Not all IDaaS are created equal

1 November 2016 Access Control & Identity Management, Integrated Solutions

“The identity data is already in the cloud anyway – at the service providers – so why does it matter?” is a valid question asked by customers who are both looking into leveraging cloud identity services and thinking about issues around how and where user data is stored and processed.

“The answer to this question is more nuanced than customers might initially think,” says Darren Platt, senior director of technology at RSA, the security division of EMC.

He explains that a SaaS application may store a username, credential, and some profile information for its own purposes – to enable users to authenticate to them directly and access application functionality.

“So, if a threat actor is able to compromise the user database, they now have access to the functionality that application provides. The result is that the compromise of one security domain (the SaaS provider) enables a bad actor to perform operations within that security domain.”

Platt points out that an Identity as a Service (IDaaS) solution is different though, as it contains the credential information for users at multiple security domains. “If it were to be compromised, the result would be that a bad actor would be able to perform operations within many different security domains – a much bigger vulnerability with much bigger consequences.

“As a result, IDaaS solutions are a more valuable target for threat actors, and as such receive a lot more attention – in the form of attacks – from them,” he continues. “So, I think that the argument that ‘the identity data is already in the cloud anyway’ really doesn’t hold water; in fact it sounds to me like ‘we’ve already got one server directly connected to the Internet, why not connect some more?’

“The answer is that both extra identity accounts and extra Internet connections represent an attack surface that can be leveraged by threat actors. It’s critical to consciously reduce that attack surface when possible, not increase it.”

With this in mind, Platt says it is important to take a close look at how IDaaS solutions are handling user data and to understand the security implications.

“Not all IDaaS solutions are created equal; some were built for companies that are ‘all-in’ with cloud technology, while others were built with a hybrid deployment model in mind – one that leverages existing enterprise identity capabilities. In an enterprise environment that has existing user directories and processes for maintaining them, an IDaaS solution should thus leverage those existing capabilities in place, as opposed to replicating them in the cloud – ultimately, creating yet another ‘island of identity’ that increases the attack surface.”

Anton Jacobsz, MD at Networks Unlimited, adds that it’s becoming increasingly important for the continent’s customers to also ask questions about where an IDaaS solution stores and processes users’ network credentials. “By asking questions, customers are better able to understand how the adoption of IDaaS impacts an organisation’s identity attack surface and potential risks,” concludes Platt.

For more information contact Lynne McCarthy, Networks Unlimited, +27 (0)11 202 8400, lynne@nu.co.za




