Companies should consider their identity and access management (IAM) systems as a likely point of attack, according to IAM software supplier SailPoint.
“The easiest way to get into a server room is to break into the key cabinet,” said Darran Rolls, chief technology officer and chief information security officer at SailPoint.
“Likewise, breaking into an organisation’s IAM system will give a hacker access to every IT system within that organisation,” he told the 2015 European Identity & Cloud (EIC) conference in Munich.
For this reason, he said, identity-as-a-service (IDaaS) presents a particularly large attack surface, because the cloud service is connected over the internet to an on-premises gateway.
“This is something organisations should be concerned about and it should be an issue they are focused on because IDaaS is potentially a massive attack surface,” said Rolls.
Keeping this high-value target safe is the combined task of the software supplier, the consultancy service or deployment partner, the IDaaS service provider and the user organisation, he said.
First, the software must be secure by design and able to withstand basic and common attacks such as cross-site scripting (XSS).
The software must also use strong, current encryption; developers must be trained to write secure code; and that code must be rigorously security tested.
“The software industry needs to take responsibility for setting and following best practices to ensure code is secure by design,” said Rolls.
Consultancy services or deployment partners should ensure deployments are hardened, default passwords are changed and HTTPS is used everywhere. They should also understand and compensate for the supplier's weaknesses, and follow best practice.
IDaaS suppliers need to understand the attack surface and mitigate any weaknesses, "supercharge" their cryptography and their secure sockets layer (SSL) configuration, apply DevOps practices to their security work, and engage outside specialists to test and advise.
User organisations need to ask the right questions before signing up, then rigorously security test their implementations, understand the vulnerabilities that remain, and monitor behaviour so they can respond when anomalies are detected.
“Asking the right questions includes finding out how IDaaS providers test their services and what incident response plans they have in place,” said Rolls.
“User organisations should prepare for an attack because it is coming,” he said.
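The monitoring Rolls recommends has to be concrete to be useful. The script below is an added illustration, not SailPoint's code or anything shown at the conference: it runs two behavioural detections over a constructed IAM audit log in a hypothetical key=value format (the log lines, the field names and the thresholds are all assumptions). The first detection looks for a password spray, one source failing logins against many accounts in a short window; the second flags an administrative role grant that is either self-issued or made outside business hours. Both are patterns an attacker who has reached the identity system itself tends to produce.

```python
"""Behavioural monitoring over IAM audit events (added example).

Two illustrative detections for attacks on the identity system itself:
a password spray from one source against many accounts, and an admin
role granted under suspicious circumstances (self-grant or off-hours).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical key=value format.
# These are invented records, not output from any real IAM or IDaaS product.
SAMPLE_LOG = """\
2015-05-05T02:10:00Z src=203.0.113.7 user=alice event=login result=fail
2015-05-05T02:10:05Z src=203.0.113.7 user=bob event=login result=fail
2015-05-05T02:10:09Z src=203.0.113.7 user=carol event=login result=fail
2015-05-05T02:10:14Z src=203.0.113.7 user=dave event=login result=fail
2015-05-05T02:10:20Z src=203.0.113.7 user=erin event=login result=fail
2015-05-05T02:10:31Z src=203.0.113.7 user=erin event=login result=success
2015-05-05T02:12:00Z src=203.0.113.7 user=erin event=role_grant result=success role=admin target=erin
2015-05-05T09:00:00Z src=198.51.100.20 user=frank event=login result=success
2015-05-05T09:05:00Z src=198.51.100.20 user=frank event=role_grant result=success role=reader target=grace
"""


def parse_events(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Alert when one source fails logins for >= min_users distinct accounts
    within the sliding window. One alert per offending source."""
    alerts = []
    failures = defaultdict(list)
    for ev in events:
        if ev.get("event") == "login" and ev.get("result") == "fail":
            failures[ev["src"]].append(ev)
    for src, evs in failures.items():
        for i, ev in enumerate(evs):
            recent = [f for f in evs[: i + 1] if ev["ts"] - f["ts"] <= window]
            users = {f["user"] for f in recent}
            if len(users) >= min_users:
                alerts.append(("password_spray", src, sorted(users)))
                break
    return alerts


def detect_suspicious_admin_grants(events, business_hours=(8, 18)):
    """Alert on role=admin grants that are self-issued or outside the
    assumed business-hours window (UTC hours, start inclusive, end exclusive)."""
    alerts = []
    for ev in events:
        if ev.get("event") != "role_grant" or ev.get("role") != "admin":
            continue
        reasons = []
        if ev.get("target") == ev.get("user"):
            reasons.append("self-grant")
        if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
            reasons.append("outside business hours")
        if reasons:
            alerts.append(("suspicious_admin_grant", ev["user"], reasons))
    return alerts


def run_detections(text):
    """Parse the log once and run every detection over it."""
    events = parse_events(text)
    return detect_password_spray(events) + detect_suspicious_admin_grants(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the sample log the spray from 203.0.113.7 is raised once the fifth distinct account fails, and erin's subsequent grant of admin to herself at 02:12 UTC is flagged for both reasons; frank's daytime grant of a reader role is not. In practice the thresholds and the business-hours window are tuned per organisation, and these alerts would feed the incident response plan the article says user organisations should ask their IDaaS provider about.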