eBooks & Reports

O'Reilly's Automating Security in the Cloud

Issue link: https://resources.threatstack.com/i/872576

Page 17 of 32

The U2F Attestation

The purpose of the U2F attestation is simply to provide a mechanism so that a U2F relying party (a website or service) can verify the authenticity of a U2F authenticator and thereby trust its attestation certificate. A relying party queries the attestation certificate to find out information about an authenticator, such as a YubiKey. The information queried can include the vendor, the type of device, and the assurance/security properties (for example, a secure element-based device) of the authenticator. The authenticity of the attestation information is guaranteed by a digital signature which has a specified validity period.

In addition to attesting to the authenticity of a device, the attestation certificate can also be used to determine what devices can be used by a relying party. For example, a banking site might want users to be able to provide their own U2F devices for two-factor authentication, but will only allow users to use devices from certain approved vendors.

There are no requirements, however, that dictate what type of device or client-side software is using U2F – the relying party or service can decide to accept any type of attestation certificate or a specific type.

Free Open Source Code and Servers

Yubico provides alternatives for implementation:

Standalone validation server that your server can query using a simple REST API. This is ideal if you want to make as few changes as possible to your existing code and database.

Libraries for programming languages. With these, you have the flexibility/burden to store and access U2F artifacts yourself. This is ideal if you don't want to deploy a standalone validation server.

From an access management standpoint, organizations in the cloud need to update their thinking around traditional IT infrastructure as a boundary of protection or a fortress, with high, strong walls and controlled entry points which keep the bad guys out.
Cloud can enable everything as an endpoint; therefore, you have to protect each asset through a security-by-design approach, which starts with secure, reliable access management based on the least possible access necessary for an organizational user, partner or application to be successful.

Cloud security foundation architecture is effective only if the correct preventive, detective and corrective controls are in place from the start of your cloud journey. An efficient cloud security architecture should recognize the issues that will arise within security implementation, operation, use and in

16 | Chapter 4: Cloud Computing Foundational Security Leading Practices
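The relying-party policy described in the U2F Attestation section above, as an added example that is not from the book or from Yubico: it splits a U2F raw registration response into its fields, extracts the attestation certificate, and either accepts any certificate or only those on an approved list. It assumes the U2F server library has already verified the registration signature; the function names, the fingerprint-based allow-list, and the sample bytes are constructed for illustration.

```python
import hashlib

def der_total_length(buf: bytes) -> int:
    """Length (header + body) of the DER SEQUENCE at the start of buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("attestation certificate is not a DER SEQUENCE")
    if buf[1] < 0x80:                       # short-form length
        header, body = 2, buf[1]
    else:                                   # long form: next n bytes hold the length
        n = buf[1] & 0x7F
        if n not in (1, 2) or len(buf) < 2 + n:
            raise ValueError("unsupported DER length encoding")
        header, body = 2 + n, int.from_bytes(buf[2:2 + n], "big")
    if header + body > len(buf):
        raise ValueError("truncated attestation certificate")
    return header + body

def parse_registration(raw: bytes) -> dict:
    """Split a U2F raw registration response into its fields."""
    if len(raw) < 67 or raw[0] != 0x05 or raw[1] != 0x04:
        raise ValueError("not a U2F registration response")
    kh_end = 67 + raw[66]                   # byte 66 is the key-handle length
    if kh_end > len(raw):
        raise ValueError("truncated key handle")
    cert_end = kh_end + der_total_length(raw[kh_end:])
    return {"public_key": raw[1:66], "key_handle": raw[67:kh_end],
            "attestation_cert": raw[kh_end:cert_end], "signature": raw[cert_end:]}

def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def device_allowed(raw: bytes, approved=None) -> bool:
    """approved=None accepts any attestation certificate; otherwise pass a set of
    SHA-256 fingerprints of the attestation certificates the relying party accepts."""
    cert = parse_registration(raw)["attestation_cert"]
    return approved is None or cert_fingerprint(cert) in approved

# Constructed sample: filler bytes shaped like a registration response, not a real device.
SAMPLE_CERT = b"\x30\x82\x01\x2c" + bytes(300)
SAMPLE_REG = (b"\x05" + b"\x04" + bytes(64) + bytes([16]) + b"K" * 16
              + SAMPLE_CERT + b"\x30\x06\x02\x01\x01\x02\x01\x01")

if __name__ == "__main__":
    print(device_allowed(SAMPLE_REG))                                   # open policy
    print(device_allowed(SAMPLE_REG, {cert_fingerprint(SAMPLE_CERT)}))  # approved vendor
    print(device_allowed(SAMPLE_REG, {"0" * 64}))                       # unapproved vendor
```

A fingerprint match is only meaningful after the registration signature has been checked against the public key in that certificate, which is the job of the validation server or library mentioned above.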
