11.30.2018 - HTTP Header Session Protection
The HTTP protocol was designed as a transport protocol to fetch and return content and to display HTML or other functions. But, HTTP wasn’t designed with authentication security top of mind. Approximately 40% of data breaches originate from attacks on web apps. And many of these breaches are preventable. HTTP header session protection as a part of your SSO solution should be at the forefront of your mind. Access to web/SaaS applications obviously initially requires successful authentication. After your username and password are accepted, authentication between the user and web service (client/server) session is usually maintained by cookies. The cookie allows the server, after successful authentication, to identify and trust the client during the session to allow seamless access to the web service. Many web services are front ends to databases, consumer data and/or corporate user specific data. An attacker, therefore, would just need to steal the cookie to hijack the current authenticated session. HTTP headers provide another layer of security for employees and consumers to guard against a number of attack vectors — including man-in-the-middle attacks (MIM), many cross-site scripting (XSS) attacks, session hijacking, and more. Cross-site scripting (XSS) has been a popular attack vector. In fact, it’s reported that XSS is the most common exploited vulnerability in web applications. XSS are high risk vulnerabilities where a type of code injection is used to hijack a legitimate users’ session. This isn’t a password breach, but a breach in the web session where the user has already successfully authenticated and is interacting with a web service. The HTTP session is hijacked and the attacker is now impersonating a legitimate authenticated user. Users are vulnerable everywhere to these threats but are especially susceptible within public unsecured WiFi networks where attackers can easily extract session cookies. Certainly, you would always also prefer an HTTPS session over an HTTP session, but that won’t necessarily help mitigate some XSS security issues. You need multiple layers of protection. HTTP header session protection is an essential component of a secure web services session; however, HTTP header session protection won’t protect against weak and reused passwords, brute force attacks, phishing attacks and other attacks against the passwords themselves. To mitigate password threats, implement strong authentication using multifactor authentication (MFA). Optimal IdM has a rock solid, agile MFA solution that was named Best MFA Solution of the Year in the GSN Homeland Security Awards. Microsoft reports that only 4% of SaaS storage apps and 3% of SaaS collaboration apps support all HTTP headers session protection. It’s irresponsible for organizations to ignore such large, yet solvable, attack vectors. Today’s sophisticated threat landscape for web and SaaS SSO applications require a vendor who can support modern, strong authentication by leveraging multiple HTTP session protections. Optimal IdM is that vendor. Further, Optimal IdM’s SSO solutions session support protections and encrypt data in transit and at rest. Additional Recommendations ...
10.11.2018 - Identity Management Challenges for Retailers
07.5.2018 - Troubleshooting Federation with Fiddler
Fiddler is simply the best tool to debug federation issues. Optimal IdM has just released a White Paper on this which you can download on the left side of this page. In this blog we will cover how to use Fiddler to debug WS-Federation issues. The URI for a relying party or identity provider may be in the form of a URL (such as http://my.test.com) or a URN (urn:my.test.com). URIs (both URNs and URLs) are case sensitive when used for Federation. For URLs in the form of URIs, every “/” is part of the name as is the protocol. When used as a URI the URLs http://my.test.com, http://my.test.com/, https://my.test.com, and https://my.test.com/ would all be considered different URIs. ...
05.22.2018 - Protecting Your Patient’s PHI Data
For healthcare, there’s never been a more urgent time to reassess your cybersecurity and identity and access management strategy. Until recently, protected health information (PHI) was the most valuable merchandise on the Dark Web. Complete healthcare records were going for $75 to $100 dollars at the height of demand according to Institute for Critical Infrastructure Technology (ICIT). ...
05.2.2018 - Know Your Credentials: The Other KYC Requirement
The way people want to interact with their financial providers has changed quickly in the past few years. Now, account holders want control over their funds, and they don’t want to jump through hoops to exert that control. They expect a streamlined customer experience that lets them accomplish their tasks quickly, and there are great rewards to be reaped by institutions able to meet those expectations. For example, according to PwC’s 2017 Digital Banking Consumer Survey, 46 percent of consumers do all their banking online, a percentage that will grow even larger as the first generation of digital natives—those graduating high school around now—enter their adult lives and establish relationships with banks and investment firms. A delightful customer experience isn’t the only purpose of good identity and access management. Financial firms need to meet Know-Your-Customer (KYC) requirements from many regulatory bodies in order to avoid hefty fines. These institutions may assume that meeting KYC and other regulatory requirements means their sensitive data is safe ¾ but that would be a mistake. Hackers aren’t the only threat to Personally Identifiable Information (PII) and other sensitive data. A financial organization’s own employees can present a danger as well. Insider threats take many forms. In rare cases, the employee is a thief who has actively sought access to parts of a core system they have no business accessing. In some cases, the employee is an opportunist who borrowed someone else’s credentials for legitimate reasons and then stumbled onto a trove of data that was too tempting to leave alone. But far more often, the employee is an unwitting pawn who’s fallen for a phishing scam or been socially engineered into sharing credentials with a con artist. Yet regardless of an intruder’s motivation or means, the results for the employer are the same: data leakage, brand damage, and regulatory penalties. ...
04.25.2018 - Agentless SSO – What’s The Big Deal?
SSO, or single sign-on, as a desired end-state for the user experience as they connect to a diverse set of applications reaps many advantages. There are multiple methods and architectures for achieving SSO, but one that should interest just about every customer is agentless SSO. ...
03.26.2018 - Privileged Access Management 101
Privileged access management solutions will be beneficial if you use them correctly. This includes: ...
03.12.2018 - RealMe Integration Services from Optimal IdM
02.8.2018 - SharePoint for Government – Is Seamless AND Secure Authentication Possible?
SharePoint is a Microsoft-based web application platform that businesses use to simplify infrastructure by managing multiple applications data from a single location. This can streamline your processes and improve workflow. How does it work for government agencies, though? ...
