Access management is a general description of IT technologies and processes that control access to enterprise systems, resources, and data. It uses company-defined policies to ensure that users, based on their profiles, roles, and groups, are granted access to the appropriate resources, while prohibiting unwarranted or unauthorized access.
Account takeover (ATO) fraud occurs when a malicious outsider gains access to a user’s login credentials to steal funds or information. The perpetrators digitally break into a bank account or ecommerce account through a variety of techniques, such as phishing, malware, and man-in-the-middle attacks. Once they gain access, the attackers steal money from an account by making fraudulent transactions, such as payment to a fake company, transferring funds to another bank account, or through any number of unauthorized transactions. To learn how adaptive authentication can prevent ATO fraud, go to ForgeRock Intelligent Access.
The job of authentication is to verify a user’s identity, usually by two or more factors. But what happens when something changes between a user’s login attempts? Perhaps the credentials are correct but the device is not recognized. Or the login is from an unusual location or there have been multiple (failed) attempts. Adaptive authentication intelligently adjusts to these changes by requiring additional (stepped-up) authentication before allowing access. If a user is behaving in a typical way using a recognized device, adaptive authentication makes login fast and frictionless. Learn about ForgeRock Autonomous Access, an AI-driven threat protection solution, that makes it easy to include adaptive authentication in your IAM user journeys.
Authentication, in the simplest terms, is a process that verifies a user’s identity. As people access company applications or resources, or they log in to online accounts, they typically authenticate by entering their email address or username and password. Unfortunately, this combination has become increasingly risky, as people use simple passwords, which are subject to brute-force attacks, and reuse passwords on multiple sites, which leaves them open to password stuffing and other attacks.
To prevent such attacks, many organizations are adopting two-factor authentication (2FA) or multifactor authentication (MFA), which add a layer of security by requiring something the user knows (such as a username/password) and something the user has (such as a device that can receive access codes). Other forms include biometrics, such as a fingerprint and facial recognition, or tools, such as key cards and USB tokens.
Authorization differs from authentication, as it is used to determine the [authenticated] user’s approved level of access. In the enterprise, users (including people, workloads, and “things”) are granted certain privileges related to what may be accessed, based on their roles, and such access may be extremely granular. For example, an accountant may have extensive privileges within most financial applications, but not those related to compensation. A product marketer may have permission to view engineering diagrams but not the ability to alter, download, or share them.
Autonomous Identity uses artificial intelligence (AI) and machine learning (ML) techniques to help security and IT teams increase an organization’s security posture by avoiding excessive access permissions and privileges. It automates certain processes, such as collecting and analyzing identity data, to simplify provisioning of new employees' access using risk scores. Autonomous Identity provides deep insight into risk as it pertains to access. By quickly understanding who has access to what, security and risk teams have better awareness of an organization's risk posture. Learn more by reading Accelerating Zero Trust with ForgeRock Autonomous Identity.
An application programming interface (API) acts as an intermediary between different software applications, allowing them to talk to each other and share information. Like any entity that’s connecting to your apps and data, such as a user or device, API connections need to be secured. If they’re not, they can become targets for malicious activity. By treating APIs as other entities and putting a gateway in front of them, you can enforce policies and monitor API traffic to detect anomalies, block malware, and prevent access by unsanctioned entities.
Biometric authentication is a technique for authenticating users that applies the unique characteristics of the user, such as fingerprints. Biometric authentication uses technologies such as fingerprint sensors, eye (iris or retina) scanning, and facial recognition. It is a layer of authentication that provides greater security than standard username and password authentication and is often a component of multifactor authentication (MFA).
A brute-force attack is a way to break into an account through multiple login attempts that try a different password each time. It’s a rudimentary approach to infiltrating an account or network but remains popular with hackers due to its success. (Read tips for avoiding brute-force attacks.)
The Continuous Adaptive Risk and Trust Assessment (CARTA) model was defined by Gartner and is a key component in the zero trust framework. As the acronym suggests, CARTA uses a continuous and adaptive assessment of a user’s identity and activities. This means that once “trust” is established through authentication and policy, CARTA conducts frequent and unobtrusive checks to re-evaluate authentication and risk signals. Trust may be revoked as context changes, such as the user’s geolocation, device, or the apps or data being requested.
CIAM (see Customer Identity and Access Management)
The term cloud commonly refers to applications and services that are accessible over the internet. Enterprise applications that were once hosted in data centers are being moved to the cloud to enable easier access for employees as well as scalability and greater reliability. Adopting software as a service (SaaS), such as Microsoft 365, Google Workspace, ServiceNow, Salesforce, and Workday, also reduces the IT burden by moving application management and updates to the cloud providers.
Enterprises are also moving their internally managed applications to public clouds, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. These companies are known as infrastructure-as-a-service (IaaS) providers and, though they manage the cloud, the applications are managed by the enterprise customer.
With public clouds, organizations may consume applications, infrastructure, and services on a pay-per-use basis without the need to own and manage the infrastructure. Users and services can be added or removed easily. Private clouds are slightly different in that the entire cloud instance—hardware, storage, and network—is dedicated to a single organization.
Learn about ForgeRock’s cloud-delivered identity and access management services: ForgeRock Identity Cloud.
Customer identity and access management (CIAM) allows organizations to manage customer identities, providing security and the enhanced experience consumers have come to expect. CIAM is related to identity and access management (IAM), as both solutions are designed to help organizations manage user identities as they access certain applications and data. But there are key differences. While the primary use case for enterprise IAM solutions is managing user identities and secure access for people (employees and partners), devices, and even APIs—the interfaces that allow applications to talk to one another—CIAM is specifically designed for enabling frictionless access to online services for consumers. Read more about CIAM.
In the enterprise, employees expect to have their identity and access privileges managed by their employer. But as consumers, we all expect to be able to manage our own profiles and privacy settings. It’s not only a requirement for customer acquisition and retention, but it’s the law in many parts of the world. Regulations — such as the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA), PIPEDA (Canada), POPI Act (South Africa), and LGPD (Brazil) — have been enacted and many more are on the way in the U.S. and around the world.
The reasons are clear. Consumers share more information than ever before with online businesses and services, including governmental agencies. Standards such as user-managed access (UMA) enable organizations of all types to comply with regulations while protecting consumer data and giving those consumers control over their personal information.
Credential spraying (also called password spraying) is an attempt to access a large number of accounts using known passwords, such as default passwords, or common ones, such as password123. It is an approach that relies on poor password hygiene.
Credential stuffing attacks typically involve bots that use automated scripts to test every username and password combination in a (stolen) database to see if any of them gain access to a user's account or website. This information can often be used to gain unauthorized access to multiple accounts due to the fact that many people reuse login credentials.
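The brute-force, credential spraying, and credential stuffing entries describe three different shapes of failed-login traffic, and a detection rule can tell them apart by counting distinct accounts and distinct passwords per source. The following is an added example, not code from ForgeRock or from this glossary; the log format, the `pw_fp` field (assumed to be a keyed-hash fingerprint of the attempted password, never the password itself), and all thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed thresholds; tune against your own baseline.
MIN_ATTEMPTS = 5          # ignore sources with fewer failures than this
MIN_ACCOUNTS = 5          # "many accounts" starts here
SPRAY_MAX_PASSWORDS = 3   # spraying reuses a handful of common passwords
STUFFING_PAIR_RATIO = 0.8 # stuffing: roughly one distinct password per account

LINE_RE = re.compile(r"src=(\S+) user=(\S+) pw_fp=(\S+) result=(\S+)")

# Constructed sample log (hypothetical format, documentation-range IPs).
TS = "2024-01-15T09:00:00Z"
SAMPLE_LOG = "\n".join(
    # one account, many different passwords
    [f"{TS} src=203.0.113.10 user=alice pw_fp={i:04x} result=FAIL" for i in range(8)]
    # many accounts, one common password
    + [f"{TS} src=198.51.100.7 user=user{i} pw_fp=aaaa result=FAIL" for i in range(8)]
    # many accounts, each tried with its own (leaked) password
    + [f"{TS} src=192.0.2.44 user=cust{i} pw_fp={0x9000 + i:04x} result=FAIL" for i in range(8)]
    # a legitimate user mistyping once, then succeeding
    + [f"{TS} src=192.0.2.99 user=bob pw_fp=1234 result=FAIL",
       f"{TS} src=192.0.2.99 user=bob pw_fp=5678 result=OK"]
)


def classify_source(attempts):
    """Label one source from its failed (account, pw_fp) pairs."""
    if len(attempts) < MIN_ATTEMPTS:
        return "below-threshold"
    accounts = {account for account, _ in attempts}
    passwords = {pw for _, pw in attempts}
    if len(accounts) >= MIN_ACCOUNTS:
        if len(passwords) <= SPRAY_MAX_PASSWORDS:
            return "credential-spraying"
        if len(passwords) >= STUFFING_PAIR_RATIO * len(accounts):
            return "credential-stuffing"
        return "unclassified"
    if len(passwords) >= MIN_ATTEMPTS:
        return "brute-force"
    return "unclassified"


def classify_log(text):
    """Group failed logins by source address and classify each source."""
    by_source = defaultdict(list)
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # skip lines that do not follow the assumed format
        src, user, pw_fp, result = match.groups()
        if result == "FAIL":
            by_source[src].append((user, pw_fp))
    return {src: classify_source(attempts) for src, attempts in by_source.items()}


if __name__ == "__main__":
    for src, label in classify_log(SAMPLE_LOG).items():
        print(f"{src:15} {label}")
```

Grouping by source address alone misses campaigns distributed across many addresses, so in practice the same counts are also computed per time window across all sources.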
As the name suggests, a denial-of-service (DoS) attack occurs when legitimate users are unable to access their systems, email, websites, or other online accounts. In a DoS attack, a targeted host or network is flooded with traffic and junk requests that overwhelm the system until it can no longer respond.
In today’s digital ecosystem, everyone and everything — computers, smartphones, internet-connected devices (IoT), and applications — has a unique digital identity. Digital identities contain the identifiers and behavioral patterns that allow systems, services, and applications to know who or what they are interacting with.
People have dramatically increased their use of digital services. What began with online shopping has expanded to online banking, doctor’s appointments, tax payments, school, entertainment, and so much more. Managing all these identities, securing them from attacks and fraud, and maintaining privacy and compliance have become incredibly complicated. Adding to the complexity is the fact that machine identities now outnumber humans; it’s not unusual for an enterprise to be managing millions of identities.
Managing digital identities at such a scale requires a sophisticated identity platform that uses artificial intelligence and machine learning techniques to ensure that entities are who they claim to be, that access is granted based on context, and that decisions are automated and journeys are intelligently orchestrated. Read about ForgeRock Autonomous Identity.
Digital transformation is a term that’s appearing everywhere in business and IT circles but its meaning remains imprecise. In general, digital transformation describes the process of moving business applications and networking infrastructure to the cloud. But that’s just the beginning. A digital transformation replaces traditional processes and legacy systems with new technologies that help organizations operate faster and with greater intelligence. It’s a fundamental rethinking of business models and processes using digital technologies, such as cloud computing, big data, IoT, and artificial intelligence/machine learning (AI/ML).
Directory services, sometimes known as data stores and directories, are the databases that store essential information, much of it identity related. Directory services databases may include usernames, password(s), authentication preferences and enrollments, user preferences, application data, and information on mobile and internet-of-things (IoT) devices.
When a user, such as an employee in a large company, goes to check on the status of a sales opportunity in Salesforce, the application will connect to the directory to make sure that employee is still a legitimate user and is authorized to access this information. Many directory services rely on the lightweight directory access protocol (LDAP), which allows applications to access user information quickly for the purposes of access control. Learn how ForgeRock delivers high-performance directory services on a global scale.
A distributed denial-of-service (DDoS) attack occurs when a botnet comprising multiple systems and devices works together to attack one target. It floods the target — perhaps a website, internet service provider (ISP), or cloud service provider (CSP) — with messages and requests to either slow the service or shut it down altogether. The proliferation of IoT devices and their notoriously poor security have been responsible for the increase in botnets used for nefarious purposes. The devastating Mirai botnet consisted of more than 600,000 compromised IoT devices, such as IP cameras, home routers, and video players. DDoS attacks are carried out for a variety of reasons and from a variety of sources, such as disgruntled former employees, competitors, activists, organized criminals, and state actors.
Managing the identity of every internet-connected device is as important as managing the identities of employees and customers. Learn how ForgeRock IoT and Edge Security can help.
Fast Identity Alliance (FIDO) Authentication is based on open standards from the FIDO Alliance. The FIDO Alliance developed FIDO Authentication standards using public key cryptography for authentication that is more secure than passwords and one-time passwords (OTPs) or codes sent by text message. Though consumers want strong security, they don’t want to be bothered with complicated approaches, such as using digital certificates, for authentication. FIDO Authentication makes it easier for consumers to get strong security while making it easier for web service providers to deploy and manage than developing their own dedicated solutions.
Federated single sign-on (SSO) enables the secure sharing of identity information across different systems, networks, and clouds using standard identity protocols, including Security Assertion Markup Language (SAML), Open Authentication (OAuth), and OpenID Connect (OIDC). Federation allows users to access services using any device without the need for multiple passwords and user profiles, which create complexity and a frustrating user experience.
Headless commerce is an e-commerce architecture in which the front-end — the website and functionality that the user sees — is separated from the back-end, which comprises the web servers, database, and applications. The reason that retailers and other consumer-facing organizations are investing in headless commerce is because, by removing the complexity of back-end modifications, it provides them with much greater agility, allowing them to respond to changing market trends and customer expectations. They can quickly add services and functionality, including personalization, to the customer’s digital experience, a key competitive advantage in retail and financial sectors, among others, where customer expectations are especially high. Read more in this blog about digital commerce.
A hybrid cloud is a computing and networking environment that delivers applications and services through a combination of on-premises data centers and public and private cloud platforms.
While most organizations are moving applications and services to various cloud providers, they generally retain certain applications on-premises for a variety of reasons. In some cases, applications simply can’t be moved without breaking, a common concern in industries that use legacy applications, such as healthcare. Some organizations don’t wish for their critical data, such as intellectual property, to be housed outside of their data center.
A hybrid cloud environment provides enterprises with the flexibility to deploy applications where they want them, while providing orchestration—a way for applications, wherever they may be hosted, to connect to one another. Read this blog to learn more about hybrid IT and hybrid cloud.
Identity and Access Management (IAM) technology helps organizations securely control access to their resources, such as applications and data. IAM uses policies, which are defined by the organization, to help IT teams ensure that the right users have access to the right resources and nothing more. It can also define the conditions under which access may be granted, such as whether the request came from a trusted device and the user’s location.
Security was once focused on protecting everything inside a network’s perimeter, but that perimeter is gone. Many applications are in the cloud and most users are off the network. As a result, the new secure perimeter is based on identity. Today, there are many entities accessing and sharing data — employees, customers, computers, servers, IoT devices, APIs that allow one app to talk to another — and every single one needs a digital identity that must be managed and maintained as access privileges change through an entity’s access lifecycle. Learn about the ForgeRock Identity Platform.
Identity as a Service (IDaaS) is an IAM solution delivered as a service from the cloud. IDaaS delivers the capabilities of enterprise-class IAM, such as the use of multifactor authentication, single sign-on, identity management, and more, while shifting the infrastructure overhead and software management burden from the customer to the service provider.
Regulatory compliance has become a priority in the enterprise—companies are paying stiff penalties for noncompliance—and a complex one. With the massive number of users and devices (and “things”) now seeking access to data across borders, networks, and clouds, managing access privileges with precision cannot be done with traditional technologies. Identity governance and administration (IGA) is playing a key role in helping organizations maintain compliance while delivering the user experience their employees and customers want.
Modern IGA solutions improve employee productivity by automating access approvals and user self-service for “high-confidence” connections, comprising connections from users and devices that are behaving in a predictable manner and consistent location, for example. These capabilities remove the operational burden from IT and reduce helpdesk tickets, resulting in greater efficiencies. They also provide enterprise-wide visibility into the user landscape to simplify the enforcement of secure access to systems, applications, and infrastructure.
Identity and Access Management (see IAM)
Identity lifecycle management refers to the entire set of processes and technologies for maintaining, updating, and retiring digital identities. As people’s roles and responsibilities change, it’s critical to manage their access privileges. At the same time, systems and devices, including IoT, are assigned permissions that must be managed.
Once a manual process, identity lifecycle management now relies on identity management solutions that use automation to speed provisioning, eliminate error-prone manual steps, and provide an efficient way to create, modify, and remove user accounts in accordance with business policies. Learn more about identity lifecycle management.
An impossible traveler describes a possible attempt to gain unauthorized access to an online account. When an IAM system detects a login attempt from one city, such as San Francisco, and another attempt 10 minutes later from Brussels, it alerts the administrator of the suspicious activity. It’s essential for an IT administrator to have full visibility into user activity, with real-time monitoring that can identify patterns of behavior that indicate suspicious activity, such as impossible travel, and the possibility of fraud, including account takeover.
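The impossible-travel check described above can be expressed as a speed test between consecutive logins of the same user. The following is an added example, not ForgeRock's implementation; the event structure, the 900 km/h speed ceiling, and the 50 km tolerance for geolocation error are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0    # assumed ceiling, roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0   # assumed tolerance for geo-IP inaccuracy
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime   # assumed to be normalised to UTC by the log pipeline
    city: str
    lat: float
    lon: float


def haversine_km(a, b):
    """Great-circle distance between two login locations in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(events):
    """Return (user, from_city, to_city, distance_km, speed_kmh) for each
    pair of consecutive logins that implies faster-than-possible travel."""
    alerts = []
    last_seen = {}
    for event in sorted(events, key=lambda e: e.when):
        previous = last_seen.get(event.user)
        last_seen[event.user] = event
        if previous is None:
            continue
        distance = haversine_km(previous, event)
        if distance < MIN_DISTANCE_KM:
            continue  # same metro area or geolocation noise
        hours = (event.when - previous.when).total_seconds() / 3600
        # Identical timestamps from distant locations: treat as infinite speed.
        speed = distance / hours if hours > 0 else float("inf")
        if speed > MAX_SPEED_KMH:
            alerts.append((event.user, previous.city, event.city, round(distance), speed))
    return alerts


# Constructed sample events.
SAMPLE_EVENTS = [
    Login("alice", datetime(2024, 1, 15, 9, 0), "San Francisco", 37.7749, -122.4194),
    Login("alice", datetime(2024, 1, 15, 9, 10), "Brussels", 50.8503, 4.3517),
    Login("bob", datetime(2024, 1, 15, 9, 0), "San Francisco", 37.7749, -122.4194),
    Login("bob", datetime(2024, 1, 15, 9, 30), "Oakland", 37.8044, -122.2712),
    Login("carol", datetime(2024, 1, 15, 8, 0), "London", 51.5074, -0.1278),
    Login("carol", datetime(2024, 1, 15, 18, 0), "New York", 40.7128, -74.0060),
]

if __name__ == "__main__":
    for user, src, dst, km, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {user}: {src} -> {dst}, {km} km at {kmh:.0f} km/h")
```

Only the San Francisco to Brussels pair is flagged; the ten-hour London to New York gap stays under the speed ceiling. VPN and mobile-carrier egress points produce false positives, which is why such a signal usually triggers step-up authentication rather than an outright block.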
Any internet-connected device—printers, thermostats, cars, televisions, medical devices, security cameras, and more—becomes a part of the internet of things, or IoT. Just like any computer or phone that connects to the internet, these devices have a unique IP address, enabling them to connect to other devices and servers to send and receive data. IoT devices can create operational efficiencies and offer enterprises the opportunity to make faster, smarter, data-driven decisions, but they must be secured and their identities and permissions must be controlled just like any other entity across the network. Learn how ForgeRock enables you to manage the identities of all your connected things and their relationships between users and applications/services.
Least-privileged access is a central principle of zero trust. Least-privileged access refers to the idea that any entity (user or device) should be granted the minimum level of access necessary to perform an assigned function. In the old days, when an employee was granted access to the network either locally or via VPN, that employee gained fairly unfettered access to the network and everything on it. But this approach has become far too risky. Employees, even trusted employees, shouldn’t be able to see anything on the network that they are not explicitly authorized to access. Least-privileged access reduces business risk by eliminating unauthorized access to business applications or resources. It also prevents threats that gain access as a result of a compromised device connecting to the network or a breach from being able to move laterally across the network.
The Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol used to manage users and their access privileges to applications and other IT resources. It is a way for an organization to centrally store usernames and passwords, along with other records, as needed. Because it is vendor-neutral, many different applications and services can use LDAP for authentication purposes and it enables them to query user information rapidly. Though LDAP was developed nearly 30 years ago, it is still in use in most directory services today.
Malicious software — or “malware” — comes in a variety of forms and can perform many tasks on behalf of the attacker. Some of the more common types include:
- Adware is more annoying than it is dangerous, but it serves unwanted ads (which generate revenue for the attacker)
- Bots are simply programs designed to perform a task, but used maliciously and in great numbers, they can overload servers to bring down websites and services
- Keyloggers monitor every keystroke a user makes, so they can be used for spying purposes or for stealing banking logins and other valuable data
- Ransomware encrypts data on a system or network and holds the decryption key until a ransom is paid
- Spyware collects data about a user’s activity without the user’s knowledge and may even use a system’s camera to “watch” the user
- Trojans are disguised as legitimate programs, such as an app update, or are hidden within legitimate software; once downloaded, they can carry out any number of activities, such as stealing data or spying
In a man-in-the-middle (MITM) attack, fraudsters position themselves between organizations (such as financial institutions) and users to intercept, edit, send, and receive communications without being noticed. An attacker can take over the communication channel between the user’s device and a bank’s server by setting up a malicious Wi-Fi network as a public hotspot in a coffee shop. People take advantage of public hotspots, not realizing they may be transferring their payment data through a network controlled by a bad actor.
MFA Prompt Bombing
As enterprises adopt multifactor authentication (MFA) to strengthen security, attackers are tirelessly working to outmaneuver this second line of defense. As is often the case, they are turning to social engineering tactics.
MFA adds extra steps for users before they can access their accounts or applications, such as one-time passcodes (OTPs) or push notifications, and they can occur multiple times a day. These extra steps can, and do, lead to MFA fatigue, which dulls users’ sensitivity to occasional pop-ups. MFA prompt bombing attacks try to leverage MFA fatigue and get users to accept authentication attempts initiated by the attacker. Once an attacker has user credentials (usually stolen or obtained through brute-force and other attack methods), their login attempts will trigger the MFA over and over again, potentially causing a user to give in simply to stop the notifications. Read this blog to learn more about MFA prompt bombing attacks and how ForgeRock Intelligent Access can help prevent such attacks from succeeding.
Multicloud generally refers to an IT strategy that relies on multiple clouds from different public cloud providers. These clouds may host software as a service, infrastructure, storage, computing, and much more. Organizations are increasingly adopting multicloud environments due to the rise in remote work and demand for anytime, anywhere access to cloud services and apps. Multicloud doesn’t mean cloud-only, however—most organizations keep some functions in on-premises data centers or private clouds while using multiple cloud service providers for other purposes.
Multifactor authentication (MFA) is an authentication practice that adds a layer of security to the typical approach that simply involves a username and password. MFA has become standard practice in many industries and became required by U.S. government agencies, as outlined in the May 2021 Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. With MFA, an additional step for authentication is required before a user can access a system, application, or other resource. The step may include entering a code sent via SMS to a smartphone, inserting a smart card or USB stick, or satisfying a biometric authentication requirement, such as a fingerprint scan. Learn more about MFA.
Multitenancy typically describes a computing architecture in which multiple systems, applications, or data from different organizations are hosted on the same physical hardware. Similarly, a multitenant cloud architecture describes a cloud instance and infrastructure built to support multiple customers. Think of it as a large building that houses lots of tenants; the cloud service provider owns and maintains the building along with all the services the tenants need, such as security and electricity. Such a system enables the tenants to share computing resources efficiently in a public or private cloud while securely scaling to meet increasing demand.
But multitenant cloud architectures are not all the same. In the building metaphor, some clouds are akin to condominiums, in which each tenant has its own self-contained space, or “full customer isolation.” In others, the building is open, and resources, such as storage and bandwidth, are shared. In the open model, a tenant may be at risk of another tenant using too much compute power, which could slow performance for other tenants.
Learn about the ForgeRock multitenant cloud architecture with full customer isolation in this blog: Building a Secure Identity Cloud.
Omnichannel has become a key strategy for enhancing the customer experience and building customer loyalty, particularly for retailers, banks, insurers, and other consumer services. Omnichannel refers to a company’s ability to provide a cohesive experience whether customers are visiting the company in person, logging onto a website, connecting through social media, using a mobile app, calling on the phone, or visiting a kiosk in an airport or mall.
All these channels for engaging with customers are seamlessly integrated via omnichannel and can share data to enable a consistent and highly personalized experience for the customer based on shopping behaviors and preferences. It also allows retailers and other organizations to build a single view of customer needs across their channels, so that a customer shopping on a mobile device, for example, can then move to a desktop browser and pick up right where they left off.
Digital identity is a key component of omnichannel because it enables the frictionless experience consumers have come to expect while delivering the security needed to prevent fraud and protect customer data.
Open banking regulations are transforming the retail banking industry, enabling customers to receive more personalized services. Open banking builds on global standards, allowing trusted third-party financial service providers to access a bank’s customers’ data via APIs. Its purpose is to secure the financial services ecosystem, drive revenue, and provide a competitive advantage for financial institutions, while enabling consumers to connect with a broader range of financial products. Securing all these connected financial services is critically important, and so is maintaining regulatory compliance, protecting data and privacy, preventing fraud, and providing a smooth, personalized customer experience. It can all be done with a sophisticated CIAM solution that secures APIs, so that only those specifically authorized to connect are permitted to do so. It must provide zero trust security and a gateway that enforces security policy and access controls. And artificial intelligence at the identity perimeter is quickly becoming a must-have for preventing fraud and cyberthreats. Learn how ForgeRock helps organizations secure and advance open banking.
Open finance goes beyond open banking by connecting insights about a consumer’s financial needs based on their bank transactions, digital wallet activity, insurance and retirement accounts, investments, money transfers, and more. Essentially, it helps consumers get a single view of their financial standing so they can have better clarity and the ability to have more control over their money. Using APIs, banks can collaborate with various providers to deliver a wider variety of services based on consumer data. Through open finance, customers can control their data and decide when and with whom to share it. Like open banking, open finance requires API security, a zero trust framework that eliminates overprivileged access, and an architectural approach that provides the ability to remain in compliance with global regulations. Learn about ForgeRock Open Finance.
OpenID Connect (OIDC) was introduced in February 2014 by the OpenID Foundation for enabling the use of digital identities across websites and applications using any computer or mobile device. It is an authentication protocol based on the OAuth 2.0 family of specifications. According to the Foundation, OpenID Connect lets app and site developers authenticate users without taking on the responsibility of storing and managing passwords. Such responsibility is fraught with risk, as the internet is teeming with bad actors trying to compromise user accounts.
Open Authorization (OAuth) is an authorization framework that enables an internet user to authorize one application to interact with another on the user’s behalf without requiring sharing the actual user credentials, such as a username and password. In other words, a user can grant a website or application access to information on other websites.
OAuth may be used for web, desktop, and mobile applications, and a common use for it is social login, which allows social media users to share information about their accounts with other applications or websites. If you’ve gone to a website and seen the “Log in with Facebook” button, you are familiar with this application of OAuth protocol.
In the “old” days, a consumer or an enterprise employee could come up with a password (possibly their childhood pet’s name) and use that password on every site for years. But in today’s world, weak and overused passwords are a serious threat vector that cybercriminals can exploit through automated brute-force attacks and credential stuffing. Companies use password management to ensure that their end-users apply best practices for passwords. Password management uses company-defined policies that enforce how frequently a password must be changed, requirements for a password’s length and attributes, the ability to reuse passwords, and more.
Passwords are, for most people, a nuisance. We are supposed to create different passwords for every site, each of which is strong and uses unpredictable combinations of characters. The problem is that it’s difficult to keep track of them. According to a Forrester survey, 53 percent of people store their passwords insecurely, and the majority of people reuse passwords for multiple sites.
But passwords are more than a nuisance. They present a real risk, especially because, once a password is stolen, criminals know that there’s a good chance they can use it to access multiple accounts. By eliminating passwords, you remove this possibility. Passwordless authentication is gaining popularity for all of these reasons. It enables a person’s identity to be verified using other methods, such as using a secondary device or a fingerprint. There’s no password to remember. Learn more in this blog: Say Goodbye to Passwords and Usernames, or visit the What is Passwordless Authentication page.
Phishing is a type of social engineering attack, meaning that its tactics are designed to compel a user to take an action, such as clicking a link or downloading a file. The attacks tend to impersonate trusted brands and individuals, most often arriving as an email, though text messages (SMS) and social media messaging services can also be used. Today’s phishing attacks are sophisticated and appear to come from legitimate sources; an email message may even appear to an employee to be from the company’s CEO. Their intention is to get users to click links that redirect them to malicious websites or to open an attachment that will install a piece of malware that can spy, lock up the system, harvest data, or spread across a network.
Enabling consumers to manage their own profile and privacy settings is essential in today’s world of expanding privacy laws that regulate how consumer data may be used and stored. It’s also a great opportunity to build customer trust and loyalty. Consumers have become increasingly wary of sharing personally identifiable information (PII) on websites, because they know this information may be shared with third parties or, worse, exposed to cybercriminals and sold on the black market through yet another data breach (according to the ForgeRock 2021 Consumer Identity Breach Report, more than 11 billion consumer records have been exposed over the past three years).
With a strong profile and privacy settings dashboard, a website can provide its customers with the ability to manage their account with fine-grained controls, including the personal information they provide, their sign-in and security settings, preferences, trusted devices, authorized apps, sharing, and many other controls. Learn about the comprehensive privacy and consent capabilities in the ForgeRock Identity Platform.
Ransomware is a type of malware that encrypts data and denies victims access to it unless a ransom is paid, in which case a decryption key is promised (but not always delivered). As ransomware became prevalent and many fell victim to it, companies began to enforce backup procedures so that data could be restored in the event of an attack. Attackers, in turn, began to exfiltrate data before encrypting it, in an attack known as double-extortion ransomware. In this case, even if the victims have good backups they are likely to pay the ransom to avoid having their data exposed. In 2020, the global damage from ransomware is estimated to have reached $20 billion.
A resident key is a passwordless and usernameless credential that may be stored in a browser, on the user’s device, or in an authenticator.
When a user returns to a website enabled with resident keys, the site discovers the presence (or absence) of any keys related to the website in the user’s browser, on the user’s device, or in an authenticator. For the user, the experience is akin to using single sign-on (SSO). For example, as the user navigates to a login page, instead of typing in a username or password, the user plugs in and then uses an authenticator, such as an external key (like Yubico) or built-in platform keys accessed via Touch ID or Windows Hello. The user is then logged in without the need for any further action. Read more about resident keys in the blog “Say Goodbye to Usernames and Passwords.”
Role-based access control (RBAC) has been used to reduce administrative overhead and improve regulatory compliance. With RBAC, each employee in an organization is assigned a specific role, and that role assignment provides the permissions needed to access certain resources to perform particular functions of the job.
RBAC is a fairly simple approach, but it is manual and time-consuming. Furthermore, it fails to keep up with identities at scale within today’s fluid business environments, where employees frequently change jobs and organizations. This results in overprovisioned access, orphaned accounts, and entitlement creep, which can lead to increased cyber risks.
Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is an open standard that allows an identity provider, such as ForgeRock, to share identity information with service providers. The identity provider is responsible for authenticating end-users and managing their accounts.
An example of a use case for SAML is for a company to allow its internal staff to access and use the applications provided in Google Workspace, such as Google Docs and Google Sheets. In this case, Google has a trusted relationship with the identity provider, which provides SAML assertions—a set of statements about an authenticated user that allows a service to make authorization decisions, such as whether to allow that user to access the service, and what functionality they can use.
Employees and customers value the ability to create their own user experiences through self-service. As it turns out, self-service is also beneficial to the enterprises and companies serving those consumers and employees. Onboarding of users often requires extensive customization and coding that is time- and resource-intensive.
Automated self-service streamlines registration, login, and password management experiences, reducing IT costs while improving the user experience. Self-service registration, access requests, and password resets minimize the need for site administrators to manage user accounts.
With digital identities driving revenue for your business, it’s crucial for customers to be able to quickly log on and use your services at all times. Traditional, multisite failover architectures are proven and extremely reliable, but they aren’t terribly responsive to changes in traffic patterns. On the other hand, modern elastic cloud environments enable appropriately sized deployments that dynamically scale for demand peaks and troughs. Learn about the ForgeRock Identity Platform, which enables complex, multi-site failover environments that are always available to end-users, with high reliability.
Swapping a SIM card is a legitimate service offered by mobile phone carriers when a customer buys a new device. In a SIM card swap scam, a cybercriminal impersonates a mobile phone customer, convincing a call center agent to port the mobile phone number to the illegal SIM card. If successful, the victim’s apps, including banking apps, can be activated on the impersonator’s phone. If the banking app uses text messages to deliver one-time passwords for multi-factor authentication (MFA), the attacker can gain account access and perform fraudulent transactions.
Single sign-on (SSO) is a way for organizations to control access to multiple related systems and services. For example, an enterprise employee (user) going through a single sign-on provider will only have to enter credentials once to gain access to the network, applications in clouds and the on-premises data center, and various other company resources. Without SSO, the same user would have to enter credentials for each application, which can quickly add up as a typical enterprise user may require dozens of applications, from email and messaging to databases, productivity apps, conferencing platforms, and many more.
From a user’s perspective, single sign-on reduces frustration and streamlines workflows. But the primary purpose of single sign-on is security. It enables IT teams to manage access controls across the enterprise in a centralized fashion. SSO also reduces risk by eliminating the problems that are the result of too many passwords and poor user practices, such as using weak passwords or the same password for many (or most) logins.
Social registration (or social login) allows users to register on websites using login information from a social network provider, such as Facebook, Google, or Twitter. An increasing number of websites enable this feature to streamline the registration process (and prevent customer abandonment). If a user selects “Register with Facebook,” for example, the request is sent to Facebook, which confirms the user’s identity. The purpose is to make registration and login as fast and easy as possible for end users. It offers them the convenience of using the same identity across applications, services, websites, and devices.
Most identity stores are made up of two distinct services that do not communicate with each other. They are the authentication store, which contains the credentials used for authenticating a user, and the user profiles store, which contains profiles or identity data for users who have authenticated.
Synchronization and reconciliation services provide you with the ability to synchronize data from these stores in real time and schedule the reconciliation of identity data at any point. With synchronization and reconciliation services, you get a single view of the customer.
SaaS providers generally build their services on a multitenant cloud architecture, which means that multiple systems, applications, or data from different customer organizations — “tenants” — are hosted on the same physical hardware. Multitenancy creates efficiencies, but it is not without potential pitfalls that customers should be aware of.
If, for example, one customer has a massive-scale event that consumes unusually high bandwidth, other customers’ traffic may be throttled to accommodate the spike. That’s known as the “noisy neighbor” effect. Multitenancy can raise security and privacy concerns; if another tenant becomes compromised by malware, can it spread to other tenants? Can one tenant gain access to another tenant’s data? Finally, it presents challenges with compliance, as many regulations require data to remain within the country or region of origin, but cloud services are, by design, widely distributed, making data sovereignty a key concern.
Tenant isolation is a unique approach to delivering cloud services, as it provides all services within a customer’s isolated environment, ensuring that no customer can access another’s resources. It also enables a customer to comply with data sovereignty and data privacy regulations, as the customer can define a country in which its data must remain.
Consumers love the convenience of new technologies in the connected world, such as sharing health data with a doctor or financial accounts with a tax advisor, but they also need assurance that their privacy is being protected and their data shared in a responsible manner. User-managed access (UMA) is an OAuth-based access management protocol standard designed to give an individual a way to authorize who can get access to multiple sources of digital data through a simple “share” button, and allow that user to monitor and change sharing preferences at will. At the same time, UMA provides the privacy controls that meet compliance requirements. Read more about UMA in this solution brief.
WebAuthn is a web standard created by the World Wide Web Consortium (W3C) and is built into all the leading browsers and operating systems, including Microsoft Windows 10 with Microsoft Windows Hello. It enables stronger account security than a username and password combination. As users log in to a website, WebAuthn makes it possible to offer them a choice of ways to authenticate their identities, including security keys and the use of built-in biometric sensors.
The zero trust security model was first introduced by an analyst at Forrester Research in 2013. It is a complete departure from traditional security controls, which were based on the assumption that anything “inside” the network was trustworthy and anything “outside” was untrustworthy. All an organization had to do to stay secure was to keep the bad guys out. But that has proven to be a flawed approach as breaches have only worsened in spite of the billions of dollars organizations spend every year to strengthen their network perimeter. The zero trust model is built on the idea that enterprises should never inherently trust any user on or off the network.
Zero trust security removes implicit trust and grants access to resources based on the continuous evaluation of user identity, device posture, and fine-grained access policies defined by the organization. Any change in context—geolocation, device posture, data being requested, and more—will be assessed and the trust granted may be revoked. As a result, even if a network is breached, an intruder will have no access to systems and resources and malware will have no ability to spread.