I’m writing this article on Friday morning, after spending the last two weeks at Oktane and Google Cloud Next, immersed in identity management and security. It’s great that the whole industry is talking about zero trust and contextual access, and as always, I love digging into device management and attestation. But after all this, there’s one security issue that keeps me awake at night: Passwords.
Sure, we all know how terrible passwords are—how stolen, weak, or default passwords are involved in so many breaches, how annoying they are for users, how hard they are to manage, and how we want them to go away. I’m preaching to the choir here. But, we can’t deny that this is still one of the most pressing issues today.
In particular, I’m thinking about all the random enterprise SaaS apps out there that aren’t set up with federation and single sign-on (let alone multi-factor authentication). Be honest, how many of these are there at your company?
With these loosely managed apps, it’s hard to make sure users set unique and strong passwords. It’s hard to get a consistent overview of user activity when all these apps are in silos. And it’s hard to know what apps a user even has access to, for when you need to deprovision their accounts after they change roles or leave the company.
(Passwords and random apps also keep me awake in my personal life, because I worry about my family and friends. I guess I’m officially a security person now, because I’ve asked my friends if they’re still re-using the same passwords from years ago. I also worry about my parents getting social engineered over the phone, but that’s another story.)
Yes, endpoint management and security hygiene are important issues, but if your passwords are weak or breached and you’re not using MFA, then the endpoint is irrelevant.
Yes, contextual access is awesome and it’s the future and everything, and we’re seeing important breakthroughs in authentication, but you can’t get started on this if your user identities are all out there in the wild, completely unmanaged.
I think I’ve made my point, but there are a few more anecdotes on my mind from the last two weeks:
- I was speaking on a panel session hosted by Lookout, and the moderator asked us who we thought was doing a really good job in the security space. My answer was any app developer or ISV that makes sure their app supports identity federation standards.
- At Oktane, one Okta customer described how SAML support is now a requirement for any software their company buys.
- For apps that don’t support standards, this week Google Cloud Identity announced that they were becoming the latest IDaaS product to support password vaulting and stuffing. With this, at least you can get some visibility and control, even if the underlying mechanism still involves a password.
So, if you’re looking for a win on security (and on user experience!), setting up federation and single sign-on for as many of your SaaS and web apps as possible is clearly a great place to start.