I recently attended a cybersecurity conference and attended a presentation about the coming of age of cloud authentication solutions, and specifically the fact that these solutions are now mature and widely adopted.
One of the points made by the speaker was that cybersecurity professionals can assume all of the solutions discussed in the presentation were sound and secure. The thought sounded logical in the moment, but later that evening I realized how untrue this statement is in today’s world. We can no longer assume anything. We must verify everything.
Multi-factor authentication (MFA) is now common across enterprises of all sizes, and hackers are taking note and adapting accordingly. To give you a real-world example, consider the Russian attack on US elections, where reports confirm hackers were able to bypass MFA systems.
Another famous, or perhaps I should say infamous, example is the 2011 RSA hack. At the time, RSA was the MFA market leader and one of the biggest brands in cybersecurity, considered the safe choice for IT directors and CIOs. That said, in 2011 RSA’s authentication key vault, which stored customers’ OTP seeds, was breached, resulting in hundreds of thousands of RSA tokens having to be replaced.
More recently, another cybersecurity company, OneLogin, was breached, and I’m sure it’s not going to be the last. The point is that even cybersecurity companies are vulnerable to hackers.
An Arms Race: Hackers vs. Cybersecurity Professionals
There’s an "arms race" going on between the hackers and the cybersecurity professionals. As lines of defense improve, the bad guys look for the next weak link. And as MFA becomes prevalent, hackers are looking for ways to circumvent it.
Hackers tend to be driven by two factors: 1) how easy the target is to break into, and 2) what the reward is. If we are talking about hacking into a cloud service, the reward could be huge, especially if it is multi-tenant. One hack, many breaches.
If you are looking for a cybersecurity solution, you need to consider the following security precautions when selecting a cloud authentication solution:
1. Secure software development and deployment practices — from software development to code reviews to handling of proprietary information to vulnerability scanning to pen-testing
2. Architecture of cloud solutions — cloud solutions are architected and compartmentalized to ensure that if one customer is compromised, the whole cloud isn’t compromised
3. Access control to the cloud infrastructure — the right security controls are in place to prevent unauthorized users from gaining access to the cloud infrastructure while securely auditing all activity.
4. Information security program — confirm your service provider takes a proactive approach to cover all aspects of information security.
5. 3rd party compliance audits — don’t rely on the vendor to tell you their solution can be trusted. Ask what 3rd party certification they can provide.
The moral of this blog…
Don’t assume you are secure, ask questions and always verify.
Jerome Becquart is the Chief Operating Officer at Axiad IDS. Axiad IDS provides trusted identity and access solutions allowing customers to safely interact online; the freedom to access information from anywhere; and the confidence to fully benefit from today’s digital world.