
Feature Spotlight: Increased OT Security with SAML Support

Daniel Ashual
/ August 13th, 2020

Of the multiple ways through which risk can be introduced into operational technology (OT) environments, credential mismanagement is one of the simplest problems to solve, though its solution can be difficult to enforce. Credentials can be challenging to manage with the vast array of vendor-specific applications and devices requiring multiple levels of access privileges that operate on the OT network.

These conditions are often a factor in cases of account-sharing, which tends to be particularly common in cyber-physical systems (CPS) environments and can have serious implications ranging from the loss of audit trails to an expanded attack surface, among others. The risks at hand can be even greater when privileged accounts are shared between users who wouldn't otherwise be granted privileged access, further opening the door for both unintentional errors and malicious activity.

Closing this door requires a solution that is not only secure — but also efficient and intuitive for administrators and users alike. This is where Security Assertion Markup Language (SAML) comes in.

What is SAML?

SAML is an open-standard, XML-based protocol for exchanging authentication and authorization data between parties. Its primary role in security is to let a user access multiple web applications with one set of login credentials. It operates by passing authentication information in a defined format between two parties: typically the identity provider (IdP), which authenticates the user, and the service provider (SP), which relies on the IdP's assertion instead of checking credentials itself. SAML is supported per-site at Claroty Continuous Threat Detection (CTD) deployments, through Claroty xDome, and remotely via Secure Remote Access (SRA).

What are the benefits of using SAML?

There are multiple benefits to passing security tokens between these points using SAML, including:

  • Standardization: SAML is designed to interoperate within any system regardless of its implementation. While OT environments are overflowing with vendor-specific protocols, assets, and applications, SAML authentication's open approach to architecture helps reduce the burden of designing for multiple, interconnected devices and systems.

  • Security: SAML provides a single point of authentication with an identity provider, so user credentials never leave the organization's perimeter (the user authenticates only at the IdP). SAML also abstracts the security framework away from vendor architectures and implementations, so user information does not need to be synchronized between directories, making SSO platform-neutral. At its core, secure OT remote access comes down to one assurance: that anyone attempting to access the system is who they say they are.

  • Administration: SAML authentication enables web-based, cross-domain single sign-on (SSO), helping to reduce the overhead of providing multiple authentication tokens for one user.

This sequence diagram shows an example of how SAML authentication can be utilized for web-based, cross-domain SSO.
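The security of the exchange described above rests on what the service provider checks when the IdP's response comes back. The following added example (not code from the original post or from Claroty) implements those SP-side checks in plain Python on a constructed SAML Response: the response must answer a request this SP actually issued, be addressed to this SP's assertion consumer URL and entity ID, be inside its validity window, come from the expected IdP, be consumed only once, and (for the MFA enforcement the article mentions later) carry an acceptable authentication context. All URLs, IDs and the `SP_CONFIG` dictionary are made up for the example, and the XML Signature check is assumed to have been done beforehand by a SAML library, since this snippet does not implement XML-DSig.

```python
import datetime as dt
import xml.etree.ElementTree as ET  # stdlib parser; use defusedxml for untrusted input in practice

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
MFA_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"

# Hypothetical SP configuration (every URL here is made up for the example).
SP_CONFIG = {
    "entity_id": "https://sra.example.test/saml/metadata",
    "acs_url": "https://sra.example.test/saml/acs",
    "idp_entity_id": "https://idp.example.test/metadata",
    "required_authn_contexts": None,  # a set of AuthnContextClassRef URIs enforces an MFA policy
}
NOW = dt.datetime(2020, 8, 13, 10, 1, 0, tzinfo=dt.timezone.utc)

# Constructed sample of the (already base64-decoded) Response an IdP posts to the SP's ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" IssueInstant="2020-08-13T10:00:00Z"
 Destination="https://sra.example.test/saml/acs" InResponseTo="_req42">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-08-13T10:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2020-08-13T10:05:00Z"
     Recipient="https://sra.example.test/saml/acs" InResponseTo="_req42"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2020-08-13T09:59:00Z" NotOnOrAfter="2020-08-13T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sra.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2020-08-13T09:59:50Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement><saml:Attribute Name="groups">
   <saml:AttributeValue>ot-engineers</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-08-13T10:00:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, sp, now, outstanding_requests, seen_assertion_ids):
    """SP-side checks on a decoded Response; returns subject and attributes or raises ValueError.

    Assumes the XML Signature over the assertion was already verified against the IdP's
    metadata certificate by a SAML library; that step is out of scope here and must not be skipped.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if root.get("Destination") != sp["acs_url"]:
        raise ValueError("Destination is not this SP's ACS URL")
    req_id = root.get("InResponseTo")
    if req_id not in outstanding_requests:
        raise ValueError("not a reply to a request this SP issued (unsolicited or replayed)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if (a.findtext("saml:Issuer", namespaces=NS) or "").strip() != sp["idp_entity_id"]:
        raise ValueError("assertion issued by an unexpected IdP")
    if a.get("ID") in seen_assertion_ids:
        raise ValueError("assertion ID already consumed (replay)")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") is None or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired or unbounded")
    audiences = [(e.text or "").strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp["entity_id"] not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"] or scd.get("InResponseTo") != req_id:
        raise ValueError("bearer confirmation does not match this SP and request")
    if scd.get("NotOnOrAfter") is None or now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired or unbounded")
    ctx = (a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS) or "").strip()
    if sp.get("required_authn_contexts") and ctx not in sp["required_authn_contexts"]:
        raise ValueError("authentication context %s does not satisfy the SP's MFA policy" % ctx)
    outstanding_requests.discard(req_id)  # each AuthnRequest is answered at most once
    seen_assertion_ids.add(a.get("ID"))   # and each assertion is accepted at most once
    attrs = {attr.get("Name"): [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": (a.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip(), "attributes": attrs}


def rejection_reason(*args):
    """Return the ValueError message for a rejected Response, or None if it was accepted."""
    try:
        validate_response(*args)
        return None
    except ValueError as exc:
        return str(exc)


def demo():
    """Accept the constructed Response once, then show which check rejects each reused or altered copy."""
    outstanding, seen = {"_req42"}, set()
    accepted = validate_response(SAMPLE_RESPONSE, SP_CONFIG, NOW, outstanding, seen)
    mfa_policy = dict(SP_CONFIG, required_authn_contexts={MFA_CLASS})
    other_audience = SAMPLE_RESPONSE.replace(SP_CONFIG["entity_id"], "https://other.example.test/metadata")
    return {
        "accepted": accepted,
        "replayed": rejection_reason(SAMPLE_RESPONSE, SP_CONFIG, NOW, {"_req42"}, seen),
        "unsolicited": rejection_reason(SAMPLE_RESPONSE, SP_CONFIG, NOW, set(), set()),
        "expired": rejection_reason(SAMPLE_RESPONSE, SP_CONFIG, NOW + dt.timedelta(minutes=10), {"_req42"}, set()),
        "wrong_audience": rejection_reason(other_audience, SP_CONFIG, NOW, {"_req42"}, set()),
        "weak_authn": rejection_reason(SAMPLE_RESPONSE, mfa_policy, NOW, {"_req42"}, set()),
    }
```

Running `demo()` accepts the sample once (subject `alice@example.test`, group `ot-engineers`) and then reports a distinct rejection reason for the replayed copy, the unsolicited copy, the copy presented ten minutes later, the copy re-addressed to another audience, and the copy evaluated under a policy that requires a two-factor authentication context. The `outstanding_requests` and `seen_assertion_ids` sets stand in for the persistent state a real SP keeps; without them, the InResponseTo and replay checks cannot be enforced.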

What Does This Mean for Claroty users?

The Claroty Platform allows users to enable SAML 2.0 to connect with third-party authentication providers such as Google, Duo, Ping Identity, and Okta and customize a SAML policy that fits their unique access requirements. By design, SAML offers increased network security by enabling administrators to enforce multi-factor authentication (MFA) methods along with single sign-on (SSO).

SAML can be configured in SRA, for example, for all web access clients and application tunnel users. These users are authenticated via SAML at the Secure Access Center (SAC) server when using the application tunnel client, meaning that their credentials are not stored at the SRA site or on the OT asset. After enabling SAML, SRA administrators can choose to enforce Active Directory policies to provide consistency across authentication sources. Having this level of secure authentication in place helps to ensure that malicious actors cannot gain a foothold in the network with stolen credentials.

Enforcing a strong credential management program can make your network more secure and more user friendly at the same time. By using tools like SSO that make sign-in seamless, you can help eliminate the complexity of managing multiple, vendor-specific sign-ons, which otherwise pushes users to find their own shortcuts, such as password sharing and reuse.
