Identity as a service

Traditional software, installed locally and accessed on standalone servers, is steadily migrating to centralized cloud-based service models. Application hosting and access in these models are available as subscription services. Software delivered as a service over the Internet is generically termed Software as a Service (SaaS).

Note

Popular cloud-based services include Google Cloud, which provides Platform as a Service (PaaS); Amazon AWS, which provides PaaS and Infrastructure as a Service (IaaS); and Salesforce, which provides SaaS.

Similarly, identity and access management applications and associated services are delivered through subscription-based cloud models. Such services are termed Identity as a Service (IDaaS). While they provide flexibility and cost effectiveness, there are security concerns due to the open nature of the Internet.

Security concerns

The following are some of the security concerns pertaining to Software or Identity as a Service:

  • Due to the open nature of the Internet, cloud-based identity services are subject to higher scrutiny with regard to security. One important concern is identity theft. During the login process to the cloud application, the communication may be intercepted (eavesdropping) and the credential details captured.
  • The security of data at rest, such as credentials stored in a database, is a concern. Systems can be compromised and the credentials captured from the databases.
  • When using software as a service, one important security concern is privacy. The amount of personal information that the cloud software application can access from the local computer is a concern.
  • The compromise of passwords using brute force or other password attacks on the identity systems.
  • Cookies are generally used by identity services to store session information. Some systems are susceptible to cookie replay attacks. In such a scenario, an attacker may be able to gain access to the system without knowing the credentials.

    Note

    Cookies are temporary files that may contain the user logon session information and other data necessary for personalization purposes. They may be stored in the user's browser disk or on the hard disk. A cookie may not contain a password.

  • Data may be tampered with during communication, which would compromise the integrity of the identity data.
  • Identity services may be unavailable due to denial-of-service (DoS) attacks, thereby affecting access and compromising the availability requirements.
  • The spoofing of identities and forgery or cloning attacks.
  • Phishing attacks on the users to gain identity information.

    Note

    Security concerns and attacks listed previously are covered in Chapter 8, Day 8 - Communication and Network Security - Network Security, and Chapter 9, Day 9 - Communication and Network Security - Communication security.

Security solutions for many of the concerns pertaining to Identity as a Service (IDaaS) are based on strong authentication, such as multifactor authentication; cryptographic methods, such as encryption; and robust monitoring.

Note

Cryptographic controls are covered in Chapter 7, Day 7 - Security Engineering - Cryptography and Physical security.
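
To make the cookie replay and data tampering concerns above concrete, the following added example (not from the book) shows a session cookie that carries an HMAC and is bound to an expiry and a client channel, so that edited, expired, or relocated cookies are rejected with a reason that monitoring can alert on. The function names, the cookie layout, and the `channel_id` value (assumed to be something an eavesdropper who captures the cookie cannot reproduce, such as a TLS channel identifier) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the identity service

def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def _tag(channel_id):
    # Hypothetical binding: hash of a per-client channel identifier.
    return hashlib.sha256(channel_id.encode()).hexdigest()[:16]

def issue_cookie(session_id, expires_at, channel_id):
    payload = f"{session_id}.{expires_at}.{_tag(channel_id)}"
    return f"{payload}.{_mac(payload)}"

def check_cookie(cookie, now, channel_id):
    """Return (accepted, reason); any reason other than 'ok' is a monitoring event."""
    parts = cookie.split(".")
    if len(parts) != 4:
        return False, "malformed"
    session_id, expires_at, tag, mac = parts
    expected = _mac(f"{session_id}.{expires_at}.{tag}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "tampered"            # integrity check failed
    if now >= int(expires_at):
        return False, "expired"             # limits the replay window
    if not hmac.compare_digest(tag.encode(), _tag(channel_id).encode()):
        return False, "replayed-from-other-client"
    return True, "ok"

def demo():
    now = 1_700_000_000                     # constructed timestamp
    cookie = issue_cookie(secrets.token_hex(8), now + 900, "channel-A")
    forged = cookie.replace(str(now + 900), str(now + 90000))
    return [
        check_cookie(cookie, now + 60, "channel-A"),   # legitimate use
        check_cookie(cookie, now + 60, "channel-B"),   # captured cookie used elsewhere
        check_cookie(forged, now + 60, "channel-A"),   # expiry edited in transit
        check_cookie(cookie, now + 901, "channel-A"),  # presented after expiry
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Binding and expiry narrow the window for replay rather than removing it, which is why the rejection reasons are returned for logging instead of being silently dropped.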
