How to Comply with ISO 27000 Using WSO2 Identity Server
- Dinali Dabarera
- Senior Solutions Engineer - WSO2
The ISO/IEC 27000 family of standards for information technology is a series of security techniques that can improve the overall information security of an organization. The standard defines requirements for your information security management system (ISMS). In short, if your organization is compliant with ISO 27000, your personal data and business-sensitive data are in safe hands.
Here are a few information security controls that you can implement with WSO2 Identity Server to protect personal data and for overall information security risk management.
Multi-Factor Authentication of WSO2 Identity Server Enables Compliance with ISO 27000 - 9. Access Control
Relying only on one authentication factor puts your information security at risk with a single point of failure. If your knowledge, device, or biometric pattern is compromised, anyone who has it can impersonate the user, leading to a significant data breach. By using two-factor authentication, you create an additional layer of protection against anyone seeking unauthorized access, because even if one factor is compromised, your information assets remain protected unless the second factor is also exposed.
| Security controls of ISO 27000 | Rationale |
|---|---|
| 9.1.1 Access Policy Control; 9.4 System and application access control; 9.4.1 Information access restrictions; 9.4.2 Secure log-on procedures | ● The need for two-factor authentication will vary with the business requirement. Based on the requirement, Role-Based Access Control and Attribute-Based Access Control can be achieved with WSO2 CIAM, Multi-Factor Authentication, and Adaptive Authentication. ● Adaptive Authentication provides dynamic control over the authentication flow to provide more security in a user-friendly manner. ● The solution's Adaptive Authentication can connect with an Open Policy Agent (OPA) or Analytics Server and control access based on the decisions returned. |
https://is.docs.wso2.com/en/5.11.0/learn/adaptive-authentication/
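As an added example (not code from the WSO2 documentation), the following adaptive authentication script steps up to a second factor for privileged roles or logins from outside a trusted network. The decision helper is plain JavaScript so it can be tested outside the server; the `executeStep`, `hasRole`, `context.currentKnownSubject` and `context.request.ip` calls are assumed to behave as described in the IS 5.x adaptive authentication docs, and the role names and network range are constructed.

```javascript
// Added example (not WSO2 code): risk-based step-up for an adaptive authentication script.
// requiredSteps() is plain JavaScript so it can be unit-tested outside the server; onLoginRequest
// wires it to the adaptive-auth script API (executeStep, hasRole, context.*), assumed per IS 5.x docs.

// Constructed policy inputs: these roles always get a second factor, and so does
// any login from outside the (assumed) corporate network 10.0.0.0/8.
var PRIVILEGED_ROLES = ['admin', 'finance-approver'];
var TRUSTED_NETWORK = { base: '10.0.0.0', prefix: 8 };

// Dotted-quad IPv4 to integer; -1 for anything that is not a well-formed address.
function ipToInt(ip) {
  var parts = String(ip).split('.');
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return -1;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// An unparsable address is treated as untrusted, so the policy fails closed (step-up).
function inTrustedNetwork(ip) {
  var addr = ipToInt(ip), base = ipToInt(TRUSTED_NETWORK.base);
  if (addr < 0 || base < 0) return false;
  var block = Math.pow(2, 32 - TRUSTED_NETWORK.prefix);
  return Math.floor(addr / block) === Math.floor(base / block);
}

// Steps to run for this login: [1] = password only, [1, 2] = password plus second factor.
function requiredSteps(roles, ip) {
  var privileged = roles.some(function (r) { return PRIVILEGED_ROLES.indexOf(r) !== -1; });
  return (privileged || !inTrustedNetwork(ip)) ? [1, 2] : [1];
}

// Adaptive authentication script entry point (runs only inside WSO2 Identity Server).
var onLoginRequest = function (context) {
  executeStep(1, {
    onSuccess: function (context) {
      var user = context.currentKnownSubject;
      var roles = PRIVILEGED_ROLES.filter(function (r) { return hasRole(user, r); });
      if (requiredSteps(roles, context.request.ip).length > 1) {
        executeStep(2); // second factor (e.g. TOTP) configured as step 2 of the application
      }
    }
  });
};
```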
Identity Provisioning and Deprovisioning of WSO2 Identity Server Enables Compliance with ISO 27000 - 9. Access Control
Users can be provisioned or registered to WSO2 Identity Server in three ways.
- Users can self-register
- The administrator can invite users to register
- Users can be provisioned just-in-time during federation
The provisioning and de-provisioning in WSO2 Identity Server can be controlled by enforcing policies or changing permission levels required to achieve each task.
To enforce policies during provisioning and deprovisioning in WSO2 Identity Server:
- WSO2 Identity Server ships with an inbuilt XACML engine to enforce XACML policies, achieving Rule-Based Access Control or Role-Based Access Control during provisioning/registration or deprovisioning
- Provisioning patterns can be configured in WSO2 Identity Server to provision users outbound to third-party systems
- WSO2 Identity Server ships with an inbuilt workflow engine to activate a workflow during provisioning and deprovisioning. This will control the provisioning and deprovisioning by an approval process (multi-step or uni-step approvals)
| Security controls of ISO 27000 | Rationale |
|---|---|
| 9.2 Responsibilities for assets; 9.2.1 User registration and de-registration; 9.2.2 User access provisioning | ● Controlling the provisioning of identities depends on the business requirement. WSO2 Identity Server enables organizations to customize the existing features to achieve this requirement via extension points. ● Provisioning and deprovisioning of users and groups can be controlled through XACML policies and workflows |
Reference: https://is.docs.wso2.com/en/latest/learn/identity-provisioning/
Password/Tokens/Secret Management of WSO2 Identity Server Enables Compliance with ISO 27000 - 9. Access Control
Password Management
There are several ways to change a password using WSO2 Identity Server:
- Reset password or forgot password
- Reset password through challenge questions
- An administrator forcefully resets a user's password in a critical situation
- The user has to reset the password periodically and cannot reuse the same password
- The password policy authenticator prompts the user periodically to reset the password and does not allow reusing of passwords
To secure users' passwords:
- User passwords are stored as a salted hash in the WSO2 Identity Server schemas.
- Store credentials in a vault - WSO2 Identity Server can be easily integrated with one of the most popular secret management systems, HashiCorp Vault
- Use password policy authenticator to maintain a history of passwords and to periodically reset passwords while notifying users.
- Complex password policies and patterns can be configured in WSO2 Identity Server.
To secure WSO2 Identity Server passwords in files:
The plaintext passwords in configuration files can be encrypted using the secure vault implementation built into WSO2 Identity Server, so outside parties never see the plaintext password. The keystore password and private key password of the product's primary keystore serve as the root passwords for the secure vault, because the keystore passwords are needed to initialize the values encrypted by the secret manager in the secret repository. The secret callback handler is therefore used to resolve these passwords.
| Security controls of ISO 27000 | Rationale |
|---|---|
| 9.4.3 Password management system | ● Passwords can be encrypted or hashed with a salt as per requirement ● Passwords can be changed regularly under complex policies |
Best Practices:
- Encrypt the passwords in configuration files of WSO2 Identity Server via the cipher tool: https://is.docs.wso2.com/en/latest/setup/encrypting-passwords-with-cipher-tool/
- Enable password policy authenticator for password history and password expiry
- Use a strong secret management system such as HashiCorp Vault
Reference: https://is.docs.wso2.com/en/latest/setup/maintaining-logins-and-passwords/
Tokens and Secret Management
Best practices:
- Symmetric or asymmetric encryption can be used to encrypt and store access tokens and client secrets in WSO2 Identity Server. Symmetric encryption is used by default: https://is.docs.wso2.com/en/latest/administer/symmetric-overview/
- OAuth 2.0 tokens can be hashed if encryption is not needed: https://is.docs.wso2.com/en/5.11.0/learn/setting-up-oauth-token-hashing/
- Encrypt ID tokens: https://is.docs.wso2.com/en/latest/learn/testing-oidc-encrypted-id-token-with-is/#enable-id-token-encryption
Key Management Features of WSO2 Identity Server Enable Compliance with ISO 27000 - 10.1 Cryptographic Control
Best Practices:
Two keystores can be maintained:
- Internal keystore - used for encrypting/decrypting internal data. By default, the primary keystore is used as the internal keystore. The key rotation of the internal keystore can have a longer period compared to TLS keystores.
- TLS Keystore - used for TLS communication. By default, the primary keystore is used as the TLS keystore. Key rotation of TLS key stores can be done frequently as these keys are exposed to outside systems more frequently.
| Security controls of ISO 27000 | Rationale |
|---|---|
| 10.1 Cryptographic Controls; 10.1.1 Policy on the use of cryptographic controls; 10.1.2 Key Management | ● Tokens and secrets can be symmetrically encrypted (faster than asymmetric encryption and industry-standard) with the internal keystore ● Separate keystores can be used for internal and TLS communications, with frequent key rotation |
Auditing and Logging Capabilities of WSO2 Identity Server Enable Compliance with ISO 27000 - 12.4 Logging and Monitoring
The following logs can be monitored through WSO2 Identity Server:
- Audit logs
- Access Logs
- DEBUG/WARN/ERROR Logs
WSO2 Identity Server supports logging capabilities for tracking down latencies due to database calls. See Working with Product Observability for instructions on how to configure and use this capability.
Digital evidence such as events and logs can be published to any popular SIEM for further analysis, for example through the Splunk integration.
WSO2 Identity Server ships with its own Analytics Server to view login and session analytics in a dashboard. Dashboard details can be downloaded in a PDF format.
Best Practices:
- Manage the growth of carbon logs using a rollover mechanism
- Make claim logs available in audit logs to display more user information when auditing. This can be customized as per requirement: https://is.docs.wso2.com/en/latest/setup/logging-claims-in-audit-logs/
Reference: https://is.docs.wso2.com/en/latest/setup/monitoring-logs/
| Security controls of ISO 27000 | Rationale |
|---|---|
| 12.4.1 Event logging; 12.4.2 Protection of log information; 12.4.3 Administrator and operator logs | ● The access logs of users, audit logs of all operations, and debug logs are recorded in separate files inside WSO2 Identity Server. These files can be hosted in a separate location for added security or analysis. ● This information can be published to any advanced SIEM for further analysis based on business requirements. ● WSO2 Identity Server analytics can be used to view user login and session statistics. |
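As an added example of the SIEM-side processing described above (not code from WSO2 or its documentation), this parses audit log lines into structured events and flags initiators with a burst of failed logins, the kind of rule a SIEM would apply before raising an alert. The `Initiator | Action | Target | Data | Result` field layout is assumed from IS 5.x audit logs, and the sample lines are constructed.

```javascript
// Added example (not WSO2 code): parse WSO2 Identity Server audit.log lines into structured
// events and flag repeated login failures per initiator, as a SIEM correlation rule would.
// The "Initiator | Action | Target | Data | Result" layout is assumed from IS 5.x audit logs;
// the sample lines below are constructed, not taken from a real deployment.
var SAMPLE_AUDIT_LOG = [
  '[2021-03-17 10:01:02,123]  INFO {AUDIT_LOG} -  Initiator : alice | Action : Login | Target : alice | Data : {"RemoteAddress":"10.1.2.3"} | Result : Success',
  '[2021-03-17 10:02:10,456]  INFO {AUDIT_LOG} -  Initiator : bob | Action : Login | Target : bob | Data : {"RemoteAddress":"203.0.113.7"} | Result : Failed',
  '[2021-03-17 10:02:12,789]  INFO {AUDIT_LOG} -  Initiator : bob | Action : Login | Target : bob | Data : {"RemoteAddress":"203.0.113.7"} | Result : Failed',
  '[2021-03-17 10:02:15,001]  INFO {AUDIT_LOG} -  Initiator : bob | Action : Login | Target : bob | Data : {"RemoteAddress":"203.0.113.7"} | Result : Failed',
  '[2021-03-17 10:05:00,000]  INFO {AUDIT_LOG} -  Initiator : admin | Action : Delete User | Target : carol | Data : {} | Result : Success'
];

// Timestamp in brackets, level, the {AUDIT_LOG} marker, then the pipe-separated fields.
var LINE_RE = /^\[([^\]]+)\]\s+\w+\s+\{AUDIT_LOG\}\s+-\s+(.*)$/;

// Parse one line into {timestamp, initiator, action, target, data, result}; null if not an audit line.
function parseAuditLine(line) {
  var m = LINE_RE.exec(line);
  if (!m) return null;
  var event = { timestamp: m[1] };
  m[2].split(' | ').forEach(function (field) {
    var idx = field.indexOf(' : ');
    if (idx === -1) return;
    event[field.slice(0, idx).trim().toLowerCase()] = field.slice(idx + 3).trim();
  });
  if (event.data) {
    try { event.data = JSON.parse(event.data); } catch (e) { /* keep the raw string if not JSON */ }
  }
  return event;
}

// Detection: initiators with at least `threshold` failed Login results in the given lines.
function failedLoginBursts(lines, threshold) {
  var counts = {};
  lines.map(parseAuditLine).forEach(function (ev) {
    if (ev && ev.action === 'Login' && ev.result === 'Failed') {
      counts[ev.initiator] = (counts[ev.initiator] || 0) + 1;
    }
  });
  return Object.keys(counts).filter(function (who) { return counts[who] >= threshold; });
}
```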
Consent Management Feature of WSO2 Identity Server Enables Compliance with ISO 27000 - 18. Compliance with Legal and Contractual Requirements
Information security management systems should adhere to the strictest security standards to ensure secure operation.
WSO2 Identity Server is designed based on privacy best practices and is fully compliant with GDPR. GDPR compliance in your IAM and API security spaces is feasible with WSO2 Identity Server.
Consent management refers to the practice of prompting, collecting, and managing user approval for collecting or sharing the user's personal information. Consent is defined as granting permission or agreement for a specified action to take place. When creating, storing, or sharing user information, WSO2 Identity Server prompts for user consent. Consents can be managed by the user via a portal.
WSO2 Identity Server supports the following:
● Privacy by design and privacy by default
● Consent identity management
● Consent lifecycle management
● Consent receipt specification
● Right to be forgotten
● Exercising individual rights
Learn more about compliance here: https://is.docs.wso2.com/en/latest/compliance/general-data-protection-regulation/
- Admin portal support for organizations to define and manage consent, data processing purposes, and user attributes per consent. For more information, see Managing Consent Purposes.
- Consent collection during single sign-on (SSO) before sharing the user attributes with external applications. For more information, see Consent Management with Single-Sign-On.
- Support for the Kantara consent receipt specification. For more information, see the Kantara Consent Receipt Specification.
WSO2 Identity Server is also compliant with eIDAS and CCPA.
| Security controls of ISO 27000 | Rationale |
|---|---|
| 18.1.4 Privacy and protection of personally identifiable information; 18.1.3 Protection of records; 18.1.5 Regulation of cryptographic controls; 18.2.1 Compliance with security policies and standards | ● WSO2 Identity Server acquires consent from the user to comply with GDPR standards. ● Supports the Kantara consent receipt specification ● Sensitive user information can be encrypted. WSO2 Identity Server can also encrypt all user information via a custom userstore if required by the business. ● WSO2 Identity Server can be customized to comply with any regulation based on business requirements. |
Other Security Techniques to Follow when Setting up a Production Deployment
- Enable HTTP Strict Transport Security headers (HSTS) - https://is.docs.wso2.com/en/latest/setup/enabling-hsts/
- Prevent browser caching if your applications contain sensitive information - https://is.docs.wso2.com/en/latest/setup/preventing-browser-caching/
- Enable transport-level security: https://is.docs.wso2.com/en/latest/setup/preventing-browser-caching/
- Enable Java Security Manager: https://is.docs.wso2.com/en/latest/setup/enabling-java-security-manager/
- Overall security guidelines when building up a WSO2 Identity Server solution in production to ensure maximum application security: https://is.docs.wso2.com/en/latest/administer/security-guidelines-for-production-deployment/
WSO2 Identity Server helps you secure your applications using the information technology security techniques recommended by ISO 27000.
Being ISO 27000 compliant means your data, be it in cloud services or in on-premises products, is secure.
About the Author
- Dinali Dabarera
- Senior Solutions Engineer
- WSO2
Dinali is a Senior Solutions Engineer in the security team at WSO2. She holds a bachelor's degree in Computer Engineering from the University of Peradeniya, Sri Lanka.