This month, as we head toward RSA Conference USA 2021, where more than 40,000 security practitioners would usually be buzzing throughout the Moscone Center in San Francisco, we will all be signing in to virtual sessions instead. And just like last year, compromised credentials continue to be one of the top vectors, if not the top vector, for breach, fraud, and theft. These stories are in the news daily.
What rarely gets coverage is the outstanding work being done in the identity industry and open-standards consortiums to secure authentication, authorization, and access control. That work is what makes it possible for application developers and vendors, public- and private-sector organizations, and consumers and citizens alike to be productive and prosperous during these unprecedented pandemic conditions.
A Little History on Standards
Authentication (AuthN) and Authorization (AuthZ) standards have been shaping the way identity experiences ought to work for more than 30 years. Some of the pioneering standards bodies, consortiums, and guidance publishers include:
- ENISA - https://www.enisa.europa.eu/
- FIDO Alliance - https://fidoalliance.org/
- IETF - https://www.ietf.org/
- Kantara Initiative - https://kantarainitiative.org/
- NIST - https://www.nist.gov/
- OASIS Open - https://www.oasis-open.org/
- OpenID Foundation - https://openid.net/foundation/
- W3C - https://www.w3.org/
This standards-led approach is why every digital experience you’ve ever had that starts with signing in or logging in works the way it does, and why it interoperates with everything else.
Best Practices in Security
Since identity standards have been around for quite a long time and newer specifications are continually in development, it has become increasingly important to revisit many of them to ensure security practices are being properly configured and validated by the practitioners who depend on them. Below are a few of the most recent best current practices:
| Guidance | Summary |
| --- | --- |
| OAuth 2.0 Security Best Practices, April 2021 | This document updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experience gathered since OAuth 2.0 was published, and covers new threats that are relevant because of the broader application of OAuth 2.0. |
| FIDO Authenticator Lifecycle Management, April 2021 | Guidance for IT administrators and enterprise security architects deploying FIDO Authenticators across their enterprises and defining lifecycle management policies. |
| JWT Best Current Practices, February 2020 | JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims which can be signed and/or encrypted. JWTs are widely used and deployed as a simple security token format in numerous protocols, digital identities, and applications. This Best Current Practices document updates RFC 7519 to provide actionable guidance, leading to secure implementation and deployment of JWTs. |
| OWASP Cheat Sheet Series (70 Topics) | The OWASP Cheat Sheet Series provides a concise collection of security guidance by various application security professionals who have expertise in specific topics. The corresponding GitHub is https://github.com/topics/best-practices. |
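As an added example (my own code, not from the article or from the BCP document) of the validation discipline the JWT Best Current Practices entry above calls for: a verifier that pins the algorithm instead of trusting the token's own `alg`, checks the signature before reading any claim, and validates `iss`, `aud` and `exp`. The shared HMAC secret, issuer and audience values are constructed for the example; a real deployment would choose its own algorithm (often asymmetric) and key management.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions for this example, not from the article).
SECRET = b"demo-shared-secret-do-not-reuse"
EXPECTED_ISSUER = "https://issuer.example"
EXPECTED_AUDIENCE = "api.example"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def mint_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Issue a compact JWS (header.payload.signature) over the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, now: int, secret: bytes = SECRET) -> dict:
    """Validate a JWT as the JWT BCP prescribes; raise ValueError on any failure. `now` is Unix seconds."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # wrong segment count -> ValueError
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm; the token's own "alg" never chooses it. This rejects
    # "none" and key-confusion tokens before any signature work is done.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # claims are only read once the signature holds
    if not isinstance(claims, dict) or claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("missing or past exp")
    return claims

def is_valid(token: str, now: int) -> bool:
    try:
        verify_hs256(token, now)
        return True
    except ValueError:
        return False
```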
Let me know if I have missed any open/community sources of good practices and security guidance in the past year and I’ll be sure to update the table above.
Next up: Least Privilege Access & Entitlement Management