From Target to TalkTalk to whoever gets breached next week, the litany of companies that have lost customer data should be making businesses rethink not just how they protect customer information and accounts, but whether they want to be running customer and consumer identity services themselves.
Despite the fact that attacks are routine, user identity details are often poorly protected. A quick glance at Stack Exchange reveals a worrying number of developers who don’t know how to handle encryption or store usernames and passwords securely. Many companies have support practices that put customer data at risk, from technical mistakes like cross-site scripting vulnerabilities or serving login pages insecurely, to poor architectural decisions like blocking password managers or handling password resets badly, including emailing plain text passwords. The Plain Text Offenders site and security expert Troy Hunt both collect examples, many of them from household names.
And even if you are securing your own customer identities well, you’re at risk when other sites are breached because people routinely reuse user names and passwords.
Identity – as a service
“User names and passwords are valuable for getting into your site but they’re even more valuable for getting into other sites,” says Alex Simons, who runs Microsoft’s Active Directory team. “Every time there is a leak, at least 20 percent matches with some other website. You just don't want your consumer site with all the user names and passwords to be a target, but you don’t want to be responsible for maintain all the patching and the right kinds of encryption, making sure that it’s in a locked state and no-one can get to it.”
Getting identity right takes experience, expertise and continuing research, Simons says – because that’s what the people trying to break in have got:
“You have to keep up with what's going on in the underground, to know where the right place to be is. You’d better have modern encryption technologies, you’d better know how to effectively salt your encryption, and how many iterations to run, and how to make the trade-off between iterations and CPU bandwidth and all those types of things. And you have to keep up with it, because the world of cybercriminals is evolving so quickly. The challenge here is very high; the criminals are professionals, they have supply chains of tools, they can go buy a silent IP address you’ve never seen before, they can get hacking tools on the open market to get in. That’s an organized crime business and you don't want a small set of amateurs protecting you. You want to call in the professionals and have the professionals run it for you.”
Jon Gelsey, CEO of developer identity service Auth0, agrees. “The concept of 'security' for an entire Web or mobile app, API or IoT device is complex. Implementing strong security for an application means developers must be constantly aware of rapidly evolving threats, and must have the skill set to properly integrate security into their applications. Since the best security is the one that actually gets deployed, implementation must be as simple as possible for the developer.” He says an identity service will be easier to use, faster to develop with and will provide better security, which he hopes becomes “an incentive for companies to launch applications with proper security in place from day one.”
Marc Boroditsky, who runs Twilio’s Authy service, says the trend to using identity services is well underway in some industries. “Businesses are good at protecting employee information with lifecycle controls but the risk of managing consumer data is beyond their skills. There are really competent service providers that are going to actually deliver a better more deliverable solution. Five years ago, big retailers were starting to work towards offloading that to third party providers. Already the automotive industry, because of the complexity of interactions in the service and manufacturing relationship, is outsourcing identity to a centralised supplier that’s delivering it as a service.”
If you’re accessing OnStar, he points out, you’re going through a service like Covisint.
Security from scale
Real Madrid decided to simplify identity for their developers and they’ve been using Microsoft’s new Azure AD B2C service, which Simons describes as “a private label version of Azure Active Directory to run your consumer site” since it was in private preview. Fans can log in with a username and password, or using a social account like Facebook, and that works on the website or in any mobile apps the team produces. But what they see is a Real Madrid branded page, not a Microsoft one, because it’s easy to style the site.
Improving security with an identity service can save money. “Our pricing is crazy affordable; we can run this for you way, way cheaper than you could run it yourself, and get all the other benefits too,” Simons claims. The first 50,000 consumer identities are free; if your business needs more than that, Microsoft charges “a fraction of a cent per authentication and per stored identity”. That gets you a highly available service running at Azure scale, in multiple data centres around the world (so connections are fast wherever your customers are). “If a data center burns down or a disk goes bad, or whatever we can immediately reroute to another live node so you don’t get any downtime.”
It’s important to note that simply using an identity service doesn’t make you secure. As Troy Hunt notes, “If you don't know what you're doing, how do you know you're choosing the right service?” Rather than attempting to outsource the responsibility of security, CIOs need invest in education. “They should ensure those making such key decisions are properly trained,” Hunt says.
Simons agrees: “There's no substitution for knowledge. You have to make the investment to keep up on these things. You have to think about it at multiple layers and have a good defence in depth story. But there are big pieces of this you can outsource to smart people like us. Your identity security: we can take care of that for you. Then the surface area and the complexity of the threat model you have to worry about is reduced.”
[Related: Why it’s time to say goodbye to passwords]
One area many companies get wrong is support and account management. If your system can mail out a forgotten password, then you’re storing unencrypted passwords at some point. “One of the coolest things about our B2C system is that it's all workflow and metadata driven,” says Simons. “All those workflows like how to reset your password, how to answer a two factor authentication challenge; we generate the emails for you. You declare in metadata ‘here's how I want to have it work’ and we take care of best practice. You never have a user saying ‘hey, support team, send me my password’. We have a nice instrumented flow they go through to prove they own the account, maybe using their phone and they get the chance to reset the password securely. It’s about managing the lifecycle of an identity and it’s all done in policy.”
One advantage it would be hard to get on your own is the scale of an identity service like Azure B2C and what Microsoft has learned from managing the 500 million Microsoft account users who log in every day. To protect them, Microsoft actively looks for what it calls endangered accounts. “We have a team that works with governments and other companies, and also looks on the black market and picks up leaked user names and passwords,” Simons says. “We run these through our services and we can alert you about potentially compromised user names and passwords in your tenant for customers and employees. And we can help you take action, so you can require them to do a multi-factor authentication or reset their password.”
The B2C service will also use a system that’s already in place to protect Microsoft accounts from weak passwords. “If you put in one of the top one thousand most frequently used passwords, we ask you ‘please pick a password that's harder to guess’.”
The password isn’t the only protection for the accounts. “We look at over 90 attributes of context for that user when you log in. If you gave the right username and password but the context you use is wrong - if you're coming from a machine we've never seen and you’re coming from a Tor network, you are not going to be able to log into the service.”
Microsoft also collaborates with services like Google and Facebook to make it easier to spot attacks or compromised accounts across different services (because an attacker who has cracked an account on one service will often be targeting that user on other systems where they might reuse their password, and because one account is often secured by using another account as a way to reset the password).
Plus, its work to help stop botnets means it now controls ten of the largest botnets in the world. It leaves the command and control servers running so it can track which IP addresses are infected with malware when they report in to the servers. Azure Active Directory customers can see if any of their own IP addresses are infected, but Microsoft can also use that in Azure B2C to protect you against infected customers trying to log in to your services.
Protect yourself from partners
The other set of external identities many companies have to deal with is those that give your partners access to your network. As repeated breaches have proved - from banks infected with SQL Slammer by their partners to the HVAC business through which hackers breached Target's network - that's very difficult to get right.
“Traditionally, businesses have followed two models, and both have failed,” Simons says. “The federation model is expensive and from the compliance point of view it's a nightmare. I'm just going to have a token show up from someone. The other model that's also failed is to run a separate directory with partner identities – so now they have different identities to deal with, and I have to have a service they can call to reset passwords, and then when an employee leaves their company I don't know that.”
One alternative is the new, free Azure B2B service for collaborating with other companies. “You can set up trust relationships between tenants in the cloud so you can share applications and documents between companies,” Simons says. This uses the free Azure AD tenant that any business can set up (and many companies already have one because of the widespread adoptions of Azure and Office 365. “When you invite a partner, if they have a tenant we use that and if not we invisibly create the tenant. You can invite specific users, so you have visibility of the relationship in your tenant. You can see your partners and manage them in the sense of adding them to groups for access. If an employee leaves my partner's tenant, they get removed automatically.”
Protecting accounts and logins is something you can no longer think of as just a technology issue, Simons suggests; it’s a key area of business competency. “We know if your usernames and passwords leak, you stock goes down 20 percent and your CEO gets fired. It’s not a small issue any more.”