Felipe Victolla Silveira

Enhancing the Security of RIPE NCC Access - Recent and Upcoming Changes

Over the past few months, the RIPE NCC has been working on enhancing the security of RIPE NCC Access, the Single Sign-On (SSO) system for accessing our key services. In this article, I explain the recent enhancements we've implemented and provide an overview of forthcoming developments you can anticipate from us.


Why is enhancing the security of RIPE NCC Access important?

RIPE NCC Access serves as the Single Sign-On (SSO) gateway for accessing our most vital services for members. These services include the LIR Portal, where users can request transfers of their IPv4 resources, and the RPKI dashboard, where configuration changes can affect the visibility of BGP announcements. Unauthorised access to these services can result in technical disruptions (e.g., misconfigurations in RPKI can potentially render entire networks inaccessible from the Internet) and significant financial loss for members (given the high value of IPv4 resources).

Given this context, it is imperative that the RIPE NCC employs state-of-the-art technology to protect access to its services from unauthorised users. This involves maintaining a robust SSO architecture, offering modern Two-Factor Authentication (2FA) methods, and imposing stringent security requirements for accessing these accounts.

Overview of recent changes

At the beginning of 2023, RIPE NCC Access faced several significant challenges. The backend engine in use at that time, Atlassian Crowd, lacked support for modern 2FA methods such as FIDO2 keys, as well as for secure integration protocols such as SAML 2.0 and OIDC. This required extensive customisation within our home-grown layer, which was becoming outdated and burdened with technical debt.

Our ideal solution was either to fully outsource our Single Sign-On (SSO) system to a product like Auth0 or to adopt a more modern backend engine that met most of our requirements out-of-the-box. Ultimately, we chose Keycloak, an open-source Identity and Access Management (IAM) system that provided many of the required features without extensive customisation. We embarked on a full replatforming effort and deployed it on a modern container orchestration platform using cloud infrastructure (EKS in AWS). This project was completed in July 2023, marking a significant reduction in technical debt. However, there were still pending changes, including the migration of the 2FA code from our proprietary layer to Keycloak's native implementation and the integration with the remaining third-party tools needed to decommission our OIDC server.

Following security incidents involving RIPE NCC Access accounts earlier this year, the urgency to implement these changes increased, particularly the need to make 2FA mandatory. However, we were not yet technically prepared. Transitioning 2FA from our proprietary layer to Keycloak was necessary, as enabling mandatory 2FA in the former solution would have required substantial effort compared to the straightforward process in Keycloak. In essence, there was no easy solution, and the proper implementation required several weeks of work.

This critical step was successfully completed last month, when we switched to native Keycloak functionality to handle 2FA and enabled the mandatory option. This milestone significantly enhances the security of our members' accounts, safeguarding their resources and network accessibility.
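To make concrete what "enabling the mandatory option" means in Keycloak, here is an added example (not RIPE NCC code, and not a description of their actual configuration) that audits a realm export for mandatory OTP. Field names follow Keycloak's realm representation as I know it (`requiredActions`, `authenticationFlows`, `browserFlow`, `otpPolicy*`); the realm data is constructed, and the behaviour it relies on, that a REQUIRED OTP form prompts a user without an OTP credential to enrol, is Keycloak behaviour as I understand it. The point the check makes is that flipping the `CONFIGURE_TOTP` default action only affects newly created users; Keycloak's default browser flow still keeps the OTP form inside a CONDITIONAL sub-flow, so existing users who never enrolled are never challenged unless that sub-flow is also made REQUIRED.

```python
"""Audit a Keycloak realm export for mandatory OTP (TOTP) as a second factor.

Added example, not RIPE NCC code. Field names follow Keycloak's realm
export / admin REST representation as I know it; the realm below is constructed.
"""
import copy

# Constructed realm export, trimmed to the parts that govern 2FA. This mirrors
# Keycloak's default browser flow: the OTP form is REQUIRED, but only inside a
# CONDITIONAL sub-flow gated on "user has OTP configured", so users who never
# enrolled are never challenged.
DEFAULT_REALM = {
    "realm": "example",
    "browserFlow": "browser",
    "otpPolicyType": "totp",
    "otpPolicyAlgorithm": "HmacSHA1",
    "otpPolicyDigits": 6,
    "otpPolicyPeriod": 30,
    "requiredActions": [
        {"alias": "CONFIGURE_TOTP", "name": "Configure OTP",
         "enabled": True, "defaultAction": False},
        {"alias": "UPDATE_PASSWORD", "name": "Update Password",
         "enabled": True, "defaultAction": False},
    ],
    "authenticationFlows": [
        {"alias": "browser", "topLevel": True, "authenticationExecutions": [
            {"authenticator": "auth-cookie", "requirement": "ALTERNATIVE",
             "authenticatorFlow": False},
            {"flowAlias": "forms", "requirement": "ALTERNATIVE",
             "authenticatorFlow": True},
        ]},
        {"alias": "forms", "topLevel": False, "authenticationExecutions": [
            {"authenticator": "auth-username-password-form",
             "requirement": "REQUIRED", "authenticatorFlow": False},
            {"flowAlias": "Browser - Conditional OTP",
             "requirement": "CONDITIONAL", "authenticatorFlow": True},
        ]},
        {"alias": "Browser - Conditional OTP", "topLevel": False,
         "authenticationExecutions": [
            {"authenticator": "conditional-user-configured",
             "requirement": "REQUIRED", "authenticatorFlow": False},
            {"authenticator": "auth-otp-form", "requirement": "REQUIRED",
             "authenticatorFlow": False},
        ]},
    ],
}


def _flow(realm, alias):
    for flow in realm["authenticationFlows"]:
        if flow["alias"] == alias:
            return flow
    return None


def otp_form_paths(realm, alias=None, chain=()):
    """Yield the requirement chain from the browser flow down to each OTP form."""
    flow = _flow(realm, alias or realm["browserFlow"])
    if flow is None:
        return
    for ex in flow["authenticationExecutions"]:
        req = ex.get("requirement", "DISABLED")
        if ex.get("authenticatorFlow"):
            yield from otp_form_paths(realm, ex["flowAlias"], chain + (req,))
        elif ex.get("authenticator") == "auth-otp-form":
            yield chain + (req,)


def browser_flow_enforces_otp(realm):
    """True if an OTP form is reachable with no CONDITIONAL or DISABLED step.

    ALTERNATIVE steps are accepted because the default flow places the whole
    login form as an alternative to an already-established SSO cookie session.
    """
    return any(all(r in ("REQUIRED", "ALTERNATIVE") for r in path)
               for path in otp_form_paths(realm))


def audit_mandatory_2fa(realm):
    """Return a list of findings; an empty list means OTP is mandatory."""
    findings = []
    action = next((a for a in realm.get("requiredActions", [])
                   if a["alias"] == "CONFIGURE_TOTP"), None)
    if action is None or not action.get("enabled"):
        findings.append("CONFIGURE_TOTP required action missing or disabled")
    elif not action.get("defaultAction"):
        findings.append("CONFIGURE_TOTP is not a default action: new users are not forced to enrol")
    if not browser_flow_enforces_otp(realm):
        findings.append("browser flow only asks for OTP when the user already configured one")
    if realm.get("otpPolicyType") != "totp":
        findings.append(f"OTP policy type is {realm.get('otpPolicyType')!r}, expected 'totp'")
    if realm.get("otpPolicyDigits", 0) < 6:
        findings.append("OTP codes shorter than 6 digits")
    return findings


def enforce_2fa(realm):
    """Return a copy with both settings that make OTP mandatory for everyone."""
    fixed = copy.deepcopy(realm)
    for action in fixed["requiredActions"]:
        if action["alias"] == "CONFIGURE_TOTP":
            action["enabled"] = True          # new users must enrol on first login
            action["defaultAction"] = True
    for ex in _flow(fixed, "forms")["authenticationExecutions"]:
        if ex.get("flowAlias") == "Browser - Conditional OTP":
            ex["requirement"] = "REQUIRED"    # existing users are challenged too
    return fixed


if __name__ == "__main__":
    for name, realm in (("default", DEFAULT_REALM),
                        ("hardened", enforce_2fa(DEFAULT_REALM))):
        print(name, audit_mandatory_2fa(realm) or "2FA mandatory")
```

Run against a real export (`kc.sh export` or the admin REST API's realm representation) the same audit tells an administrator whether "mandatory 2FA" holds for every login, not only for accounts created after the switch.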

What’s next?

We have received a lot of feedback regarding RIPE NCC Access over the past couple of months, and I'd like to express my gratitude to everyone who shared their insights. Your feedback is invaluable to us and plays a crucial role in shaping our product strategy.

One of the most frequently requested features is the provision of different 2FA methods, such as FIDO2 keys and biometrics. We recognise that Time-based One-Time Password (TOTP) is an older technology that may not be ideal for everyone. Addressing this is our top priority, and we're working to offer a broader range of authentication methods very soon.

Some other suggestions have already been put into action. For example, we've implemented the ability for administrators to view which users have 2FA enabled. However, now that 2FA is mandatory, we may phase out this feature as it becomes redundant. Nonetheless, it has served its purpose by helping administrators secure their accounts while we worked on a more long-term solution.

Additional improvements include third-party integrations and the decommissioning of our proprietary OIDC server. We will also focus on enhancing the user experience and refactoring our existing codebase to reduce technical debt. We want to use more of Keycloak's native functionality instead of reinventing the wheel. In doing so, we can maintain a lean and efficient home-grown layer and operate everything on a modern infrastructure-as-code platform.

We would love to hear more from you. Please share comments, suggestions or ideas, either here in the comments section or to the RIPE NCC Services Working Group mailing list ncc-services@ripe.net. Our aim is to provide a very secure, simple to use platform to manage your RIPE NCC services.


About the author

I am the Chief Technology Officer (CTO) of the RIPE NCC, overseeing IT engineering, DNS, Internet measurement services—including RIPEstat, RIS and Atlas—and software development, which encompasses the RIPE Database, LIR Portal, and RPKI. I joined the RIPE NCC in 2012 as a Software Engineer and have since held various roles within the organization. I hold an MSc in Computer Science.
