Alibaba Cloud Identity as a Service (IDaaS) is an identity management service developed by the Alibaba Cloud security team. IDaaS is designed to manage identities with a security-first approach.
Design Concept: In scenarios where trade-offs must be made between availability and security, IDaaS prioritizes security while still affording users ease of use. Due to the varying security requirements of each industry, we cannot guarantee that the default configuration complies with security standards across the board. Instead of absolute security, IDaaS aims to provide relatively comprehensive out-of-the-box security coverage.
Enterprise identity management system is essential for protecting information security, making it an attractive target for hackers. We strive to provide secure, trusted, and reliable identity management services.
Example 1: Two-factor authentication is enabled by default.
Due to the ease of use and implementation of password-based systems, many applications still rely on passwords as a main authentication method.
Two-factor authentication (2FA) adds an extra layer of security for applications that use the password authentication method. To pass 2FA, in addition to your logon credentials, you must also provide a key that is sent to you via an SMS message or email.
To ensure the security of enterprise accounts, 2FA is enabled by default. All users must complete 2FA to verify their identity before they can access applications.
This way, applications that use single sign-on (SSO) are protected with IDaaS 2FA.
Intelligent mode
To reduce the hassle of repetitive 2FA for multiple logons, intelligent mode is enabled by default. In intelligent mode, IDaaS determines whether 2FA is required based on the device environment and account status.
Intelligent mode allows IDaaS to ensure the security of your applications without complicating its use. Under normal circumstances, a valid 2FA will provide access to an application for a few days.
Example 2: IDaaS controls the risks of console operations.
Administrators have more permissions than regular users, and the theft of administrator accounts has the potential to cause more damage. To ensure access control and operational compliance, owners must verify sensitive operations performed by sub-administrators if the operations may have a large impact.
IDaaS manages administrator operations. Based on a risk control system that Alibaba Cloud has developed over the years, IDaaS determines the risk level based on the device environment and account status of the current administrator. If the risk of an operation exceeds the threshold, risk control verification is triggered, and the operator must complete 2FA by providing the key delivered to the mobile number bound to the Alibaba Cloud account.
IDaaS monitors risk levels for the following operations on access, development, and sensitive data scenarios.
Deleting an instance
Deleting multiple accounts at a time
Deleting an application
Rotating keys
Other operations
Example 3: IDaaS requires manual authorization for applications by default.
IDaaS also provides centralized permission management for better enterprise identity management. If all applications are accessed by using IDaaS for SSO, the access permissions can be assigned easily by using IDaaS.
By default, IDaaS requires permissions to be manually granted for all applications.
After an application is created, users are unable to access the application until the administrator sets the authorization scope. Application permissions must be granted based on the principle of least privilege so users only have the permissions required to perform their jobs.
Example 4: IDaaS enforces a strong password policy.
A password policy is implemented when users log on to a system by using passwords.
By default, IDaaS supports password authentication. To ensure logon security, we recommend default security configurations when you initialize an instance.
By default, we enforce a strong password policy to ensure the security of your business. The following password policy is enforced by default.
The password must be at least 10 characters.
The password must contain at least one uppercase letter.
The password must contain at least one lowercase letter.
The password must contain at least one digit.
The password must contain at least one special character.
The password must not contain the account name.
You can adjust this policy to meet your business requirements and high security requirements.
Example 5: IDaaS implements request signature and encryption by default
When a cross-origin request is transmitted across the Internet, the security of the request cannot be guaranteed even if an HTTPS connection is used.
For end-to-end security, IDaaS uses HTTPS globally and provides a signature layer and an encryption layer at the business level. They are enabled by default.
Signature layer: When a cross-origin request is transmitted, the request content is signed by using a private key. To ensure that the message is not tampered with during transmission, the recipient verifies the message by using a public key. This measure is used in some SSO scenarios and outbound account synchronization scenarios.
Encryption layer: For end-to-end encryption and decryption, data is encrypted by default before it is synchronized. In addition, password information is not synchronized by default to prevent accidents that result in information leakage. In the future, SAML SSO will be supported to ensure all processes are encrypted, to meet the high level of security required by the finance industry and public services.