Feature Spotlight: Increased OT Security with SAML Support
By Daniel Ashual | August 13, 2020
This post is part of our Feature Spotlight series, which dives into specific features and capabilities of The Claroty Platform. You can find more posts like this in the Feature Spotlight section of the Claroty Blog.
Of the many ways risk can be introduced into operational technology (OT) environments, credential mismanagement is one of the simplest problems to solve, though the solution can be difficult to enforce. Credentials are hard to manage across the vast array of vendor-specific applications and devices on the OT network, each requiring its own levels of access privilege.
These conditions often lead to account sharing, which is particularly common in OT environments and has serious consequences, from the loss of audit trails to an expanded attack surface. The risk is greater still when privileged accounts are shared with users who would not otherwise be granted privileged access, opening the door to both unintentional errors and malicious activity.
Closing this door requires a solution that is not only secure — but also efficient and intuitive for administrators and users alike. This is where Security Assertion Markup Language (SAML) comes in.
The latest release of The Claroty Platform includes support for SAML, an open, XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). SAML is supported per-site at Claroty Continuous Threat Detection (CTD) deployments, globally through our Enterprise Management Console (EMC), and remotely via Secure Remote Access (SRA).
There are multiple benefits to passing signed SAML assertions between these points, including:
Standardization: SAML is designed to interoperate within any system regardless of its implementation. While OT environments are overflowing with vendor-specific protocols, assets, and applications, SAML authentication’s open approach to architecture helps reduce the burden of designing for multiple, interconnected devices and systems.
Security: SAML provides a single point of authentication at the identity provider, meaning that user passwords are only ever presented to the IdP and never to the service provider or to the OT site behind it. SAML also abstracts the security framework away from vendor architectures and implementations, so user information does not have to be synchronized between directories, making SSO platform-neutral. At its core, secure authentication establishes one key fact: that anyone attempting to access the system is who they say they are. That guarantee holds only when the service provider validates each assertion's signature against the IdP's certificate and checks the assertion's audience and validity window; an assertion accepted without those checks is just XML.
Administration: SAML authentication enables web-based, cross-domain single sign-on (SSO), reducing the overhead of issuing and managing a separate set of credentials for every application a user needs.
This sequence diagram shows an example of how SAML authentication can be utilized for web-based, cross-domain SSO.
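The service-provider half of that exchange is where SAML deployments most often go wrong: an SP that accepts a Response without checking who issued it, who it was addressed to, and when it expires can be handed an assertion minted for a different application or replayed from an earlier login. The following Python is an added illustration written for this post, not Claroty's code; it runs a constructed sample Response (hypothetical idp.example.com and sra.example.net endpoints, placeholder signature) through the checks an SP must perform before trusting the asserted identity. The cryptographic verification of the XML signature is delegated to an XML-DSig library in practice and is represented here only by a presence check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical SP/IdP settings, not a real deployment.
SP_ACS_URL, SP_AUDIENCE = "https://sra.example.net/saml/acs", "https://sra.example.net/saml/metadata"
IDP_ISSUER = "https://idp.example.com/metadata"
# Placeholder for the XML-DSig block a real IdP places over the Assertion.
SIGNATURE_STUB = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
                  '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
# Constructed sample Response, shaped like what an IdP POSTs to the SP's ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" InResponseTo="_req42" Version="2.0" IssueInstant="2020-08-13T12:00:00Z"
    Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-08-13T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    {SIGNATURE_STUB}
    <saml:Subject>
      <saml:NameID>operator@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{SP_ACS_URL}"
            NotOnOrAfter="2020-08-13T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-08-13T11:59:00Z" NotOnOrAfter="2020-08-13T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-08-13T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value[:-1] if value.endswith("Z") else value).replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, now, pending_request_ids, acs_url=SP_ACS_URL,
                      audience=SP_AUDIENCE, issuer=IDP_ISSUER, clock_skew=timedelta(seconds=60)):
    """Return (ok, reason, name_id). Each rejection is a check an SP must not skip."""
    root = ET.fromstring(xml_text)  # production: parse with defusedxml to block XXE / entity expansion
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response", None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report Success", None
    if root.get("Destination") != acs_url:
        return False, "Destination is not our ACS URL", None
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # a second, unsigned assertion is a classic confusion vector
        return False, "expected exactly one Assertion", None
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != issuer:
        return False, "unexpected Issuer", None
    # The signature itself must be verified against the IdP certificate with an
    # XML-DSig library (e.g. xmlsec); this illustration only insists one is present.
    if a.find("ds:Signature", NS) is None:
        return False, "assertion is not signed", None
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions", None
    if cond.get("NotBefore") and now + clock_skew < _ts(cond.get("NotBefore")):
        return False, "assertion not yet valid", None
    if cond.get("NotOnOrAfter") and now - clock_skew >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if audience not in audiences:  # an assertion for another SP must never log someone in here
        return False, "assertion not addressed to this SP", None
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        return False, "bearer Recipient is not our ACS URL", None
    if scd.get("NotOnOrAfter") and now - clock_skew >= _ts(scd.get("NotOnOrAfter")):
        return False, "bearer confirmation expired", None
    req_id = scd.get("InResponseTo")
    if req_id not in pending_request_ids:
        return False, "unsolicited or replayed response", None
    pending_request_ids.discard(req_id)  # one AuthnRequest, one Response: blocks replay
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return True, "ok", name_id


def validate_sample(now_text="2020-08-13T12:01:00Z", xml_text=SAMPLE_RESPONSE, pending=None):
    """Run the constructed sample through the checks at a chosen UTC instant."""
    pending = {"_req42"} if pending is None else pending
    return validate_response(xml_text, now=_ts(now_text), pending_request_ids=pending)


if __name__ == "__main__":
    print(validate_sample())                                                    # (True, 'ok', 'operator@example.com')
    print(validate_sample("2020-08-13T12:10:00Z"))                              # rejected: assertion expired
    print(validate_sample(xml_text=SAMPLE_RESPONSE.replace(SIGNATURE_STUB, "")))  # rejected: not signed
```

The same pending-request set is consumed on success, so presenting the identical Response a second time is rejected as a replay; in a real SP that set lives in server-side session state, and the XML signature check is done with a proper XML-DSig library rather than the presence test shown here.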
What Does This Mean for Claroty Users?
The Claroty Platform allows users to enable SAML 2.0 to connect with third-party identity providers such as Google, Duo, Ping Identity, and Okta, and to customize a SAML policy that fits their unique access requirements. Because authentication is delegated to the identity provider, administrators can require multi-factor authentication (MFA) there and have it apply to every SAML-enabled Claroty login alongside single sign-on (SSO).
SAML can be configured in SRA, for example, for all web access clients and application tunnel users. These users are authenticated via SAML at the Secure Access Center (SAC) server when using the application tunnel client, meaning that their credentials are not stored at the SRA site or on the OT asset. After enabling SAML, SRA administrators can choose to enforce Active Directory policies to provide consistency across authentication sources. Keeping credentials out of the OT site and behind MFA at the identity provider makes a stolen password far less useful to an attacker trying to gain a foothold in the network.
Enforcing a strong credential management program can make your network more secure and more user friendly at the same time. Tools like SSO remove the complexity of juggling multiple vendor-specific logins, the very friction that pushes users toward their own shortcuts such as password sharing and reuse.
To learn about how The Claroty Platform enhances both security and user experience, request a demo.