Identity in the News – Week of June 4

Selections from the top news items this week in the world of identity and application security.

Identity + the Cloud

I followed the CEO of $6 billion Okta around and learned the secrets of a tech conference that landed President Obama as a speaker

From Business Insider: Last week, the conference center at the Aria hotel in Las Vegas was abuzz with excitement. Okta, the $6 billion identity management company, had landed a very special guest speaker in the form of President Barack Obama. Okta has a classic Silicon Valley origin story. It was founded by two early employees of Salesforce: Former Salesforce engineering head and current Okta CEO Todd McKinnon, and Freddy Kerrest, who had been a sales exec at Salesforce, and is now COO of Okta.

The Australian Business Review: Todd McKinnon says Okta getting around passwords

From The Australian Business Review: Much has been made about the death of the password but for most, it still feels like mission impossible. Okta boss Todd McKinnon is confident his company is going about it in a meaningful way, announcing a new set of tools that could finally make the scenario plausible. The CEO, speaking to The Australian on the eve of the company’s Oktane conference, said Okta was aiming to become the glue connecting thousands of services and websites.

Why GDPR won’t be a bloodbath

From IT Portal Pro: With its range of ID and authentication management services, Okta is set to play a leading role in helping with the GDPR transition, particularly with organisations that may need to address dealing with data requests from employees or customers. "We can't solve all the problems, but at least we can give folks a chance,” Chris Niggel, Okta’s head of security and compliance, told ITProPortal at the company’s recent Oktane18 conference in Las Vegas.

Scotland to begin building identity platform prototype this autumn

From ComputerWeekly: The Scottish government’s digital directorate plans to launch a six-to-nine-months alpha phase of its online identity assurance programme. The aim of the alpha phase, which will run from August 2018, is to create a prototype of an identity assurance platform, which can then be tested with end users. According to Scotland’s online identity assurance programme board papers, the country aims to take a flexible approach “to support different Identity Providers, as the landscape evolves”.

A third of IT professionals don't know how many endpoints they manage

From BetaNews: A poll of 1,000 IT professionals across North America and Europe finds that while 88 percent of respondents acknowledge the importance of endpoint management, nearly a third don't know how many endpoints they actually manage. The study by identity and access management company LogMeIn shows a worrying 30 percent of IT professionals don't know how many endpoint devices exist within their organization.

Why Oktane Has Become The Most Important SaaS Event of the Year

From Amalgam Insights: In late May, Amalgam had the opportunity to stop by Oktane18, Okta’s annual end user conference. In our mobility and cloud management coverage, Okta regularly appears as an important identity, access management, and security partner used to coordinate activity with a variety of technology lifecycle management solutions. Cloud and digital strategists who are not attending Oktane risk missing out on key SaaS and IT management strategies emerging in an end-user centric model of IT.

The Best Way to Protect Your Cloud May Be Another Cloud

From PC Mag: One challenge that comes with being a midsize enterprise today is that you're large enough to be a target but not large enough to afford the kind of security that large enterprises use. This is one of the reasons why one of the fastest-growing segments for data breaches is the small to midsize business (SMB). In fact, according to the 2018 Verizon Data Breach Investigation Report, smaller enterprises received over half of all data breach attacks last year.

Cybersecurity

These five states are the worst for data security

From CNBC: Most Americans do not have safe cyber habits, which includes monitoring bank and credit card statements, updating online account passwords and watching carefully for email phishing attempts. Fewer than 1 in 4 Americans routinely practice factors that increase online security, according to a report from Webroot, a cybersecurity company, and Ponemon Research.

Cloud functions present new security challenges

From CSO Online: Serverless apps are deployed over a cloud platform and are designed to use only the amount of computing resources needed to carry out a task. They come into play when needed, and then go away when the task completes. This is great if you’re looking to maximize performance and minimize overhead in a cloud environment. Because they are small, fast and have short lifespans, however, serverless apps pose challenges to security teams.

Establishing Digital Identity Assurance: Who Is in Your Circle of Digital Trust?

From Security Intelligence: Regardless of device or vendor, today’s consumers demand digital convenience and access anytime, anywhere. This expectation for accommodation creates an opportunity for organizations to drive business growth and offerings through new digital channels.

Enterprises use network security in the cloud to combat threats

From TechTarget: Enterprises are investing in network security in the cloud as they manage a growing volume of users and data, both ripe targets for bad actors looking to steal data or hold systems for ransom. Enterprises are investing in network security in the cloud as they manage a growing volume of users and data, both ripe targets for bad actors looking to steal data or hold systems for ransom.

The Cybersecurity 202: Voters' distrust of election security is just as powerful as an actual hack, officials worry

From The Washington Post: As millions of people across the country vote in eight different primaries today, state officials are working hard to secure the elections from hackers. But officials say there’s a more pressing, albeit abstract, challenge: Keeping voters confident that their vote is safe. The U.S. intelligence community has concluded that a major goal of Russia’s campaign to interfere in the 2016 presidential election through cyberattacks on 21 states and national political organizations was to undermine public faith in the U.S. democratic process.

How to protect your company’s passwords

From TechHQ: It’s a good idea to double-check existing passwords against the previously compromised phrases in Troy’s lists (“Pwned Passwords”) when setting up your credentials manager. Among software providers using the publicly-available lists are 1Password and Okta. Okta is a Chrome browser extension which will tell you if your credentials have been compromised: every time you sign up for a new service and enter a password, the extension will tell you whether your choice is wise.

Report: Nearly half of all enterprises were hacked in the last 12 months

From TechRepublic: A recent survey by SailPoint and Vanson Bourne found that organizations are suffering in a number of different ways from the constant barrage of cyberattacks. The researchers highlighted that, of the 400 IT decision-makers surveyed, 44% worked for organizations that had suffered from a hack in the last 12 months and the breaches had cost their companies nearly $1 million on average.

Risk & Repeat: More trouble for federal cybersecurity

From TechTarget: The latest government report on the state of federal cybersecurity brought more bad news for Washington, D.C. The Federal Cybersecurity Risk Determination Report and Action Plan, which was commissioned by the Office of Management and Budget and the Department of Homeland Security, found the vast majority of government agencies have significant gaps in their security postures.

How does a SAML vulnerability affect single sign-on systems?

From TechTarget: A SAML vulnerability was recently discovered by Duo Security Inc., which found the flaw in one of its own products. Duo said the flaw affects single sign-on systems for five vendors, and it could affect many more depending on how companies implement SAML and which open source software libraries they use.

Developers + the Tech Industry

Microsoft Is Buying GitHub for $7.5 Billion in Stock

From the Wall Street Journal: Microsoft Corp. is buying the software-code repository GitHub Inc. for $7.5 billion in stock, a move that could help the software giant persuade more developers to create applications for its cloud-computing business. The deal puts GitHub, a popular service where developers share and collaborate on code, into the hands of a tech giant that is among the leaders in cloud computing, where customers rent digital resources and applications on demand.

Enhancing Pwned Passwords Privacy by Exclusively Supporting Anonymity

From Troy Hunt: When I launched Pwned Passwords in August, I honestly didn't know how much it would be used. I made 320M SHA-1 password hashes downloadable and also stood up an API to query the data "as a service" by either a plain text password or a SHA-1 hash.

Microsoft CEO Satya Nadella On The Extraordinary Potential Of AI

From Forbes: As the AI Age takes hold, Microsoft has unleashed an AI strategy that's as complete and ambitious as any you'll find from any company in the world. It's already in place in fast-food restaurants and in manufacturing plants, and Microsoft is ahead of everyone in extending and unifying AI's capabilities from the cloud to the edge."AI is going to be one of the trends that is going to be the next big shift in technology," Microsoft CEO Satya Nadella said at a recent investor's conference.

Auth0 subdomain flaw puts users at risk

From SC Magazine: Security researchers have discovered a new attack technique, which hackers may be using in the wild, and could put any website utilising Auth0 at risk of attack. Auth0 is an identity-as-a-service offering with 2000 enterprise customers and 42 million logins a day. Essentially, an attacker could spoof a legitimate website using the subdomain name from a different region.

Why to Build an App With an SDK Instead of an API

From the Programmable Web: When it comes to integrating a third party's services with your own, APIs are often the way to go. But in some cases SDKs can offer a number of advantages over direct interaction with the API. But how do you choose? This article looks at the reasons why sometimes it makes sense to use an SDK.

When The Right API Solution Is Not Always The Sensible One

From API Evangelist: None of this will shift me evangelizing the "proper way to design APIs", but it reminds me (once again), at how immovable the business world can actually be. APIs are having a significant impact on how we develop web, mobile, desktop, and device applications, but one of the reasons web APIs have found so much success is that they are simple, scrappy, and flexible.

Five Things You Need to Know About API Security

From The New Stack: An API, or Application Programming Interface, is how software talks to other software. Every day, the variety of APIs and the volume of API calls are growing. Every web and mobile application out there is powered by APIs. By nature of the APIs, many of them have direct line to the heart of the user.

Learn more about the topics in the news this week:

• GDPR: We’re Ready, Are You?
• Using Personal Identity Verification Credentials to Enable Passwordless Authentication
• Announcing PassProtect – Proactive Web Security
• Use Behavior and Context to Secure Access
• Security and the API Journey