Cloud(ed) Judgment: OneLogin’s Breach Continues to Fuel the Security Debate

When it comes to the next big data breach, it’s never a matter of if, but a discussion of when.

This time, the target was identity and access management firm OneLogin, which recently shut down its U.S. data center due to compromised Amazon Web Services (AWS) keys. With the company serving more than 2,000 enterprises across 44 countries, the incident has been referred to as a “massive leak” and once again raised questions about cloud security.

As we continue to learn, everything that the cloud represents is great… until it’s not.

In the case of OneLogin, we see that convenience continues to trump security. Storing all personal log-in credentials in the password management service’s AWS cloud created a single point of failure, and hackers gained wholesale access to user data.

Despite these risks, businesses continue to pursue a one-stop shopping solutions approach to the cloud finding that a managed service fits all their needs. And large migrations to the cloud continue to be implemented for all kinds of business-critical functions, including identity.

Bottom Line: Identity Companies are Not Security Companies

The problem lies in the fact that identity companies are not security companies. They don’t design their solutions to be secure. So for enterprises looking to avoid becoming the next OneLogin, they must have both identity and security.

If compromised, identity is an incredibly effective vector to the compromise of other assets. As such, it’s one of the most important aspects of your system to protect. Unfortunately, bad actors have made note of identity’s default mechanism of (in)security, and the shift to APIs in the cloud have encouraged attacks on the very solutions providing the service.

While IAM isn’t equipped to thwart these attacks, API Security Gateway technology embodies an all-encompassing approach to identity, one that bridges together the capabilities of IAM with the data inspection and security necessary at the enterprise-level. These tools offer a secure abstraction layer, and feature multi-factor and multi-context authentication to provide the essential context critical to validating user behavior with exchanged information.

Forum Systems champions a ‘security by design’ approach and believes that Identity Access Management (IAM) requires a hybrid cloud computing model where user information is always stored internally within the organization, not externally in the cloud, particularly because user credentials and user attribute information represents the most sensitive of business information. IAM provides the concepts of centralized identity but most IAM technology solutions are not security focused, or security hardened. A foundation of security, including strong encryption provides the assurance that the enforcement points of deployment are not subject to cybersecurity attack and compromise. API Security Gateway technology allows for the potential of cloud-based IAM to be realized but ensures the protection of critical user data on-premises, where it belongs.

While the OneLogin breach led one affected customer to “rebuild their whole authentication security system,” our award-winning API Security Gateway, Forum Sentry, was built from the ground up with security as the fundamental design concept, not as an afterthought. For more information about Forum Sentry’s identity authentication capabilities in the cloud, please visit this page.