The Internet is ablaze with reports of a major security lapse in the access controls for Google Webmaster Tools. According to multiple reports, users who had previously had access to accounts and websites but subsequently had that access revoked found themselves again able to access tools like Google Analytics for websites they were no longer associated with. Most of the reports involve reinstated access for users who had previously managed the sites, such as former employees or contractors. The access granted in error could allow a malicious actor to redirect traffic, drop pages from the site index, remove sitemaps, and even change the access permissions for legitimate users of the accounts. The event provides valuable lessons on identity management and access control in the cloud.Google insists the glitch has been fixed and that they are investigating the issue, according to the following statement on the incident:
"For several hours yesterday a small set of Webmaster Tools accounts were incorrectly re-verified for people who previously had access. We’ve reverted these accounts and are investigating ways to prevent this issue from recurring."
So what happened? Darren Platt, CTO of identity and access management provider Symplified explains that this incident highlights the issue of 'identity silos' that companies often create when they use cloud services and the redundant user information stores that are maintained by each of the sites that a user accesses.
"In enterprise IT architectures, we have learned - sometimes with considerable pain - that redundant data eventually goes out of sync. In this case, companies were managing user accounts for their web master tools within Google's infrastructure - separately from centralized user management processes that secure their other applications. What happened here was Google made decisions about a given enterprise's users without all of the knowledge the enterprise has about the user," Platt said in an emailed statement.
Platt says that identity federation technologies have been developed over the last few years to address the identity silo issue, as well as other potential problems that are inherent with the cloud computing and Bring Your Own Device (BYOD) trends. Platt says access control standards such as SAML, OpenID, and OAuth should be used to create a more secure cloud computing environment that enables identity information to flow more freely, and will help in preventing events such as that experienced by Google Webmaster users.
"These standards empower an enterprise to extend control of their existing security investments - including directories, user management, and strong authentication - out to cloud, SaaS and other third party applications," Platt said.
In the case of Google, if a company had being using SAML to authenticate users to the WebMaster Tools service, they would have been able to prevent the old administrative accounts from regaining access.
"Using the SAML protocol Google would have sent the user back to their employer for authentication. Since the company knows the user no longer works there, they would have instructed Google not to allow that person access," Platt explained. "In this way the company remains the authoritative source for users that access a service, instead of allowing Google to authenticate users and authorize account reset procedures unilaterally."
Platt notes that it is unfortunate that this event occurred at Google since they have been one of the leaders in the development and implementation of federation standards. He believes it is likely that Google had only given its customers the option to turn on SAML for their web master tools administrators. Google provides this and other capabilities for end users, as Platt points out that enterprises, for example, can enable single sign on for their employees from the corporate network to Google Docs.
"The biggest challenge right now with the exploding use of cloud/SaaS services among enterprises is raising awareness of these identity and access management issues. Hopefully this incident will force companies to look for ways to prevent these problems from happening to them," Platt said.