By: Jerome Becquart, COO
I recently attended a cybersecurity conference and sat in on a presentation about the coming of age of cloud authentication solutions, and specifically the fact that these solutions are now mature and widely adopted.
One of the points made by the speaker was that cybersecurity professionals can assume all of the solutions discussed in the presentation were sound and secure. The thought sounded logical in the moment, but later that evening I realized how untrue this statement is in today’s world. We can no longer assume anything. We must verify everything.
Multi-factor authentication (MFA), now common across enterprises of all sizes, has hackers taking note and adapting accordingly. To give you a real-world example, consider the Russian attack on US elections, where reports confirm hackers were able to bypass MFA systems.
Another famous (or perhaps I should say infamous) example is the 2011 RSA hack. At the time, RSA was the MFA market leader and one of the biggest brands in cybersecurity, considered the safe choice for IT directors and CIOs. That said, in 2011 RSA’s authentication key vault, which stored customers’ OTP seeds, was breached, resulting in hundreds of thousands of RSA tokens having to be replaced.
More recently, another cybersecurity company, OneLogin, was breached, and I’m sure it’s not going to be the last. The point is that even cybersecurity companies are vulnerable to hackers.
An Arms Race: Hackers vs. Cybersecurity Professionals
There’s an "arms race" going on between the hackers and the cybersecurity professionals. As lines of defense improve, the bad guys look for the next weak link. And as MFA becomes prevalent, hackers are looking for ways to circumvent it.
Hackers tend to be driven by two factors: 1) how easy the target is to break into, and 2) what the reward is. If we are talking about hacking into a cloud service, the reward could be huge, especially if it is multi-tenant. One hack, many breaches.
If you are looking for a cybersecurity solution, you need to consider the following security precautions when selecting a cloud authentication solution:
1. Secure software development and deployment practices, from software development to code reviews to handling of proprietary information to vulnerability scanning to pen-testing.
2. Architecture of cloud solutions: the cloud solution is architected and compartmentalized to ensure that if one customer is compromised, the whole cloud isn’t compromised.
3. Access control to the cloud infrastructure: the right security controls are in place to prevent unauthorized users from gaining access to the cloud infrastructure, while all activity is securely audited.
4. Information security program: confirm that your service provider takes a proactive approach covering all aspects of information security.
5. Third-party compliance audits: don’t rely on the vendor to tell you its solution can be trusted. Ask what third-party certification it can provide.
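Points 2 and 3 above (compartmentalization so one compromised customer does not expose the whole cloud, and access control with auditing) are easiest to judge with a concrete design in hand, and the RSA incident mentioned earlier, a breached vault of OTP seeds, is exactly the kind of asset such a design protects. The following is an added illustration written for this post, not code from any vendor or product discussed here: a toy multi-tenant seed vault in which every tenant's seeds are wrapped under a wrapping key derived from a master key with HKDF (RFC 5869), every read is checked against the requesting tenant, and every attempt is recorded. The tenant names, the helper names, and the HMAC-based stream cipher (standing in for a real AEAD such as AES-GCM) are assumptions made for the example. The last function shows the property a buyer should ask about: a leaked per-tenant key unwraps that tenant's seeds and nobody else's.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple, List, Set


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256, built from the standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                    # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tenant_key(master_kek: bytes, tenant_id: str) -> bytes:
    # One wrapping key per tenant, derived from a master that never leaves the vault.
    return hkdf_sha256(master_kek, salt=b"otp-seed-vault-v1", info=tenant_id.encode())


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for an AEAD cipher (assumption for the example)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class WrappedSeed:
    tenant_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes            # HMAC over nonce || ciphertext under the tenant key


class SeedVault:
    """Compartmentalized store of OTP seeds (hypothetical design for illustration)."""

    def __init__(self, master_kek: bytes) -> None:
        self._master = master_kek
        self._store: Dict[Tuple[str, str], WrappedSeed] = {}
        self.audit_log: List[str] = []

    def store_seed(self, tenant_id: str, token_id: str, seed: bytes) -> None:
        key = tenant_key(self._master, tenant_id)
        nonce = secrets.token_bytes(16)
        ciphertext = keystream_xor(key, nonce, seed)
        tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        self._store[(tenant_id, token_id)] = WrappedSeed(tenant_id, nonce, ciphertext, tag)
        self.audit_log.append(f"STORE tenant={tenant_id} token={token_id}")

    def fetch_seed(self, requester_tenant: str, tenant_id: str, token_id: str) -> bytes:
        # Access control: a requester may only read its own tenant's seeds; denials are logged too.
        if requester_tenant != tenant_id:
            self.audit_log.append(f"DENY requester={requester_tenant} tenant={tenant_id} token={token_id}")
            raise PermissionError("cross-tenant access refused")
        record = self._store[(tenant_id, token_id)]
        key = tenant_key(self._master, tenant_id)
        expected = hmac.new(key, record.nonce + record.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, record.tag):
            raise ValueError("seed record failed integrity check")
        self.audit_log.append(f"READ tenant={tenant_id} token={token_id}")
        return keystream_xor(key, record.nonce, record.ciphertext)

    def export_tenant_key(self, tenant_id: str) -> bytes:
        # What a compromised per-tenant component would expose: that tenant's wrapping key only.
        return tenant_key(self._master, tenant_id)


def tenants_readable_with_key(vault: SeedVault, key: bytes) -> Set[str]:
    """Blast-radius check: which tenants' records verify under a single wrapping key."""
    readable: Set[str] = set()
    for (tenant_id, _token_id), record in vault._store.items():
        tag = hmac.new(key, record.nonce + record.ciphertext, hashlib.sha256).digest()
        if hmac.compare_digest(tag, record.tag):
            readable.add(tenant_id)
    return readable


if __name__ == "__main__":
    vault = SeedVault(secrets.token_bytes(32))
    vault.store_seed("acme", "tok-1", b"\x01" * 20)      # constructed sample seeds
    vault.store_seed("globex", "tok-7", b"\x02" * 20)
    print(vault.fetch_seed("acme", "acme", "tok-1") == b"\x01" * 20)
    print(tenants_readable_with_key(vault, vault.export_tenant_key("acme")))
    print("\n".join(vault.audit_log))
```

When evaluating a vendor, the questions this design answers are the ones worth asking: is key material partitioned per tenant or shared, is every read authorized against the caller's tenant, and are denied attempts audited alongside successful ones.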
The moral of this blog…
Don’t assume you are secure; ask questions and always verify.
About the Author
Jerome Becquart, COO. Jerome has over 20 years of experience in identity and access management solutions, including 15 years at ActivIdentity. Jerome’s management experience includes roles in operational management, sales management, professional services, product and solution marketing, engineering, and technical support. After the acquisition of ActivIdentity by HID Global in 2010, Jerome served as general manager of the HID Identity Assurance business unit. He chaired the GlobalPlatform Government Task Force for three years and served on the board of directors of this industry organization.