FINAL WORD
4. Federation and single sign-on
To nail down the differences between these two terms, let’s start by explaining the comparatively simple structure of an SSO authentication environment. Single sign-on allows you to sign on once with a service provider for a range of services, allowing that one authentication event to give you access to a suite of services. There are plenty of services that enable SSO, and the beauty of SSO is how frictionless it is for users.
5. Federation
This works slightly differently, as it isn’t just requesting access from a single service provider. There’s still one sign-on involved on the user’s end, but not on the back end. Instead, federation relies on a trust relationship between multiple service providers, with a single source for that trust. So, the user signs on to the source of the trust relationship (a centralised identity provider or IDP) with all of the necessary credentials once. Attempts to access federated services will involve re-authentication through that IDP. You won’t be using credentials to access those diverse services – the IDP will be sending them out. The time savings are the same as with SSO, and so are the risks if the IDP is breached.
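The federated flow described above, as an added example that is not part of the original article: a toy identity provider authenticates the user once and then mints one signed assertion per service, and each service provider checks only the IdP’s signature, the intended audience and the expiry, never the user’s password. The IdP key, user, password and service names are constructed sample values, and the HMAC shared key stands in for the asymmetric signatures that real SAML or OIDC deployments use. Because every service trusts the same IdP key, a compromise of that key (or of the IdP itself) lets an attacker mint assertions for all of them at once, which is the risk the paragraph ends on.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values: a toy IdP signing key and one user record.
IDP_KEY = b"constructed-idp-signing-key"
IDP_USERS = {"alice": "correct horse battery staple"}
ASSERTION_TTL = 300  # seconds an assertion stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class IdentityProvider:
    """Authenticates the user once, then issues one assertion per service."""

    def __init__(self, key: bytes):
        self._key = key
        self._sessions = set()

    def sign_on(self, user: str, password: str) -> bool:
        stored = IDP_USERS.get(user, "")
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self._sessions.add(user)
            return True
        return False

    def assertion_for(self, user: str, audience: str, now=None) -> str:
        # Re-authentication through the IdP: only users with a live session
        # get an assertion, and each one is bound to a single audience.
        if user not in self._sessions:
            raise PermissionError("user has no IdP session")
        now = time.time() if now is None else now
        claims = {"sub": user, "aud": audience, "iat": now, "exp": now + ASSERTION_TTL}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)


class ServiceProvider:
    """Trusts the IdP's key; never sees or stores the user's password."""

    def __init__(self, name: str, idp_key: bytes):
        self.name = name
        self._idp_key = idp_key

    def accept(self, assertion: str, now=None) -> bool:
        now = time.time() if now is None else now
        try:
            payload_b64, sig_b64 = assertion.split(".")
            payload = _unb64(payload_b64)
            expected = hmac.new(self._idp_key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig_b64)):
                return False  # signature does not come from the trusted IdP
            claims = json.loads(payload)
        except (ValueError, TypeError):
            return False
        # Audience check stops an assertion for one service being replayed at another.
        return claims.get("aud") == self.name and claims.get("exp", 0) > now


def federated_login_demo(now: float = 1_700_000_000.0) -> dict:
    """One sign-on at the IdP, then access to two federated services."""
    idp = IdentityProvider(IDP_KEY)
    mail = ServiceProvider("mail", IDP_KEY)
    wiki = ServiceProvider("wiki", IDP_KEY)
    results = {"sign_on": idp.sign_on("alice", "correct horse battery staple")}
    mail_token = idp.assertion_for("alice", "mail", now)
    wiki_token = idp.assertion_for("alice", "wiki", now)
    results["mail"] = mail.accept(mail_token, now)
    results["wiki"] = wiki.accept(wiki_token, now)
    # The mail assertion must not open the wiki, and it must expire.
    results["replay_to_wrong_service"] = wiki.accept(mail_token, now)
    results["expired"] = mail.accept(mail_token, now + ASSERTION_TTL + 1)
    # A forged payload with the genuine signature attached fails verification.
    forged_claims = {"sub": "mallory", "aud": "mail", "iat": now, "exp": now + ASSERTION_TTL}
    forged = _b64(json.dumps(forged_claims, sort_keys=True).encode()) + "." + mail_token.split(".")[1]
    results["forged"] = mail.accept(forged, now)
    return results


if __name__ == "__main__":
    print(federated_login_demo())
```

The service providers hold no credentials of their own; they only verify what the IdP signed, which is what makes the single sign-on frictionless and also what makes the IdP the one place whose compromise undoes every service at once.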
6. Zero Trust
A Zero Trust model says that anything coming onto your network (person or device) has to have a positive identity that’s verified by the system. Put simply: ‘Trust never, always verify.’ That way, access is restricted to licit users and devices: trusted entities. When hundreds or even thousands of Internet-enabled devices are able to come on the network of a large organisation, it’s crucial to give them access rights commensurate with what they need from the network – which shouldn’t be much.
So how does a Zero Trust security posture contribute to a safer organisation? Basically, it makes sure that what’s on your network belongs there and heads off breaches by unauthorised devices that may not be properly configured. It also addresses vulnerabilities arising from use of your network’s resources by devices that may be communicating remotely over an insecure Internet connection. Finally, it keeps users from bringing in their own less-secure devices and inadvertently causing a breach. No one wants to be that guy. With a Zero Trust security model, they wouldn’t get the opportunity.
7. Phishing
Phishing, as you probably know, continues to be one of the most common security scams. Through email (the usual source), text, phone, or even messaging, social media and productivity apps, crooks attempt to steal user data. Usually, they’ll pose as a legitimate organisation and steal a bit of formatting from licit communications from those organisations. The goal is to get people to click a malicious URL, log in to a fake site or download a virus-ridden attachment.
Because it can be devastatingly successful, cybercriminals have continued to innovate. They all want to build the better phish-trap, which is why there are some new terms associated with this old-school brand of attack, such as: Spear Phishing, Whaling and Clone Phishing.
8. Internet of Things
If you think of a certain talking home speaker system or your smart oven when you think of the Internet of Things (IoT), you’re not alone. Consumer ‘smart’ devices overwhelm the public imagination when it comes to IoT. The surface area of this ecosystem and its vulnerability to breach are enormous. A ‘headless’ device, which has no clear user interface and may even communicate through archaic or unsecured protocols, is an attractive target for crooks. What’s crucial is to have an identity and access management solution that encompasses all of these headless devices (Zero Trust), ensuring that their access to the network is licit, and that no bad actors are hijacking the device to access your network.
The consequences of an IoT breach can be dire, but avoiding breaches isn’t necessarily simple or straightforward. Today’s IoT ecosystem is full of mismatched headless or limited UI devices that may be ticking time bombs.
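The Zero Trust check described in section 6, and the point in section 8 that headless IoT devices need to be covered by the same identity and access management, as one added example that is not part of the original article. It is a request-time policy function: every request must carry a verified identity and a compliant device, network location grants nothing, and each principal gets only the narrow set of resources its role (or, for a headless device, its device identity) needs. All user, device, role and resource names are constructed sample values, and the posture flags stand in for what a real device-management or attestation service would report.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Device:
    device_id: str
    identity_verified: bool  # device presented a verified identity (e.g. a certificate)
    managed: bool            # enrolled in device management
    patched: bool            # posture check passed: up to date
    kind: str = "laptop"     # "laptop" or "headless" (IoT device with no UI)


@dataclass
class Request:
    user: Optional[str]      # None when a headless device acts on its own
    user_verified: bool      # user identity verified by the system (e.g. via the IdP)
    device: Device
    resource: str
    network: str             # "corporate-lan", "internet", ... deliberately ignored below


# Least-privilege grants (constructed): what each role needs, and nothing more.
ROLE_GRANTS = {
    "engineer": {"git", "wiki"},
    "finance": {"ledger"},
    "admin": {"git", "wiki", "ledger", "idp-console"},
}
USER_ROLES = {"alice": "engineer", "carol": "finance"}
# Headless devices get a fixed, narrow grant tied to their device identity.
DEVICE_GRANTS = {"thermostat-17": {"telemetry-ingest"}}


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Being 'on the network' never grants access."""
    dev = req.device
    if not dev.identity_verified:
        return False, "device identity not verified"
    if not (dev.managed and dev.patched):
        return False, "device posture non-compliant"
    if dev.kind == "headless":
        # A hijacked device can only reach what its own identity is granted.
        if req.resource in DEVICE_GRANTS.get(dev.device_id, set()):
            return True, "headless device within its grant"
        return False, "headless device outside its grant"
    if req.user is None or not req.user_verified:
        return False, "user identity not verified"
    role = USER_ROLES.get(req.user)
    if role and req.resource in ROLE_GRANTS[role]:
        return True, f"{role} may access {req.resource}"
    return False, "resource not in the user's grant"


def zero_trust_demo() -> dict:
    """Constructed requests showing that identity and posture decide, not location."""
    compliant = Device("lt-alice", True, True, True)
    unmanaged = Device("lt-byod", True, False, True)
    thermostat = Device("thermostat-17", True, True, True, kind="headless")
    cases = {
        # Verified user on a compliant device, coming from the Internet: allowed for her role.
        "alice_git_from_internet": Request("alice", True, compliant, "git", "internet"),
        # Same user asking for a resource outside her role: denied even on the LAN.
        "alice_ledger_from_lan": Request("alice", True, compliant, "ledger", "corporate-lan"),
        # Personal, unmanaged laptop plugged into the LAN: denied, location buys nothing.
        "byod_on_lan": Request("alice", True, unmanaged, "wiki", "corporate-lan"),
        # Headless device reaching its own telemetry endpoint: allowed.
        "thermostat_telemetry": Request(None, False, thermostat, "telemetry-ingest", "corporate-lan"),
        # The same device, hijacked, trying to reach the wiki: denied.
        "thermostat_wiki": Request(None, False, thermostat, "wiki", "corporate-lan"),
    }
    return {name: evaluate(r)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, allowed in zero_trust_demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The `network` field is carried on the request only to show that the policy never reads it; the first two checks (verified device identity, compliant posture) apply equally to a laptop and a thermostat, which is what it means for the access management solution to encompass the headless devices as well.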