Archive for June, 2010

Everyone needs a Twitter strategy, but not a Twitter security blunder

Twitter just agreed to settle Federal Trade Commission charges that it deceived customers and put their privacy at risk by failing to safeguard their personal information. Full article here. This is the first case of this kind against a social networking service and it should be a wake-up call to any provider of cloud-based services.

We cloud vendors all face the same challenges as Twitter. Our business consists of managing our customers’ private or personal data. We use dozens of cloud applications to run our business and most of us have no business applications behind the firewall. The average cloud vendor juggles thousands of passwords every day and the average user is not able to remember a dozen strong passwords.

Here is what the FTC said Twitter failed to do in order to protect their users’ data:

  • require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks
  • prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts
  • suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts
  • provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users
  • enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days
  • restrict access to administrative controls to employees whose jobs required it
  • impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses

None of these precautions seems unreasonable from a security perspective. Yet people are creatures of habit, busy, forgetful, or simply don’t have the necessary tools to assist them in behaving in a secure way. Once you have typed the same password a hundred times, it becomes a reflex. It’s now something you uncritically do when you see a password prompt.
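Three of the controls in the FTC list (lockout after repeated failures, 90-day password expiry, and an IP allow-list for administrative access) are straightforward to enforce in code. The following Ruby class is an added example, not OneLogin’s code or part of any toolkit; the class name, the in-memory account store, the CIDR ranges and the sample accounts are all constructed for illustration. Passwords are stored as salted PBKDF2 hashes rather than in plain text, and the outcome is returned as a symbol so the application can log the reason without revealing it to the client.

```ruby
require 'ipaddr'
require 'openssl'
require 'securerandom'

# Constructed example: a guard for an administrative login endpoint that
# enforces lockout, password age and source-IP restrictions.
class AdminLoginGuard
  MAX_FAILED_ATTEMPTS = 5
  PASSWORD_MAX_AGE    = 90 * 24 * 60 * 60 # 90 days, in seconds
  PBKDF2_ITERATIONS   = 50_000            # tune for your hardware

  # allowed_cidrs: e.g. ["10.0.0.0/8", "192.0.2.0/24"]
  def initialize(allowed_cidrs)
    @allowed  = allowed_cidrs.map { |c| IPAddr.new(c) }
    @accounts = {} # in-memory store for the example; a real app uses its user table
  end

  def add_account(name, password, password_set_at:)
    salt = SecureRandom.random_bytes(16)
    @accounts[name] = {
      salt: salt,
      hash: derive(password, salt),
      password_set_at: password_set_at,
      failed: 0,
      locked: false
    }
  end

  # Evaluates one login attempt. Order matters: the IP check runs before any
  # account lookup, and a locked account is refused before the password is
  # checked, so guessing cannot continue against a locked account.
  def attempt(name, password, source_ip, now: Time.now)
    return :ip_not_allowed unless ip_allowed?(source_ip)

    acct = @accounts[name]
    return :unknown_user unless acct
    return :locked if acct[:locked]

    candidate = derive(password, acct[:salt])
    unless constant_time_equal?(candidate, acct[:hash])
      acct[:failed] += 1
      acct[:locked] = acct[:failed] >= MAX_FAILED_ATTEMPTS
      return acct[:locked] ? :locked : :bad_password
    end

    acct[:failed] = 0
    return :password_expired if now - acct[:password_set_at] > PASSWORD_MAX_AGE

    :ok
  end

  def locked?(name)
    @accounts.fetch(name)[:locked]
  end

  private

  def ip_allowed?(ip)
    addr = IPAddr.new(ip)
    @allowed.any? { |range| range.include?(addr) }
  rescue IPAddr::Error
    false # unparsable address is treated as not allowed
  end

  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                             length: 32, hash: 'sha256')
  end

  # Compare hashes without short-circuiting on the first differing byte.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  guard = AdminLoginGuard.new(['10.0.0.0/8'])
  guard.add_account('ops', 'correct horse battery staple', password_set_at: Time.now)
  puts guard.attempt('ops', 'correct horse battery staple', '10.1.2.3')   # :ok
  puts guard.attempt('ops', 'correct horse battery staple', '203.0.113.9') # :ip_not_allowed
end
```

The lockout counter resets only on a successful password check, so a slow stream of wrong guesses still reaches the limit; the expiry check runs after the password check so that an expired-but-correct password can be routed to a change-password flow rather than counted as a failure.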

One of our customers recently performed a phishing test internally to see how many users would enter their password on a fake Google Apps login page. To everyone’s surprise, 27 percent of the tested individuals did just that.

Completely eliminating passwords or using strong passwords are the best ways to avoid a Twitter security blunder, but leaving it up to each individual user is too much to ask. OneLogin lets you generate completely random, strong passwords and automates the login process, which has two big advantages. Users don’t need to write down passwords, and since the passwords are impossible to remember, phishing attacks are effectively eliminated.

Get SAML enabled in hours

We have just released SAML toolkits for Ruby on Rails and PHP and we will release more in the coming months. The toolkits are free, open source and you can use them with any identity provider you choose, not just OneLogin.

So why are we doing this? SAML is ideal for web-based single sign-on for a number of reasons. It’s a standard, it’s very secure and it is very flexible. Unfortunately, as is often the case, flexibility is a double-edged sword and has prevented SAML from being adopted by smaller players because of its relatively high learning curve.

In the cloud, most of the flexibility of SAML is not really needed. If you look at how Google Apps and Salesforce.com have implemented SAML, it is very straightforward and with a product like OneLogin, you can configure these services for SAML in a matter of minutes. These are two of the most widely deployed cloud applications and we think those implementations are reflective of what most other vendors would want to offer to their customers.

Therefore, we have put together basic SAML toolkits that give you the same functionality as with Google Apps and Salesforce. The toolkits support both identity provider initiated and service provider initiated single sign-on. We have already walked through the toolkits with several vendors. One CRM vendor got it working with their application in less than an hour – while we were watching on the video conference.
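To make the service-provider-initiated flow concrete, here is an added Ruby example (not the OneLogin toolkit’s code and not its API). It builds a SAML 2.0 AuthnRequest, encodes it for the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding, as the SAML bindings specification requires), shows how the identity provider reverses that encoding, and keeps a record of issued request IDs so that a later Response can be accepted only if its InResponseTo names a request this service provider actually sent. The entity ID and endpoint URLs are constructed placeholders; signature, audience and time-window validation are separate steps that the toolkits perform and are not shown here.

```ruby
require 'zlib'
require 'base64'
require 'uri'
require 'securerandom'
require 'rexml/document'

# Constructed example of the service-provider side of SP-initiated SSO.
module SamlSp
  SP_ENTITY_ID = 'https://sp.example.test/saml/metadata' # constructed placeholder
  ACS_URL      = 'https://sp.example.test/saml/consume'  # constructed placeholder
  IDP_SSO_URL  = 'https://idp.example.test/sso'          # constructed placeholder
  SAML_NS      = 'urn:oasis:names:tc:SAML:2.0:assertion'

  # IDs of requests we have issued and not yet seen answered.
  # In-memory here; a real SP keeps this in session or cache state.
  PENDING = {}

  # SAML IDs are xs:ID values, so they must not start with a digit.
  def self.new_request_id
    '_' + SecureRandom.hex(16)
  end

  def self.build_authn_request(id: new_request_id, issue_instant: Time.now.utc)
    PENDING[id] = issue_instant
    <<~XML.strip
      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="#{SAML_NS}" ID="#{id}" Version="2.0" IssueInstant="#{issue_instant.strftime('%Y-%m-%dT%H:%M:%SZ')}" Destination="#{IDP_SSO_URL}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="#{ACS_URL}">
        <saml:Issuer>#{SP_ENTITY_ID}</saml:Issuer>
      </samlp:AuthnRequest>
    XML
  end

  # HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64.
  def self.redirect_encode(xml)
    deflater = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
    deflated = deflater.deflate(xml, Zlib::FINISH)
    deflater.close
    Base64.strict_encode64(deflated)
  end

  # The URL the user's browser is redirected to; URI.encode_www_form
  # supplies the final URL-encoding step of the binding.
  def self.redirect_url(xml, relay_state: nil)
    params = { 'SAMLRequest' => redirect_encode(xml) }
    params['RelayState'] = relay_state if relay_state
    IDP_SSO_URL + '?' + URI.encode_www_form(params)
  end

  # What the identity provider does on receipt: reverse the encoding.
  def self.redirect_decode(encoded)
    inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
    xml = inflater.inflate(Base64.strict_decode64(encoded))
    inflater.close
    xml
  end

  # Pull out the fields the identity provider needs to answer the request.
  def self.parse_request(xml)
    doc  = REXML::Document.new(xml)
    root = doc.root
    {
      id:      root.attributes['ID'],
      issuer:  REXML::XPath.first(doc, '//saml:Issuer', 'saml' => SAML_NS).text,
      acs_url: root.attributes['AssertionConsumerServiceURL']
    }
  end

  # SP-side check on an incoming Response: InResponseTo must name a request
  # we issued, and each ID is accepted only once.
  def self.accept_in_response_to?(in_response_to)
    return false if in_response_to.nil?
    !PENDING.delete(in_response_to).nil?
  end
end

if $PROGRAM_NAME == __FILE__
  xml = SamlSp.build_authn_request
  puts SamlSp.redirect_url(xml, relay_state: '/dashboard')
  puts SamlSp.parse_request(xml).inspect
end
```

Because the pending-ID table is consumed on first use, a Response that is replayed, or one that was never solicited by this SP, fails the InResponseTo check even before signature validation; in IdP-initiated SSO there is no request to match, which is why the toolkits treat that flow as a separate case.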

If you are interested in SAML-enabling your own cloud application, take a look at the documentation for the Rails toolkit or contact us at vendor@onelogin.com. The code is also available on GitHub at:

    http://github.com/onelogin