Chief OS Architect, Huawei Technologies, Ltd.
Analysis of the Propagation and Approaches to Mitigation of the Cyber Security Risk associated with Federated Identity
Federated Identity management offers a flexible and often automated way for organizations to securely exchange user information across suppliers, partners and customers. Businesses have been increasingly adopting technologies such as OAuth and OpenID to improve security and convenience for their end-users, and to achieve a more reliable and efficient propagation of information across the supply chain.
By its nature, Federated Identity involves an inter-dependency and a trust relationship between the enterprise and external stakeholders. A breach of any member in this new three-dimensional sphere of trust (Customers-Suppliers-Partners) has the propensity to propagate and negatively impact other players in the sphere.
Understanding the extent of the damage to a company from a compromise of its Federated Identity management is important for purposes of valuation and insurance. However, this new risk is usually not well characterized, let alone quantified.
In this paper, we propose a method to measure the propagation of the risk associated with Federated Identity Management. We break the risk down into its four components (intrinsic risk, suppliers', customers', partners'), and we use the method to evaluate three Federated Identity Management technologies (OAuth, OpenID, PKI). We finally examine and measure the risk reduction factor of two approaches to mitigation, based on diversifying the trusted entities and on decoupling identity providers from access control service providers.