Think twice before sending users’ digital identities to the cloud

Recent data breaches have organizations rethinking what data they’re willing to trust to third parties. And with good reason. When data like your users’ digital identities are at stake, you can’t be too careful.

In this article, we dig into why you might want to think twice before you give a third-party access to your users’ network credentials.

Adapt your risk threshold to the threat landscape

Recent high-profile data breaches raise important questions about the security of sending identity management to a cloud identity provider (IdP). Specifically, just how big does your attack surface get when you send digital identity to the cloud?

Most importantly, is that a question we can answer at all?

Just look at the recent Okta breach. It makes sending identity management to the cloud look like the trojan horse of risk.

Attackers gained access to client information stored in Okta’s support platform, and from there gained access to client network credentials. This is the risk everyone more or less accepted. But there’s more. The attackers also stole session tokens.

And as we’ve seen, that can open the door to all kinds of truly nasty unauthorized access and lateral movement.

Assess your risk tolerance

What does this mean for IT leaders? First, how your organization approaches identity governance will depend on your unique situation — there’s no one-size-fits all.

If you’re already using a cloud-based IdP, consider how you can mitigate the risks of a larger attack surface (hint: it’s probably bigger than you think it is). For example, make sure you apply MFA on all user network access, and apply admin session binding.

If your organization is moving towards a cloud IdP, but you haven’t yet made the shift, carefully vet how they store your user credentials across the platform. Make sure their security policies and capabilities match what you need for identity lifecycle management.

If your organization currently uses an on-premise enterprise identity provider like Active Directory (AD), your attack surface stays exponentially smaller if you retain AD for user identity management. With strong single sign-on for Active Directory, you can still offer secure, seamless user access to all the benefits of the cloud.

Align software solutions with your risk management strategy

The responsibility to safeguard users’ digital identity is one IT leaders take seriously. Your software solution providers should too. At IS Decisions, here’s our approach to helping safeguard your Active Directory user identities.

We don't store your users’ network access credentials

First of all, we don’t store your users’ network passwords and credentials at all. Active Directory remains your identity provider.

Our on-premise access security solutions, UserLock and FileAudit, act as an extension of Active Directory. This means your AD integration is quick, easy, and doesn’t change any of your existing AD schema. It also means all your user credentials, and even access to our solution itself, stays firmly on-premise — with you, not us.

The result of keeping identity management on premise is a smaller attack surface. We’re probably biased, but we think your control over your attack surface is one of the (mostly) unsung advantages of on-premise identity management.

In the words of our Director of Engineering, Daniel Garcia, “It shouldn’t surprise anyone that when you keep the keys to your house, you’re safer than when you give your keys away.”

Words to live by.

Our support platform doesn't give us access to your infrastructure

But our commitment to data protection goes beyond not storing your users’ digital identities.

When you submit support tickets through your isdecisions.com account, you use an email address and password that are unrelated to the credentials for your Active Directory account.

In other words, our clients’ infrastructure stays completely closed off from us.