User data security has been in the spotlight for years now. It seems like every week, if not every day, brings a report of a new breach or vulnerability discovered. From Target to Equifax to JP Morgan Chase, it’s a scary world out there, and for many teams, the path to secure customer identity is vast, complicated, and difficult to navigate. A few quick tips can dramatically improve user data security in most environments. At Okta, securing identities is our top priority, so we want to share a few ideas to help you upgrade quickly.
1 – Separate Your User Store from Your Application Data
One of the first – and easiest – steps to increase customer data security in the cloud is to separate user credentials and personally identifiable information (PII) from application data. Separating the user store ensures that any data collected by or provided to your application is not easily matched to its owner. What you separate depends on the application’s use case, but typically separated user data includes usernames, email, passwords, and PII such as addresses or location data.
This separation of user data provides a few key benefits:
- It can simplify your security overhead by isolating user data, which demands higher security, from application data that may need to be easier to access and manipulate for performance reasons.
- It can make it easier to meet privacy requirements, whether imposed by a government, company or user demand. GDPR, anyone?
- It is a requirement in some parts of the medical and financial industries: this method supports HIPAA compliance, as well as other standards.
And don’t forget, user authentication data and PII should be protected and well-encrypted, both at rest and in transit, which brings us to our second guideline.
2 – Use Advanced Hashing Algorithms to Secure Customer Data and Passwords
We all know that user authentication data shouldn’t be stored in plaintext, but do we all follow that rule? By one estimate, 30% of companies store or transmit passwords in plaintext.
Employing an advanced hashing algorithm like bcrypt, scrypt, or argon2 makes brute-forcing authentication data more difficult and time intensive. These algorithms are deliberately designed to take a long time to compute a single hash in order to slow down cracking attempts. bcrypt, for example, uses a CPU-intensive algorithm to ensure password attacks require enormous computing power. scrypt takes it one step further by requiring enormous amounts of memory to compute each password hash in addition to its high CPU requirements. argon2 adds a third dimension of computational complexity: it takes a parallelism parameter, so hashing attempts that don't run across the configured number of CPU threads are penalized. Thus, attackers are forced to spend lots of time and money to attempt even the smallest of password cracking operations.
In our opinion, it’s faster to use Okta for secure authentication via one of our 15-minute quickstarts than to ensure you store passwords correctly yourself. We automatically handle password hashing for you to ensure your hashes are as strong as possible and are seamlessly upgraded over time as standards and best practices change.
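To make the slow-hashing and "upgraded over time" points concrete, here is an added example (not Okta's code) using Python's standard-library scrypt. The self-describing record format `scrypt$n$r$p$salt$hash`, the `POLICY` cost values and the upgrade-on-login flow are assumptions for this example, not part of the original post.

```python
import hashlib
import hmac
import os

# Assumed current cost policy for this example: n=2**14, r=8 needs about
# 128 * r * n = 16 MiB per hash, which fits hashlib's default 32 MiB memory limit.
POLICY = {"n": 2 ** 14, "r": 8, "p": 1}


def hash_password(password: str, n=POLICY["n"], r=POLICY["r"], p=POLICY["p"]) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$hash_hex."""
    salt = os.urandom(16)  # fresh random salt per password, never reused
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    algo, n, r, p, salt_hex, hash_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported password record")
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    n, r, p, salt, expected = _parse(record)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored parameters are weaker than the current policy."""
    n, r, p, _, _ = _parse(record)
    return n < POLICY["n"] or r < POLICY["r"] or p < POLICY["p"]


def login(password: str, record: str):
    """Verify the password; on success return the record to keep storing.

    Because the plaintext is only available at login, this is the moment to
    re-hash an outdated record with the current policy (upgrade on login).
    """
    if not verify_password(password, record):
        return False, record
    return True, (hash_password(password) if needs_rehash(record) else record)


if __name__ == "__main__":
    old = hash_password("example-passphrase", n=2 ** 10)  # a record from an older, weaker policy
    ok, upgraded = login("example-passphrase", old)
    print(ok, needs_rehash(old), needs_rehash(upgraded))  # True True False
```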
3 – It’s Simple, Encrypt Everything
Including your backups and database dumps. Forgetting this step introduces a common attack vector in cloud computing.
To encrypt data, we recommend using Amazon's KMS or XSalsa20+Poly1305. If you’re looking for a secure way to store offsite backups, we strongly recommend using tarsnap (created and run by Colin Percival, the creator of scrypt and the head of security for FreeBSD).
4 – Protect Everyone with Multi-Factor Authentication
As attacks move from targeting infrastructure to people, you can protect your customers and your employees by adding multi-factor authentication across your organization and applications.
With regard to your internal systems, it’s far more likely for an employee to be a victim of credential phishing or social engineering than for hackers to gain access through a vulnerability. The same is true for the users of your application. When MFA is in place, users are prompted for an additional factor after entering their primary credentials. So even if their credentials are compromised, there is much less chance of data exfiltration, as the attacker would also need the second factor, often a one-time passcode, a physical or software token, or even a biometric, in order to gain access.
You can certainly build MFA for your customers yourself, but it’s even easier to deploy MFA for both your employees and your customers with Okta. Our solutions give you the flexibility to deploy our built-in factors or integrate with existing tokens. Native factors include SMS and the Okta Verify app for iOS and Android. Additionally, we integrate with YubiKey, U2F Security Key, Google Authenticator, RSA SecurID, Symantec VIP, and Duo Security.
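As an added example of the one-time-passcode factor described above (not Okta's code or the Okta Verify implementation), this is a server-side verifier for the time-based codes that authenticator apps such as Google Authenticator generate (RFC 4226 HOTP / RFC 6238 TOTP). The `TotpVerifier` class, its in-memory replay state and the `window` setting are assumptions for this example.

```python
import base64
import hashlib
import hmac
import time


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; decode it for HMAC."""
    return base64.b32decode(text.strip().upper())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Check a submitted one-time passcode for a user.

    Codes within +/- `window` time steps are accepted to tolerate clock drift.
    The highest counter already used per user is recorded so that a code an
    attacker captured (e.g. via phishing) cannot be replayed.
    """

    def __init__(self, window: int = 1, step: int = 30):
        self.window, self.step = window, step
        self.last_counter = {}  # user -> last accepted counter (in-memory for the example)

    def verify(self, user: str, secret: bytes, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter.get(user, -1):
                continue  # this step (or an older one) has already been consumed
            if hmac.compare_digest(hotp(secret, c), code):  # constant-time compare
                self.last_counter[user] = c
                return True
        return False
```

The test vectors in the RFC appendices (secret `12345678901234567890`, time 59 gives `287082`) are a quick way to confirm an implementation before trusting it with real enrolments.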
Learn More About Securing Your Organization and Customers
Interested in digging deeper on the topics we cover in this post? You’re in luck; we have some great resources: