Securing Social / Locking Login / Armoring Authentication

Authentication might be the single biggest hazard for web security over the next decade.

It’s not that the fundamentals of authentication are particularly challenging; we’ve understood the basic principles behind password management, push-based authorization, and device certificates for some time. But managing those at scale, and navigating to a more secure world — maybe one without passwords someday — requires a level of investment and focus that is, for most enterprises, a distraction from their core mission.

Akamai has always been about enabling our customers to deliver on the promise of a hyperconnected world, by providing them not just with performance and security at scale, but by offloading the critical, but not core, capabilities into our environment. That started with image and video delivery, grew into whole websites, added SSL (now TLS) management, guarded against DDoS, provided adaptive content management, filtered application attacks, managed bots, and connected internal enterprise apps to users.  Along the way, we’ve integrated into just about every authentication environment imaginable: from cookie and password auth to mutual TLS with push.

Delivering a better Internet for our customers has always been about seeing the common pain points across their businesses, and providing common capabilities that work better at the edge.  Akamai’s acquisition of Janrain will bring customer identity and access management (CIAM) into that capability set. Akamai CIAM, like most other Akamai capabilities, solves a range of problems that enterprises face, supporting experiences from the most basic to the most complex.

Why does this matter? The biggest challenge in most security solutions is the implementation overhead. Implementing social login can be tricky for an enterprise: managing your social network APIs, integrating login into your pages, even just keeping track of which social networks you want to support. Maintenance is a key piece of that management: APIs change, and new threats that arise require coordinated action across every site using social login. Pulling in CIAM via an edge configuration is going to simplify both integration and maintenance, making it more accessible for websites across the board, but especially for sites that are often supported outside the IT organization.

Having personal data in every website’s system is another hazard we hope to reduce. Most user databases contain the same information (name, shipping address), and the work of securing that data is repeated at every site. Data that is replicated in so many places is also more prone to leakage, as the continued breaches of end user data show. Pulling that redundant data out and storing it in one place, guarded by one company, reduces the hazard of widely scattered defenses (see my blog post “Composing Defences”). Holding that personal data also carries a compliance burden for each enterprise, one we can reduce with a single set of robust privacy and security controls, providing a clear, repeatable message for users and auditors.

Credential stuffing, an attack where adversaries replay username and password pairs leaked in one site’s breach against other sites’ login pages, counting on users reusing passwords, is a significant risk today. Integrating CIAM at the edge with bot defense technologies is going to enable organizations to take a leap forward in security, making it harder for the bots that drive these attacks to pass themselves off as humans.
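What credential stuffing looks like from the login endpoint’s side, as an added example (this is not Akamai’s code and not from the original post): a stuffing run tries many different usernames from one source, each roughly once, with a very high failure rate, which is the opposite shape from a brute-force run (one username, many passwords) and from ordinary traffic. The log format, IP addresses, usernames and thresholds below are all constructed for illustration; an edge CIAM layer that sees logins across many sites can key the same counters on the source across all of them, which is what lets it spot a run that any single site would see only a slice of.

```python
"""Credential-stuffing vs brute-force vs benign: a per-source heuristic over login records."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records (not from any real system) in a hypothetical
# "timestamp src_ip username outcome" format; outcome is OK or FAIL.
SAMPLE_LOG = """\
2019-01-07T10:00:01Z 203.0.113.7 alice FAIL
2019-01-07T10:00:02Z 203.0.113.7 bob FAIL
2019-01-07T10:00:02Z 203.0.113.7 carol FAIL
2019-01-07T10:00:03Z 203.0.113.7 dave FAIL
2019-01-07T10:00:03Z 203.0.113.7 erin FAIL
2019-01-07T10:00:04Z 203.0.113.7 frank OK
2019-01-07T10:00:04Z 203.0.113.7 grace FAIL
2019-01-07T10:00:05Z 203.0.113.7 heidi FAIL
2019-01-07T10:00:05Z 203.0.113.7 ivan FAIL
2019-01-07T10:00:06Z 203.0.113.7 judy FAIL
2019-01-07T10:01:00Z 198.51.100.3 alice FAIL
2019-01-07T10:01:01Z 198.51.100.3 alice FAIL
2019-01-07T10:01:02Z 198.51.100.3 alice FAIL
2019-01-07T10:01:03Z 198.51.100.3 alice FAIL
2019-01-07T10:01:04Z 198.51.100.3 alice FAIL
2019-01-07T10:01:05Z 198.51.100.3 alice FAIL
2019-01-07T10:01:06Z 198.51.100.3 alice FAIL
2019-01-07T10:01:07Z 198.51.100.3 alice FAIL
2019-01-07T10:01:08Z 198.51.100.3 alice FAIL
2019-01-07T10:01:09Z 198.51.100.3 alice FAIL
2019-01-07T10:02:00Z 192.0.2.10 mallory FAIL
2019-01-07T10:02:30Z 192.0.2.10 mallory OK
2019-01-07T10:05:00Z 192.0.2.10 mallory OK
2019-01-07T10:09:00Z 192.0.2.10 trent OK
"""


@dataclass
class SourceStats:
    """Counters kept per source address."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0

    @property
    def distinct_user_ratio(self) -> float:
        # Near 1.0: every attempt is a different account (stuffing).
        # Near 0.0: the same account over and over (brute force).
        return len(self.users) / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return (src_ip, username, failed) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, src, user, outcome = parts
    return src, user, outcome == "FAIL"


def profile_sources(lines) -> dict:
    """Aggregate the records into one SourceStats per source address."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, user, failed = rec
        s = stats[src]
        s.attempts += 1
        if failed:
            s.failures += 1
        s.users.add(user)
    return dict(stats)


def classify(s: SourceStats, min_attempts: int = 8, min_failure_ratio: float = 0.7,
             stuffing_user_ratio: float = 0.8, brute_user_ratio: float = 0.2) -> str:
    """Label one source. Thresholds are illustrative; tune them on your own traffic."""
    if s.attempts < min_attempts or s.failure_ratio < min_failure_ratio:
        return "benign"
    if s.distinct_user_ratio >= stuffing_user_ratio:
        return "credential_stuffing"
    if s.distinct_user_ratio <= brute_user_ratio:
        return "brute_force"
    return "suspicious"


def detect(log_text: str) -> dict:
    """Map each source address in the log to its label."""
    return {src: classify(s) for src, s in profile_sources(log_text.splitlines()).items()}


if __name__ == "__main__":
    for src, label in detect(SAMPLE_LOG).items():
        print(f"{src:<14} {label}")
```

The single OK from 203.0.113.7 is the account takeover the attacker was after; a stuffing run succeeds rarely, so a 90 percent failure rate is not reassuring, it is the signature. In production the source key would also fold in user agent, ASN and TLS fingerprint rather than the bare IP, since stuffing tools rotate through proxies.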

All of these hazards that the web faces arise from the challenge of consistently protecting end user identity, authentication, and authorization information across millions of separately managed web properties. While we aren’t going to completely eliminate the need for some of that separate management, we aim to let those websites move faster, with less overhead needed to protect their ecosystem and users.

This is a step forward for the Internet, bringing us nearer to the day when users and sites experience the edge for what it is: a fast, intelligent, secure Internet.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Andy Ellis. Read the original post at: