
Identity as a Service: IDaaS secure-by-default design

Last Updated: Jun 21, 2026

Alibaba Cloud IDaaS is an identity product developed by the Alibaba Cloud security team, built on a secure-by-default philosophy.

Secure-by-default design philosophy

When balancing usability and security, Alibaba Cloud IDaaS prioritizes security while maximizing ease of use. Although security requirements vary across industries, we do not claim that the default configuration of Alibaba Cloud IDaaS meets every industry standard or guarantees absolute security. Instead, our goal is to provide the most comprehensive security possible, right out of the box.

Security is a lifeline. An enterprise identity system is a core component of information security and a primary target for external attacks. We are committed to providing a secure, trusted, and reliable identity service that adheres to high standards.

Example 1: Two-factor authentication by default

While passwords have inherent security risks, they remain a primary authentication method for many applications due to their convenience and ease of implementation. Two-factor authentication (2FA) is the most direct way to secure password-based logins. After a user logs in with a password, they must complete an additional verification step, such as entering a code from an SMS message or email, to access the service. To protect enterprise accounts, every Alibaba Cloud IDaaS instance has two-factor authentication enabled by default. All accounts must complete 2FA to verify their identity before accessing an application. As a result, all applications integrated with Alibaba Cloud IDaaS single sign-on (SSO) are immediately protected by 2FA.

Advanced: Intelligent mode

To avoid the inconvenience of repeated 2FA across multiple logins, Alibaba Cloud IDaaS also enables intelligent mode by default. Intelligent mode assesses the current device environment and account status to determine whether 2FA is required for a given login.

During normal work activities, you may not need to perform 2FA for several days. This is how Alibaba Cloud IDaaS balances security with a user-friendly login experience.

Example 2: Risk control for console operations

Administrators have significantly more permissions than regular users. If an administrator account is compromised, the potential for malicious activity and negative impact is much higher. When a sub-administrator performs high-impact, sensitive operations, a designated supervisor should confirm the actions to ensure the situation remains controllable and compliant with internal processes.

For critical administrative operations, Alibaba Cloud IDaaS uses a risk control system, developed over years of experience at Alibaba Cloud, to evaluate the account status and access environment of the administrator. If the operational risk exceeds a predefined threshold, a risk control check is triggered. The user must then complete 2FA by using the phone number associated with the Alibaba Cloud account.

Alibaba Cloud IDaaS includes built-in risk control checks for the following operations, covering the most sensitive scenarios related to access, development, and data:

  • Deleting an instance

  • Deleting multiple accounts at a time

  • Deleting an application

  • Key rotation

  • ...and more than ten other operations

Example 3: Default manual application authorization

Beyond the convenience and security of single sign-on (SSO), a core value of using Alibaba Cloud IDaaS for enterprise identity management is centralized permission control. When all access is managed through Alibaba Cloud IDaaS SSO, you can centrally manage application access.

By default, Alibaba Cloud IDaaS requires all applications to be authorized manually.

When manual authorization is in effect, an administrator must explicitly assign permissions in the application's authorization settings before any user can access the application.

A newly created application remains inaccessible until an administrator explicitly defines its authorization scope. This enforces the principle of least privilege and prevents granting unnecessary application permissions.

Example 4: Secure password policy

When password-based login is necessary, a strong password policy becomes essential. Alibaba Cloud IDaaS supports password login by default. To ensure a baseline of security, we provide a set of recommended security settings as the default configuration for a new instance.

By default, the minimum password length is 10 characters. Additional complexity options, which are not enabled by default, include disallowing passwords that contain the display name or its pinyin, the phone number, or the email prefix.

We enable a strong default complexity configuration to promote high standards for identity security. The default requirements are:

  • Must contain an uppercase letter

  • Must contain a lowercase letter

  • Must contain a number

  • Must contain a special character

  • Cannot contain the account name

You can adjust this policy to balance your business requirements with security needs.
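As an added illustration, not code from Alibaba Cloud IDaaS, the default policy listed above together with the optional checks described two paragraphs earlier, implemented as a validator in Go. The struct and field names, the UserAttributes record, and the assumption that pinyin spellings of the display name are supplied by the caller are this example's own; it returns every violated rule rather than stopping at the first, so a user sees the complete list.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// PasswordPolicy models the rules described on this page; the field names are this
// example's own, not IDaaS configuration keys.
type PasswordPolicy struct {
	MinLength         int
	RequireUpper      bool
	RequireLower      bool
	RequireDigit      bool
	RequireSpecial    bool
	ForbidAccountName bool
	// Optional checks, off in the default configuration.
	ForbidDisplayName bool
	ForbidPhone       bool
	ForbidEmailPrefix bool
}

// DefaultPolicy returns the page's defaults: at least 10 characters, all four
// character classes, and no account name.
func DefaultPolicy() PasswordPolicy {
	return PasswordPolicy{MinLength: 10, RequireUpper: true, RequireLower: true,
		RequireDigit: true, RequireSpecial: true, ForbidAccountName: true}
}

// UserAttributes holds the fields a password may be checked against. Pinyin spellings
// of the display name are supplied by the caller (assumption: no pinyin conversion here).
type UserAttributes struct {
	AccountName  string
	DisplayNames []string
	Phone        string
	Email        string
}

// containsFold reports whether pw contains s ignoring case; an empty s never matches.
func containsFold(pw, s string) bool {
	return s != "" && strings.Contains(strings.ToLower(pw), strings.ToLower(s))
}

// Validate returns every rule the password violates; empty means acceptable. All
// violations are collected so the user sees the full list at once.
func (p PasswordPolicy) Validate(pw string, u UserAttributes) []string {
	var violations []string
	if len([]rune(pw)) < p.MinLength {
		violations = append(violations, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	// Each rule: whether it is enabled, whether the password satisfies it, and the message if not.
	for _, c := range []struct {
		need, ok bool
		msg      string
	}{
		{p.RequireUpper, upper, "missing an uppercase letter"},
		{p.RequireLower, lower, "missing a lowercase letter"},
		{p.RequireDigit, digit, "missing a number"},
		{p.RequireSpecial, special, "missing a special character"},
		{p.ForbidAccountName, !containsFold(pw, u.AccountName), "contains the account name"},
		{p.ForbidPhone, !containsFold(pw, u.Phone), "contains the phone number"},
		{p.ForbidEmailPrefix, !containsFold(pw, strings.SplitN(u.Email, "@", 2)[0]), "contains the email prefix"},
	} {
		if c.need && !c.ok {
			violations = append(violations, c.msg)
		}
	}
	if p.ForbidDisplayName {
		for _, name := range u.DisplayNames {
			if containsFold(pw, name) {
				violations = append(violations, "contains the display name or its pinyin")
				break
			}
		}
	}
	return violations
}

func main() {
	// Constructed sample user, not real data.
	user := UserAttributes{AccountName: "alice", DisplayNames: []string{"Alice Wang", "wangxiaoming"},
		Phone: "13800000000", Email: "alice.w@example.com"}
	for _, pw := range []string{"Str0ng!Passphrase", "alicePass1!", "short"} {
		fmt.Printf("%q -> %v\n", pw, DefaultPolicy().Validate(pw, user))
	}
}
```

Every comparison is case-insensitive, because a policy that forbids the account name should also reject it capitalized; the optional checks are evaluated only when switched on, matching the page's statement that they are off by default.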

Example 5: Signatures and encryption by default

Even with HTTPS, the security of cross-origin requests during network transmission is not guaranteed. HTTPS protects each hop between a client and a server, but a cross-origin request passes through the user's browser and any intermediaries on the way, so transport encryption alone cannot assure the receiving party that the content arrived unmodified or stayed confidential end to end.

To achieve true end-to-end protection, Alibaba Cloud IDaaS provides a business-level signature layer and encryption layer in addition to global HTTPS. These layers are enabled by default.

  • Signature layer: When a cross-origin request is made, its content is signed with a private key. The recipient can then use the corresponding public key to verify the message, ensuring it was not tampered with in transit. This is used in certain SSO scenarios and for outbound account synchronization.

  • Encryption layer: This layer supports end-to-end encryption and decryption for synchronized information. By default, data is encrypted before synchronization, and passwords are not synchronized to prevent accidental data leaks. In the future, full-process encryption for SAML SSO will be supported to meet the high-level security requirements of financial and government services.

The encryption layer provides the following configuration options: Enable encryption, Encryption/decryption key, and Synchronize passwords. The encryption/decryption key is an AES-256 key in hex-encoded format, which means 64 hexadecimal characters representing the 32-byte key; a value of any other length is not a valid AES-256 key. You can enter a key manually or click Generate Key to have Alibaba Cloud IDaaS generate one.
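The two layers described above, applied to an outbound account synchronization record, as an added example in Go that is not Alibaba Cloud IDaaS code. The key is parsed from the hex form the page describes and checked for the 32-byte length, the record is encrypted with AES-256 (GCM mode is this example's choice; the page does not state the mode), the ciphertext is signed with the sender's private key (Ed25519 is assumed here; the page does not name the signature algorithm), and the recipient verifies the signature with the public key before decrypting. The Account record, the function names, and the constructed key are this example's own; it also reproduces the default of leaving passwords out of the synchronized data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ConstructedKeyHex is a constructed 32-byte (64 hex characters) AES-256 key for this example only.
const ConstructedKeyHex = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"

// Account is a constructed synchronization record, not an IDaaS schema.
type Account struct {
	Username string `json:"username"`
	Email    string `json:"email"`
	Password string `json:"password,omitempty"`
}

// ParseHexKey decodes the hex form and rejects anything but the 32 bytes AES-256 requires.
func ParseHexKey(h string) ([]byte, error) {
	key, err := hex.DecodeString(h)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 key must be 32 bytes, got %d", len(key))
	}
	return key, nil
}

// newGCM builds the AES-256-GCM AEAD; GCM is this example's choice of mode.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectForSync prepares an outbound record: drop the password unless syncPasswords is set,
// encrypt the JSON (random nonce prepended), then sign the ciphertext with the sender's private key.
func ProtectForSync(priv ed25519.PrivateKey, key []byte, a Account, syncPasswords bool) (sealed, sig []byte, err error) {
	if !syncPasswords {
		a.Password = ""
	}
	plain, err := json.Marshal(a)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	sealed = gcm.Seal(nonce, nonce, plain, nil)
	return sealed, ed25519.Sign(priv, sealed), nil
}

// ReceiveSync is the recipient side: verify with the sender's public key first, so a tampered
// message is rejected before decryption; GCM's authentication tag then catches any remaining damage.
func ReceiveSync(pub ed25519.PublicKey, key, sealed, sig []byte) (Account, error) {
	var a Account
	if !ed25519.Verify(pub, sealed, sig) {
		return a, errors.New("signature verification failed: tampered message or wrong sender key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return a, err
	}
	if len(sealed) < gcm.NonceSize() {
		return a, errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return a, err
	}
	err = json.Unmarshal(plain, &a)
	return a, err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	key, _ := ParseHexKey(ConstructedKeyHex)
	sealed, sig, _ := ProtectForSync(priv, key, Account{Username: "alice", Email: "alice@example.com", Password: "hunter2"}, false)
	got, err := ReceiveSync(pub, key, sealed, sig)
	fmt.Printf("received %+v err=%v\n", got, err) // Password is empty: not synchronized by default
	sealed[len(sealed)-1] ^= 1
	_, err = ReceiveSync(pub, key, sealed, sig)
	fmt.Println("after tampering:", err)
}
```

Signing the ciphertext rather than the plaintext means the recipient can discard a forged or altered message without ever touching the decryption key, and flipping a single byte of the sealed payload is enough to make verification fail.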