Friday, October 29, 2021

Identity is a New Perimeter - So Where is the IDS?

Access is now defined more by identity policies than by infrastructure topology. This makes identity a perimeter that requires as much security scrutiny as the classic DMZ-style perimeters of the past. Implicit in this analysis is that protection can fail and must always be backstopped by detection and other mechanisms.

Network security has delivered a large number of network detection systems over the years to identify malice at the network perimeter, but where are the equivalents for identity systems? A lot of the raw material is potentially there, but buried in audit logs, application logs and the like. So where is the timely and detailed information on malicious use of identity services to be found?

Identity protocols like SAML, OAuth, OIDC, and others have made it far simpler to stitch together disparate systems, and they are embedded pretty much everywhere. However, the identity protocols only address (at best) the protection use case, such as authorization. They are silent on coping with malice, meaning there is room for attackers to roam inside the identity protocols. For example, OAuth 2.0 shipped with a 70-page threat model. Kudos to the team for transparency, but where is the tool marketplace to detect the many dozens of threats it specifies?

Identity protocol design should not stop at protection. Abuse and malice are inevitable and should be factored in, including monitoring for known identity-layer threats:

- Brute force

- Token replay

- Token modification

- Redirection (numerous options inside the protocol dances)

- Authentication or Authorization Bypass

- Spoofing (client and server)

The list goes on, and the implicit separation of roles and responsibilities between the identity provider and the service provider makes all of this a bit more difficult, but that is all the more reason to seek out a malicious identity detection system that can coordinate the Blue team on potential inbound attacks.
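As an added illustration, not code from the original post, here is the kind of detection logic such a system would run over identity audit events for two of the threats listed above: brute force (a burst of failed logins per principal) and token replay (one bearer token honoured from more than one network location). The event records, field names, IP addresses and thresholds are constructed for the example and do not correspond to any particular identity product.

```python
from collections import defaultdict, deque

# Constructed sample identity audit events (not from any real IdP).
# ts = epoch seconds; jti = the token identifier carried in a bearer token.
EVENTS = [
    {"ts": 1000, "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": 1005, "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": 1010, "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": 1012, "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": 1020, "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": 1030, "event": "auth_success", "user": "bob", "src_ip": "198.51.100.7"},
    {"ts": 1031, "event": "token_use", "user": "bob", "src_ip": "198.51.100.7", "jti": "t-42"},
    {"ts": 1090, "event": "token_use", "user": "bob", "src_ip": "192.0.2.200", "jti": "t-42"},
    {"ts": 1100, "event": "auth_failure", "user": "carol", "src_ip": "198.51.100.9"},
    {"ts": 2000, "event": "auth_failure", "user": "carol", "src_ip": "198.51.100.9"},
]


def detect_brute_force(events, window=60, threshold=5):
    """Flag users whose failed logins reach `threshold` within `window` seconds.

    A per-user sliding window means a slow trickle of failures (carol) is
    not flagged while a burst (alice) is.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "auth_failure":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["user"])
    return flagged


def detect_token_replay(events):
    """Flag token ids (jti) presented from more than one source IP.

    A bearer token accepted from a second network location is the classic
    replay signature that the protocol itself does nothing to surface.
    """
    ips_by_jti = defaultdict(set)
    for ev in events:
        if ev["event"] == "token_use":
            ips_by_jti[ev["jti"]].add(ev["src_ip"])
    return {jti for jti, ips in ips_by_jti.items() if len(ips) > 1}
```

In a real deployment the same two functions would be fed from the identity provider's audit stream and the service providers' token-validation logs, which is exactly the cross-party correlation the post says is missing today.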

There are some nascent efforts starting now in some identity products, which is good to see, but there is a lot more to do to reach the level of visibility that the ecosystem really needs. Since the identity protocols are the layer that stitches things together, they are also a prime spot for increasing blast radius and traversal range.
