The headlines are becoming so common that we barely blink - another security breach. Records compromised. Millions affected. Stolen credentials used to gain access.
The latest victim is Rochester, NY-based Excellus BlueCross BlueShield. In early September, the health insurance company revealed that unauthorized access was gained to IT systems as early as late 2013, but it wasn't discovered until August 2015. Personal information on some 10.5 million people may have been compromised, including names, dates of birth, social security numbers, financial account information and clinical information.
Just like other recent breaches at Anthem, the Office of Personnel Management, Sony and Ashley Madison, the attackers appeared to have used stolen credentials to gain access to corporate networks, and because they're posing as employees, they may not be detected for months or (in this case) years. In fact, you can use this tool to see what pieces of your information have been leaked. My results are scary - I have had every category of data exposed except one.
Excellus said in a statement the investigation has not determined that any of that data was removed from its systems or used inappropriately. But that doesn't mean they're out of the woods. The files reportedly were encrypted, but the attackers had gained administrative access to the files. Most likely they were able to view them in an unencrypted form. So it's reasonable to believe that they could have stolen information without removing it. Infiltrators could simply copy the unencrypted data onto their own system.
Cases like these prove that identity and access management has never been more critical. Passwords alone can no longer be trusted to keep company data safe - they can be lost, stolen or socially engineered away. Federated single sign-on, backed by identity standards, is a strong solution.
Federated SSO replaces passwords with signed assertions or tokens. This is done through the use of identity standards such as SAML, OAuth, OpenID Connect and SCIM, which must be supported by an identity and access management solution. These standards securely transmit user access and provisioning information. They have been independently reviewed by leading security professionals to provide the strongest levels of security, and they also safeguard web and mobile applications, as well as the APIs that support them. Here's a quick rundown of the most important standards and what they do:
Security Assertion Markup Language (SAML) is an open XML standard for exchanging authentication and authorization data between an identity provider and a service provider. SAML allows businesses to safely share identity information across domains.
The System for Cross-domain Identity Management (SCIM) was developed in 2011 using modern protocols like REST and JSON to provide a more straightforward approach to user provisioning and deprovisioning. SCIM is used to grant users access to applications and to remove that access when it is no longer needed.
OAuth 2.0 is the industry-leading standard for enabling access to APIs. It allows an application to securely access resources on behalf of the user without requiring their password. It also lets the user see what kinds of access and information the application is requesting before they give consent.
OpenID Connect adds an identity layer to OAuth 2.0 and simplifies existing federation specifications. It enables things like identity federation and delegated authorization, as well as other features that improve interoperability.
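The point behind all four standards above is the one made earlier in the post: a signed assertion or token stands in for a password, and the service provider trusts it only after checking the signature and the claims inside it. The following is an added example, not code from the original post or from Ping Identity, showing both sides of that exchange with an OpenID Connect-style ID token. To stay self-contained it signs with HMAC-SHA256 (HS256) under a shared secret; real deployments usually verify RS256 or ES256 signatures against the provider's published keys, but the checks on the relying-party side (pinned algorithm, signature, issuer, audience, expiry) are the same. The secret, issuer URL, audience and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (not from the original post): the shared signing
# key, the issuer this service trusts, and this service's own identifier.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
TRUSTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "example-relying-party"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(subject: str, now: int, lifetime: int = 300) -> str:
    """Identity-provider side: mint a short-lived HS256-signed token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": TRUSTED_ISSUER, "sub": subject, "aud": EXPECTED_AUDIENCE,
              "iat": now, "exp": now + lifetime}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    sig = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now: int) -> dict:
    """Service-provider side: return the claims only if every check passes.

    Raises ValueError with a short reason on the first failed check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to verify, never the token
    # (this is what blocks "alg":"none" and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the check leaks nothing about the signature.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if not (aud == EXPECTED_AUDIENCE or (isinstance(aud, list) and EXPECTED_AUDIENCE in aud)):
        raise ValueError("token not intended for this service")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def reject_reason(token: str, now: int):
    """Convenience wrapper: None when the token is accepted, else the reason."""
    try:
        verify_token(token, now)
        return None
    except ValueError as exc:
        return str(exc)


def rewrite_claims(token: str, **changes) -> str:
    """Re-encode the claims segment with `changes`, keeping the old signature.

    Used here only to show that edited claims no longer verify.
    """
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims.update(changes)
    return header_b64 + "." + _encode_json(claims) + "." + sig_b64


def rewrite_header(token: str, **changes) -> str:
    """Same as rewrite_claims, but for the header segment (e.g. alg)."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    header.update(changes)
    return _encode_json(header) + "." + claims_b64 + "." + sig_b64


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    token = issue_token("alice", now)
    print("valid token   ->", verify_token(token, now)["sub"])
    print("edited sub    ->", reject_reason(rewrite_claims(token, sub="admin"), now))
    print("alg=none      ->", reject_reason(rewrite_header(token, alg="none"), now))
    print("after expiry  ->", reject_reason(token, now + 301))
```

The order of the checks matters: the algorithm is pinned before the signature is computed, the signature is checked before any claim is read, and only then are issuer, audience and expiry compared against values the service provider configured itself rather than values taken from the token.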
These standards can be integrated in many identity and access management systems, including Active Directory and web access management systems. Although these technologies don't directly support Federated SSO, they can each play a role in an enterprise implementation of SSO. AD is often the primary source for user authentication and can be integrated with most SSO solutions. WAM systems can also be integrated into enterprise SSO.
If your company works with partners or contractors that share your files or apps, identity standards are valuable there too, because they reduce the hassle of integrating security processes between organizations. The standards also apply to any device, desktop or mobile, and to any browser or client that is accessing information from applications.
Don't become the next headline. Think ahead. Think federated SSO with identity standards.