The latest cloud hack was LivingSocial. According to PCMag.com:
Cyber-attackers recently breached LivingSocial’s systems and illegally accessed customer information for more than 50 million users, LivingSocial said. Users need to change their passwords immediately.
What this hack shows (along with the others; see Image #1 below) is that all clouds are NOT created equal. Enterprises need the cloud because of the flexibility, scalability and functionality it brings. Unfortunately, there are NO standards on how passwords are stored, how passwords are encrypted and how password access is controlled.
Image #1: Hackers, many of them organized and well funded, are targeting the service providers for identity information.
The objective of these attacks is often the password information. What’s important to note is that the hacked service provider, e.g. Facebook or Twitter, is often NOT the “target” attack site. The hackers know that most users tend to:
The ultimate score is to pull 50M IDs and passwords from a LivingSocial or Evernote site. (See Image #2)
Image #2: In insecure enterprise environments, users are allowed to keep their passwords in EACH of the service providers, allowing hackers to attack the weak cloud sites to obtain identity information.
An enterprise should retain the identity information in a secure location and then SSO from that location.
So, given that some enterprises are NOT securing their identities that well, that these service providers are being probed by the hackers for the explicit purpose of finding the weak security systems, and that the flexibility and scalability of the cloud are FAR TOO GREAT to pass up, what is the enterprise to do?
This question matters especially to those enterprises that have to meet security guidelines like PCI DSS, FFIEC, HIPAA/HITECH, etc.
These enterprises NEED to become identity providers and secure their OWN identity data. (Please see Image #3)
Image #3: SecureAuth IdP provides enterprise secure identity management and single password functionality for multiple resources, all secured by the holding enterprise.
SecureAuth IdP addresses all of the key problems enterprises are facing with cloud identities including
The “LivingSocial” attack should never happen to your ENTERPRISE. Contact SecureAuth and we’ll help ensure it does not.
Please contact us for more information!
Garret Grajek is CTO and a co-founder of SecureAuth. SecureAuth is a single appliance solution that delivers configurable 2-Factor and SSO authentication for Mobile, Web, VPN and SaaS based solutions.