Blog

Securing Applications using WSO2 Identity Server and CASQUE

WSO2 Identity Server is an extensible, open source solution to federate and manage identities across both Enterprise and Cloud environments including APIs, mobile, and Internet of Things devices, regardless of the standards on which they are based. The Identity Management Suite subsumes features found in competitive products but is open source!

Distributed Management Systems Ltd (“DMS”) has invented and fully developed CASQUE, a new and radical approach to Identity Assurance that removes major vulnerabilities which all current multi-factor authentication methods possess.

WSO2 and DMS have cooperated to closely integrate CASQUE with WSO2 Identity Server and will present a joint webinar on 22nd May 2019 at 11am. Click to Register

The Case against Adaptive Authentication

We believe the fashionable trend for “Adaptive Authentication”, where Identity is determined by a software-only technique based on the User’s “Use Profile”, is flawed both in design principle and in operation.

The Whitepaper details the weaknesses in this approach and shows how a different “Fortress Construction” design is superior.

Click to Download the Whitepaper

CASQUE SNR adds High Grade Identity Assurance to CISCO ASA

Organisations may want to utilise Cloud resources provided by AWS, Google Cloud or Azure but want to own and operationally control their Identity Access. There is a trend to offer “Virtual Appliances” – software versions of previously dedicated hardware gateway units so that they can run on compute resources residing in Cloud environments.

We have integrated CASQUE SNR using the capabilities of Cisco Adaptive Security Appliance (ASA) Software. All Cisco ASA 5500-X Series Next-Generation Firewalls are powered by this software and so are the “Virtual” manifestations called ASAv. Cisco Adaptive Security Virtual Appliance (ASAv) is optimised for cloud and data center environments with VMware, KVM and Hyper-V hypervisor support providing throughput from 100 Mbps to 10 Gbps utilizing from 1 to 16 GB memory.

CASQUE SNR integrates with clientless VPN configurations, with the Challenge presented as a QR-coded image, and also provides Challenges as file downloads using the client-installed AnyConnect.

UK Government issues minimum cyber security standards

These cyber-security standards will now be incorporated into the Government Functional Standard for Security, obliging government departments and suppliers to comply.

Multi-factor authentication shall be used where technically possible, such as where administrative consoles provide access to manage cloud-based infrastructure, platforms or services. Multi-factor authentication shall be used for access to enterprise-level social media accounts.

BUT... existing Multi-factor Authentication (MFA) Products are weak!

According to NIST, “Out-of-Band” methods like SMS and Email, or “OTP” methods like SecurID or Vasco, need multiple other supporting techniques and therefore consume extra overhead and management costs - see the NIST Digital Identity Guidelines on Authentication Products.

Use of a mobile phone to carry the authentication response may seem adequate, but Users now want to use their own mobiles as the primary Client, so other than carrying a second phone, these existing Solutions will, ridiculously, become single-factor Authentication!

CASQUE SNR is the only MFA certified at source code level by NCSC as suitable for Secret, and it is cheaper than traditional techniques. Why use MFAs that already have known weaknesses when you can use CASQUE SNR?

WSO2 Identity Server Integration

WSO2 Identity Server is used to simplify identity and access management related activities in the enterprise; it is based on open standards and open source principles. WSO2 Identity Server comes with seamless, easy to use integration capabilities that help connect applications, user stores, directories and identity management systems.

WSO2 Identity Server allows enterprises to achieve single sign-on/sign-out, identity federation, strong authentication, identity administration, account management, identity provisioning, fine-grained access control, API security, monitoring, reporting, and auditing.

CASQUE SNR integrates in a closely coupled way by providing a free-to-use local connector plug-in.

Insider Threats

Interesting Report from Forrester, “Best Practices: Mitigating Insider Threats”, published November 2017. Results from Forrester’s Data Global Business Technographics Security Survey showed that more than half of global network security decision makers whose firms had suffered a data breach in the past 12 months had experienced at least one insider incident. The report shows that the human motivations of revenge, greed or ideology are persistent, and that weak technology aids and abets them. Specifically, if a User can easily repudiate access (“someone must have taken a picture of my iris”, “I lost my U2F and they could not disable it”, “SMS isn’t secure”), then there is no deterrent. The Insider Threat is not just confined to an organisation’s internal employees: if the Authentication Technology relies on a fixed secret, then the Security Manufacturer is part of the risk. CASQUE SNR Authentication is not based on a fixed secret and denies user access repudiation.