This year’s RSA Conference proclaimed that IT security is more relevant than ever, and that both cloud service providers and the security community at large are quickly adapting to address today’s business challenges. While there were countless takeaways from the event, I wanted to share a few points that stood out.
This year’s conference was kicked off with the Cloud Security Alliance (CSA) Summit, and some of the industry’s great luminaries laid out where they see the current state of the market. Some of my takeaways were:
Attacker Strategies & Crimeware-as-a-Service
Highly targeted attack campaigns continue to advance in sophistication and scope. Some interesting stats came out of the recent 2015 Verizon Data Breach Investigations Report (DBIR), including:
- Within the web application attack pattern, 95% of incidents involved harvesting credentials stolen from customer devices and then logging into web applications with them.
This reinforces the position that user identity, stronger authentication, and access control matter more today than ever: once an attacker holds a valid password, the application itself has no way to tell them apart from the legitimate user.
Shadow IT & High Risk Applications
SkyHigh Networks highlighted the increasing risk of Shadow IT. Their recent Q1-2015 Cloud Adoption & Risk Report drew attention to some interesting findings:
- The average company has 923 cloud services in use.
- The average employee uses 28 cloud services, and the top 20 enterprise cloud services included Office 365, Salesforce, Box, and ServiceNow.
Unfettered access to cloud applications and gaining control over shadow IT continue to challenge leaders as they seek ways to rein in the chaos, and traditional web filtering approaches are insufficient. With over 200K new sites coming online daily, many of them fronting high-risk applications, URL filtering vendors simply cannot keep up with the categorization needed to stop users from reaching these sites.
SaaS-based Cloud Services Offer Greater Security
Organizations are looking to the cloud to help them better manage risk and shift the burden away from internal resources. The growing acceptance of SaaS applications, and the willingness to trust third-party service providers to host business-critical data, has resulted in a closer partnership between vendors and customers. It is also encouraging greater cooperation between cloud service providers, security firms, and certification bodies to collectively raise security and compliance standards. Some interesting statistics were presented on the current state of cloud services:
- 16% provide multi-factor authentication.
- 4% are ISO/IEC 27001 certified.
This tells me that the industry has room to improve. Fortunately, OneLogin already meets these requirements.
Access Controls & Contextual Policies
A successful security posture is shaped by both user behavior and context-aware controls, so organizations are taking proactive measures to ensure users don't become a beachhead for attacks. This includes:
- incentivizing employees to forgo security workarounds in favor of services that meet both IT security requirements and user experience standards.
- introducing contextual controls and policies that take into account attributes such as the user, their role, their location, the device in use, and the type of data being accessed, so that the right level of security is applied at the right time.
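As an added illustration (example code written for this page, not part of the original post and not OneLogin's product logic), the following Python policy evaluator acts on exactly those attributes. The country allow-list, the role-to-sensitivity mapping, the named users and the step-up rules are hypothetical policy choices constructed for the demo; the point is the ordering: hard denials are evaluated first, and a second factor is demanded whenever a risk signal (sensitive data, a privileged role, an unmanaged device, or a change of country since the last login) is present and MFA has not yet been completed in the session.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"   # admit the user only after a second factor
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    """Attributes known at the moment of the access request."""
    user: str
    role: str                  # e.g. "contractor", "employee", "admin"
    country: str               # country code derived from the client address
    managed_device: bool       # device enrolled in the organization's MDM
    data_sensitivity: str      # "public", "internal" or "confidential"
    mfa_completed: bool        # second factor already satisfied in this session
    last_login_country: Optional[str] = None


# Hypothetical policy inputs, constructed for this example.
ALLOWED_COUNTRIES = {"US", "CA", "GB"}
ROLE_MAX_SENSITIVITY = {"contractor": "internal", "employee": "confidential", "admin": "confidential"}
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2}


def evaluate(ctx: AccessContext) -> Decision:
    """Deny-first evaluation: hard denials, then step-up, then allow."""
    max_allowed = ROLE_MAX_SENSITIVITY.get(ctx.role)
    # 1. Unknown role, or a role not entitled to this class of data at all.
    if max_allowed is None or SENSITIVITY_RANK[ctx.data_sensitivity] > SENSITIVITY_RANK[max_allowed]:
        return Decision.DENY
    # 2. Confidential data never goes to an unmanaged device, MFA or not.
    if ctx.data_sensitivity == "confidential" and not ctx.managed_device:
        return Decision.DENY
    # 3. Requests from outside the allow-listed countries are refused outright.
    if ctx.country not in ALLOWED_COUNTRIES:
        return Decision.DENY
    # 4. Any of these risk signals demands a second factor if one has not been provided.
    risk_signals = [
        ctx.data_sensitivity == "confidential",
        ctx.role == "admin",
        not ctx.managed_device,
        ctx.last_login_country is not None and ctx.last_login_country != ctx.country,
    ]
    if any(risk_signals) and not ctx.mfa_completed:
        return Decision.STEP_UP_MFA
    return Decision.ALLOW


def explain(ctx: AccessContext) -> str:
    """One audit-log line per decision, so step-ups and denials can be reviewed later."""
    decision = evaluate(ctx)
    return (f"{ctx.user} role={ctx.role} from={ctx.country} managed={ctx.managed_device} "
            f"data={ctx.data_sensitivity} mfa={ctx.mfa_completed} -> {decision.value}")


if __name__ == "__main__":
    # Constructed scenarios: routine access, sensitive data without MFA, unmanaged device, geo change.
    for ctx in [
        AccessContext("alice", "employee", "US", True, "internal", False, "US"),
        AccessContext("alice", "employee", "US", True, "confidential", False, "US"),
        AccessContext("alice", "employee", "US", False, "confidential", True, "US"),
        AccessContext("dave", "employee", "GB", True, "public", False, "US"),
    ]:
        print(explain(ctx))
```

Evaluating hard denials before step-up matters: otherwise a user on an unmanaged device could be prompted for a second factor for data they are never going to be allowed to see, which both leaks the fact that the data exists and trains users to treat MFA prompts as routine.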
The RSA Conference opening keynote by RSA’s President introduced some thought provoking challenges to the thousands in attendance. He proposed the industry shift its mindset and offered 5 tenets to combat security risks. You can read more here in “Amit Yoran Calls for Security Industry to Throw Out Old Maps: Chart New Course.”
But I do want to call attention to his 3rd item:
Identity & Authentication Matter More Than Ever
OneLogin is in a unique position to reduce the risk of compromise based on stolen user credentials, thereby shutting down attack campaigns before they get started. Establishing digital trust, introducing new factors of authentication, and controlling access are more important than ever given the risks associated with public cloud adoption and basic user credential theft.
OneLogin is fortunate to have been an early adopter of SAML (Security Assertion Markup Language). With SAML, the user authenticates once to an Identity Provider (IdP), which issues a digitally signed assertion; the cloud application (the Service Provider) verifies that signature against the IdP's signing certificate and accepts the assertion instead of a password. Because the application never receives or stores a password for the user, there is no per-application password to phish, reuse, or harvest from a breached database, and the IdP becomes the single place where stronger authentication and access policy are enforced.
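To make that mechanism concrete, here is an added Python example (written for this page; not OneLogin code and not a SAML implementation) of the IdP-as-intermediary pattern: the IdP verifies the password and the MFA result, then issues a signed assertion carrying an ID, issuer, audience and validity window, and the Service Provider accepts only assertions whose signature, issuer, audience, time window and ID all check out. The signing key, issuer URL, application entity ID and user directory are constructed for the demo. An HMAC over canonical JSON stands in for the XML-DSig signature that real SAML assertions carry; in SAML the SP verifies that signature with the IdP's X.509 certificate, so no secret is shared between the two parties.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed, hypothetical signing key shared by the demo IdP and SP. Real SAML uses
# an asymmetric XML-DSig signature: the IdP signs with its private key and the SP
# verifies with the IdP's X.509 certificate, so nothing secret is shared.
IDP_SIGNING_KEY = b"hypothetical-idp-signing-key-not-for-production"
IDP_ENTITY_ID = "https://idp.example.test"   # hypothetical issuer
SP_ENTITY_ID = "https://app.example.test"    # hypothetical audience
CLOCK_SKEW = 60                               # seconds of tolerated clock drift
PBKDF2_ROUNDS = 100_000


def _canonical(claims: dict) -> bytes:
    """Deterministic serialization so the signature covers exactly one byte string."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class IdentityProvider:
    """The only party that ever sees the user's password."""

    def __init__(self, key: bytes, passwords: Dict[str, str]):
        self.key = key
        # Constructed user store: username -> (salt, PBKDF2-SHA256 hash). Demo only.
        self.users = {}
        for user, pw in passwords.items():
            salt = secrets.token_bytes(16)
            self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS))

    def authenticate(self, username: str, password: str, mfa_passed: bool) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # Both the password and the second factor must succeed.
        return hmac.compare_digest(derived, stored) and mfa_passed

    def issue_assertion(self, username: str, audience: str, lifetime: int = 300,
                        now: Optional[float] = None) -> dict:
        """Short-lived assertion bound to one audience; call only after authenticate()."""
        now = time.time() if now is None else now
        claims = {
            "id": secrets.token_hex(16),   # unique ID so the SP can detect replay
            "issuer": IDP_ENTITY_ID,
            "subject": username,
            "audience": audience,
            "issue_instant": now,
            "not_on_or_after": now + lifetime,
        }
        return {"claims": claims, "signature": _sign(self.key, _canonical(claims))}


class ServiceProvider:
    """Cloud application that trusts the IdP's assertions and never handles passwords."""

    def __init__(self, entity_id: str, idp_key: bytes, expected_issuer: str):
        self.entity_id = entity_id
        self.idp_key = idp_key
        self.expected_issuer = expected_issuer
        self.seen_ids = set()   # IDs of assertions already consumed

    def consume(self, assertion: dict, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated subject, or None if any check fails."""
        now = time.time() if now is None else now
        claims = assertion.get("claims", {})
        # 1. Verify the signature before trusting a single claim (constant-time compare).
        expected = _sign(self.idp_key, _canonical(claims))
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            return None
        # 2. It must come from our IdP and be addressed to this application, not another SP.
        if claims.get("issuer") != self.expected_issuer or claims.get("audience") != self.entity_id:
            return None
        # 3. Enforce the validity window, allowing bounded clock skew in both directions.
        if now + CLOCK_SKEW < claims["issue_instant"] or now - CLOCK_SKEW >= claims["not_on_or_after"]:
            return None
        # 4. Reject a replayed assertion even though it is otherwise valid.
        if claims["id"] in self.seen_ids:
            return None
        self.seen_ids.add(claims["id"])
        return claims["subject"]
```

The order of checks in `consume` is deliberate: nothing in the assertion is read until the signature is verified, because every other field is attacker-controlled until then. Audience restriction is what stops an assertion issued for one application from being presented to another, and the ID cache is what stops a captured assertion from being replayed inside its validity window.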
OneLogin also supports stronger authentication requirements by providing integrations with numerous multi-factor authentication (MFA) technologies from vendors like Duo Security, RSA Security, Yubico, and Vasco.
2015 is proving to be the year for Cloud Identity and Access Management. And the industry is recognizing that cloud identity is more than password vaulting and SSO (single sign-on). It includes things like:
- Hosting highly scalable and resilient data centers around the globe that support customers’ operational and security requirements.
- Providing an exhaustive catalog of pre-integrated cloud applications to streamline deployment.
- Automating user provisioning and de-provisioning to quickly grant, update, and revoke access to cloud services.
- Leveraging existing systems of record such as Active Directory (AD) to streamline user access to the cloud.
- Delivering powerful APIs that allow application developers to embed security capabilities into their cloud services without having to be security experts themselves.
- Providing domain expertise and professional services required to advance customer initiatives in a more secure and compliant manner.