Busting myths behind authentication and authorization

In a not so past life, I worked with a large team of software developers at a rather large company. As part of the development leadership team, one of the goals I had set was to constantly broaden and challenge our development practices. I remember a phrase that I’d often say, “I don’t want this team to get inbred!” Now, before you jump to conclusions, let me explain what I meant. If left unchecked, any business team may begin to falter through groupthink and miss out on the evolution that other teams may be experiencing because they actively seek to improve their processes. If we didn’t actively search out new techniques and development practices, we’d fall victim to enforcing our own bad habits. By now, you are probably wondering what this has to do with identity and security… let’s get to that.

As a development consultant and security advisor, I’m lucky to be able to visit and work with a different company every week. This puts me in a unique position that many of you might not have: I’ve been able to see and experience the culture, technical maturity, business acumen, and processes of hundreds of companies over my career. I’ve also been able to see many an “inbred” security team over the years. Sometimes the outdated philosophies and stubbornness are a hard nut to crack.

What I find are people, systems, and processes that simply don’t seem to make sense. Sometimes it’s a single person, sometimes it’s the whole company. Over the years, you can imagine I’ve encountered many preconceived notions, outdated approaches, and what I simply call “security myths.” We all wear many hats… one of mine is of a security myth-buster. In this series of posts, I’d like to cover some of the most common myths I find in the discipline of authentication and authorization. Truth be told, they aren’t all as crazy as you may think!

Myth #1: Reverse proxies are bad!

VPN technology is still one of the most widely used methods of granting users access to intranet resources from the internet. Companies use this type of technology not only for their own employees but also for their partners. Is using a reverse proxy a viable alternative for VPN? Is using a reverse proxy-less secure than a VPN connection?

The use cases are simple:

• My employees need access to applications behind the firewall.
• My partners need access to apps behind the firewall.
• To achieve either of these use cases requires either installing a VPN client on my machine or to configure my machine manually for the connection.

So, what could go wrong? This approach has been used for years and it’s just fine, right? Well, my opinion is that the VPN is a massive Trojan horse and that we should only be using it when absolutely necessary. Consider these challenges with VPNs:

• You just allow someone to join your network, are you really sure who they are?
• Your security team has assured you that VPN users can’t get access to anything they aren’t supposed to have access to. Are you sure?
• Simple tools that anyone can download can discover fatal flaws in your VPN architecture.

One question for you: why open the drawbridge and allow a risk into the castle walls when simply communicating through a porthole may be enough? A reverse proxy is a porthole you are looking for. Reverse proxies are able to fetch web applications from behind the firewall and present them securely to users being left safely outside our perimeter. What exactly are the myths about reverse proxies?

VPNs are more secure

Well, when you can look at recent history regarding some of the more infamous breaches, you’ll likely find that it started with a VPN connection. It is not a challenge to prove that actually allowing an identity thief (aka hacker) onto your network is in no way shape or form more secure than never allowing the attacker on-prem, to begin with.

Reverse proxies are slow and create application bottlenecks

Take a minute to think about what has occurred in the gaming industry in just the last 10 years. The leap in technology from 16-bit blocky sprites to virtual reality landscapes with a life of their own is astounding. This is due in part to an increase in processing power and in part to revolutionary new approaches in graphics and AI. To put it simply, today’s reverse proxies are not your dad’s reverse proxies. Increases in computing power, optimized programming and load balancing have all but removed any concern over a lack of performance.

My firewall rules are flawless

Again, this myth aligns with the notion that VPNs are more secure but is truly another approach at the argument that I’ve been told. Honestly, when you look at the benefits of a reverse proxy in contrast to the gamble you are taking with your IT department’s configuration of the firewall, are you really willing to bet your company’s reputation or intellectual property? In every “flawless” firewall combination is a hidden vulnerability that normally isn’t too terribly difficult to discover.

Myth #1: Reverse proxies are bad: Busted!

In the next post, I’ll cover another myth that is a favorite of mine… Myth #2: Your users don’t want MFA. Hmm… that one might be plausible, eh?