Threat vectors in an identity environment
The PingDirectory platform serves as the authentication repository for a wide variety of network applications, and it often stores sensitive user information and application data.
Hackers that obtain user credentials can cause extensive damage to individuals, systems, and businesses.
Business costs to secure and monitor identity deployments can be large, but the total cost is small compared to the cost of a security breach. A security breach requires resources to investigate the incident, assess the scope of the damage, identify any compromised data, and revert any changes. Affected users must be notified and must be compensated for downtime and for any costs incurred from the exposure of their personal data. However, the damage to a company’s reputation is often the most costly result.
Directories are the central component within identity management systems. They streamline authentication and authorization across system boundaries. Whether for user, account, or subscriber provisioning, directory services must be properly secured so that sensitive information is not accessible by unauthorized individuals externally or internally. If the directory service is compromised, attackers can gain access to the data that it contains and to other systems that rely on the directory service for authentication and authorization.
In securing the directory service, several threat vectors must be considered:
-
Compromise of:
-
The underlying host system on which the PingDirectory server is running
-
Peripheral systems that might have access to server data, including backups, LDIF exports, log files, or monitor data
-
Systems used in setting up new instances including orchestration frameworks and configuration-as-code repositories
-
-
Access to network communication
This includes not only the ability to observe traffic passing between clients and servers, but also the potential to intercept and alter that communication, or impersonate a legitimate server.
-
Attacks that involve communication with the server over the intended protocols, including LDAP, SCIM, and the Directory REST API, whether by unauthenticated clients, regular and administrative users using legitimately obtained credentials, or attackers who might be able to obtain compromised credentials
This includes denial of service attacks and attempts to access unauthorized data.