Not all IDAAS are created equal
"The identity data is already in the cloud anyway – at the service providers – so why does it matter?" is a valid question asked by customers who are both looking into leveraging cloud identity services and thinking about issues around how and where user data is stored and processed.
"The answer to this question is more nuanced than customers might initially think," says Darren Platt, senior director of technology at RSA, the security division of EMC.
He explains that a SAAS application may store a username, credential, and some profile information for its own purposes – to enable users to authenticate to them directly and access application functionality.
"So, if a threat actor is able to compromise the user database, they now have access to the functionality that application provides. The result is that the compromise of one security domain (the SAAS provider) enables a bad actor to perform operations within that security domain," he adds.
Filling the visibility gaps in endpoint monitoring
Platt points out that an identity as a service (IDAAS) solution is different though as it contains the credential information for users at multiple security domains.
"If it were to be compromised, the result would be that a bad actor would be able to perform operations within many different security domains – a much bigger vulnerability with much bigger consequences. As a result, IDAAS solutions are a more valuable target for threat actors, and as such receive a lot more ‘attention' – in the form of attacks – from them," he continues. "So, I think that the argument that ‘the identity data is already in the cloud anyway' really doesn't hold water; in fact it sounds to me like ‘we've already got one server directly connected to the Internet, why not connect some more?'
"The answer is that both extra identity accounts and extra Internet connections represent an attack surface that can be leveraged by threat actors. It's critical to consciously reduce that attack surface when possible, not increase it."
With this in mind, Platt says it is important to take a close look at how IDAAS solutions are handling user data and to understand the security implications.
"Not all IDAAS solutions are created equal; some were built for companies that are ‘all-in' with cloud technology, while others were built with a hybrid deployment model in mind – one that leverages existing enterprise identity capabilities," he says.
"In an enterprise environment that has existing user directories and processes for maintaining them, an IDAAS solution should thus leverage those existing capabilities in place, as opposed to replicating them in the cloud – ultimately, creating yet another ‘island of identity' that increases the attack surface."
Anton Jacobsz, MD at Networks Unlimited, a value added distributor of RSA products in more than 20 African countries, adds that it's becoming increasingly important for the continent's customers to also ask questions about where an IDAAS solution stores and processes users' network credentials.
"By asking questions, customers are better able to understand how the adoption of IDAAS impacts an organisation's identity attack surface and potential risks," concludes Platt.