Access Management, With A Side Order Of Identity

2362 0

Picking a name for anything can be hard, but we take a lot of time because it’s important. A name carries meaning, and often creates our first impression of a person, place, or company. When a market segment is defined as “Identity & Access Management” or IAM, it’s no surprise that a technology professional might then seek a single vendor in this space. The reality, when attempting to deploy Identity federation and single sign-on (SSO) services, is that Identity management and Access Management are often separate, but complementary, practices within the application infrastructure.

In one area, there are Identity providers such Microsoft, Okta, Ping, Centrify, and Netskope. All of these solutions enable you to manage and expose a directory of identities. However, these solutions all possess varying levels of support for Access Management to the target application. In general, these solutions will require a redirect (as we have all experienced with using SSO services via Google, Facebook, and Twitter on the Internet) or some sort of application proxy capable of more seamlessly authenticating an application user against some central Identity store. Portal-based redirects to validate Identity as in the first scenario are easier to deploy based on the ubiquity of standard protocols for authentication and authorization such as SAML, OAuth, and OpenID Connect.

Most users and administrators want a more seamless experience, minimizing redirects and other things that slow down or disrupt application workflow. Instead of a portal or pop-up for Access Management, an application proxy can intercept and validate credentials. In many cases an Access Management proxy can provide even greater utility by translating authentication protocols to provide SSO and integrating disparate back-end systems. While the aforementioned authentication protocols are useful for more modern applications, many legacy applications rely on HTTP basic, NTLM, Kerberos, Client Certificates, and other forms of authentication. Integrating legacy applications and systems with modern forms of authentication can be difficult without an efficient proxy able to bridge the gaps.

Considering Access Management as a separate discipline can open up new possibilities when designing more secure application access, without compromising user experience. This advantage can be true for both applications within your infrastructure as well as the many SaaS-based applications on the Internet. When focusing on applications hosted by your organization, consider that there is increasing demand for two-factor or multi-factor authentication (2FA or MFA) options among consumers that never existed before. With data breaches seeming to increase in size and frequency over the last few years, providing more flexible and adaptable authentication methods will become a competitive advantage for consumer web applications and is already a necessity for enterprise applications.

With more flexibility in the Access Management layer of the application infrastructure, layering in MFA is much easier since the requirement to alter the application code or behavior isn’t necessarily required. In fact, some proxy-based Access Management solutions can provide step-up authentication based on a request for a more sensitive data source, prompting a user for a second factor only when necessary. This approach to Access Management enables a better balance between security and usability.

When adopting this approach to Access Management, survey the environment for pre-existing application proxies. These may be web servers running Apache in many cases, or a specialized proxy provided by an Identity provider. Specialized proxies may have the advantage of easier integration with the Identity provider, but the significant disadvantage of not accommodating other back-end systems using different auth types. Explore how these various proxy systems might be consolidated and/or adapted to the use of disparate authentication mechanisms to achieve true single sign-on. This effort may prove much easier than migrating or cloning your current Identity provider service.

Brian A. McHenry
BrianAs a Senior Security Solutions Architect at F5 Networks, Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers and the F5 product teams, providing a hands-on, real-world perspective. He is a regular contributor on, a co-founder of BSidesNYC, and a speaker at AppSecUSA, BC Aware Day, GoSec Montreal, and the Central Ohio Infosec Summit, among others. Prior to joining F5 in 2008, McHenry, a self-described IT generalist, held leadership positions within a variety of technology organizations, ranging from startups to major financial services firms.
Follow him on twitter @bamchenry

Brian A. McHenry Web Site

In this article