From Target to TalkTalk to whoever gets breached next week, the litany of companies that have lost customer data should be making businesses rethink not just how they protect customer information and accounts, but whether they want to be running customer and consumer identity services themselves.
Despite the fact that attacks are routine, user identity details are often poorly protected. A quick glance at Stack Exchange reveals a worrying number of developers who don’t know how to handle encryption or store usernames and passwords securely. Many companies have support practices that put customer data at risk, from technical mistakes like cross-site scripting vulnerabilities or serving login pages insecurely, to poor architectural decisions like blocking password managers or handling password resets badly, including emailing plain text passwords. The Plain Text Offenders site and security expert Troy Hunt both collect examples, many of them from household names.
And even if you are securing your own customer identities well, you’re at risk when other sites are breached because people routinely reuse user names and passwords.
Identity – as a service
“User names and passwords are valuable for getting into your site but they’re even more valuable for getting into other sites,” says Alex Simons, who runs Microsoft’s Active Directory team. “Every time there is a leak, at least 20 percent matches with some other website. You just don't want your consumer site with all the user names and passwords to be a target, but you don’t want to be responsible for maintaining all the patching and the right kinds of encryption, making sure that it’s in a locked state and no-one can get to it.”
Getting identity right takes experience, expertise and continuing research, Simons says – because that’s what the people trying to break in have got:
“You have to keep up with what's going on in the underground, to know where the right place to be is. You’d better have modern encryption technologies, you’d better know how to effectively salt your encryption, and how many iterations to run, and how to make the trade-off between iterations and CPU bandwidth and all those types of things. And you have to keep up with it, because the world of cybercriminals is evolving so quickly. The challenge here is very high; the criminals are professionals, they have supply chains of tools, they can go buy a silent IP address you’ve never seen before, they can get hacking tools on the open market to get in. That’s an organized crime business and you don't want a small set of amateurs protecting you. You want to call in the professionals and have the professionals run it for you.”
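The salting and iteration-count trade-off Simons describes, as an added example that is not from the article or from Microsoft: a per-user random salt, PBKDF2 with the iteration count stored alongside the hash, constant-time verification, a rehash check so old records get upgraded, and a calibration routine that picks the iteration count from the CPU time you are willing to spend per login. The record format, the 600,000-iteration default and the function names are assumptions for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters for this example; tune the iteration count per deployment with calibrate_iterations().
HASH_NAME = "sha256"
SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_<hash>$<iterations>$<salt_hex>$<digest_hex>.
    A fresh random salt per user defeats precomputed tables, and two accounts with the
    same password never produce the same stored record. `salt` is injectable only for tests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then compare in
    constant time so response timing does not reveal how much of the digest matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != f"pbkdf2_{HASH_NAME}":
            return False
        actual = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(actual, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record, bad hex, or non-positive iteration count
        return False

def needs_rehash(record: str, min_iterations: int) -> bool:
    """True when a record was created with fewer iterations than current policy; re-hash
    on the next successful login so stored hashes keep pace with faster hardware."""
    return int(record.split("$")[1]) < min_iterations

def calibrate_iterations(target_seconds: float = 0.25, probe: int = 100_000) -> int:
    """Pick an iteration count that costs roughly `target_seconds` of CPU on this host:
    the trade-off between attacker work factor and acceptable login latency."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH_NAME, b"calibration", b"\x00" * SALT_BYTES, probe)
    elapsed = time.perf_counter() - start
    return max(probe, int(probe * target_seconds / elapsed))
```

Store only the record string; on each successful login call `needs_rehash` and, if it returns True, replace the record with `hash_password` at the current policy count.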