Token Time: Proactive OAuth Management for Blue Teams
The OAuth protocol has become a mainstay for integrating cloud applications in modern enterprises. This integration often takes the form of an authorization dialogue that allows a user to grant one piece of software persistent access to another. Once that authorization is granted, the connected software can be greatly enhanced by the additional insights provided by the interconnected systems.
But this added value comes at a cost that is not often understood by the user. There is therefore valid concern that standard users are not properly equipped to make good decisions about which software should be integrated in the enterprise context. There are options for the blue team, however. Understanding the true impact of OAuth on enterprise business applications will allow defenders to make proactive choices that protect a company and its users from unnecessary risk, while still allowing the critical integrations that put enterprise data to maximum benefit.
In this talk, I will explain in more detail the underlying fundamentals of how an OAuth integration works at enterprise scale. I will also discuss the technical and legal ramifications of allowing users to make these decisions for themselves. Finally, I will go in depth across a number of critical enterprise products, including Google, Salesforce, Microsoft, and more, with comparative research that details how OAuth functions within each of these platforms, and best practices for the blue team to proactively mitigate the risks that OAuth integrations can represent. You will leave this talk with actionable advice on how to secure the platforms covered, and an understanding of how to assess OAuth on platforms not included in this research.