Identity Analytics & Risk Intelligence Security Questions and Responses
This is a collection of security based questions around the software and data used within Identity Analytics & Risk Intelligence. As new questions arise this list may be expanded.
How can I trust the integrity of the software that I am downloading, is there any code signing in place ? Is there a hash I can compare ?
The collector installer that is downloaded, as well as the modules that are installed, are all signed by One Identity. Since there are frequent updates to the installer and module files, which will auto-update, we do not publish specific hash values. The collector service will dynamically download and run modules specific to configured data sources. These module files are validated using file version and hash values supplied by the IARI cloud service to ensure the properly approved files have been downloaded.
What is the nature of the initial authorization using the code, how is this code generated? what makes it unique to me? How can I be sure that my data is only going to my tenant?
The initial authorization code is generated by an IARI user within a specific subscription and is tied only to that subscription. A new code is generated when the IARI web site is used to download a collector installer and the code expires in a fairly short period of time to ensure uniqueness. This code is used by the collector and the IARI cloud service to associate a newly installed collector to a subscription. When the collector is installed, the code is used to ‘register’ the collector for the subscription and the collector is only authorized to communicate with the subscription that was used to generate the code. This registration process generates subscription-specific endpoints for the IARI cloud subscription, and data is generated within this subscription that is used to validate the collector during API calls.
Once the collector is installed what is the ongoing authentication between collector and Starling service, are there any shared crypto keys involved?
The registration process also provisions the collector with STS token endpoint and credential information that are used by the collector to acquire a Java Web Token from the Starling STS. This provisioning information is encrypted and stored securely by the collector service. This authentication mechanism is based on OAuth mechanisms for token generation and authorizations. The token is used to authenticate and authorize the collector API calls to the IARI cloud service and expires frequently. A new token is acquired when necessary.
What is the nature of the wire level protocol used, is there any encryption used, if so what schemes, TLS etc. ?
All communications between the collector and Starling STS and IARI cloud services utilize the HTTPS protocol, which typically implements TLS as the underlying cryptographic technology.