HeadSpin has a wide range of security-oriented features, including bare-metal devices, on-premises deployments, CYOL, SOC 2 certification, HS Tunnel (SOCKS5-based) support, and more. Recently, we introduced a new feature called the "Data LifeCycle Policy" API, which automatically deletes unused test data from devices under test according to a configured corporate policy. The demand for robust and flexible security features keeps growing because remote work became widespread in the wake of the COVID outbreak, increasing the risk of information leaks through unauthorized access. Release cycles are also getting shorter, and the content under test is more diverse. Today there is an ever-increasing need to handle various kinds of sensitive information safely and in a timely manner during the testing phase.
Some examples of sensitive information used in testing are as follows:
- Pre-release apps and contents
- Copyrighted materials such as video and audio of games before release
- Access credentials to CI/CD or other external systems
- PII data related to human health
- Financial information such as credit card information
- Authentication tokens cached in the browser
- Applications built for debugging that support deep linking
Confidential information is not limited to the above. So, what measures can you take to reduce the risk of this confidential information leaking to the outside world? One answer is to introduce single sign-on (SSO).
HeadSpin supports modern authentication protocols such as OAuth/OIDC and SAML. Using these protocols, you can delegate the authentication process to a third-party identity service. As a result, not only can you centrally monitor access logs for the HeadSpin platform, but you can also enforce high-assurance multi-factor authentication to protect your data. Note also that having SSO in place keeps your architecture simple, reducing the risk of blind spots in complex or isolated systems and thus improving the organization's overall security (*1).
This blog will show you the procedure for configuring authentication and authorization with Okta as the IdP (Identity Provider), along with some key benefits of the HeadSpin and Okta integration.
Effective use of IAM to prevent data breaches in testing and automation
In this video, we reviewed the procedure for configuring SSO with Okta as the IdP and introduced some benefits of using Okta together with HeadSpin, including auto-configuration, assignment and removal of multiple roles, enabling Okta MFA (FIDO2/WebAuthn), and centralized access logging. The following article will cover integrating HeadSpin with Azure Active Directory to achieve SSO, along with benefits unique to the Azure integration.
(*1) According to the 2021 IBM/Ponemon report, system complexity and compliance failures were the top factors that amplified data breach costs. The average time for respondents to identify and contain a breach was 287 days.
FAQs
1. What are the three parts of IAM?
IAM systems primarily comprise three critical tasks: identify, authenticate, and authorize. In practice, this means the right people must be identified, must present proper credentials so their identity can be authenticated, and only after proper verification should they be granted access to computers, hardware, software applications, and other IT resources, or be allowed to execute specific tasks.
2. What is an active directory in IAM?
Microsoft has developed Active Directory (AD) as a user-identity directory service for Windows domain networks. Despite being proprietary, AD is included in the Windows Server operating system and is therefore extensively deployed.
3. What is federated identity management (FIM)?
FIM, also known as federated SSO, establishes a trust relationship between different organizations and third parties such as application vendors or partners, enabling them to share identities and authenticate users across domains. When two domains are federated, a user can authenticate to one domain and then access resources in the other domain without performing a separate login.
4. What is dynamic authorization?
Dynamic authorization controls who has access to which data and actions in your SaaS, mobile, web, and enterprise applications. It provides fine-grained access control based on real-time context about the user and the resource they are accessing.