
Securing Identities in Business Data Flows

In this article we discuss the problem of discovering and securing machine identities used in business data transactions.

Anirban Banerjee
Dr. Anirban Banerjee is the CEO and Co-founder of Riscosity
Published on 11/19/2024 (6 min read)

In today’s business ecosystem, data exchanges are critical for operations. From APIs to FTP connections, Electronic Data Interchange (EDI), and Virtual Desktop Infrastructure (VDI), data transfers happen continually, each using specific protocols and requiring authentication to ensure security and confidentiality. These interactions rely on a vast array of identities, keys, and credentials that need consistent management and periodic rotation to maintain security. However, without a comprehensive system for tracking and managing these credentials, businesses face significant challenges, risking security vulnerabilities and compliance issues. This article explores the types of identities used in different protocols, highlights the complexities of managing them, and proposes a solution for comprehensive identity discovery and management.

1. APIs: Identity and Key Usage

Example: In API communications the caller is usually identified by an API key or an OAuth 2.0 access token. In a RESTful exchange the key is sent in a request header (typically Authorization or a vendor header such as X-API-Key), and whoever presents it receives the access bound to it: an API key is a bearer credential, so possession alone is enough, which is why a leaked key is as good as the identity behind it. Where the caller is a service account, the credential is usually an OAuth 2.0 token issued to that account with a defined scope and permissions, and often a short lifetime.

Challenges in Identity Rotation: Regularly rotating API keys and tokens is difficult, as they are often hard-coded in applications or embedded in configuration files. Changing a key disrupts service unless the old and new keys are valid for an overlapping window, so a rotation has to be sequenced: issue the new key, update every consumer, confirm the old key is no longer seen in use, then revoke it. If the key is shared across multiple services, it must be updated in each location before the old one is revoked, and a single consumer that was missed fails on the first request after revocation.

2. FTP: Managing Authentication Credentials

Example: For File Transfer Protocol (FTP), identities typically involve usernames and passwords. In an SFTP setup (the SSH File Transfer Protocol, which runs over SSH rather than over FTP), the client usually authenticates with an SSH key pair: the private key stays on the client and the corresponding public key is listed in the server's authorized keys. The client proves possession of the private key during the SSH handshake, so the key is what identifies the client, and the server's authorization for that key determines what it may upload or download.

Challenges in Identity Rotation: Rotating FTP credentials is often overlooked in legacy systems. If credentials are hard-coded in scripts or embedded in batch jobs, updating them requires manually changing the code and verifying compatibility. FTP systems are especially prone to credential leakage: plain FTP sends the username and password in cleartext on the control channel, so anyone able to observe the traffic learns a working credential, and if rotation isn't managed properly that credential stays usable indefinitely, leading to potential unauthorized access.

3. EDI: Data Interchange Identification

Example: Electronic Data Interchange (EDI) facilitates standardized communication between business systems, like purchase orders or invoices. In an EDI exchange, identities are carried in the message envelope. In the ANSI X12 standard the ISA interchange header holds an Interchange Sender ID and an Interchange Receiver ID (elements ISA06 and ISA08), each preceded by a qualifier (ISA05, ISA07) that says what kind of identifier it is, such as a DUNS number or a mutually agreed code. These IDs identify the trading partner but do not by themselves authenticate it: authentication normally rests on the transport (AS2 certificates, SFTP keys or VAN credentials), and the envelope's own Authorization and Security Information elements (ISA01 to ISA04) are rarely used and, where ISA04 does carry a password, carry it in cleartext.
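To make the envelope fields concrete, here is a small reader for the partner identifiers in an X12 interchange. It is an added example written for this article, not code from the original post or from any EDI product; the trading-partner IDs, control numbers and the 850 purchase order it builds are constructed sample data, and the function and class names are the example's own. It relies on the ISA header being fixed width (105 characters plus the segment terminator), which is what makes the element separator and segment terminator discoverable without configuration.

```python
from dataclasses import dataclass
from typing import Optional

ISA_LENGTH = 106  # ISA is fixed width: 105 characters plus the segment terminator


@dataclass
class X12Identity:
    sender_qualifier: str        # ISA05, e.g. "01" = DUNS, "ZZ" = mutually defined
    sender_id: str               # ISA06, trailing padding removed
    receiver_qualifier: str      # ISA07
    receiver_id: str             # ISA08
    control_number: str          # ISA13, interchange control number
    cleartext_password: bool     # ISA03 == "01" means ISA04 carries a password in the clear
    app_sender: Optional[str]    # GS02, if a functional group header follows
    app_receiver: Optional[str]  # GS03


def parse_x12_identities(interchange: str) -> X12Identity:
    """Read the partner identifiers out of an X12 interchange without a full parser.

    The ISA header is fixed width, so the element separator is always at offset 3
    and the segment terminator at offset 105; the rest of the file is split with them.
    """
    if not interchange.startswith("ISA") or len(interchange) < ISA_LENGTH:
        raise ValueError("not an X12 interchange: ISA header missing or truncated")
    elem_sep = interchange[3]
    seg_term = interchange[ISA_LENGTH - 1]
    isa = interchange[:ISA_LENGTH - 1].split(elem_sep)   # isa[0] == "ISA", isa[1..16] == ISA01..ISA16
    if len(isa) != 17:
        raise ValueError("ISA header does not contain 16 elements")
    gs = None
    for segment in interchange.split(seg_term):
        if segment.startswith("GS" + elem_sep):
            gs = segment.split(elem_sep)
            break
    return X12Identity(
        sender_qualifier=isa[5],
        sender_id=isa[6].rstrip(),
        receiver_qualifier=isa[7],
        receiver_id=isa[8].rstrip(),
        control_number=isa[13],
        cleartext_password=isa[3] == "01",
        app_sender=gs[2] if gs and len(gs) > 3 else None,
        app_receiver=gs[3] if gs and len(gs) > 3 else None,
    )


def build_sample_interchange(security_qualifier: str = "01", security_info: str = "SECRET1234") -> str:
    """Constructed 850 purchase-order interchange (sample data, not a real trading-partner file)."""
    isa = "*".join([
        "ISA", "00", " " * 10, security_qualifier, security_info.ljust(10),
        "ZZ", "ACMECORP".ljust(15), "ZZ", "SUPPLIERXYZ".ljust(15),
        "241119", "1200", "U", "00401", "000000905", "0", "P", ">",
    ]) + "~"
    body = ("GS*PO*ACMECORP*SUPPLIERXYZ*20241119*1200*905*X*004010~"
            "ST*850*0001~BEG*00*SA*PO-1001**20241119~SE*3*0001~"
            "GE*1*905~IEA*1*000000905~")
    return isa + body


if __name__ == "__main__":
    identity = parse_x12_identities(build_sample_interchange())
    print(identity)
    if identity.cleartext_password:
        print("warning: ISA04 carries a cleartext password for", identity.sender_id)
```

The sender and receiver values this returns are what an identity catalog should record for an EDI flow, alongside the transport credential (AS2 certificate, SFTP key) that actually authenticated the connection. The `cleartext_password` flag is the kind of finding a discovery pass should raise on its own: a partner still populating ISA03/ISA04 is shipping a shared secret in every interchange.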

Challenges in Identity Rotation: EDI identities are challenging to rotate because they are tightly integrated with the business logic of ERP (Enterprise Resource Planning) systems. Any changes require synchronization with trading partners, and updates often need to go through rigorous testing cycles to avoid breaking existing workflows.

4. VDI: User Identities and Credentials

Example: In Virtual Desktop Infrastructure (VDI) environments, user identities are often authenticated using domain credentials through Active Directory. A session token may be used to manage user access across virtual machines (VMs) or desktop sessions, ensuring that only authenticated users can access specific resources.

Challenges in Identity Rotation: For VDI, rotating credentials involves updating Active Directory and dealing with cached credentials across different virtual desktops. If tokens are stored locally on the desktop images, they need to be cleared out periodically or they outlive the rotation. Even with centralized access management tools, frequent changes are disruptive and require coordination across multiple teams, so rotation tends to happen less often than policy demands.

The Need for an Identity Catalog

Despite these protocols using identities in different ways, many businesses lack a centralized catalog of all the identities, keys, and credentials actively in use. Without this catalog, companies cannot accurately assess their security posture, as they are unaware of the full range of identities that might be compromised or misused. This lack of visibility also makes regular rotation and monitoring a daunting task, increasing the risk of unauthorized access, data breaches, or regulatory non-compliance.

The Case for a Holistic Discovery Approach

To create a comprehensive inventory of identities, businesses need a multi-faceted discovery approach. This can include:

  1. Code Scanning: Scanning code repositories and configuration files to uncover hard-coded credentials, such as API keys, passwords, and tokens. This is particularly useful for identifying embedded identities within applications and automation scripts.
  2. Network Traffic Analysis: Capturing traffic at a tap or span port can reveal credentials sent in cleartext, such as FTP USER/PASS commands or a password in an X12 ISA04 field, and can show which hosts are exchanging data with which partners even when the payload is encrypted. It cannot see inside TLS, so for APIs and AS2 it identifies the flow but not the credential.
  3. In-Flight Data Discovery: Inspecting data at a point where it is readable, such as a TLS-terminating proxy or the application's own egress, provides visibility into the identities and credentials exchanged over APIs, FTP, and EDI, including the encrypted traffic that passive capture cannot decode, and offers real-time insight into how data is flowing and which credentials are in use.

Together, these approaches form a holistic framework for discovering identities, offering the insight needed to secure and manage credentials effectively.
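The code-scanning step is the easiest of the three to reason about in code. The scanner below is an added example written for this article, not a tool from the original post: it runs a few detection rules over sample files, drops low-entropy placeholders that would otherwise flood the report, and records a SHA-256 fingerprint of each secret rather than the secret itself, so the inventory it produces can be shared without becoming a second copy of the credentials. The rule names, the file contents and the `AKIAIOSFODNN7EXAMPLE` key (AWS's documented example key) are constructed sample input; the entropy threshold is an assumption to tune per code base.

```python
import hashlib
import math
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    fingerprint: str   # sha256 prefix of the matched secret, so the report itself leaks nothing
    entropy: float


# Each pattern's group(1) captures the secret material only. The generic rule is
# deliberately broad and relies on the entropy gate below to drop placeholders.
RULES: Dict[str, "re.Pattern[str]"] = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "credential-in-url": re.compile(r"://([^\s/:@]+:[^\s/@]+)@"),
    "private-key-block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "generic-assignment": re.compile(
        r"""(?i)(?:api[_-]?key|secret|password|passwd|token)\s*[:=]\s*['"]?([A-Za-z0-9_\-/+=.]{12,})"""),
}
ENTROPY_GATED = {"generic-assignment"}
MIN_ENTROPY = 3.0  # bits per character (assumed threshold): "xxxxxxxx" is 0.0, a random 30-char key is about 4.9


def fingerprint(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def shannon_entropy(s: str) -> float:
    """Bits per character; low values mean a placeholder or repeated filler."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                secret = m.group(1)
                entropy = shannon_entropy(secret)
                if rule in ENTROPY_GATED and entropy < MIN_ENTROPY:
                    continue   # placeholder such as "xxxxxxxxxxxxxxxx"; template refs like ${VAR} never match
                findings.append(Finding(path, line_no, rule, fingerprint(secret), round(entropy, 2)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository contents (not real files or real secrets).
SAMPLE_FILES = {
    "app/config.py": (
        "DEBUG = True\n"
        "DB_PASSWORD = \"xxxxxxxxxxxxxxxx\"   # placeholder, should not be reported\n"
        "SERVICE_API_KEY = \"a8F3kL9pQ2xZ7mN4vB6cD1eG5hJ0tR\"\n"
        "AWS_ACCESS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\"\n"
    ),
    "scripts/upload.sh": (
        "#!/bin/sh\n"
        "curl -T report.csv ftp://batch:Pa55w0rd-Rotate-Me-2024@ftp.example.test/inbox/\n"
    ),
    "deploy/app.env": "API_TOKEN=${API_TOKEN}\n",
    "deploy/id_deploy": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmU=\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}  {f.rule:<20} fp={f.fingerprint}  entropy={f.entropy}")
```

Two design points carry over to any real scanner. First, the report stores a fingerprint, and the same fingerprint function applied to credentials observed in traffic lets the code finding and the runtime sighting be matched without either side storing the secret. Second, the entropy gate only guards the generic rule; format-specific rules such as the AWS key prefix are precise enough to report unconditionally, and a key-block header is reported regardless of its content because the file's location is the finding.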

An Active Governance Based Solution

One effective method for managing identities across these data exchange protocols is a proxy-based solution. By intercepting and analyzing data traffic, a proxy can capture and tag identities, log credential usage, and track access patterns across the protocols it fronts. Because the proxy handles every credential that passes through it, it becomes the most sensitive component in the path: it must be hardened and monitored like a secrets store, and it should record fingerprints of the credentials it sees rather than the credentials themselves. With that in place, the approach offers several advantages:

  • Centralized Monitoring: A proxy acts as a single point of observation, capturing credential exchanges in real time across API, FTP and EDI flows and logons to VDI sessions. This centralizes credential tracking, making it easier to monitor and manage identities across the organization.
  • Identity Tagging: With a proxy in place, each credential or token used in data exchange can be tagged and recorded, keyed by a non-reversible fingerprint, allowing teams to identify which credentials are active, when each was first and last seen, which principal and protocol it belongs to, and its usage pattern.
  • Simplified Rotation Processes: Because a rotation produces a new credential with a new fingerprint, the proxy's log shows directly whether a rotation has actually taken effect: the new fingerprint appears, the old one stops. That lets businesses flag credentials that have been in service longer than policy allows and confirm that an old key is no longer in use before revoking it, so updates can be synchronized without disrupting workflows.
  • Enhanced Security and Compliance: A proxy-based solution enables continuous compliance by ensuring that all credential use is cataloged and managed according to regulatory standards. This supports audit-readiness and helps maintain strong security controls.
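The tagging and rotation-tracking logic a proxy would run is small enough to show end to end. The example below is added for this article and is not the original post's or any vendor's code: it takes request text as a proxy would see it after TLS termination, pulls the credential out of HTTP Authorization/X-API-Key headers and cleartext FTP logons, and maintains a catalog keyed by fingerprint with first-seen, last-seen and use counts, from which credentials older than the rotation policy fall out directly. The traffic, timestamps, hostnames and tokens are constructed sample data, and the function and class names are the example's own.

```python
import base64
import hashlib
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# (protocol, credential kind, principal if known, secret material)
Observation = Tuple[str, str, str, str]


def fingerprint(secret: str) -> str:
    """Non-reversible handle for the catalog; the raw secret is never stored."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def extract_http(raw: str) -> Optional[Observation]:
    """Credential from an HTTP request: Authorization header or X-API-Key header."""
    m = re.search(r"^Authorization:\s*(\S+)\s+(\S+)\s*$", raw, re.M | re.I)
    if m:
        scheme, value = m.group(1).lower(), m.group(2)
        if scheme == "basic":
            user, _, password = base64.b64decode(value).decode("utf-8").partition(":")
            return ("http", "basic", user, password)
        return ("http", scheme, "", value)   # bearer tokens and similar: no principal in the header
    m = re.search(r"^X-API-Key:\s*(\S+)\s*$", raw, re.M | re.I)
    return ("http", "api-key", "", m.group(1)) if m else None


def extract_ftp(raw: str) -> Optional[Observation]:
    """Cleartext FTP logon on the control channel: USER followed by PASS."""
    user = re.search(r"^USER\s+(\S+)", raw, re.M)
    password = re.search(r"^PASS\s+(\S+)", raw, re.M)
    if user and password:
        return ("ftp", "password", user.group(1), password.group(1))
    return None


class CredentialCatalog:
    """One entry per distinct credential seen at the proxy, keyed by fingerprint."""

    def __init__(self) -> None:
        self.entries: Dict[str, dict] = {}

    def observe(self, obs: Observation, seen_at: datetime) -> str:
        protocol, kind, principal, secret = obs
        fp = fingerprint(secret)
        entry = self.entries.setdefault(fp, {
            "protocol": protocol, "kind": kind, "principal": principal,
            "first_seen": seen_at, "last_seen": seen_at, "uses": 0,
        })
        entry["first_seen"] = min(entry["first_seen"], seen_at)
        entry["last_seen"] = max(entry["last_seen"], seen_at)
        entry["uses"] += 1
        return fp

    def overdue(self, now: datetime, max_age_days: int) -> List[str]:
        """Fingerprints in service longer than the rotation policy allows.

        A rotation yields a new secret and therefore a new fingerprint, so age since
        first sighting measures how long the same secret has been in use.
        """
        limit = timedelta(days=max_age_days)
        return sorted(fp for fp, e in self.entries.items() if now - e["first_seen"] > limit)


def build_catalog(traffic) -> CredentialCatalog:
    """traffic: iterable of (timestamp, extractor, raw request text) as the proxy saw it."""
    catalog = CredentialCatalog()
    for seen_at, extractor, raw in traffic:
        obs = extractor(raw)
        if obs is not None:
            catalog.observe(obs, seen_at)
    return catalog


# Constructed sample traffic (not real captures): one bearer token seen twice seven
# weeks apart, one HTTP Basic logon and one cleartext FTP logon.
BEARER = "eyJhbGciOiJSUzI1NiJ9.sample-claims.sample-signature"
BASIC = base64.b64encode(b"svc-report:Hunter2").decode("ascii")
NOW = datetime(2024, 11, 19, 12, 0)
SAMPLE_TRAFFIC = [
    (datetime(2024, 10, 1, 9, 0), extract_http,
     f"GET /v1/orders HTTP/1.1\r\nHost: api.example.test\r\nAuthorization: Bearer {BEARER}\r\n\r\n"),
    (datetime(2024, 11, 18, 9, 0), extract_http,
     f"GET /v1/orders HTTP/1.1\r\nHost: api.example.test\r\nAuthorization: Bearer {BEARER}\r\n\r\n"),
    (datetime(2024, 11, 18, 9, 5), extract_http,
     f"GET /legacy/report HTTP/1.1\r\nHost: intranet.example.test\r\nAuthorization: Basic {BASIC}\r\n\r\n"),
    (datetime(2024, 11, 18, 10, 0), extract_ftp,
     "220 ftp.example.test ready\r\nUSER batch-upload\r\n331 Password required\r\nPASS ftp-secret-01\r\n230 Logged in\r\n"),
]

if __name__ == "__main__":
    catalog = build_catalog(SAMPLE_TRAFFIC)
    for fp, e in catalog.entries.items():
        print(fp, e["protocol"], e["kind"], e["principal"] or "-", "uses:", e["uses"], "since", e["first_seen"].date())
    print("overdue (>30 days):", catalog.overdue(NOW, 30))
```

Run against the sample traffic, the bearer token is the only entry flagged as overdue under a 30-day policy, because it was first seen on 1 October and is still being presented in November; the Basic and FTP credentials are young but are worth a separate alert simply for being password-based on cleartext-capable protocols. The same `fingerprint` function applied to a code-scanning finding matches a hard-coded key in a repository to its live use at the proxy without either record holding the secret.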

Conclusion

Managing identities across data exchange protocols like APIs, FTP, EDI, and VDI is essential but challenging for businesses due to the dispersed nature of identities and the integration complexity. Most companies lack a comprehensive catalog of these identities, making it difficult to manage and secure them effectively. Adopting a holistic discovery approach through code scanning, network scanning, and in-flight data discovery, combined with a proxy-based solution, offers a scalable and effective way to gain visibility, enhance security, and simplify identity management. This approach allows companies to maintain control over their data exchanges, minimize security risks, and remain compliant with regulatory standards.