Risk aware IAM for an insecure world

Jun 12, 2017, 5 mins
Cloud Computing, Cloud Security, Data Breach

Public cloud Identity-as-a-Service (IDaaS) providers are not immune to data breaches. IDaaS companies will live and die by their appetite for innovation and speed to market.

Yet another data breach has fallen upon us, this time at the popular cloud Identity-as-a-Service (IDaaS) provider OneLogin. It spooked more than a few executives because, well, the cloud is more secure than on-prem, right?

What we know about the OneLogin data breach so far: OneLogin is used by more than 2,000 enterprise customers worldwide. AWS API keys were compromised (stolen) by the attacker(s), surely resulting in unprecedented access to sensitive data. According to OneLogin, the attacker “gained access to database tables containing information about users, apps, and various types of keys.” With the API keys compromised, it may be assumed that sensitive customer data and account credentials were also compromised.

Many companies have migrated to the cloud in the belief that it offers a better ROI, and some argue that it is also more secure. The question on every Silicon Valley CEO’s and IDaaS buyer’s mind thus resurfaces: is cloud computing more secure than an on-premises solution?

The most common concerns I hear from executives and business leaders are:

  • “We don’t want to be the next massive data breach.”
  • “We want to make sure our IDaaS provider is as secure as it can be.”
  • “We are prioritizing our security spend around that.”

Modern cloud identity service providers are much more than authentication, single sign-on, account provisioning and multi-factor authentication. The current cloud security market offers a growth and learning opportunity for IDaaS companies.

Instead of constantly asking “Is IDaaS more secure than on-prem?”, IT leaders must accept that their security posture is more than the sum of the systems they have implemented. Risk aware IAM requires business processes to be enhanced by deeper integration with modern security solutions and automated within the organization’s security operations center, giving rapid visibility, continuous assessment of what is going on, and faster resolution.

Risk comes from many different angles; to be effective, risk insight must be more than an entry in an Excel spreadsheet. Turning risk insight into real-time policy enforcement is an evolution for most companies, and one that must be realized for IAM programs to deliver more value to the business.

Risk Aware IAM

Over the past several years, modern cloud security solutions such as user behavior analytics (UBA), cloud access security brokering (CASB) and security information and event management (SIEM) systems were born and matured alongside IDaaS solutions, but their integration and utilization has not always been demanded by IT leaders.

Integrating and uniting these platforms unleashes the full power of a risk aware IAM system. From a market standpoint, integration is inevitable and necessary. Organizations not only have the opportunity to enhance the security of identity, they have the obligation to do so.

IT leaders who haven’t done so already can drive a risk aware IAM agenda in their organizations with the following critical capabilities:

1. Upgrade Single Sign-On with contextual authentication

Many IDaaS solutions now offer excellent context-based authentication features. A user’s location, where they log in from, what device they are using, the kinds of apps they go to, when they access them and hundreds more contextual elements can be factored into authentication decisions.

Most IDaaS solutions extend contextual authentication across many different devices and thousands of applications. Don’t confuse contextual authentication with two-factor authentication, which has its own limitations.

2. Quantify risk with UBA

UBA services offer the ability to analyze behavior across the apps and devices that users routinely access. Firewalls, anti-virus products, intrusion detection systems and identity solutions on their own offer limited visibility into risky user behavior.

Most CASBs provide a view of user behavior across the entire enterprise cloud environment from a single UI. This lets machine learning and data science provide anomaly detection and isolate bad actors anywhere in the enterprise. Integrating UBA services with IDaaS/IAM and making authorization decisions based on user risk scores automates remediation.
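To make the first two capabilities concrete, here is an added example of the decision logic that sits between contextual authentication (step 1) and a UBA risk score (step 2). It is constructed for this article and is not OneLogin’s or any IDaaS, CASB or UBA vendor’s code; the signal names, weights, thresholds and the shape of the per-user baseline are assumptions. The point it shows is that the SSO layer does not need to know *why* a login is risky to act on it: every deviating signal adds to a score, the score maps to allow / step-up MFA / deny, and the list of reasons is kept so the decision can be audited afterwards.

```python
"""Risk-aware authentication decision: contextual signals plus a UBA baseline.

Constructed example (assumed signal names, weights and thresholds); not the
code of any real IDaaS, CASB or UBA product.
"""
from dataclasses import dataclass, field


@dataclass
class UserBaseline:
    """What a UBA service would learn about one user's normal behaviour (assumed shape)."""
    usual_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    usual_apps: set = field(default_factory=set)
    working_hours: range = range(7, 20)   # local hours considered normal (assumed)


@dataclass
class LoginContext:
    """Signals the SSO layer sees at authentication time."""
    user: str
    country: str
    device_id: str
    hour: int            # 0-23 in the user's local time zone
    app: str
    app_is_sensitive: bool


@dataclass
class Decision:
    action: str          # "allow", "step_up_mfa" or "deny"
    score: int
    reasons: list        # which signals contributed, for audit


# Assumed weights; a real deployment tunes these from its own incident history.
WEIGHTS = {
    "new_country": 40,
    "unknown_device": 30,
    "off_hours": 15,
    "unusual_app": 15,
    "sensitive_app": 20,
}
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


def risk_score(ctx, baseline):
    """Sum the weights of every signal that deviates from the baseline, capped at 100."""
    reasons = []
    if ctx.country not in baseline.usual_countries:
        reasons.append("new_country")
    if ctx.device_id not in baseline.known_devices:
        reasons.append("unknown_device")
    if ctx.hour not in baseline.working_hours:
        reasons.append("off_hours")
    if ctx.app not in baseline.usual_apps:
        reasons.append("unusual_app")
    if ctx.app_is_sensitive:
        reasons.append("sensitive_app")
    score = min(sum(WEIGHTS[r] for r in reasons), 100)
    return score, reasons


def decide(ctx, baseline):
    """Map the score to an enforcement action the IDaaS can apply at login."""
    score, reasons = risk_score(ctx, baseline)
    if score >= DENY_THRESHOLD:
        action = "deny"
    elif score >= STEP_UP_THRESHOLD:
        action = "step_up_mfa"
    else:
        action = "allow"
    return Decision(action, score, reasons)


# Constructed baseline for a fictional user.
ALICE = UserBaseline(usual_countries={"US"}, known_devices={"laptop-1"},
                     usual_apps={"mail", "wiki"})

if __name__ == "__main__":
    for ctx in (
        LoginContext("alice", "US", "laptop-1", 10, "mail", False),
        LoginContext("alice", "US", "phone-9", 10, "mail", False),
        LoginContext("alice", "US", "laptop-1", 10, "payroll", True),
        LoginContext("alice", "DE", "phone-9", 3, "payroll", True),
    ):
        d = decide(ctx, ALICE)
        print(f"{ctx.app:8} {d.action:12} score={d.score:3} {d.reasons}")
```

The baseline object is where the UBA integration lands: a real UBA service would populate and refresh it from observed behavior, and a CASB could feed the same score back to revoke sessions, which is the “automated remediation” the paragraph describes.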

3. Aggregate on-prem and SaaS user activity with a SIEM

Because activity logs come from a variety of sources, a SIEM acts as the hub for aggregation and analysis. Traditionally, SIEMs had purview over activity logs from on-prem systems and apps but lacked connectivity to cloud and SaaS services.

Today, SIEMs can provide a holistic view across business-critical cloud services combined with logs from endpoints throughout the enterprise. Security events and threat intelligence that result from SIEM output can then be fed into corrective controls such as IAM, or logged as an incident for investigation. Such an approach is critical for enterprises to detect cross-cloud threats, ensure compliance, and respond to incidents in a timely manner.
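The cross-cloud detection this step describes only works once on-prem and SaaS logs share one schema. The added example below (constructed for this article, not the output or code of any real SIEM, VPN appliance or SaaS product) normalizes two constructed log formats, a syslog-style line from an on-prem VPN host and a JSON audit event from a SaaS app, into common login events and then correlates them per user. The rule it implements is the one a SIEM would hand to IAM as a corrective action: a successful login preceded, within a short window, by several failures for the same user spread across at least two different sources. Neither source alone would have crossed the threshold, which is exactly why the aggregation matters.

```python
"""Normalize on-prem and SaaS login logs into one schema and correlate them.

Constructed example with constructed sample logs; hostnames, IPs, field names
and thresholds are assumptions, not any vendor's format or defaults.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed on-prem syslog lines (sshd-style) from a VPN host.
ONPREM_SYSLOG = """\
2017-06-05T09:14:02Z vpn01 sshd[1201]: Failed password for alice from 203.0.113.5 port 50211 ssh2
2017-06-05T09:14:09Z vpn01 sshd[1201]: Failed password for alice from 203.0.113.5 port 50212 ssh2
2017-06-05T09:20:40Z vpn01 sshd[1300]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
"""

# Constructed SaaS audit events, one JSON object per line.
SAAS_JSON = """\
{"time": "2017-06-05T09:15:10Z", "actor": "alice", "action": "user.login", "result": "failure", "ip": "203.0.113.5", "app": "crm"}
{"time": "2017-06-05T09:15:31Z", "actor": "alice", "action": "user.login", "result": "failure", "ip": "203.0.113.5", "app": "crm"}
{"time": "2017-06-05T09:16:02Z", "actor": "alice", "action": "user.login", "result": "success", "ip": "203.0.113.5", "app": "crm"}
{"time": "2017-06-05T09:18:00Z", "actor": "bob", "action": "user.login", "result": "failure", "ip": "198.51.100.7", "app": "crm"}
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(text):
    """All sources are normalized to naive UTC datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_syslog(text):
    """On-prem source: regex over syslog lines; lines that are not logins are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        events.append({"ts": parse_ts(m["ts"]), "user": m["user"], "source": m["host"],
                       "ip": m["ip"], "success": m["outcome"] == "Accepted"})
    return events


def normalize_saas(text):
    """SaaS source: JSON lines; only login actions become events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") != "user.login":
            continue
        events.append({"ts": parse_ts(rec["time"]), "user": rec["actor"],
                       "source": "saas-" + rec["app"], "ip": rec["ip"],
                       "success": rec["result"] == "success"})
    return events


def correlate(events, window=timedelta(minutes=10), min_failures=3):
    """Flag a success preceded by >= min_failures failures for the same user
    within `window`, where the failures span at least two distinct sources."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    incidents = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if not ev["success"]:
                continue
            prior = [e for e in evs[:i] if not e["success"] and ev["ts"] - e["ts"] <= window]
            sources = {e["source"] for e in prior}
            if len(prior) >= min_failures and len(sources) >= 2:
                incidents.append({"user": user, "ts": ev["ts"], "failures": len(prior),
                                  "sources": sorted(sources),
                                  "ips": sorted({e["ip"] for e in prior})})
    return incidents


def run_demo():
    """Aggregate both constructed sources and return the correlated incidents."""
    return correlate(normalize_syslog(ONPREM_SYSLOG) + normalize_saas(SAAS_JSON))


if __name__ == "__main__":
    for inc in run_demo():
        print(inc)
```

With the constructed data, only alice is flagged: two failures on the VPN and two on the SaaS app precede her successful SaaS login, while bob’s single SaaS failure followed by a VPN success stays below threshold. In a deployment, an incident like this is what the SIEM would push to the IAM platform to force re-authentication or revoke the session, and log for the SOC to investigate.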

4. Proactively detect and remediate compromised accounts

In Verizon’s 2017 Data Breach Investigations Report, a whopping 81% of data breaches involved stolen or weak passwords, a fact we can no longer ignore. Over a billion credential sets were stolen in 2016 alone. Detecting whether a compromised credential is being used, before or during login, becomes paramount to preventing the next data breach caused by weak or re-used credentials.

Avoiding stolen credentials is also important for regulatory compliance, particularly for federal government agencies. Updated guidelines from the National Institute of Standards and Technology (NIST) require that new passwords be screened against lists of commonly used or compromised passwords.

(Disclosure: I am the CEO of a company offering services that satisfy this requirement.)
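As an added illustration of the screening step (constructed for this article; it is not the code of the author’s company or of any credential-screening service), the example below implements the check the NIST guidance calls for: reject a new password if it is too short or appears on a compromised list. The list is held as SHA-1 digests, the format breach corpora are commonly distributed in, and the lookup uses a prefix range query so that only the first five hex characters of the digest leave the client; the full digest set, the five-character split and the minimum length are assumptions for the demo. SHA-1 is used here only to match entries in a breach list, not to store the password that is eventually accepted.

```python
"""Screen a new password against a compromised-password list (NIST-style check).

Constructed example; the compromised set, prefix length and policy are
assumptions, not any service's data or API.
"""
import hashlib

# Constructed stand-in for a breach corpus; real services hold hundreds of
# millions of entries. Stored as upper-case SHA-1 hex digests.
_KNOWN_COMPROMISED = ["password", "123456", "letmein", "qwerty", "Summer2017!"]
COMPROMISED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                    for p in _KNOWN_COMPROMISED}

PREFIX_LEN = 5   # assumed; the client reveals only this many hex characters


def range_query(prefix):
    """Server side: return every stored digest suffix whose digest starts with `prefix`.

    The server learns only the prefix, so it cannot tell which password was checked."""
    prefix = prefix.upper()
    return sorted(h[PREFIX_LEN:] for h in COMPROMISED_SHA1 if h.startswith(prefix))


def is_compromised(password):
    """Client side: hash locally, query by prefix, compare the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[PREFIX_LEN:] in range_query(digest[:PREFIX_LEN])


def screen_new_password(password, min_length=8):
    """Return (accepted, reason). Length is checked first so the cheap rejection
    happens before any lookup; an accepted password must then be stored with a
    slow, salted hash (bcrypt, scrypt or Argon2), never with SHA-1."""
    if len(password) < min_length:
        return False, "too_short"
    if is_compromised(password):
        return False, "compromised"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "Summer2017!", "short1", "tulip-granite-orbit-42"]:
        print(f"{candidate!r:26} -> {screen_new_password(candidate)}")
```

The same `is_compromised` check can run at login time against the credential being presented, which is the “during login” detection the paragraph above calls for; a hit there should trigger a forced reset and step-up authentication rather than a silent allow.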

IDaaS solutions will continue to be vulnerable until gaps are filled in each of these critical areas. Enterprises evaluating IDaaS solutions should measure a vendor’s offerings against these critical capabilities before making investment decisions.

Once a business experiences a data breach, something dramatic eventually happens – it shifts priorities and flips the value equation toward being more risk aware and security minded. Observing what happens to stock value and consumer sentiment after a data breach should be a wakeup call. And what should IDaaS vendors do about it? Give customers more of what they want and need.


Steve is obsessed with helping transform business by building trust, reducing operational risk and improving user experiences with modern identity & access management. Founder & President of Forte Advisory, he has been a member of the IAM community for 18+ years with a focus on program management, enterprise architecture, and operational excellence for the world’s largest companies in telecommunications, financial services, high tech and Big 4 consulting.

Steve was formerly CEO of VeriClouds and a Director of Cybersecurity & Privacy at PwC. Prior to PwC, he was the head of IAM at VMware (one of the four largest enterprise software companies) where he designed and managed customer and partner facing systems. Prior to joining VMware, Steve was a consultant at Oracle where he led deployments for strategic accounts in the manufacturing and high tech sectors.

As an advisory board member, Steve has helped founders with the development of strategic relationships, business development, market and capital strategy, product design, and channel and sales strategies. Startups he has helped include Seattle-based VeriClouds, and Palerra, the leading cloud access security broker and pioneer of the API-based CASB solution. (Palerra was acquired by Oracle in October 2016.)

Steve is available for strategic consulting and private workshops at his clients’ offices throughout the US and Canada.

The opinions expressed in this blog are those of Steve Tout and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.