Another Cloud Hack, Another 50M Passwords – Time for SecureAuth IdP for the Enterprise

The latest cloud hack was LivingSocial. According to PCMag.com:

Cyber-attackers recently breached LivingSocial’s systems and illegally accessed customer information for more than 50 million users, LivingSocial said. Users need to change their passwords immediately.

All Clouds are NOT created equally

What this hack shows (along with the others, see image #1 below) is that all clouds are NOT created equally. Enterprises need the cloud because of the flexibility, scalability and functionality it brings. Unfortunately, there are NO standards for how the passwords are stored, how the passwords are encrypted and how password access is controlled.

| Account | # of Users | Date | Details of Incident |
|---|---|---|---|
| LivingSocial | 50M | April, 2013 | Names, E-mail, Birthdate, Passwords |
| Evernote | 50M | March, 2013 | Names, E-mail, Addresses, Passwords |
| LinkedIn | 6.5M | June, 2012 | Passwords linked to web |
| Twitter | 250,000 | February, 2013 | WhiteHouse account hacked April, 2013 |
| Facebook | Not Disclosed | February, 2013 | Targeted by Eastern European hackers |
| Apple | Not Disclosed | February, 2013 | Targeted by Eastern European hackers |
| ZenDesk | Not Disclosed | February, 2013 | Affected Twitter, Pinterest and Tumblr accounts |

Image #1:   Hackers, many of them organized and well funded, are targeting the service providers for identity information.

What’s The Objective?   Identity Information

The objective of these attacks is often the password information. What’s important to note is that the hacked service provider, e.g. Facebook or Twitter, is often NOT the “target” attack site. The hackers know that most users tend to:

      • Re-use their IDs
      • Re-use their Passwords

 

The ultimate score is to pull 50M IDs and passwords from a LivingSocial or Evernote site. (See Image #2)

 


Image #2: In insecure enterprise environments, users are allowed to keep their passwords in EACH of the service providers, allowing hackers to attack the weak cloud sites to obtain identity information.

What is an Enterprise to do?   (To Stop the Cloud Hacks)

An enterprise should retain the identity information in a secure location, and then provide SSO from that location.

Q:   Why do the hackers attack the big (ID) vaults?

A:   Because that is where the identities are!

 

So, given that some enterprises are NOT securing the identities that well, that these service providers are being probed by the hackers for the explicit purpose of finding the weak security systems, and that the flexibility and scalability of the cloud is FAR TOO GREAT to pass up, what is the enterprise to do? Especially those enterprises that have to meet security guidelines like PCI DSS, FFIEC, HIPAA/HITECH, etc.

These enterprises NEED to become identity providers and secure their OWN identity data. (Please see image #3)


Image #3: SecureAuth IdP provides enterprises with secure identity management and single password functionality for multiple resources, all secured by the holding enterprise.

SecureAuth IdP – Meets the Cloud Identity Problems – For the Enterprise

SecureAuth IdP addresses all of the key problems enterprises are facing with cloud identities, including:

      • Centralized Identity Control
        • Single User Store
        • Single Password
      • SSO to All Enterprise Resources
        • Cloud Apps
        • Web Apps
        • Network Apps
        • Mobile Apps
      • Configurable Authentication
        • UserID / Password
        • UserID / Password + 2-Factor
        • SMS, Telephony, X.509, USB Key, NFC Prox Card, E-mail OTP, Static PIN, Help Desk, Kerberos and Others
      • Logging and Accounting
        • Built-in Report Server
        • Or send authN/authZ events to your log server
      • Mobile Support
        • Native Mobile App SSO
        • 2-Factor to mobile Apps
        • SSO from enterprise directory
        • X.509 delivery to mobile

 

The “LivingSocial” attack should never happen to your ENTERPRISE. Contact SecureAuth and we’ll help ensure it does not.

Please contact us for more information!

SecureAuth is a single appliance solution that delivers configurable 2-Factor and SSO authentication for Mobile, Web, VPN and SaaS based solutions.