The weak link in federation

Federation is becoming an increasingly popular way to gain access to cloud services. One common way to accomplish this is to use tools like ADFS to let the users in AD access cloud applications. This is also convenient for the users, since it gives them SSO. However, there is one weak link that may affect security: not so much the path from AD out to the cloud applications, but how far we can trust what has been entered into AD in the first place. Are there sufficient controls along the way to guarantee the identities in AD?

It is almost impossible to reach a 100% secure world, but there are measures that make it more difficult to tamper with identity management. The first step, of course, is to ensure that governance and policies are in place that follow the required regulations and legislation. The next step is to set up well-documented procedures and processes, regardless of whether identities are handled automatically or manually.

Automated handling and provisioning of identities from HR to AD may take place through a number of different tools. Most of them do it in similar ways, but with some different flavours. Manual handling will also do in some cases, but it has a disadvantage in the traceability of the transactions.

However, even if the path is secured from the point where an identity enters the organisation until it is safely created in AD and federated through ADFS out to the cloud, there may still be loopholes that can be used to bypass the normal routines and procedures.

One is that the administrator account of AD may be open to persons who can create their own fraudulent identities in AD. It is not enough to find out that "admin" created this or that account at a specific time. Admin can be anybody, and we don't know who was actually behind the keyboard at the time, unless we have secured the admin account or the admin access rights and found a way to know exactly who used the admin account at that specific time. There are tools for that: start using them!
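As an added illustration of the accountability point above (example code, not from the original article), the check below runs over constructed Windows Security "user account created" events (event ID 4720) and flags creations that were not performed by the HR provisioning service account, and in particular those performed by a shared, non-attributable account. The account names `svc-hrsync`, `adm.pcarlsson` and the sample events are hypothetical.

```python
"""Flag AD user-creation events (Security event ID 4720) that bypass the
HR-to-AD provisioning path or cannot be attributed to an individual."""
import json

# Accounts expected to create users. Names are hypothetical: the HR
# provisioning service account is the normal route; anything else is a
# deviation that must be attributable to a named person.
PROVISIONING_ACCOUNTS = {"svc-hrsync"}
# Generic accounts that many people may share; a creation by one of these
# cannot be tied to a person at the keyboard.
SHARED_ACCOUNTS = {"administrator", "admin"}

# Constructed sample events in JSON-lines form (not real logs). Field names
# follow the 4720 event data: SubjectUserName created TargetUserName.
SAMPLE_EVENTS = """\
{"EventID":4720,"TimeCreated":"2024-03-01T08:02:11Z","SubjectUserName":"svc-hrsync","TargetUserName":"a.larsson"}
{"EventID":4720,"TimeCreated":"2024-03-01T23:41:05Z","SubjectUserName":"Administrator","TargetUserName":"j.doe"}
{"EventID":4720,"TimeCreated":"2024-03-02T09:15:30Z","SubjectUserName":"adm.pcarlsson","TargetUserName":"contractor7"}
{"EventID":4724,"TimeCreated":"2024-03-02T09:16:00Z","SubjectUserName":"adm.pcarlsson","TargetUserName":"contractor7"}
"""


def classify(event):
    """Return None if the creation followed the expected path, else a reason."""
    if event.get("EventID") != 4720:
        return None  # only account creations are of interest here
    subject = event["SubjectUserName"].lower()
    if subject in PROVISIONING_ACCOUNTS:
        return None
    if subject in SHARED_ACCOUNTS:
        return "created by shared account; no individual accountable"
    return "created outside HR provisioning by " + event["SubjectUserName"]


def find_suspicious_creations(jsonl):
    """Parse JSON-lines events and return (target, subject, reason) tuples."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            findings.append((event["TargetUserName"], event["SubjectUserName"], reason))
    return findings


if __name__ == "__main__":
    for target, subject, reason in find_suspicious_creations(SAMPLE_EVENTS):
        print(f"{target} ({subject}): {reason}")
```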

Then, of course, we already have a problem when we enter a new identity into the organisation. Can we truly trust the proof of identity presented? We have already had cases in Sweden where trusted providers of e-identification failed in the background check, with the result that some people managed to obtain a number of false e-identities.

Security is never stronger than its weakest link, and that weak link may not be where you anticipated it to be!

More articles by Peter Carlsson