Identity Management And Identity Fraud


02 Nov 2017


Kriti Sharma

5000 Forbes Avenue

Pittsburgh PA 15213

[email protected]

Abstract

Enterprises across the globe have been increasingly adopting Identity Management schemes to centrally manage the identities and their provisioning to enterprise applications and resources. Identity Management helps reduce administrative costs, implement fine-grained security policies and improve regulatory compliance. However, commercial Identity Management solutions increase the complexity of IT systems by introducing additional application, data and network components. Particularly, the centralized nature of all identity-related data may be an attractive and profitable target for an attacker. This paper seeks to explore the security flaws in typical Identity Management deployments to analyze their effect on possible identity fraud. The paper shall analyze the robustness of Identity Management schemes in dealing with corporate security incidents and suggest future improvements to mitigate any significant threats that the analysis identifies.

Keywords: Information Security, Identity Management, Identity Fraud

Introduction

With the ever-growing complexity and scale of applications, systems and compliance requirements, organizations are finding it increasingly difficult to manage the information related to their people, processes and technology. (1) Identity Management allows enterprises to centrally manage the identities of employees, groups and processes. It allows centralized authentication and authorization of identities to end applications and resources.

Typical Identity Management deployments

There are a number of vendors that provide enterprise Identity Management products and services. Oracle, IBM Tivoli, Novell (now NetIQ) and CA are the popular vendors that provide an entire suite of products related to Identity Management, Single Sign On, Access Management and other integrated applications.

The central component of Identity Management deployments is the identity repository, which could be either a database or an LDAP-compliant directory. For instance, the Oracle Identity Management system stores all schema, identities and metadata in an Oracle database. Oracle also provides the LDAP-compliant Oracle Internet Directory (OID) and Oracle Virtual Directory (OVD) to enable organizations with disparate data sources to have a unified data view. (2) NetIQ, on the other hand, uses the Novell e-Directory for its ‘Identity Vault’. (3)

Identity Management schemes comprise a ‘trusted’ or ‘authoritative’ source, which may be an Enterprise Resource Planning application such as SAP HR or PeopleSoft. This ensures that all employee information emerges from a single source. There will be multiple end applications and resources, such as Microsoft Active Directory, Exchange mailboxes and Microsoft SharePoint, that an identity needs to be provisioned to. User information is stored in disparate sources. For instance, an employee's address may be stored in both the ERP application and Active Directory. The identity system will ‘trust’ the employee address from the ERP application and push or reconcile all changes to the address to the Active Directory account of the employee. The systems allow for configuring fine-grained rules to enable role-based access control. Some of the other features that enterprise Identity Management systems provide are approval workflow design, audit and compliance report generation, centralized administration, assignment of proxies or delegates and self-service password change capabilities.

The basic architecture of an Identity Management system thus consists of a trusted source, an identity repository and target applications. Employee records are reconciled into the identity repository from a trusted source such as an ERP system. Existing applications and records belonging to the identities are reconciled into the identity system based on pre-configured rules. New entitlements to end applications are added to identities based on role-based access policies. The identity system is configured based on the technology and business requirements.

The physical infrastructure for an Identity Management deployment consists of additional servers for applications, database, proxy servers and other identity components. Additional firewalls, Virtual LANs, Demilitarized Zones or DMZs are also included.

Security benefits from Identity Management

Identity Management provides the following security benefits to the enterprise.

Reduced manual administration - With the use of Identity Management schemes, the risk from manually enabling and disabling access to multiple resources is reduced considerably. Since the workflow is automated, an incoming employee will be automatically granted timely access based on the joining date from ERP system while the access would be immediately revoked for an outgoing employee. By removing the manual step in granting/revoking access, this scheme reduces the risk of an outgoing employee with retained access to enterprise systems.

Improved compliance - With fine-grained access policies, approval workflows, alert notifications and the ability to view detailed compliance reports, organizations are able to better implement their access policies and audit the access across the organization. Since they can centrally manage the identities and their entitlements, organizations can reduce their compliance issues.

Reduced redundancy - Identity Management schemes reconcile all changes to identity information. Any change to an employee’s personal details in the ERP application will be pushed to all accounts. Also, any change to an employee from an end application can also be pushed back to the ERP application to maintain concurrency of data.

Security risks with Identity Management

Identity Management solutions have specific security issues that are presented in this section.

Firstly, the identity management solutions require a lot of configuration before deployment. If the underlying security configuration is chosen insecurely, the entire solution will be rendered weak. Further, the problem with lost or compromised passwords and login credentials is not solved through Identity Management. Weak authentication policies, despite a careful Identity Management deployment, will compromise the security of the enterprise. Secondly, by centralizing all identity information, the scheme poses the risk of a possible single point of failure. The centralized nature of all important information also makes the scheme more attractive to hackers. Thirdly, no Identity Management solution can be fully automated as some amount of manual administration is always required. A malicious insider with manual administrative access can jeopardize the security of the entire enterprise.

Potential for Identity Fraud

With increased dependence on the internet for banking, financial and personal activities, there has been a large rise in online identity theft. According to a study by Javelin Strategy and Research, there were more than 12 million identity fraud victims in the United States in 2012. (4)

As per a recent FBI report, "identity theft has emerged as a dominant and pervasive financial crime that exposes individuals and businesses to significant losses". (5)

The Identity Management system contains details of all employees. The identity system allows employees access to all enterprise resources, within the office or even remotely. An attacker may gain access to enterprise applications through compromised identity accounts. In the absence of appropriate security controls, a hacker may gain access to the central identity management system including the identity repository. In federated identity management systems where one or more organizations, vendors or third-party organizations share common identity schemes, weak security in one organization may compromise the security of another organization. Thus, these systems are attractive targets for identity fraud.

Identity Management solutions increase the IT infrastructure complexity and add many new levels of applications, servers, network components and data. As per my analysis, Identity Management introduces the following new attack vectors:

Authentication layer attacks - Even though there are standards such as NIST 800-63 that require strong authentication for critical federal systems, a large number of companies with Identity Management solutions do not encourage strong authentication. (6)

Network layer attacks - As discussed in the preceding sections, the extra network components that an Identity Management deployment introduces present an additional attack vector. Also, with many authentication protocols used across the enterprise, Single Sign On implementations can become complex and error-prone.

Transport layer/protocol related attacks – Identity Management systems make use of transport layer protocols such as SSL/TLS, authentication protocols such as Kerberos and identity-based XML frameworks such as Security Assertion Markup Language (SAML) and Service Provisioning Markup Language (SPML). The DigiNotar breach, which resulted in fraudulent certificates, is a popular example of SSL compromise. (7) Organizations integrate their identity management solutions with partner firms and vendors, enabling Federated Single Sign On through the use of SAML. OASIS, the organization that developed SAML, has listed possible Denial of Service and Replay attacks on SAML. (8)

Availability issues owing to attacks on the application servers – The server components may be subject to a Denial of Service attack through physical means or through the network.

Attacks on the Identity Management configuration – The Identity System is configured with access policies, role-based access rules, password policies, provisioning and reconciliation rules and so on. An insider or a privileged user may modify these settings that may compromise the security of the enterprise.

The Identity Management system can be misused by disgruntled employees and malicious outsiders for personal and financial gains. Cyber identity thieves may steal identity information for financial gains. The system may also be misused by terrorists and foreign governments, leading to information warfare.

Security issues

This section builds on the previous security discussion and presents a detailed description of the security issues identified with Identity Management schemes that increase the exposure to identity fraud. The security threats have been categorized for a more readable analysis.

Single point of failure

As discussed in the preceding sections, the Identity Management system enables an enterprise to centrally manage the lifecycle of all identities. Even though this offers many advantages to the enterprise, the centralized nature of the identity scheme also increases the risk of compromising the availability of the entire IT systems through a failure at a single point. A physical damage or compromise of the network and server equipment may render the entire system unavailable. The central server machines can be planted with malicious code with an intention to cause a Denial of Service attack, affecting the availability of critical authentication and access services. If the authentication services are brought down, employees will not be able to access enterprise resources, causing significant productivity and financial losses.

A disgruntled employee with privileged or administrative access may be able to revoke or modify access of other employees through the identity configuration console. This would, in turn, affect the service availability for the targeted employees.

Also, a network layer attack on the authentication and authorization servers may cause a Denial of Service and make the identity services unavailable for the employees. In the absence of an appropriate backup and disaster recovery strategy, irreparable damage to a server machine or a physical configuration will take a long time to detect and repair, affecting system availability.

Authentication-related issues

Single Sign On implementations enable easier access to multiple applications, without requiring the users to remember multiple passwords. However, they increase the risk of weak authentication. Multi-factor authentication schemes are expensive and more complex to implement. For instance, introducing secure tokens along with password for two-factor authentication is more expensive than implementing only the password scheme. If the password policy is not configured to block multiple unsuccessful login attempts, an attacker may be able to crack the password by brute-force and log in to an employee’s account.

Also, Single Sign On implementations require connecting systems that make use of disparate authentication schemes and protocols. Interoperability issues between multiple protocols may be exploited by an attacker. Also, remote access of enterprise applications may pose a security risk. Accounts with privileged access and those with the right to approve or attest other accounts may be more attractive to attackers. An attacker would target such accounts to gain control over other accounts.

Confidentiality and integrity issues

Even if all communication between the user and the rest of the servers is encrypted using SSL/TLS, the confidentiality and integrity of the communication is limited by the security of the network layer protocols. It was shown by Dug Song back in 2000 that a Man in the Middle (MITM) attack is possible on the TCP/IP protocols. (9) This may allow an attacker to steal regular or SSO session information and fraudulently access a legitimate user’s session. With SSO, the risk is even higher, as an SSO session token can be used to access more than one enterprise application. An attacker may be able to gain entry into an employee’s mailbox, Active Directory account or a business application and change important credentials. An attacker may also install malicious code, including a keylogger, and compromise the system even further.

An attacker can also log in to an employee’s account using stolen identity and password information. An attacker can also hijack a session through shared session cookies, compromising the confidentiality and integrity of a user’s data. If the identity system does not detect and remove orphan or rogue accounts (application or target resource accounts that do not have associated identities), an attacker could misuse these accounts to access enterprise data.
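The orphan-account check mentioned above, together with the retained-access case from the "Reduced manual administration" benefit, can be run as a periodic reconciliation audit. The following is an added example, not code from the essay or from any vendor product; the record layouts, field names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    employee_id: str
    status: str  # "active" or "terminated", as reconciled from the trusted source


@dataclass(frozen=True)
class TargetAccount:
    system: str              # target application the account lives in
    login: str
    owner_id: Optional[str]  # identity the account is linked to, if any
    enabled: bool


def audit_accounts(identities, accounts):
    """Return sorted (system, login, finding) tuples for accounts needing review.

    "orphan": the account has no owner, or its owner is not in the repository.
    "retained-access": the owner is no longer active but the account is enabled.
    """
    by_id = {i.employee_id: i for i in identities}
    findings = []
    for acct in accounts:
        owner = by_id.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            findings.append((acct.system, acct.login, "orphan"))
        elif owner.status != "active" and acct.enabled:
            findings.append((acct.system, acct.login, "retained-access"))
    return sorted(findings)


# Constructed sample data (hypothetical employees and accounts).
SAMPLE_IDENTITIES = [
    Identity("E1001", "active"),
    Identity("E1002", "terminated"),
]
SAMPLE_ACCOUNTS = [
    TargetAccount("ActiveDirectory", "jdoe", "E1001", True),
    TargetAccount("Exchange", "jdoe", "E1001", True),
    TargetAccount("ActiveDirectory", "asmith", "E1002", True),    # leaver, still enabled
    TargetAccount("Exchange", "asmith", "E1002", False),          # leaver, correctly disabled
    TargetAccount("SharePoint", "svc_backup", None, True),        # never linked to an identity
    TargetAccount("ActiveDirectory", "tmpuser", "E9999", True),   # owner unknown to repository
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_IDENTITIES, SAMPLE_ACCOUNTS):
        print(finding)
```
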

Governance-related issues

Even though Identity Management reduces the need for manual administration, some amount of manual administration is still required to manage the identity system and make configuration changes when required. The administrators may also be required to manually modify access levels in cases where an approver is not available or when a rule did not trigger successfully because of logical errors. If the privileged access to administrators is not logged and managed properly, a disgruntled insider could exploit the privileged access to compromise the identity system. An administrator account with remote access can be exploited by an outsider to change or modify access rules and other configuration settings. Also, since all the meta-data and provisioning information is ultimately stored in a database or directory, an attacker who can gain access to the database server can directly modify or delete accounts, provisioning information and configuration.

Similarly, in the absence of proper security controls on the application servers that host the Identity Management applications, an attacker could modify the application behavior and settings. The application code can be modified by an attacker. With control of the server machines, firewall and network rules can be altered by an attacker and entire services can be stopped, changed and restarted.

Recommendations

The Identity Management solutions from most vendors provide highly configurable platforms to which fine-grained policies and settings can be implemented. I had the opportunity to work on the Oracle Identity Management suite and appreciate the amount of granularity the product offers in terms of customizing the connections between Identity Manager and end resources, personalizing the user interface, building customized approval workflows and access policies. However, most large corporations outsource the Identity and Access Management customization and deployment work to technology services companies. The state of security of these deployments, thus, depends on whether sound security practices were followed and whether all relevant security considerations were accounted for while designing the solution architecture. Even though there are groups and consortiums that are attempting to arrive at a set of common principles and best practices for Identity Management, there are currently no well-defined standards to guide the Identity Management solutions. (10)

The complexity of the environments and the requirement to manage millions of users makes the security implementations even more difficult. (11)

Based on my analysis, I have come up with the following recommendations to mitigate some of the security risks discussed above:

Reducing risk from single point of failure

It has been noted that the centralized nature of the Identity system can be an attractive target for disrupting availability across the enterprise. The risk of the physical server being targeted by a malicious insider can be reduced by having a well-defined physical and environment security policy. Server rooms should be securely isolated with limited access to legitimate users only. All access to server machines should be logged and audited. Access to server areas should be mandated to have multi-factor authentication. Smart cards may be considered along with another authentication factor such as a PIN or a passcode.

In order to ensure better security on the server machines, each server machine should be hardened. All Microsoft Windows machines should be hardened using Windows Security Configurations, time synchronized, regularly updated, configured with group policies using security templates. All Linux machines should be hardened to disable root user access, remove unnecessary services and daemons, secure kernel firewall settings and so on. Security hardening scripts such as Bastille can be used.

To mitigate the risk of service interruptions due to large-scale physical damage or disaster, redundancy should be built into the servers. Servers should be configured for load-balancing. Regular backups should be performed on the servers. Performance-intensive reconciliation tasks should be carried out in off-peak hours – such as weekends or dark window periods. Also, the Business Continuity Plan should detail the backup and disaster recovery strategy to minimize business interruptions in the event of a disaster.

Reducing authentication related risks

The enterprise should not lose focus on implementing a strong authentication policy. It should consider a strong two-factor authentication policy. ‘Something you know’ such as a password can be considered along with ‘something you have’ such as a randomly generated PIN. If such a scheme is not affordable across all employees, the scheme can be implemented with a subset of most critical employees with elevated privileges. However, a strong password policy should still be included for other employees. The password policy should mandate strong passwords that are changed frequently. Unsuccessful login attempts should be limited to a small number. Centralized logging should be enabled. Security warnings with appropriate levels should be configured so that the administrators are alerted to a suspicious login attempt.

In order to ensure better security, contextual authentication data may be used to filter out authentication-related incidents. For instance, if a user logs in from a new location, an additional challenge-response screen could be presented to minimize the risk of an outside attack. Extra authentication security should be mandated for all remote logins. Context-aware authentication should be used for all remote users as they expose a greater risk for an attack. VPN access should also use strong two-factor authentication with auditing and logging enabled. It may be desirable to allow remote access through virtual machines with clipboard and shared folder features disabled to disallow communication between the virtual machine and the host computer.

Privileged accounts should be handled with due diligence. The least privilege principle should be followed for administrative and privileged accounts as well. All administrative changes to the system should be logged. Older logs should be archived but be kept accessible for reasonable periods of time.

Reducing confidentiality-related risks

SSL needs to be secured, since an SSL compromise will compromise the confidentiality of the communication. Since SSL security may be compromised due to inadequate browser settings or fraudulent certificates, it is imperative that transport layer communication is appropriately secured. Simply enabling SSL is not enough to ensure secure communication. It is important that strong cryptographic algorithms are used with appropriate key length, trusted certificates are carefully selected, bad certificates are revoked immediately and sensitive data is not allowed to appear in the URL. (12) Multiple domain certificates should also not be allowed as they may lead to a MITM attack.

Appropriate steps should be followed for session management to minimize the risk of an attacker being able to hijack an SSO session. Appropriate session expiration times should be set and the session should be invalidated on both the client and server sides. (13) A session should not only be invalidated when idle for a stipulated time; it should also have a maximum time limit after which it expires.

Session information in cookies should be secured using the ‘secure’ attribute to minimize the disclosure of sensitive session information to an attacker, preventing a possible MITM attack. Also, the session IDs should have a long-enough length to prevent a brute-force attack.
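The session-management recommendations above (idle timeout, maximum session lifetime, invalidation on both sides, the `Secure` cookie attribute and long session IDs) are sketched below as an added example; it is not code from the essay or from any Identity Management product. The timeout values, the cookie name `sid` and the in-memory store are assumptions, and `HttpOnly` is an addition the essay does not mention.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60           # assumed: 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # assumed: 8 hours maximum lifetime
SESSION_ID_BYTES = 32            # 256 bits of randomness per session ID


class SessionStore:
    """Server-side session table enforcing idle and absolute expiry."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested

    def create(self, user):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None and drop the record."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        too_old = now - rec["created"] > ABSOLUTE_TIMEOUT
        too_idle = now - rec["last_seen"] > IDLE_TIMEOUT
        if too_old or too_idle:
            del self._sessions[sid]  # server-side invalidation
            return None
        rec["last_seen"] = now       # activity resets only the idle timer
        return rec["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def _cookie(value, max_age=None):
    c = SimpleCookie()
    c["sid"] = value
    c["sid"]["secure"] = True    # only sent over TLS
    c["sid"]["httponly"] = True  # not in the essay: hides the ID from page scripts
    c["sid"]["path"] = "/"
    if max_age is not None:
        c["sid"]["max-age"] = max_age
    return c["sid"].OutputString()


def session_cookie(sid):
    """Set-Cookie value for a new session (no Max-Age: a browser-session cookie)."""
    return _cookie(sid)


def expired_cookie():
    """Set-Cookie value that makes the client discard the session ID at logout."""
    return _cookie("", max_age=0)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("Set-Cookie:", session_cookie(sid))
    print("validate ->", store.validate(sid))
    store.logout(sid)
    print("Set-Cookie:", expired_cookie())
    print("validate after logout ->", store.validate(sid))
```
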

In order to prevent the risks from shared session cookie information, browsers should disable cross-tab sessions. (13) Moreover, browsers should not cache session ID information. Browser settings can be pushed to all machines on the network through a common Group Policy.

Reducing governance-related risks

A disgruntled employee with administrative access may be a major risk to enterprise security. He may have the power to affect the availability of applications and data across all other users and may even have the control to steal identity information. It is important that administrative access is properly managed, audited and logged. It is essential that separation of duties is implemented across all administrative accounts. For instance, an administrator should not have complete access over all applications, configurations and server machines. The administrative privileges should be delegated across multiple individuals and all administrative changes should be logged. The management should be able to access and audit all administrative changes from a single place. Recently, many vendors like IBM and CA have come up with Privileged Identity Management solutions to manage all privileged access. (14) Where applicable, organizations could consider these solutions for better governance of privileged access.

To minimize the risk of a malicious insider directly accessing the database and directories for identity information, the databases should be secured by creating appropriate tablespaces and associated user groups to contain access. All administrators should not enjoy the privileges to drop, add or modify critical tables. Similarly, all application code and behavior should be version-controlled and backed-up. The access to the production server machines with code access should also be logged and audited. Appropriate notification emails should be sent to senior management if a suspicious activity is recorded.

Also, to enable better governance, a thorough security policy that covers all aspects of security – physical security, encryption, email servers, vendors, application security, incident response and business continuity – should be made available to all employees. Employees should be made aware of the security policy and be engaged in regular training and awareness programs. Employees need to be provided enough information on the enterprise applications and best practices during onboarding. This would ensure that an average employee understands security and understands the implications of a breach. Knowledge of the incident response policy would also ensure that an employee reports suspicious behavior or activity around him.

Conclusion

In this paper, I provided an overview of Identity Management across an enterprise. The discussion introduced the generic architecture and benefits of an identity system while noting the scope for identity fraud owing to the new attack vectors that the identity management scheme introduces. With a large number of vendors providing Identity Management products and a large number of technology services companies deploying customized Identity Management solutions, there may be considerable security risks in the architecture, design and implementations of these solutions. Also, it has been noted that it is still an evolving field with no noteworthy standards or guidelines that would assist a secure Identity Management deployment with minimum risk of a possible identity fraud. The analysis identified multiple implementation risks that may expose the enterprise to a corporate fraud. The paper has revealed several shortcomings in the Identity Management schemes that may make these an attractive target for a corporate identity theft. Since Identity Management is a relatively new field, an attack of a substantial magnitude has not been observed yet. However, the future deployments should appreciate the importance of building resilient Identity Management solutions by securing all the attack vectors identified above. Many a time, the prime driver for security solutions is meeting compliance objectives and not enabling better security. With Identity Management trending towards cloud adoption and even mobile, BYOD devices, that have even bigger security risks, it is imperative that all identity systems are designed, implemented and maintained with security. (15)


