Elevator Pitch: Introduce Yourself in Few Seconds

The document discusses claims-based authentication, explaining that claims are pieces of information about a user that are stored as name-value pairs, and that claims-based authentication works by having an identity provider such as Azure AD or ADFS verify a user's identity, create claims with user attributes, and issue a signed token with those claims to applications to grant access. It also covers related topics like security token services, standards like SAML and WS-Trust, and examples of common claims like name, email, and role.

Uploaded by

venkatesh VR
ELEVATOR PITCH

Introduce Yourself in Few Seconds

About Myself

■ I am Vishnu from so & so Co., currently working in middleware technology with
Microsoft products, with 5+ years of experience, and with 3+ years of experience in
.NET application development. Certified AWS Solutions Architect. In parallel, I am
looking into the security aspect, especially Identity & Access Management. I am looking
for an opportunity to invest my knowledge and work towards the company's growth as
well. I will be awaiting your response. Nice to see you... Have a great day.

CLAIM BASED AUTHENTICATION

Claim
Who am I?

■ A Claim is a piece of information about the user. It consists of a claim type and an
optional value, stored in the form of a name-value pair. A claim can be anything, for
example a Name claim, an Email claim, a Role claim, a PhoneNumber claim, etc.
Claim Based Authentication (CBA)

■ Applications, often referred to as the "relying party", must trust the Identity
Provider, often referred to as a Security Token Service (STS) (Azure AD, ADFS, Ping
Identity, Okta, and more), to:
– Verify the identity of the user
– Create claims with the appropriate attributes
– Sign the token, so that the relying party can check that the token was issued by the
trusted provider and has not been altered in transit
How CBA works?
Security Token Service (STS)

■ The figure illustrates the authentication process. The process is composed of 3 steps:
1. The user (via the application) sends an authentication request (with credentials) to
the STS
2. The STS verifies the user's credentials and gets information about the identity
3. The STS creates, signs and returns the token

■ Communication between the user (application) and the STS uses a standard protocol:
for active clients this is WS-Trust, while browser-based (passive) clients are
redirected to the STS using WS-Federation, SAML 2.0 or OpenID Connect.
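The three-step exchange above, as an added example that is not code from the original deck: a minimal STS that authenticates a user against a constructed directory and issues a signed token carrying name, email and role claims, and a relying party that validates the token (signature, issuer, audience, expiry) and then makes an authorization decision from the role claim alone, without ever seeing the password. STS_SIGNING_KEY, ISSUER, AUDIENCE and the USER_DIRECTORY entries are hypothetical. The token is signed with a shared HMAC key only to keep the example short; a real STS signs with an asymmetric key and publishes the public key, so relying parties never hold signing material.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Hypothetical shared HMAC key (demo only: a real STS signs with a private key and
# relying parties verify with the published public key).
STS_SIGNING_KEY = b"constructed-demo-key-do-not-use"
ISSUER = "https://sts.example.test"     # hypothetical STS identity
AUDIENCE = "https://app.example.test"   # hypothetical relying party

# Constructed identity store consulted in step 2. Passwords are kept in clear only
# to keep the example short; a real directory stores password hashes.
USER_DIRECTORY = {
    "vishnu": {"password": "correct horse", "email": "vishnu@example.test", "role": "developer"},
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue_token(username, password, now=None, ttl=300):
    """Steps 1-3: verify the credentials, build the claims, return a signed token (or None)."""
    now = int(time.time()) if now is None else now
    user = USER_DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
        return None  # step 2 failed: no token is issued
    claims = {
        "iss": ISSUER, "aud": AUDIENCE, "sub": username,
        "name": username, "email": user["email"], "role": user["role"],
        "iat": now, "exp": now + ttl,
    }
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(STS_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64url(signature)


def rp_validate_token(token, now=None):
    """Relying party: trust the claims only after signature, issuer, audience and expiry checks."""
    now = int(time.time()) if now is None else now
    try:
        payload, signature = token.split(".")
        expected = hmac.new(STS_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None  # forged or tampered token
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, binascii.Error):
        return None  # malformed token
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None  # issued by another STS, or for a different application
    if now >= int(claims.get("exp", 0)):
        return None  # expired
    return claims


def rp_authorize(claims, required_role):
    """Authorization decided from the claims alone: the RP never handled the password."""
    return claims is not None and claims.get("role") == required_role


if __name__ == "__main__":
    token = sts_issue_token("vishnu", "correct horse")
    claims = rp_validate_token(token)
    print("claims:", claims)
    print("developer access:", rp_authorize(claims, "developer"))
```

The relying party rejects a token whose signature, issuer or audience does not match, which is what lets it skip validating the user's claims itself: the airline (STS) has already done that, and the boarding pass (token) proves it.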
STS Modes

■ Communication between the web application and the STS can be made in two modes:
passive and active.

o Active STS is a special type of web service, based on the WS-Trust protocol, which the
client calls directly.
o Passive STS is generally a special kind of web site to which the user is redirected
during the authentication process. The user's authentication credentials are entered on
the STS login form. After the authentication process the user is redirected back to the
source application.
Analogy: Airport Check-In Procedure

■ You first check in at the ticket counter and present your passport. After verifying
your passport by matching the document photo with your face and confirming that you have
paid for the ticket, the agent prints a boarding pass with relevant information about you
(Name, flight, seat, priority, etc.).

■ Now you can head to the security checkpoint and into the boarding gate by presenting
the boarding pass.

■ In this analogy, a boarding pass is a token containing a set of claims about you such
as name, seat number, and flight number. The gate agent doesn't need to validate claims
you make about yourself because they have been issued and verified by a source that the
gate agent trusts – the airline.
Why CBA?

■ Outsourcing authentication - Removes the need for applications to perform authentication
tasks. Additionally, centralizing authentication makes it easier to upgrade applications to
stronger authentication methods. It removes the need for each application to store sensitive
user account and password information, so that credential material lives in one protected
place (the identity provider) instead of in every application.
■ Supporting multiple authentication providers - Enables companies to easily implement
different authentication methods using different providers, e.g., Windows Live ID, Windows
Active Directory authentication or forms-based authentication for a website, using single
sign-on to support users who access services or applications in various ways, including over
the internet, from within the organization and through affiliated organizations.
■ The disadvantage of the SAML 2.0 protocol is that it is XML based and very verbose, so it is
heavy on the wire. SAML is mostly used with SOAP, XML, and SaaS applications. It can be
difficult and unsuitable for bandwidth-conscious mobile users.
Today's competitive Identity providers

Cloud
■ Microsoft Azure Active Directory
■ Okta
■ OneLogin
■ JumpCloud
■ AWS Directory Service
■ Amazon Cloud Directory
■ Social Identity providers (Google, Facebook, Twitter, Amazon)

On-Premise
■ Microsoft ADFS (Active Directory Federation Services)
■ Ping Identity
■ SiteMinder
■ Oracle Identity Management
■ Apache Directory
Glossary

■ relying party (RP) / service provider (SP) = application
■ Claim = statement about identity
■ Security Token Service (STS) = builds, signs and issues security tokens
■ subject = user
■ principal = user
■ security token service (STS) = issuer
■ identity provider (IdP) = issuer
■ resource security token service (R-STS) = issuer
■ active client = smart or rich client
■ passive client = browser
Resources & References

■ https://www.tektutorialshub.com/asp-net-core/claims-based-authorization-in-asp-net-core/
■ https://specopssoft.com/blog/claims-based-identity-a-better-model-for-authentication/
■ https://centricconsulting.com/blog/using-claim-based-authentication-for-identity-and-access-management/
■ https://searchsecurity.techtarget.com/definition/claims-based-identity
■ https://kariera.future-processing.pl/blog/introduction-to-claims-based-authentication-and-authorization-in-net/
SECRETS
Protect the Information

What is a Secret?

Generic term: Secrets must be hidden, but they also must be stored somewhere.
Examples: house keys, vehicle keys...

IT term: a secret is a highly private piece of information that unlocks sensitive and
protected resources. It is what grants access to your most sensitive systems,
services, and data both in transit and at rest. Examples: database passwords,
privileged account credentials, SSH keys, encryption keys, API keys, and the private
keys behind the certificates used for secure communication and data transmission (the
certificate itself is public; the private key is the secret).
Gartner says...

■ According to Gartner, by 2021 more than half of organizations using DevOps will be
using PAM-based secrets management services and solutions. That's a promising
prediction, considering that today only about 10% of organizations use secrets
management solutions. At the same time, secrets management is crucial for all
organizations, whether they use DevOps or not, because all organizations use digital
secrets to some extent.
Secrets Management

■ Secrets management is the process of securely and efficiently managing the creation,
rotation, revocation, and storage of digital credentials. In a way, secrets management
can be seen as an enhanced version of password management. While the scope of managed
credentials is larger (keys, tokens and machine identities as well as passwords), the
goal is the same: to protect critical assets from unauthorized access.
■ With a secrets management policy, organizations can prevent various cybersecurity
issues, including unauthorized access to critical data and systems, data loss, and data
breaches.
Secret's Lifecycle

■ Creation – Secrets can either be created manually by a user (a password to a personal
account) or generated automatically (an encryption key, an API token for a service).

■ Storage – Secrets can be stored centrally or separately, using designated solutions (a
PAM-based secrets management tool or password manager) or common approaches (in a text
file, on a shared disk, etc.); the common approaches are exactly the unprotected locations
that secrets management exists to eliminate.

■ Rotation – Secrets can be changed or reset on a schedule, limiting how long a leaked
value remains useful to an attacker. Secrets rotation is a requirement of many regulations
and standards, including NIST and PCI DSS. Note that scheduled rotation applies to keys,
tokens and machine credentials; NIST SP 800-63B advises against forcing periodic changes
of user-chosen passwords and instead requires a change when compromise is suspected.

■ Revocation – Secrets can be revoked in the case of a cybersecurity incident. Organizations
can prevent or limit the negative consequences of an incident and make sure that attackers
can't use compromised credentials to access the organization's critical resources, systems,
endpoints, or applications.
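The four lifecycle phases above, as an added example that is not code from the original deck: a hypothetical in-memory SecretStore that generates a secret, rotates it with a grace period during which the previous version is still accepted (so consumers that have not yet picked up the new value keep working), revokes every version at once for incident response, and records every create, rotate, revoke and read in an audit trail. The class, method names and the `db/password` secret are assumptions for this example; values are held in clear here, whereas a real store encrypts them at rest under a master key.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class SecretVersion:
    value: str
    created_at: int


@dataclass
class SecretEntry:
    rotation_interval: int   # seconds between scheduled rotations
    grace_period: int        # seconds the previous version stays valid after rotation
    versions: list = field(default_factory=list)
    revoked: bool = False


class SecretStore:
    """Hypothetical store tracking the lifecycle phases with an audit trail (example only)."""

    def __init__(self):
        self._entries = {}
        self.audit_log = []

    def _audit(self, actor, action, name, now):
        self.audit_log.append({"time": now, "actor": actor, "action": action, "secret": name})

    def create(self, name, actor, now, value=None, rotation_interval=86400, grace_period=300):
        """Creation: take a user-supplied value, or generate a random machine credential."""
        if name in self._entries:
            raise ValueError(f"secret {name!r} already exists")
        value = secrets.token_urlsafe(32) if value is None else value
        self._entries[name] = SecretEntry(rotation_interval, grace_period, [SecretVersion(value, now)])
        self._audit(actor, "create", name, now)
        return value

    def needs_rotation(self, name, now):
        entry = self._entries[name]
        return now - entry.versions[-1].created_at >= entry.rotation_interval

    def rotate(self, name, actor, now):
        """Rotation: issue a new version; the old one stays valid only for the grace period."""
        entry = self._entries[name]
        if entry.revoked:
            raise PermissionError(f"secret {name!r} is revoked")
        new_value = secrets.token_urlsafe(32)
        entry.versions.append(SecretVersion(new_value, now))
        self._audit(actor, "rotate", name, now)
        return new_value

    def revoke(self, name, actor, now):
        """Revocation: every version becomes invalid immediately (incident response)."""
        self._entries[name].revoked = True
        self._audit(actor, "revoke", name, now)

    def current(self, name, actor, now):
        """Reads are audited too; consumers fetch on use rather than caching the value."""
        entry = self._entries[name]
        if entry.revoked:
            raise PermissionError(f"secret {name!r} is revoked")
        self._audit(actor, "read", name, now)
        return entry.versions[-1].value

    def is_valid(self, name, presented, now):
        """Accept the latest version always, an older version only inside the grace
        window after its replacement, nothing at all once revoked. Constant-time compares."""
        entry = self._entries.get(name)
        if entry is None or entry.revoked:
            return False
        versions = entry.versions
        if secrets.compare_digest(presented.encode(), versions[-1].value.encode()):
            return True
        for older, newer in zip(versions, versions[1:]):
            if (secrets.compare_digest(presented.encode(), older.value.encode())
                    and now < newer.created_at + entry.grace_period):
                return True
        return False


if __name__ == "__main__":
    store = SecretStore()
    v1 = store.create("db/password", actor="bootstrap", now=0, rotation_interval=100, grace_period=10)
    v2 = store.rotate("db/password", actor="rotation-job", now=100)
    print("old version inside grace window:", store.is_valid("db/password", v1, now=105))
    print("old version after grace window:", store.is_valid("db/password", v1, now=111))
    store.revoke("db/password", actor="incident-response", now=120)
    print("new version after revocation:", store.is_valid("db/password", v2, now=121))
```

The grace period is the part practitioners most often get wrong: rotating without one causes outages, so teams stop rotating; rotating with an unbounded one means a leaked old value never dies. Revocation bypasses the grace period entirely, which is the behaviour you want when the trigger is an incident rather than a schedule.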
How to use Secrets Securely

■ Authenticate all access requests made with non-human credentials.
■ Apply the principle of least privilege: ensure that each user is given the minimal
access level and permissions needed to perform their job.
■ Use role-based access control (RBAC) so that access is granted based on a person's role
in the organization.
■ Enforce routine secret rotation. For example, change encryption keys frequently and
re-encrypt the data accordingly.
■ Formulate consistent access policies and enforce them with automated secret management
tools.
■ Keep a thorough audit trail to track all access requests.
■ Remove secrets from unprotected locations, including code and configuration files.
Problems / Risks / Challenges

■ Weak passwords
■ Storing secrets in plain text
■ Sharing passwords
■ No secrets revocation (a key NIST requirement)
■ No secrets rotation (recommended by PCI DSS)
■ Reusing secrets
Secret Management Services

■ HashiCorp Vault
■ AWS Secrets Manager
■ Akeyless Vault
■ Square Keywhiz
■ Confidant
■ Strongbox
■ Azure Key Vault
■ Docker Secrets
■ Knox
■ GCP Secret Manager
Best Practices & Solutions

■ Discover / identify all types of passwords
■ Eliminate hardcoded/embedded secrets
■ Enforce password security best practices
■ Apply privileged session monitoring to log, audit, and monitor
■ Extend secrets management to third parties
■ Threat analytics (detect anomalies and potential threats)
■ DevSecOps and other security best practices, including the principle of least privilege
(PoLP) and separation of privilege
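"Remove secrets from unprotected locations, including code and configuration files" and "Eliminate hardcoded/embedded secrets" both come down to two things: finding the literals that are already there, and replacing them with a lookup at runtime. The following is an added example, not code from the original deck or from any of the products listed above: a small scanner that flags AWS access key IDs, PEM private-key headers and `password = "..."`-style assignments in a constructed sample config, using a Shannon-entropy check so that placeholders such as `${API_KEY}` or the literal word `password` are not reported, beside the hardened loader that reads the secret from the environment and refuses to start without it. The rule names, the threshold of 3.5 bits per character, and `load_db_password` are assumptions for this example; `AKIAIOSFODNN7EXAMPLE` is the placeholder key ID used in AWS documentation, not a live credential.

```python
import math
import os
import re
from collections import Counter

# Detection rules (constructed for this example). The AWS access key prefix and the
# PEM header are public formats; the generic rule catches assignments of a literal
# to a credential-looking name and defers to an entropy check to weed out placeholders.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b\w*(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(text):
    """Bits per character; random-looking credentials score higher than dictionary words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _is_placeholder(value):
    # A reference to an external source rather than a literal secret, e.g. "${DB_PASSWORD}".
    return value.startswith("${") or value.lower().startswith(("env:", "vault:"))


def scan_text(text, entropy_threshold=3.5):
    """Return one finding per embedded credential, with the 1-based line it sits on."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if rule == "generic_assignment":
                    candidate = match.group(2)
                    if _is_placeholder(candidate) or shannon_entropy(candidate) < entropy_threshold:
                        continue
                else:
                    candidate = match.group(0)
                findings.append({"line": lineno, "rule": rule, "match": candidate})
    return findings


# Constructed sample config (no real credentials): lines 2, 3 and 6 are the
# anti-pattern; lines 4 and 5 are what the scanner deliberately ignores.
SAMPLE_CONFIG = """\
# constructed sample config, not real credentials
db_password = "s3cr3t-Pa55w0rd-9f8e7d"
aws_access_key = "AKIAIOSFODNN7EXAMPLE"
api_key = "${API_KEY}"
password = "password"
-----BEGIN RSA PRIVATE KEY-----
"""


def load_db_password(environ=None):
    """Hardened pattern: read the secret at runtime from the environment, which a secrets
    manager agent or CI step populates; never fall back to a value baked into the code."""
    environ = os.environ if environ is None else environ
    value = environ.get("DB_PASSWORD")
    if not value:
        raise RuntimeError("DB_PASSWORD is not set; refusing to start with a hardcoded fallback")
    return value


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CONFIG):
        print(f"line {finding['line']}: {finding['rule']} -> {finding['match']}")
```

Run this in CI against the repository and fail the build on any finding; the entropy threshold is a tuning knob, so expect to adjust it and to maintain an allow-list for documented example values like the AWS one above.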
Conclusion

■ Secrets management is important for ensuring an organization's cybersecurity. It covers
all processes and tools related to the creation, storage, transmission, and management of
digital credentials such as encryption keys, API keys, and passwords.
■ To manage secrets both securely and effectively, organizations should build a core
secrets management policy that establishes standard rules and procedures for all phases
of a secret's lifecycle. To avoid human error, it's best to deploy a centralized secrets
management solution.
■ PAM solutions enriched with secrets management capabilities allow organizations to
tackle two main cybersecurity tasks:
– Securely and effectively manage different types of secrets
– Control, monitor, and audit privileged accounts
Resources & References

■ https://www.gartner.com/en/documents/3894154/magic-quadrant-for-privileged-access-management
■ https://www.reblaze.com/blog/keeping-secrets-in-the-cloud/
■ https://www.beyondtrust.com/resources/glossary/secrets-management
■ https://geekflare.com/secret-management-software/
■ https://www.ekransystem.com/en/blog/secrets-management
THANK YOU
for your Time