Outsourcing Identity online – too important to be neglected.
Organizations, especially during economic uncertainty and rising inflation, are reevaluating their spending. Companies look for areas where they can make adjustments to keep operating costs as low as possible, and this applies to identity and access management (IAM) as well. Because outsourcing in this area seems a convenient alternative, it is becoming a popular choice for many companies. How do you decide whether identity outsourcing is a good idea for your organization? And how does it relate to multi-factor authentication and the FIDO2 standard?
The abundance of cybersecurity solutions
There is an abundance of cybersecurity solutions that protect against various attack vectors. The problem of the 2020s is not only the complexity of IT environments and the difficulty of implementing these solutions, but also the shortage of IT specialists able to run them. For this reason, many companies decide to outsource IAM services to an external provider.
– Such a practice relieves overworked software developers who struggle with application maintenance on a daily basis – says Tomasz Kowalski, CEO at Secfense. – However, identity and access management outsourcing is associated with a high risk. Organizations should be aware that they are not the only ones that could be attacked. If a company outsources IAM, then attackers can try to attack that company by compromising the third party that manages its identity.
We do not need to look far for such cases. Quite recently there was a great deal of discussion about an attack on one of the giants of the IAM space. In January an unsuccessful attempt to break into the account of a customer support engineer was detected there, and in March it emerged that the attackers had compromised the credentials of one administrator. As was published later in the course of the investigation, the criminals did not download the provider's databases but focused mainly on its clients, and on their clients in turn. Ultimately, about 2.5% of the provider's customers were reported as potentially affected.
Is that a little or a lot? Hard to say. Certainly none of the companies that had decided to outsource their identity management, large enterprises, government institutions and universities among them, wanted to be in that group.
Zero Trust Security
The conclusion is that companies have to adapt to new security requirements, for example by building security on the so-called onion model, with multiple independent layers so that the failure of one provider or control does not expose everything behind it. There is no technology, vendor or integrator in the world able to protect against all possible threats.
You can get the most out of a security investment by adopting a zero trust model and by requiring multi-factor authentication (MFA) on every application and access point in the organization. Importantly, the MFA should be based on FIDO2, the open web authentication standard in which a private key held by the user's authenticator signs a server challenge together with the origin the browser is actually talking to; the face scan or fingerprint only unlocks that key locally and never leaves the device. SMS codes and one-time passwords from authenticator apps, by contrast, can already be intercepted by criminals, most often through social engineering or a phishing page that relays the code to the real site in real time.
– Developers and organizations know very well that the security of users’ identities is too important to be neglected. Outsourcing these processes, together with outsourcing identity management itself, also needs to be thought over carefully, as the real examples of breaches show – adds Tomasz Kowalski. – A recipe, both when we manage identity ourselves and when we use outsourcing services, may be to separate identity management from its protection, which is where the Secfense broker can come in handy. The User Access Security Broker allows every access point in the organization to be protected with strong FIDO2-based passwordless MFA.
FIDO2, the safest way to log in
And why FIDO2? Because it is a genuine step change in authentication and online security. This open standard is one of the best ways available today to protect against phishing and credential theft: the credential is a key pair bound to the site it was registered for, so there is no shared secret that can be phished, replayed or leaked from a provider's database.
FIDO2 works with dedicated hardware security keys, but also with devices we already carry, such as smartphones, or laptops with a built-in camera or fingerprint reader acting as platform authenticators.
It takes time…
So if FIDO2, an open and effective authentication standard, already exists, why do companies still struggle to secure their employees’ accounts with MFA?
Implementation is still the biggest problem. MFA rollout is difficult, burdensome and expensive, and if a company has hundreds of applications, scaling MFA across the entire organization can be hard or even impossible. The effect? One of the best authentication methods, the FIDO2 standard, although it was published in April 2018, is still most often an add-on for selected systems rather than a universal way of securing identity online.
– We hope that thanks to Secfense User Access Security Broker, we will be able to change that. Our goal is to open the path to the mass use of MFA in business and to use the strongest authentication standard for this purpose, the FIDO2 authentication standard – says Tomasz Kowalski. – Our technology allows you to do it without generating costs related to hiring programmers, without the cost of purchasing hardware keys, and without any impact on the smoothness of operations.
Today, logging into any computer, accessing cloud applications and even downloading anything to your phone or computer requires you to use your credentials. Credentials that are not well protected become a threat to the company. The many attacks that use social engineering to take over user credentials show clearly that companies which care about user access security have to move away from weak and selectively applied forms of authentication. Standard passwords, and even two-factor authentication (2FA) based on outdated methods such as SMS codes, no longer provide adequate protection. So regardless of whether you keep identity management inside the company or decide to outsource it, the key is to make sure that all access points are secured with MFA, and preferably the strongest kind: FIDO2 passwordless authentication.