Confronting the Pitfalls of Broken Authentication & Session Management with Zero Trust
Broken authentication and session management lead to a failure in protecting a user’s session from end to end, leaving the user and their organization vulnerable to attack.
To confront this, organizations and solutions providers alike are embracing Authentication, Authorization, and Accounting (AAA) standards such as OpenID Connect (OIDC) and Security Assertion Markup Language (SAML).
To promote access security and stronger identity management, administrators must be cognizant of two important authentication snares:
- User credentials caching by a browser (automatic or user-initiated)
- Application of Single Sign On (SSO) to web-based access or identity authentication
Both shortcuts carry the danger of granting access without fully authenticating the user's identity, often without even a two-factor authentication (2FA) prompt.
Today’s authentication tools must support a mode of user identity validation that enforces full user reauthentication, regardless of SSO settings or browser caching, while protecting the session from end to end.
A session is created by an application server to track the state of authenticated users and visitors. A session consists of an area of memory or storage on the server and a session ID that refers to that server-side state. Session IDs are random, unique, hard-to-guess strings that are valid for a finite period; the application server uses them on every subsequent request to verify the identity of the sender.
Because session management is usually handled by the web framework, it is largely transparent, and anyone who knows where to look can find the session ID. That ID is often all that is needed to prove authentication for the rest of the session, so it must be protected.
Strong session defense is achieved by adhering to OIDC/SAML standards. All session validation occurs with JSON Web Token (JWT) access and bearer tokens with required grants. Continuous authentication is reinforced with policy-controlled multifactor authentication (MFA). A compliant Zero Trust Network Access (ZTNA) tool that prioritizes session management integrated with a reliable MFA tool promotes strong session defense.
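The token-side check the article describes, as an added example that is not CylanceGATEWAY or BlackBerry code: a bearer-token validator that pins the algorithm, verifies the signature, and requires a finite lifetime, the right audience and the grant the resource needs. It assumes an HS256 shared key and constructed claim values (`aud`, `scope`); production verifiers normally check asymmetric signatures against the identity provider's published keys instead.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(part):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_hs256_jwt(claims, key):
    """Mint a test token (stand-in for the identity provider); the verifier is the point."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_bearer(token, key, audience, required_scope, now=None):
    """Return (claims, None) if the token grants access, else (None, reason)."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("JWT segments must be JSON objects")
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    # Pin the algorithm: the token never chooses it (rejects an alg=none downgrade).
    if header.get("alg") != "HS256":
        return None, "bad_alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad_signature"
    # Finite validity: a missing exp is a failure, not a token that never expires.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None, "expired"
    if claims.get("aud") != audience:
        return None, "wrong_audience"
    # Required grant: the scope claim must actually include what this resource needs.
    if required_scope not in str(claims.get("scope", "")).split():
        return None, "missing_grant"
    return claims, None
```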
A key tenet of zero trust is to require users to reauthenticate and assert their identities under certain conditions. Those conditions can be indicators of compromise that would otherwise lead to a wide array of attacks. Continuous assessment of risk posture, combined with forced reauthentication, bolsters ZTNA.
This helps to ensure that if a user who was authenticated at one time is later compromised, the repercussions of the compromise are mitigated before any malicious activity can occur.
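A server-side session store with the properties described above, as an added example that is not code from the article or from CylanceGATEWAY: random, unguessable IDs with a finite lifetime, forced full reauthentication on a fixed interval regardless of SSO or browser caching, and invalidation when the ID is presented from a different client. The policy values and the client-address check are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed policy values for this example; real values come from policy.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session is dropped
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age
REAUTH_INTERVAL = 60 * 60     # full reauthentication this often, regardless of SSO/caching

@dataclass
class Session:
    user: str
    client_addr: str
    created: float
    last_seen: float
    last_auth: float

class SessionStore:
    """Server-side sessions keyed by a random, unguessable session ID."""
    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so lifetimes can be tested

    def create(self, user, client_addr):
        # 32 bytes from the OS CSPRNG: unique and infeasible to guess.
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = Session(user, client_addr, t, t, t)
        return sid

    def validate(self, sid, client_addr):
        """Return (session, status); session is None when the ID must not be trusted."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "unknown"
        t = self._now()
        if t - s.created > ABSOLUTE_LIFETIME or t - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(sid)
            return None, "expired"
        if client_addr != s.client_addr:
            # Same ID from another client is an indicator of compromise: invalidate it.
            self._sessions.pop(sid)
            return None, "client_mismatch"
        if t - s.last_auth > REAUTH_INTERVAL:
            # Caller must send the user through full authentication (with MFA) first.
            return s, "reauth_required"
        s.last_seen = t
        return s, "ok"

    def mark_reauthenticated(self, sid):
        self._sessions[sid].last_auth = self._sessions[sid].last_seen = self._now()
```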
NIST Best Practices
As part of the global mission to usher in a new era of network access through ZTNA, the National Institute of Standards and Technology (NIST) has issued a set of common best practices to plan and implement a zero-trust architecture. These tenets of zero trust include:
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- All data sources and computing services are considered resources.
- The enterprise monitors and measures the integrity and security posture of all owned and associated resources.
- All communication is secured regardless of network location.
- Access to individual resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy – including the observable state of client identity, application/service, and the requesting asset – and may include other behavioral and environmental attributes.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
Moving to a zero-trust architecture is no small undertaking. It will involve a series of upgrades and changes over time. With these tenets of zero trust at the forefront of any transition, administrators will be well-positioned to lead their organizations through the next generation of network access.
CylanceGATEWAY: A ZTNA Solution to Authentication and Session Management
The CylanceGATEWAY® solution integrates with authentication tools to meet modern ZTNA needs. The CylanceGATEWAY Tunnel Reauthentication policy, working in tandem with authentication tools, helps to ensure that reauthentication recurs frequently, regardless of the user’s SSO settings or browser caching. This policy keeps private resources secure by protecting against session hijacking. At the same time, source IP pinning and the associated restrictions on accessing private applications help prevent cookie hijacking.
When empowered with an authentication tool that has strong adherence to OIDC/SAML standards, administrators can feel confident in the security that the tool offers when combined with CylanceGATEWAY. Ideally, session validation occurs with JWT access and bearer tokens with required grants. This includes MFA-based continuous authorization that is policy controlled. This marriage is the essence of the CylanceGATEWAY solution, and an authentication integration that provides true zero-trust network access.
CylanceGATEWAY integrates with BlackBerry® Enterprise Identity services to broker authentication with any identity provider (IDP). Organizations without an IDP are natively supported through the BlackBerry Enterprise Identity services.
The right tools, working together, configured with the right policies enable a connected and protected world.