I received a handful of inquiries today in response to Okta’s PassProtect announcement, so instead of copying and pasting a canned reply to my friends and colleagues, I thought I’d make a quick post with some of my thoughts.
First of all, congrats to the Okta team for recognizing the value of breach notification and putting some development resources toward launching a product. However, it is an unusual product with limited value for the enterprise. This product is nothing more than a PR stunt by a leader in the IDaaS space to raise awareness and create some goodwill. Goodwill seems to go a long way these days, but it doesn’t go far enough when planning for enterprise-wide security and protection.
Secondly, the specific needs that enterprises have to detect and prevent the abuse of compromised credentials go beyond browser plugins, which don’t even scratch the surface of the weak-password problem. A plugin doesn’t help answer the question, “Has MY password been found in a data breach or reused from other online services?” VeriClouds has found that using a blunt instrument like this results in alerting users 2-6 times more than necessary to a hypothetical risk—as opposed to a real and verifiable risk—and results in a poor balance between user experience and security. In a way, it reinforces the bad user training that we need complicated and unmemorable passwords to be more secure online.
Furthermore, when it comes to breach data collection and management for identity threat protection, applying 80/20 thinking will endanger an organization. 20% of the leaked data does not mitigate 80% of the risk. Better data = better customer experience = better company performance.
VeriClouds developed Identity Threat Protection, a platform with a set of modular capabilities that include:
- Automated scripts for data collection and secure data handling
- Data mining and big data security analytics
- Artificial intelligence
- Data masking and encryption
- Continuous monitoring and notification tools
- Integration layer based on RESTful APIs
Which mostly looks like this:
[Figure: VeriClouds Identity Threat Protection]
I wrote in December that it is no longer enough to simply answer, “Have I been pwned?” Leading security practitioners assume a state of breach. Forward-thinking organizations are already adopting advanced cloud security services that help answer the question, “How at risk are my users and my organization?”
Security and risk management leaders must be engaged with more than breach notification and generic compromised password lists. Your system for monitoring and verification of compromised credentials needs to be able to answer:
- Is my current password leaked or reused?
- How at risk are the executives and privileged users in my organization?
- How can I only notify affected users without forcing a user to change his or her password due to hypothetical risk?
- How can I verify compromised credentials without ever revealing the account identifier or the credential to a service provider?
- Does this user’s leaked credential satisfy or violate my organization’s password policy?
To make it easier for enterprises to adopt identity threat protection, our solution integrates with Active Directory, SailPoint IIQ, ForgeRock Identity Management 6.0, Lieberman RED Identity Manager and other security platforms from the world’s largest identity and security/CASB vendors, and provides a full block against the abuse of compromised credentials.
Breach notification ≠ identity threat protection
There are more nuances to the detection and treatment of user-centric risk than knowing whether the credential was involved in a data breach or whether the password is considered weak. My team and I have a heart to help any organization evaluate whether an identity threat protection solution is a good fit or not.
Breach notification ≠ identity threat protection. Consider all of the options on the market today before adopting a free breach notification service for your organization. Consider the true cost of free.
Get your free trial of VeriClouds CredVerify in one easy step at: https://www.vericlouds.com/free-trial/
Or listen to 5 Key Insights for Credential Monitoring and Verification and download a whitepaper written by the VeriClouds product management and research team with key insights that can help you select an appropriate solution for mitigating the risk of data breaches and leaked credentials.