Cloud Access Manager 8.1.4 - Security and Best Practice Guide

Information stored by Cloud Access Manager

To support Single Sign-On (SSO) to non-federated web applications Cloud Access Manager saves your application passwords, encrypted in a table within the configuration database. The passwords are encrypted with AES-128-CBC, using a key derived from a combination of user ID and the shared secret which you specify during Cloud Access Manager installation.

For SSO to federate SAML and WS-Federation applications, Cloud Access Manager stores signing certificates in its configuration database along with their associated private keys. The private key associated with each signing certificate is encrypted with AES-128-CBC using a key derived from the shared secret.

To allow you to authenticate to Cloud Access Manager with your existing corporate credentials through Cloud Access Manager's built-in Security Token Service (STS), Cloud Access Manager must make an authenticated connection to an Active Directory or Lightweight Directory Access Protocol (LDAP) compliant directory. The credentials used to establish this authenticated connection are also stored in the configuration database and they are encrypted using AES-128-CBC using a key derived from the shared secret.

NOTE: All sensitive information in Cloud Access Manager's database is encrypted using keying material derived from the shared secret. The shared secret is stored on each Cloud Access Manager host in a local file, encrypted using Windows Data Protection API. Please refer to Microsoft documentation at http://msdn.microsoft.com/en-gb/library/ms995355.aspx for a detailed description of Windows DPAPI.

Inter-service communication

Cloud Access Manager transmits information between its services over Secure HTTP (HTTPS). Each connection is authenticated using the shared secret chosen during Cloud Access Manager installation.

User authentication

Cloud Access Manager allows you to access multiple systems without having to supply multiple sets of credentials. However the convenience of Single Sign-On (SSO) comes at the cost of security as an attacker that can hijack your Cloud Access Manager login account has the keys to the kingdom.

User authentication settings should therefore be reviewed thoroughly according to corporate security policy, with attention to:

  • Prevailing password complexity rules
  • Password expiry interval and password history rules
  • Suitability of authentication method.

    NOTE: Consider using two-factor authentication, or smart card authentication, either for access to the application portal or for access to individual applications.

Where you are using a federated identity provider from a third-party organization, we recommend you seek assurances from that organization that their user authentication settings are in agreement with your security policy.

Related Documents