Plan for security in Advanced Identity Cloud
When you set up your PingOne Advanced Identity Cloud tenant environments, you must ensure that they are configured with security in mind.
The following topics lay out a comprehensive list of actions to take to help you set up Advanced Identity Cloud as securely as possible. However, security is a very broad subject, and every Advanced Identity Cloud customer has different use cases; you are expected to do your own research to complement the information found in these topics.
You should also ensure any changes you make to security settings in Advanced Identity Cloud follow your own corporate security policies, especially in relation to password complexity and active features.
Network connections
HTTPS and HTTP
Always use HTTPS for connections into Advanced Identity Cloud.
Advanced Identity Cloud does not accept connections over HTTP. However, a client making API calls to Advanced Identity Cloud over HTTP instead of over HTTPS can still send unprotected credentials in an HTTP Authorization header, inadvertently exposing sensitive information. Even though Advanced Identity Cloud rejects the request, the credentials could be leaked to eavesdroppers.
Cookie domain configuration
Configure the cookie domain in your Advanced Identity Cloud tenant to ensure only users and entities from trusted domains can be authenticated.
By default, Advanced Identity Cloud sets the cookie domain based on the fully qualified hostname of a tenant,
such as id.mycompany.co.uk
. However, you may want to change the cookie domain to
mycompany.co.uk
so Advanced Identity Cloud can communicate with any subdomain.
Learn more in Configure the cookie domain for a custom domain.
CORS
Configure cross-origin resource sharing (CORS) to securely share browser resources across domains.
In Advanced Identity Cloud, you can configure CORS to allow browsers from trusted domains to access Advanced Identity Cloud protected resources. You can create as many individual CORS configurations as your applications need. The configurations combine to form the entire set of rules for resource sharing. The CORS service also collects the values of the JavaScript Origins property in each OAuth 2.0 client and adds them to the list of accepted origins.
Learn more in Configure cross-origin resource sharing.
CSRF attacks
Advanced Identity Cloud includes a filter to harden protection against cross-site request forgery (CSRF)
attacks. The filter applies to all REST endpoints under /am/json/
. It requires all requests
other than GET, HEAD, or OPTIONS to include at least one of the following headers:
- X-Requested-With
-
This header is often sent by Javascript frameworks, and the UI already sends it on all requests.
- Accept-API-Version
-
This header specifies which version of the REST API to use. Use this header in your requests to ensure future changes to the API do not affect your clients.
Failure to include at least one of the headers causes the REST request to fail with a 403 Forbidden
error.
Learn more about API versioning in REST API versions.
Identify originating client IP addresses
The X-Forwarded-For
HTTP header identifies the originating IP address of a client; however, there are security and privacy concerns associated with its use. Learn more in the MDN Web Docs X-Forwarded-For.
Advanced Identity Cloud includes two alternative HTTP headers:
- X-Real-IP
-
This header contains the IP address of the client making the request.
- X-Trusted-Forwarded-For
-
This header contains three trusted
X-Forwarded-For
IP addresses as an array. The first IP address in the array is always the real client IP address. The remaining two values in the array are load balancer IP addresses.
Consider using one of these headers as a trusted replacement for the X-Forwarded-For
header, especially when making decisions concerning access.
If the client is behind a reverse proxy, the trusted replacement headers contain the real IP address of the reverse proxy, not the client. |
Request data size limits
To protect against requests that contain large amounts of data, Advanced Identity Cloud rejects the following:
-
Requests with a body size larger than 1 MiB (1,048,576 bytes).
-
Requests that contain JWTs that expand to a size larger than 32 KiB (32,768 bytes) when decrypted.
Protect applications
Ping Identity provides policy enforcement points (PEPs) to improve application security by enforcing Advanced Identity Cloud authentication and authorization decisions in your applications:
-
Use PingGateway to protect your applications without modifying them or the infrastructure where they run—whether on-premises, in a public cloud, or in a private cloud. PingGateway acts as a reverse proxy, intercepting client requests and server responses to enforce authentication and authorization.
-
Use Ping Identity web or Java policy agents to protect your applications when you have access to the infrastructure where they run. Policy agents natively plug into web or application servers and intercept inbound requests to enforce authentication and authorization. You can manage the policy agent configurations centrally from Advanced Identity Cloud.
Learn more in these guides:
-
Advanced Identity Cloud guide for PingGateway
-
Advanced Identity Cloud guide for Web Agent
-
Advanced Identity Cloud guide for Java Agent
Learn more about applications built using an SDK in Security guide for SDKs.
Sessions
Set expiry time for sessions and JWT tokens
To minimize the time an attacker has to attack an active session, set expiry times for Advanced Identity Cloud sessions and JWT tokens.
Ping Identity recommends setting an expiry time of 15 minutes. However, you should decide your expiry time according to the context of your deployment, balancing security and usability so that your end users can complete operations without their sessions frequently expiring. Learn more in the OWASP Session Management Cheat Sheet.
To update the expiry time for sessions and JWT tokens in Advanced Identity Cloud, learn more in Configure session termination settings.
Authentication session allowlisting
Enable authentication session allowlisting to protect authentication sessions from replay attacks, whereby a malicious user might try to rewind an authentication flow to a previous node.
Learn more in Authentication session allowlist.
Session invalidation after password reset
Advanced Identity Cloud has no automatic mechanism to delete existing user sessions when a user changes their password. To implement automatic invalidation of existing sessions on password reset, consider one of the following approaches:
-
Use the
logoutByUser
action, specifying the username in the request payload.This action can be used for server-side and client-side sessions and is described in Invalidate all sessions for a user.
-
Use a query to locate all sessions for a user, then use the
logoutByHandle
action to invalidate those sessions.This action can be used for server-side sessions only and is described in Invalidate specific sessions.
Access
Remove non-essential access
Make sure only authorized people can access Advanced Identity Cloud, and audit system access periodically.
Deactivate non-essential features
The more features you have turned on, the greater the attack surface. If something is not being used, switch it off, or remove its configuration to deactivate it. These are some features to consider turning off:
-
Hosted journey pages and/or hosted account pages (learn more in Deactivate hosted pages)
-
Unused or insecure journeys (learn more in Deactivate unused or insecure journeys)
-
Unused realms (learn more in Manage realm settings)
-
RCS OAuth 2.0 client (learn more in Deactivate the RCS OAuth 2.0 client)
Harden password policy
Ensure you harden your password policy for each realm. These are some common ways to harden a password policy:
-
Require a minimum of 12 characters
-
Prevent the use of repetitive characters
-
Prevent the use of commonly used passwords
-
Prevent reuse of the last three passwords
Learn more in Password policy.
Account lockout
Account lockout is a security mechanism that locks a user account after repeated failed login attempts. You can use it to supplement your password policy to slow down brute-force attacks.
Ping Identity recommends using a persistent lockout. If that’s not compatible with your company’s preferences, Ping Identity recommends using a duration lockout of at least 15 minutes.
Learn how to configure account lockout and implement account lockout in your journeys in Account lockout.
Use service accounts to generate access tokens
Ensure any automated scripts do not rely on a tenant administrator account to generate an access token. Instead, use a service account. Additionally, restrict the scopes that a service account can grant only to those needed by the automated script.
Learn more in Service accounts.
Enforce 2-step verification for tenant administrators
Make sure 2-step verification is mandatory for tenant administrators.
Learn more in Tenant administrator mandatory 2-step verification FAQ.
Keys, secrets, and encryption
Update cryptography
Different algorithms and methods are discovered and tested over time, and communities of experts decide which are the most secure for different uses. Use up-to-date cryptographic methods and algorithms to generate keys.
Small keys are easily compromised. Use at least the recommended key size.
Store sensitive data in secrets
Ensure sensitive data such as passwords and encryption keys are stored in ESV secrets, and never embedded directly in configuration or scripts.
Rotate keys
These are some reasons to rotate keys regularly:
-
To limit the amount of data protected by a single key.
-
To reduce dependence on specific keys, making it easier to migrate to stronger algorithms.
-
To prepare for when a key becomes compromised. The first time you try key rotation, it shouldn’t be during a real-time recovery.
-
To conform to internal business compliance requirements.
Learn more in Use ESVs for signing and encryption keys.
Encrypt sensitive data
Advanced Identity Cloud supports encryption of data stored in the repository. Data can be encrypted using reversible encryption or one-way encryption.
Ping Identity recommends you encrypt all sensitive data. These are examples of sensitive data:
-
Passwords
-
Authentication questions
-
Credit card numbers
-
Government benefit ID numbers
Learn more in Secure identity data.
Encrypt OIDC ID tokens
OpenID Connect 1.0 (OIDC) ID tokens can contain sensitive data and personally identifiable information (PII). Ping Identity recommends you encrypt all ID tokens.
Learn more in Encrypt ID tokens and backchannel logout tokens.
Journeys
Add account lockout to login journeys
Login journeys are vulnerable to brute force attacks. You can mitigate this risk by adding account lockout to your login journeys.
Add email confirmation to registration journeys
Registration journeys are vulnerable to denial-of-service attacks, where attackers try to create extremely high numbers of new users with the intention of exhausting system resources and creating an outage. You can mitigate this risk by using the Email Suspend node in your registration journeys to prevent new users from being created until an email address is verified.
Learn more in Email Suspend node.
Deactivate unused or insecure journeys
Advanced Identity Cloud is preconfigured with default journeys to get you started. However, Ping Identity recommends you harden these default journeys or implement your own journeys using security best practices; for example, by adding MFA to a login journey to confirm user identity using a device.
Once you have built your journeys, ensure you deactivate any unused journeys, particularly insecure login journeys that only require a username and password.
Learn more in the Deactivate a journey section of Journeys.
Deactivate hosted pages
If you have developed your own end-user journey and account experience using Ping SDKs or APIs, Ping Identity recommends that you deactivate the hosted journey pages and/or the hosted account pages to ensure there is no risk of unauthorized access by a malicious user.
Learn more in Advanced Identity Cloud hosted pages.
Threats
Misconfiguration
Misconfiguration can arise from bad or mistaken configuration decisions and poor change management. Depending on the configuration error, features can stop working in obvious or subtle ways and potentially introduce security vulnerabilities.
To guard against bad configuration decisions, implement good change management:
-
For all enabled features, document why they are enabled and what your configuration choices mean. This implies a review of configuration settings, including default settings that you accept.
-
Validate configuration decisions with thorough testing.
-
Maintain a record of your configurations and the changes applied.
-
Use version control software for any configuration scripts and to record changes to configuration files.
Compromised passwords
Despite efforts to improve how people manage passwords, users have more passwords than ever before, and many use weak passwords. You are strongly encouraged to use a password manager to generate secure passwords.
Audit logging and monitoring
Advanced Identity Cloud provides an audit logging service that captures key auditing events critical for system security, troubleshooting, and regulatory compliance.
Audit logs gather operational information about events that occur within an Advanced Identity Cloud tenant. They track processes and security data, such as authentication mechanisms, system access, user and administrator activity, error messages, and configuration changes.
You are strongly encouraged to set up systems to monitor your audit logs and alert you to unusual patterns of behavior.
Learn more in Monitor your tenant.