Plan for security in Advanced Identity Cloud

Always use HTTPS for connections into Advanced Identity Cloud.

Advanced Identity Cloud does not accept connections over HTTP. However, a client making API calls to Advanced Identity Cloud over HTTP instead of over HTTPS can still send unprotected credentials in an HTTP Authorization header, inadvertently exposing sensitive information. Even though Advanced Identity Cloud rejects the request, the credentials could be leaked to eavesdroppers.

Configure the cookie domain in your Advanced Identity Cloud tenant to ensure only users and entities from trusted domains can be authenticated.

By default, Advanced Identity Cloud sets the cookie domain based on the fully qualified hostname of a tenant, such as id.mycompany.co.uk. However, you might want to change the cookie domain to mycompany.co.uk so Advanced Identity Cloud can communicate with any subdomain.

Learn more in Control cookie scope for custom domains.

Configure cross-origin resource sharing (CORS) to securely share browser resources across domains.

In Advanced Identity Cloud, you can configure CORS to allow browsers from trusted domains to access Advanced Identity Cloud protected resources. You can create as many individual CORS configurations as your applications need. The configurations combine to form the entire set of rules for resource sharing. The CORS service also collects the values of the JavaScript Origins property in each OAuth 2.0 client and adds them to the list of accepted origins.

Learn more in Allow cross-domain requests with CORS.

Advanced Identity Cloud includes a filter to harden protection against cross-site request forgery (CSRF) attacks. The filter applies to all REST endpoints under /am/json/. It requires all requests other than GET, HEAD, or OPTIONS to include at least one of the following headers:

Failure to include at least one of the headers causes the REST request to fail with a 403 Forbidden error.

Learn more about API versioning in REST API versions.

The X-Forwarded-For HTTP header identifies the originating IP address of a client. However, as there are security and privacy concerns associated with its use, Advanced Identity Cloud includes two alternative HTTP headers:

Consider using one of these headers as a trusted replacement for the X-Forwarded-For header, especially when making decisions concerning access.

Advanced Identity Cloud provides the following HTTP headers to let you identify the geographical location of client requests coming into your tenant environments:

Use these headers to implement region-specific behavior in your scripts and journeys. For example, you can enforce MFA for clients originating from a specific country or set of countries.

To protect against requests that contain large amounts of data, Advanced Identity Cloud rejects the following:

Ping Identity provides policy enforcement points (PEPs) to improve application security by enforcing Advanced Identity Cloud authentication and authorization decisions in your applications:

Learn more in these guides:

Learn more about protecting applications built using an SDK in Security guide for SDKs.

Use Proxy Connect to configure a proxy service, such as a web application firewall (WAF) or a content delivery network (CDN), in front of your Advanced Identity Cloud tenant environments.

To minimize the time an attacker has to attack an active session, set expiry times for Advanced Identity Cloud sessions and JWT tokens.

Ping Identity recommends setting an expiry time of 15 minutes. However, you should decide your expiry time according to the context of your deployment, balancing security and usability so that your end users can complete operations without their authenticated sessions frequently expiring. Learn more in the OWASP Session Management Cheat Sheet.

To update the expiry time for authenticated sessions and JWT tokens in Advanced Identity Cloud, learn more in Configure session termination settings.

Enable journey session allowlisting to protect journey sessions from replay attacks, whereby a malicious user might try to rewind an authentication flow to a previous node.

Learn more in Journey session allowlist.

Advanced Identity Cloud has no automatic mechanism to delete authenticated sessions when a user changes their password. To implement automatic invalidation of authenticated sessions on password reset, consider one of the following approaches:

Make sure only authorized people can access Advanced Identity Cloud, and audit system access periodically.

The more features you have turned on, the greater the attack surface. If something is not being used, switch it off, or remove its configuration to deactivate it. These are some features to consider turning off:

Ensure you harden your password policy for each realm. These are some common ways to harden a password policy:

Learn more in Password policy.

Account lockout is a security mechanism that locks a user account after repeated failed login attempts. You can use it to supplement your password policy to slow down brute-force attacks.

Ping Identity recommends using a persistent lockout. If that’s not compatible with your company’s preferences, Ping Identity recommends using a duration lockout of at least 15 minutes.

Learn how to configure account lockout and implement account lockout in your journeys in Account lockout.

Ensure any automated scripts do not rely on a tenant administrator account to generate an access token. Instead, use a service account. Additionally, restrict the scopes that a service account can grant only to those needed by the automated script.

Learn more in Service accounts.

Make sure 2-step verification is mandatory for tenant administrators.

Learn more in Tenant administrator mandatory 2-step verification FAQ.

Different algorithms and methods are discovered and tested over time, and communities of experts decide which are the most secure for different uses. Use up-to-date cryptographic methods and algorithms to generate keys.

Small keys are easily compromised. Use at least the recommended key size.

Ensure sensitive data such as passwords and encryption keys are stored in ESV secrets, and never embedded directly in configuration or scripts.

Learn more in the Secrets section of ESVs.

These are some reasons to rotate keys regularly:

Learn more in Use ESVs for signing and encryption keys.

Advanced Identity Cloud supports encryption of data stored in the repository. Data can be encrypted using reversible encryption or one-way encryption.

Ping Identity recommends you encrypt all sensitive data. These are examples of sensitive data:

Learn more in Secure identity data.

OpenID Connect 1.0 (OIDC) ID tokens can contain sensitive data and personally identifiable information (PII). Ping Identity recommends you encrypt all ID tokens.

Learn more in Encrypt ID tokens and backchannel logout tokens.

Login journeys are vulnerable to brute force attacks. You can mitigate this risk by adding account lockout to your login journeys.

Registration journeys are vulnerable to denial-of-service attacks, where attackers try to create extremely high numbers of new users with the intention of exhausting system resources and creating an outage. You can mitigate this risk by using the Email Suspend node in your registration journeys to prevent new users from being created until an email address is verified.

Learn more in Email Suspend node.

Advanced Identity Cloud is preconfigured with default journeys to get you started. However, Ping Identity recommends you harden these default journeys or implement your own journeys using security best practices; for example, by adding MFA to a login journey to confirm user identity using a device.

Once you have built your journeys, ensure you deactivate any unused journeys, particularly insecure login journeys that only require a username and password.

Learn more in the Deactivate a journey section of Journeys.

If you have developed your own end-user journey and account experience using Ping SDKs or APIs, Ping Identity recommends that you deactivate the hosted journey pages and/or the hosted account pages to ensure there is no risk of unauthorized access by a malicious user.

Learn more in Advanced Identity Cloud hosted pages.

Misconfiguration can arise from bad or mistaken configuration decisions and poor change management. Depending on the configuration error, features can stop working in obvious or subtle ways and potentially introduce security vulnerabilities.

To guard against bad configuration decisions, implement good change management:

Despite efforts to improve how people manage passwords, users have more passwords than ever before, and many use weak passwords. You are strongly encouraged to use a password manager to generate secure passwords.

Advanced Identity Cloud provides an audit logging service that captures key auditing events critical for system security, troubleshooting, and regulatory compliance.

Audit logs gather operational information about events that occur within an Advanced Identity Cloud tenant. They track processes and security data, such as authentication mechanisms, system access, user and administrator activity, error messages, and configuration changes.

You are strongly encouraged to set up systems to monitor your audit logs and alert you to unusual patterns of behavior.

Learn more in Monitor your tenant.