Traditional identity providers (IdPs) are essential for single sign-on (SSO) and federation, giving employees and customers access to resources ranging from custom-built applications to cloud-based services. They do these jobs well, but they come with trade-offs that need to be weighed. Here we look at the top three.
Increased Convenience Comes With Increased Risk
By providing a single identity that is shared across multiple systems, IdPs create a distinct set of security challenges, and those challenges are magnified if an attacker compromises that identity. Instead of one system, the attacker now has access to every federated service tied to the victim’s credentials.
Most traditional IdP vendors offer simple multi-factor authentication (MFA) as add-ons that complement their products. Many organizations are now realizing that these basic options, such as text-based one-time passcodes (OTPs) and mobile push, aren’t as secure or convenient as they hoped: SMS codes can be redirected through SIM swapping, and push prompts can be approved by a user worn down by repeated requests. Even the latest biometric technologies can be undermined if device registration and authenticator failure policies aren’t configured properly.
Increased Convenience Comes With Reduced Agility
Most of the foundational technologies behind traditional, and even modern cloud-based, IdPs weren’t architected to adapt quickly to new business requirements or to changes in the threat landscape. Integration is limited to the set of third-party services offered by alliance partners, and almost every organization runs into a vendor in its identity stack that isn’t supported and requires time-consuming, costly workarounds. Custom applications also require deploying and maintaining numerous SDKs in their code. This may not seem complicated at first, but it adds up across every application and makes future changes difficult, resource intensive, and prone to errors that can open security gaps.
Limited Threat Detection and Mitigation
Most IdP systems offer only basic threat-detection signals, such as device characteristics and location, that provide a snapshot of what the user is doing at the moment of authentication or which software version a device is running. Few were designed to offer true behavioral threat detection based on past usage patterns, which can spot anomalies and act to stop them before they do damage to the organization or the user.
An identity orchestration platform can provide seamless integration with any identity-related service, including IdPs such as PingFederate, Okta, Azure Active Directory, AWS, and Google. These services are combined with other authentication tools, fraud-detection services, and access controls into a single system that manages them as one, under a single pane of glass. Changes to authentication technologies, other identity services, and complex policies can be made quickly and deployed across the enterprise without touching application code.
A risk-aware identity orchestration platform such as Transmit Security can use stored user and device profile histories to compare user activity in real time, detect anomalies, and trigger automatic actions against those that may be threats. Combined with this integration capability, it gives enterprises the agility they need while defending against attackers who look for weaknesses that SSO and federation can amplify.
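To make the difference between a point-in-time snapshot and history-based detection concrete, here is a small risk engine written for this article. It is an added illustration, not Transmit Security’s code or any IdP’s product logic. The user, device IDs, coordinates and login events are constructed sample data, and the thresholds (minimum history, maximum plausible travel speed, rare-hour fraction, step-up and block cut-offs) are assumptions chosen for the example. Each login is scored against the user’s learned baseline: impossible travel needs only the previous login, while new-device and unusual-hour checks wait until enough history exists, and blocked attempts are never learned so an attacker cannot poison the baseline.

```python
"""Risk-aware, history-based login scoring (illustrative example, not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import math


@dataclass(frozen=True)
class AuthEvent:
    user: str
    ts: datetime        # UTC time of the authentication attempt
    device_id: str      # stable identifier presented by the authenticator or browser
    lat: float
    lon: float


@dataclass
class UserProfile:
    """Per-user baseline learned from prior accepted logins."""
    devices: set = field(default_factory=set)
    hours: dict = field(default_factory=lambda: defaultdict(int))  # login hour -> count
    logins: int = 0
    last: Optional[AuthEvent] = None

    def learn(self, ev: AuthEvent) -> None:
        self.devices.add(ev.device_id)
        self.hours[ev.ts.hour] += 1
        self.logins += 1
        self.last = ev


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


# Policy thresholds: assumptions for this example, not any vendor's defaults.
MIN_HISTORY = 5        # accepted logins needed before the baseline is trusted
MAX_SPEED_KMH = 900.0  # faster than an airliner => impossible travel
RARE_HOUR_FRAC = 0.05  # an hour seen in <5% of prior logins is unusual
STEP_UP_AT, BLOCK_AT = 30, 70


def score_event(profile: UserProfile, ev: AuthEvent):
    score, reasons = 0, []
    # Hard signal: only needs the previous login, so it applies even during cold start.
    if profile.last is not None:
        dist = haversine_km(profile.last.lat, profile.last.lon, ev.lat, ev.lon)
        hours = max((ev.ts - profile.last.ts).total_seconds() / 3600, 1 / 60)
        if dist > 50 and dist / hours > MAX_SPEED_KMH:
            score += 60
            reasons.append("impossible_travel")
    # Baseline signals: skipped until enough history exists, otherwise every
    # first login would look anomalous.
    if profile.logins >= MIN_HISTORY:
        if ev.device_id not in profile.devices:
            score += 40
            reasons.append("new_device")
        if profile.hours[ev.ts.hour] / profile.logins < RARE_HOUR_FRAC:
            score += 20
            reasons.append("unusual_hour")
    return score, reasons


def decide(score: int) -> str:
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def evaluate_stream(events):
    """Score events in time order, learning only from attempts that were not blocked."""
    profiles = defaultdict(UserProfile)
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        prof = profiles[ev.user]
        score, reasons = score_event(prof, ev)
        decision = decide(score)
        # Assumption: a step-up challenge succeeds, so the login joins the baseline.
        # A blocked attempt must never be learned, or the attacker trains the model.
        if decision != "block":
            prof.learn(ev)
        out.append({"user": ev.user, "ts": ev.ts.isoformat(), "score": score,
                    "decision": decision, "reasons": reasons})
    return out


def sample_events():
    """Constructed sample data: ten routine logins, then two suspicious ones."""
    london = (51.5074, -0.1278)
    nyc = (40.7128, -74.0060)
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    evs = [AuthEvent("alice", t0 + timedelta(days=d), "laptop-1", *london) for d in range(10)]
    # The same device appears in New York one hour after the London login.
    evs.append(AuthEvent("alice", t0 + timedelta(days=9, hours=1), "laptop-1", *nyc))
    # Next day: usual place and hour, but a device never seen before.
    evs.append(AuthEvent("alice", t0 + timedelta(days=10), "phone-2", *london))
    return evs


if __name__ == "__main__":
    for r in evaluate_stream(sample_events()):
        print(r["ts"], r["decision"], r["score"], ",".join(r["reasons"]))
```

A snapshot-only check would see a registered device in both suspicious logins and wave them through; it is the stored history (last location and time, known devices, usual hours) that turns the New York login into a block and the new phone into a step-up challenge rather than a silent allow.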