Getting the identity solution right is a critical part of building software systems. While it matters for any system, for systems that deal with sensitive data, getting the identity and security solution right is absolutely mission-critical.
From decades of auditing our customers' software systems, we have come across several systems with major security loopholes in their identity management and security. Building an identity management solution requires heaps of experience and knowledge of security standards, best practices, known vulnerabilities of the technology stack in use, authentication protocols, etc.
Maintaining your users' identity data, including credentials, comes with its own set of challenges. Storing password hashes and salts securely and keeping the hashing strong brings further challenges and associated costs.
Building your own identity management system comes with several challenges, some of which we discuss in this article.
Designing and building an effective and efficient Identity Management system requires special knowledge and skills. One needs to make several design choices, such as the right hashing algorithm and the number of hash iterations, so that the system provides optimum security without straining your infrastructure with the burden of hashing user credentials. While you would want your application to scale and handle an increased number of users signing up for your business, you wouldn't want to compromise on security in pursuit of speed by choosing a weak hashing algorithm. This is a tightrope an architect must walk to strike the right balance between performance and security, something that requires deep experience building such systems.
It is a popular choice among engineers to use cookie-cutter Identity Management solutions available to them, but utmost care has to be taken when making such a choice, as these solutions tend to have their own flaws and shortcomings, and knowledge of those flaws is readily available in the public domain. Such flaws could be readily exploited by a hacker to break into your system. For instance, the “SQL Membership provider”, the default identity management framework shipped with ASP.NET, used the weaker SHA-1 hash until a few years ago. A password hashed using SHA-1 with a single hash iteration takes brute-force software such as hashcat less than a couple of hours on a non-GPU machine to recover (un-hash) the password from its hash.
While you can take a cautious approach and choose the most secure hashing algorithm to protect your user data, note that a more secure hashing algorithm comes with associated costs. For instance, for your application to scale to handle increased user traffic while protecting that data with advanced hashing, you might need to spend more on high-capacity infrastructure, without which the end-user experience may take a hit.
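The hashing trade-off discussed above (algorithm choice, iteration count, and the per-verification cost it imposes on your servers), as an added Python example; this is not code from the original article or from any product it names. It assumes PBKDF2-HMAC-SHA256 from the standard library as the adaptive scheme, a constructed record format of `algorithm$iterations$salt$hash`, and an illustrative default of 600,000 iterations. The unsalted single-iteration SHA-1 function stands in for the legacy pattern the article warns about, so that `login` can show how such records are upgraded transparently after a successful login, and `seconds_per_hash` measures the cost knob the text describes.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Added illustration (not code from the original article): a minimal
# password-storage scheme with a tunable work factor. Every constant and
# name below is an assumption chosen for the example.

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed policy value; tune by measuring on your hardware
SALT_BYTES = 16


def legacy_sha1_hash(password: str) -> str:
    """Unsalted, single-iteration SHA-1: the weak legacy pattern.
    Present only so the migration path below has something to replace."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh random salt per user defeats precomputed (rainbow) tables."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True for legacy records or records below the current iteration policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < target_iterations
    except ValueError:
        return True


def login(password: str, stored: str,
          target_iterations: int = DEFAULT_ITERATIONS) -> Tuple[bool, str]:
    """Verify against either a legacy SHA-1 record or a PBKDF2 record.
    Returns (ok, record_to_persist); on success with an outdated record the
    returned record is the upgraded one, so weak hashes disappear over time."""
    if "$" not in stored:  # legacy unsalted SHA-1 hex digest
        ok = hmac.compare_digest(legacy_sha1_hash(password), stored)
    else:
        ok = verify_password(password, stored)
    if ok and needs_rehash(stored, target_iterations):
        return True, hash_password(password, target_iterations)
    return ok, stored


def seconds_per_hash(iterations: int, rounds: int = 3) -> float:
    """Measure the server-side cost of one verification at a given work factor."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"benchmark-password", salt, iterations)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:   ", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("wrong password", record))
    for n in (1, 1_000, 100_000, DEFAULT_ITERATIONS):
        print(f"{n:>8} iterations: {seconds_per_hash(n) * 1000:8.2f} ms per hash")
```

Run the file directly to see how the cost per verification grows with the iteration count; choose the work factor by measuring on the hardware that will actually serve logins, and raise it as hardware gets faster. Because each record carries its own iteration count, the policy can be tightened without a bulk migration.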
An alternative approach to handling your users' identity is to adopt one of the SaaS offerings of modern Identity Management systems from various cloud vendors; this practice is called Identity as a Service (IDaaS). These systems are tried and tested and battle-hardened, which is a major plus for security systems.
Azure Active Directory, for instance, is one such IDaaS offering from Microsoft that comes bundled and free with any Microsoft Azure subscription. AWS Cognito is another IDaaS service, offered by AWS, that has both free and paid pricing tiers.
Some advantages of using SaaS-based Identity Management systems (IDaaS):
- Scale – These systems bring with them the power of the cloud and scale with your system's traffic needs. This means you only need to deal with scaling your applications, not the identity system.
- Security – These Identity Management systems are built to support modern authentication protocols such as OAuth 2.0 and OpenID Connect, while still supporting older protocols such as SAML. They also have built-in support for several advanced features such as Multi-Factor Authentication and risk-based Conditional Access. Since these systems are battle-tested, they provide a strong security layer around your software systems.
- Tried & Tested – These systems have been battle-hardened over the years. Your team need not reinvent the wheel by building an Identity Management System from scratch and can instead rely on these IDaaS services for your application's identity needs.
- Price – Most of these Identity Management systems come bundled with your subscription to any of the cloud vendor's services and have a free tier that covers one or more of your software systems without paying extra for Identity Management.
- Centralized Access Management – SaaS-based Identity Management systems come with a sophisticated web portal that can be used to centrally manage user access to your application without needing to build this capability into your application. You can grant or revoke any user's access at the click of a button.
In summary, Identity Management is a core part of a solution, and building it the right way is critical. Building such a system requires skill, knowledge, and investments in time and money. Modern SaaS-based Identity Management offerings from various cloud vendors are a very promising alternative to building your own Identity Management System and should be adopted for robust Identity Management of your users' data.