Companies that provide digital services need to secure access to information to protect the data belonging to the organization, its customers, and its business partners. Developing software with security gaps carries the risk of being exploited by cyberattacks, which have become more sophisticated in recent years.
Mitigations such as having a third-party company perform penetration testing can help. This identifies vulnerabilities from the OWASP Top 10, such as vulnerable backend endpoints exposed to the internet. However, penetration testing typically only detects a subset of problems. Instead, we recommend defense-in-depth, where software teams follow best practices for protecting against threats.
Implementing security correctly can also provide significant business benefits. A good separation of concerns design works well, keeps your application’s security code simple, and allows you to easily extend your security behavior. It also offers the best features in areas such as user authentication and connecting with business her partners.
1. Applications use the latest security standards
These days, the strongest security option for modern applications is to use the OAuth family of specifications. These security standards address enterprise use cases. For each standard, threats and mitigations have also been carefully reviewed by many experts.
OAuth is used to secure mobile, web, and API components. It is lightweight and suitable for large software platforms. It’s also widely used to protect high-value data with stronger security profiles, such as those defined by the Financial-grade API (FAPI) working group.
Applications need to outsource complex security to identity and access management (IAM) systems. This provides powerful options for authenticating users, protecting data using tokens, and interoperating with business partners.
Standards also provide a blueprint for engineers to follow to find more weak spots early on. This includes using ‘Scopes’ and ‘Claims’ to validate early on the lack of OWASP’s biggest API vulnerability: broken object-level authorization.
Next, businesses should choose an IAM solution. This is an important decision as it must ensure proper business outcomes. A company may start with some technical research. However, the final product choice decision maker is usually the chief technology officer (CTO) or the head of architecture.
But there are subtleties in understanding the key requirements and making an informed choice. As such, he highlights other key behaviors that CTOs should look out for when planning a company’s next-generation security architecture.
2. Secure token design to protect APIs
Ultimately, OAuth is about protecting your data. The developer understands that the application redirects to her IAM system when the user needs to be authenticated. The app then uses the token to make API calls. However, not everyone realizes that the data used in tokens requires careful design.
The IAM system stores unique user account data that is the authoritative source of personally identifiable information (PII). An IAM system can help manage other regulatory aspects, such as acceptance of terms and user privacy prompts. To protect against both external and internal threats, you should use a Zero Trust Architecture (ZTA). This requires only simple code in your API to validate JWT access tokens and apply business rules on every request. For an overview of how it works, see the article Implementing Zero Trust APIs.
The IAM system must write a secure value to the token as a “claim”. This is later relied on by the API and used for authorization. Examples include user ID, email, tenant ID, role, or subscription level. If some values are stored in business data, the IAM system must be able to retrieve them. Internet clients, on the other hand, should only receive confidential reference tokens.
3. Users authenticate in multiple ways with one identity
An IAM system allows you to run a simple code flow in your application and then configure different ways to authenticate users. One possible solution is to use Azure Active Directory as the first factor in your multi-factor authentication (MFA) flow. Support for passwordless logins via WebAuthn, passkeys, and wallets is also becoming essential for enterprises.
Robust authentication also requires designing for data integrity. Business data often has its own concept of users, where business user identities are stored against business resources. However, the system should avoid duplicating users in identity or business data when using different authentication methods. This is achieved with the following data picture type called Account Linking. An IAM system must be highly scalable to handle all current and future authentication use cases.
4. Engineering teams follow security best practices
OAuth is a complex framework and applying it is an advanced architecture. It also provides a greater separation of concerns than the old architecture, with more components and endpoints. Some use cases, such as web security, are difficult to get right. Unfortunately, it’s common to make costly mistakes that can delay time to market and impact future productivity. Most architects and developers are not security experts and need access to in-depth IAM online resources.
Hopefully OAuth requires only simple application code. However, if the architect follows a suboptimal design, or if the IAM system lacks the required extensions, it is common to have to code complex workarounds at the application layer. This code becomes difficult to manage and extend over time.
5. DevOps teams operate production systems safely and reliably
Using a SaaS provider’s IAM system may be viewed as a safe choice by an external party to ensure high availability of the IAM system. But the requirements from DevOps and InfoSec teams usually go beyond this. The DevOps team needs modern logging and monitoring capabilities, and InfoSec needs auditing of her IAM events. IAM providers should also offer support packages that provide timely access to real-world product experts.
In production, DevOps teams work with APIs, API gateways, and IAM systems. These are summarized in the IAM Primer. These components interact frequently and are most efficient when hosted next to each other in the backend cluster. A cloud-native approach works best, and teams can also limit the endpoints exposed to the internet.
Modern apps can be secured via the OAuth framework, which provides state-of-the-art features for user authentication and data protection. Before committing to an IAM product, engage your technical staff in evaluations to ensure that you can achieve the following results:
- Applications that use the latest security standards.
- A secure token design that protects your API.
- A user can be authenticated in a variety of ways using a single identity.
- Our engineering team follows security best practices.
- DevOps operates production systems safely and reliably.
At Curity, we provide IAM products and are passionate about keeping up to date with the ever-growing list of OAuth security standards. We also make it easy to extend the product for any use case.
We know that implementing OAuth is difficult for organizations and takes time to focus on complex business goals. So, in addition to our IAM products, we offer specific designs to reduce uncertainty and accelerate end-to-end solutions.
The Curity approach involves separation of concerns that externalizes application security plumbing. We also put a lot of effort into resources focused on the developer and those who support him on his DevOps journey.