Is outsourcing identity online a good or terrible idea?


Outsourcing Identity online – too important to be neglected.

Organizations – especially during economic uncertainty and rising inflation – are reevaluating their spending. Companies look for areas where they can make adjustments to keep operating costs as low as possible. This also applies to areas related to identity & access management (IAM). Because outsourcing in this area seems to be a convenient alternative, it is becoming a popular choice for many companies. How do you decide whether identity outsourcing is a good idea for your organization? And how does it relate to multi-factor authentication and the FIDO2 standard?

The abundance of cybersecurity solutions

There’s an abundance of cybersecurity solutions that protect against various attack vectors. The problem of the second decade of the twenty-first century is not only the complexity of IT environments and the implementation difficulties but also the rising demand for IT specialists. For this reason, many companies decide to outsource IAM services to a third party.

Such a practice relieves overworked software developers who struggle with application maintenance on a daily basis – says Tomasz Kowalski, CEO at Secfense. – However, identity & access management outsourcing is associated with a high risk. Organizations should be aware that they are not the only ones that could be attacked. If a company outsources IAM, then attackers can try to attack that company by compromising the third party that manages its identity.

We do not need to look far for such cases. Quite recently, there was a lot of talk about the attack on a giant in the IAM space. In January, an unsuccessful attempt to hack into the account of a customer service engineer was detected there, and in March, the attackers compromised the credentials of one administrator. As was later disclosed in the course of the investigation, the cybercriminals did not download the databases but instead focused mainly on clients and clients of clients. Ultimately, this concerned about 2.5% of them.

Is that a little or a lot? It is difficult to judge. Certainly, none of the companies that decided to outsource their identity management – large enterprises, government institutions, and universities among them – wanted to be in this group.


Zero Trust Security

In conclusion, companies have to adapt to new security requirements, for example, by building security on the so-called onion model with multiple security layers. There is no technology, producer, or integrator in the world that can protect against all possible threats.

You can maximize security performance by adopting a zero trust security model and by using multi-factor authentication (MFA) on all applications and access points in your organization. Importantly, MFA must be based on FIDO2, i.e., a modern open online authentication standard in which you can authenticate with a face scan or with a fingerprint. SMS codes and authenticator apps that generate one-time passwords can already be successfully intercepted by cybercriminals – most often with the use of social engineering techniques.

Developers and organizations know very well that the security of users’ identities is too important to be neglected. Outsourcing of these processes in conjunction with the outsourcing of identity management, as can be seen from the real examples of violations, also needs to be carefully thought over – adds Tomasz Kowalski. – A recipe – both in a situation where we manage the identity ourselves and in the case of using outsourcing services – may be to separate identity management from its protection, where the Secfense broker can come in handy. The user access security broker allows protection of every access point in the organization with strong FIDO2-based passwordless MFA protection.

FIDO2, the safest way to log in 

And why FIDO2? Because it is a real revolution in terms of authentication and online security. This open standard is one of the best ways to protect against phishing and credential theft today. 

FIDO2 allows you to use cryptographic keys but also devices that we always carry with us, such as smartphones or laptops with a built-in camera.


It takes time…

So, if there is FIDO2 – an open and effective authentication standard – then why do companies still have a problem with securing their employees’ accounts with MFA? 

Implementation is still the biggest problem. MFA implementation is difficult, burdensome, and expensive. Moreover, if a company has hundreds of applications, scaling MFA across the entire organization can be hard or even impossible. The effect? One of the best authentication methods, the FIDO2 standard – although it was designed in April 2018 – is still most often an addition rather than a universal way of securing your identity online.

We hope that thanks to Secfense User Access Security Broker, we will be able to change that. Our goal is to open the path to the mass use of MFA in business and to use the strongest authentication standard for this purpose, the FIDO2 authentication standard – says Tomasz Kowalski. – Our technology allows you to do it without generating costs related to hiring programmers, without the cost of purchasing hardware keys, and without any impact on the smoothness of operations.

Today, logging into any computer, accessing cloud applications, and even downloading anything to your phone or computer requires you to use your credentials. Credentials, if not well protected, become a potential threat to the company. Multiple examples of attacks using social engineering to take over user credentials clearly show that companies that care about user access security have to move away from using weak and selectively used forms of identification. Standard passwords and even two-factor authentication (2FA) based on outdated methods, like SMS codes, no longer work. So regardless of whether you keep identity management inside of your company or decide to outsource it, the key is to make sure that all access points are secured with MFA – and preferably, the strongest one – FIDO2 passwordless authentication.


Testimonials

Before investing in Secfense, we had the opportunity to talk to its existing clients. Their reactions were unanimous: wow, it’s so easy to use. We were particularly impressed by the fact that implementing their solution does not require the involvement of IT developers. It gives Secfense a huge advantage over the competition, and at the same time opens the door to potential customers who so far were afraid of changes related to the implementation of multi-factor authentication solutions.

Mateusz Bodio

Managing Director

RKKVC

“Even when the network and infrastructure are secured enough, social engineering and passwords can be used to gain control of the system by attackers. Multifactor authentication is the current trend. Secfense addresses this and allows you to build zero trust security and upgrade your current systems to passwordless applications within minutes, solving this problem right away,” said Eduard Kučera, Partner at Presto Ventures and cybersecurity expert – former Director in hugely successful Czech multinational cyber security firm Avast.

Eduard Kučera

Partner

Presto Ventures

One of the biggest challenges the world is facing today is securing our identity online. That’s why we were so keen to have Secfense in our portfolio. They make it possible to introduce strong authentication in an automated way. Until now, organizations had to selectively protect applications because the deployment of new technology was very hard, or even impossible. With Secfense, the implementation of multi-factor authentication is no longer a problem, and all organizations can use the highest standards of authentication security.

Stanislav Ivanov

Founding Partner

Tera Ventures

We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that the User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.

Krzysztof Słotwiński

Business Continuity and Computer Security Officer

BNP Paribas Bank Poland

Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.

Dariusz Pitala

Head of IT

MPEC S.A.