Hands on Security - Disrupting the Kill Chain Breakout Session
OneLogin Review
Cloud Access Control and the Balance Between Complexity and Compromise
Many of us in the security field are addressing the complex and often misleading functionality assertions made by our outsourced service providers in the “cloud” when it comes to security. Functionality like: Data Loss Prevention, eDiscovery, federated authentication access, SAML, OAuth 2.0, etc.
Security… the bugaboo in the “cloud”.
However, there is a lot of IT service management that forms the very foundation of security, and because of that, cloud services are becoming extremely attractive from a security perspective. From personnel support costs to hardware maintenance, you can address some of the most aggressive security challenges we all face by adopting cloud services. They include patching, configuration management, and inventory control: the top three SANS controls. I’ll repeat that: the top three (3) security controls. Despite the concern that all of us face in moving to the cloud, there are a lot of compelling security reasons to do just that. E.g., consider the benefits of platform as a service in the cloud the next time a Heartbleed bug arises in the news and your organization needs to address it. How long did it take to update all of the SSL libraries on your myriad web servers to calm the fears of your customers and clients? In nearly all cases, the PaaS cloud offerings had the patch and remediation online within 24 hours of the issue.
Still, like any security blog, this is a cautionary tale focused on what happens when things are headed in the wrong direction, and more specifically where they can go wrong. Many of us know what happens when some part of an organization’s services and maintenance is outsourced to a third party vendor: you need to understand the risk of doing so. Take Target, for example, putting their HVAC vendor on the network to manage their heating/cooling systems, which subsequently led to the compromise of their PoS systems. Knowing the risk is the first step toward addressing that risk.
I want to focus on one area where the risk may not outweigh the reward: cloud access security brokers (CASB).
A CASB can address your biggest challenge in easing user acceptance of cloud services, which is using the systems as easily as if they were in your own data center. How many of you have been asked, “why can’t we have single sign-on (SSO) to the hosted corporate website?” Or to Salesforce, or Dropbox, or Google, etc.? A CASB can provide that solution: secure authenticated access to an externally hosted service. Yet like the hosted service itself, it is another cog in the machinery of third party vendors out of your control, providing the enterprise with client-to-service authentication, just like your internal Active Directory would do for internal resource access. Only in the cloud.
The old folks from Cambridge will quickly chime in to state “yup, Kerberos, we get the idea”; the OASIS group in Burlington: “done that with SAML”. It should be clear that the requirements for enabling transparent authentication to external systems and services have been defined for nearly 20 years, though only with SAML 2.0 has it been relatively widely adopted. And even then, it is a lot of effort to get it to work right. To quote one writer: “it is an extremely complex, and obfuscated protocol” based on XML. And it is because of this complexity that the next generation of SSO vendors have taken advantage of this great market opportunity to fill that gap: Okta, OneLogin, Ping Identity, Netskope, SkyHigh, etc.
To highlight this concept, let’s use a third party vendor to handle access to another third party vendor by providing our most sensitive access control: authentication.
To a security professional this seems risky right out of the box. If not for the concern of yet another third party vendor exacerbating your third party vendor risk further, then because that external entity is getting access to your most sensitive data: authentication credentials for your personnel. Similarly, it would be a concern that such a vendor had access to your personnel data at all. How many of you want the world to know who your entire ‘C’ level staff is, where they are located, their phone numbers, and e-mail addresses to use for phishing?
Security 101: never release more information into the wild than what is necessary.
Unfortunately, more information is just what is needed: relational information, because it is not just authentication we are looking for, but authorization as well. What areas of a cloud service should the members of your enterprise get access to? Should developers see the CRM data entered in by Sales? How does one collaborate with members in your group without knowing who the members in that group are? Despite the available standard, SAML is only the authentication component in the solution of cloud services access control. What is also needed is authorization. Fortunately, like SAML, there is a standard for this portion of the solution as well: OAuth.
Currently many CASBs eschew both security standards.
The market leaders in this space provide an increasingly necessary solution that many of us are looking for: easy access control to information in the cloud. It is how this is done that is the devil in the details. Let’s look at the market leader for this segment (according to Gartner), OneLogin, for insight into this process (noting right up front that not all CASBs are made the same). OneLogin’s design introduces a system running in the enterprise to connect OneLogin in the cloud to the enterprise’s security data, known as an Active Directory Connector (ADC). To use an engineering term, it is a “black box”: a non-standards-based application whose functionality is unpublished and non-interactive. It requires NetBIOS to identify the domain servers in your environment, connect to them, and subsequently enable the OneLogin services in the cloud access to that data. And while that is a blunt assessment of the functionality of what is happening, it is not that far from what a SAML gateway might also provide, with a lot less effort.
It is how this is done that is disquieting.
OneLogin requires this black box be equipped with a domain administrator account to access your domain controller with. Despite any publications on their website to the contrary, any less privileged account causes the synchronization process to fail. I.e., if the black box cannot read specific attributes and Organizational Units (OUs) in your Active Directory, the ADC fails. The ADC has no configurable settings for the user; it is a dumb LDAP replicator, cloning the client AD information from your Active Directory into the cloud. The cloud, however, does have configuration control, and it can be configured to publish a reduced subset of the over 1300 Active Directory attributes for use in subsequent federation. What it does with the rest of the data from your organization is left to the imagination. And this is particularly troubling when the on-premise client reports problems with reading OUs that were specifically configured NOT to be read. Like deleted accounts. So the agent tries to read AD information that you specifically configured it not to read, regardless of your cloud configuration settings. Whether that is an artifact of the query and the agent is subsequently filtering this data out before it is sent to the cloud is less important than the fact that data is coming out of your Active Directory and going into the OneLogin infrastructure that you do not want going there.
…like all of the account information for your domain administrators. …and your user password hashes. Better yet, let’s take them together: your domain administrator password information. How many of us are willing to trust their third party vendor to this level of authentication information? How about to a third party vendor that is specifically used to enable access to yet another third party, and is being used by that other party to access your information? In a federated cloud model, your company may not be the only administrators over your identity data, particularly because you are trying to federate access data.
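As an added illustration (not from the original post, and not OneLogin's or Okta's code), the sketch below shows the kind of detection a defender can run over domain-controller object-access audit events to catch a sync agent reading containers (such as Deleted Objects or an admin OU) or attributes it was never supposed to touch. The flattened event layout, the service account name svc-adc, the OU names and the attribute allow-list are all constructed assumptions.

```python
import re

# Constructed sample events, modelled loosely on Windows Security event 4662
# ("An operation was performed on an object") and flattened to one line each.
# Real 4662 events are XML with GUID-valued Properties; a production detection
# would resolve those GUIDs to attribute names before applying this logic.
SAMPLE_EVENTS = [
    'EventID=4662 Subject=svc-adc Object="CN=jdoe,OU=Staff,DC=corp,DC=example" Props=mail,telephoneNumber',
    'EventID=4662 Subject=svc-adc Object="CN=alice,OU=Staff,DC=corp,DC=example" Props=mail,sAMAccountName',
    'EventID=4662 Subject=svc-adc Object="CN=bob,CN=Deleted Objects,DC=corp,DC=example" Props=sAMAccountName',
    'EventID=4662 Subject=svc-adc Object="CN=da-admin,OU=Admins,DC=corp,DC=example" Props=sAMAccountName,memberOf',
    'EventID=4662 Subject=svc-adc Object="CN=carol,OU=Staff,DC=corp,DC=example" Props=employeeID',
    'EventID=4662 Subject=backup-svc Object="CN=bob,CN=Deleted Objects,DC=corp,DC=example" Props=sAMAccountName',
    'EventID=4624 Subject=svc-adc Object="" Props=',
]

EVENT_RE = re.compile(
    r'EventID=(?P<id>\d+) Subject=(?P<subject>\S+) Object="(?P<dn>[^"]*)" Props=(?P<props>\S*)')

# Policy for the hypothetical sync account (name is assumed): the containers it
# may read and the only attributes that are ever allowed to leave the directory.
SYNC_ACCOUNT = "svc-adc"
ALLOWED_SCOPES = ("OU=Staff,DC=corp,DC=example",)
ALLOWED_ATTRS = {"mail", "sAMAccountName", "telephoneNumber", "displayName"}


def parse_event(line):
    """Parse one flattened event line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    props = [p for p in m.group("props").split(",") if p]
    return {"id": m.group("id"), "subject": m.group("subject"),
            "dn": m.group("dn"), "props": props}


def find_sync_violations(lines, account=SYNC_ACCOUNT,
                         scopes=ALLOWED_SCOPES, attrs=ALLOWED_ATTRS):
    """Return (reason, dn) for every 4662 read by `account` that is outside the
    allowed OU scope or touches an attribute not on the allow-list."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != "4662" or ev["subject"] != account:
            continue  # other event types and other accounts are out of scope here
        if not any(ev["dn"].endswith("," + scope) for scope in scopes):
            findings.append(("object outside allowed OU scope", ev["dn"]))
        extra = sorted(set(ev["props"]) - attrs)
        if extra:
            findings.append(("attribute not on allow-list: " + ",".join(extra), ev["dn"]))
    return findings
```

Run against the constructed events, the sync account produces four findings: two out-of-scope reads (Deleted Objects and the Admins OU) and two attribute reads (memberOf and employeeID) that no federation configuration in the cloud would have prevented.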
I would argue that this is not a good idea. Surprisingly, OneLogin is not alone in this model; Okta also provides a non-standard on-prem box to access your domain authentication credentials, and according to Gartner these are the two market leaders in this segment at the moment. Perhaps because they are so easy to implement.
For those of you that like to go to the last page and skip the beginning, let’s take a moment to summarize where we are:
1) You have a third party vendor using a black box construct to access your most sensitive data and send it to the cloud
2) You have no idea what is being sent out to the cloud
3) You have no administrative controls over the black box to discover or control that data
The cold hard truth is this: unless you can configure NetBIOS across your firewall to isolate this system, you can’t even limit the impact of what happens to your environment when the cloud vendor is hacked and those responsible decide to take over that box on your inside network, because you could not firewall the system off. All you know is what is shown on a UI in the cloud to reassure you that this should never have happened…
Regardless of where any controls may in fact be with these companies, this is a nightmare scenario for all security practitioners. But there is a realistic balance between security and ease of use, because not all CASB vendors function in this way; many support security standards such as SAML 2.0 and OAuth 2.0 to achieve what we all need to accomplish: federation and security.
The point? We live in an increasingly complex environment. But it is not necessary to compromise security for ease of use. This kind of out-of-the-box solution may come at a steep price, and in order to avoid paying that price, demand a standards-compliant solution from all of your third-party vendors whenever it is possible. There are many other CASB providers that can deliver this same functionality without gutting your enterprise security model. If you are curious as to who, please don’t hesitate to reach out to me via e-mail at david.humphrey@hphc.org