escalation of privileges. One insidious aspect of LDAP injection is how long it can go unnoticed, as was the case with the 2017 Joomla vulnerability which had lasted for eight years before being patched.
While protocols like SAML are intended to increase the security of an identity store, a misconfigured setup leaves gaps which can serve as new vectors. The most common of these is an XML Signature Wrapping attack. A signature wrapping breach relies upon a method like an injection attack, where a hacker takes advantage of an unsecured command-entry line to spoof credentials and alter privileges. DarkReading estimates that 74% of Q1 malware in 2021 was undetectable via signature-based tools, highlighting the danger this vector poses to the security of user identity stores.
Despite its stated goal of creating a security-minded minimization of attack surfaces, OAuth2 has fallen prey to several vulnerabilities. These range from leaked access tokens to insufficient validation measures. Because the protocol is so flexible, many companies fail to take proper security precautions when implementing OAuth2. This results in vulnerabilities which allow hackers to generate access tokens and compromise user data stores. Even tech giant Microsoft fell prey to an OAuth2 vulnerabilities in early 2024 despite issuing a warning just a month prior to the incident.
Maturity in Identity Solutions
If these protocols intended to increase security are being used to undermine it, what can users do to protect their user identity stores? By intentionally moving towards a more mature implementation and upkeep of identity stores and their associated systems, enterprises can achieve the safety these systems were meant to provide. The first step is to answer these critical questions:
- How many employees and non-employees work at the company? Are there any third-party users with access to internal systems?
- How effective is the onboarding/offboarding process? Does your identity solution leverage automation to cut down on J-M-L processes?
- How many redundant copies of user identity data create risks and inefficiencies? Do you have policies for dealing with orphaned and overprovisioned accounts?
Answering these questions marks an important milestone in the pursuit of secure identity stores. Enterprises should look to implement a robust IGA and PAM solution in conjunction to their identity stores. The monitoring and governance capabilities of these identity pillars serve as both a preventative measure and as a remediation control. Your enterprise should focus on simplifying identity and access management. You should also consolidate siloed identity data into unified stores to gain holistic governance and visibility.
However, as seen in previous examples, shoddy implementation is the root cause of many vulnerabilities. As such, enterprises should strongly consider contracting to a managed identity service. An expert team can analyze the most likely vulnerabilities in your user store and authentication systems. Furthermore, the best teams provide these improvements at a fixed cost and timetable, enhancing your ability to plan ahead.
Contact a Simeio Identity Advisor now and learn what a mature identity store solution looks like.