Identity and access management
Identity is often considered the perimeter in infosec, especially as traditional enterprise perimeters dissolve. Identity and access management is critical to maintain data security. From passwords to multifactor authentication, SSO to biometrics, get the latest advice on IAM here.
Top Stories
-
News
16 May 2023
Coalition: Employee actions are driving cyber insurance claims
After analyzing cyber insurance claims data, Coalition determined that phishing escalated in 2022, ransomware dropped and timely patching remained a consistent problem. Continue Reading
-
News
10 May 2023
Dragos discloses blocked ransomware attack, extortion attempt
Dragos Inc. published a blog post that outlined a likely ransomware attack it stopped this week, though a threat actor obtained 'general use data' for new hires. Continue Reading
-
News
30 Jan 2018
New Comodo CA leadership talks competition, IoT devices
Comodo CA's new chairman Bill Conner and CEO Bill Holtz talk with SearchSecurity about competition in the certificate market and how the internet of things will fuel growth. Continue Reading
-
News
25 Jan 2018
Comodo calls out Symantec certificate issues, applauds Google
Bill Conner and Bill Holtz, who recently joined Comodo CA as chairman and CEO, respectively, discuss Symantec's certificate issues and their effect on the certificate market. Continue Reading
-
Podcast
17 Jan 2018
Risk & Repeat: Let's Encrypt certificates offer pros, cons
In this week's Risk & Repeat podcast, SearchSecurity editors discuss Let's Encrypt certificates and weigh the positives and negatives the free certificate authority provides. Continue Reading
-
Answer
16 Jan 2018
Advanced Protection Program: How has Google improved security?
Google added a layer to its account security system with Advanced Protection Program. Matt Pascucci explains how individuals can better defend themselves from malicious actors. Continue Reading
-
Answer
26 Dec 2017
What is emotional data and what are the related privacy risks?
SearchSecurity talks with UC Berkeley professor Steven Weber about the concept of emotional data, where it comes from and how it can potentially be used -- and abused. Continue Reading
-
Answer
20 Dec 2017
QakBot malware: How did it trigger Microsoft AD lockouts?
QakBot malware triggered hundreds of thousands of Microsoft Active Directory account lockouts. Discover the malware's target and how these attacks are being carried out. Continue Reading
-
Answer
19 Dec 2017
OneLogin data breach: What does the attack mean for SSOs?
A OneLogin data breach affected all of the company's U.S. customers after threat actors abused an Amazon Web Services API. Discover what this means for customers and SSO companies. Continue Reading
-
Tip
14 Dec 2017
Cryptographic keys: Your password's replacement is here
As passwords become targets of phishing attacks, password management has become increasingly difficult. Expert Nick Lewis explains how cryptographic keys could replace passwords. Continue Reading
-
Answer
08 Dec 2017
LDAP injection: How was it exploited in a Joomla attack?
After eight years, Joomla discovered an LDAP vulnerability that could be exploited by threat actors. Learn how the attack works from expert Matt Pascucci. Continue Reading
-
Tip
07 Dec 2017
How machine learning-powered password guessing impacts security
A new password guessing technique takes advantage of machine learning technologies. Expert Michael Cobb discusses how much of a threat this is to enterprise security. Continue Reading
-
Tip
30 Nov 2017
Use caution with OAuth 2.0 protocol for enterprise logins
Many apps are using the OAuth 2.0 protocol for both authentication and authorization, but technically it's only a specification for delegated authorization, not for authentication. Continue Reading
-
Feature
28 Nov 2017
Security Controls Evaluation, Testing, and Assessment Handbook
In this excerpt from chapter 11 of Security Controls Evaluation, Testing, and Assessment Handbook, author Leighton Johnson discusses access control. Continue Reading
-
News
17 Nov 2017
Researchers bypass iPhone X security feature Face ID
News roundup: In under a week after its release, researchers were able to bypass the main iPhone X security feature, Face ID. Plus, Microsoft patched a 17-year-old flaw, and more. Continue Reading
-
Podcast
08 Nov 2017
Risk & Repeat: Sale of Symantec Website Security completed
In this week's Risk & Repeat podcast, SearchSecurity editors discuss the sale of Symantec Website Security to DigiCert and what it means for Symantec's troubled certificate business. Continue Reading
-
Tip
08 Nov 2017
Learn how to identify and prevent access control attacks
Once an attacker has gained entry to a network, the consequences can be severe. Find out how the right access control tools can help prevent that from happening. Continue Reading
-
Answer
07 Nov 2017
How should security teams handle the Onliner spambot leak?
A security researcher recently discovered a list of 711 million records used by the Onliner spambot. Expert Matt Pascucci explains what actions exposed individuals should take. Continue Reading
-
Answer
26 Oct 2017
Google Docs phishing attack: How does it work?
A Google Docs phishing attack used OAuth tokens to affect more than a million Gmail users. Nick Lewis explains how it happened, and how to defend against such an attack. Continue Reading
-
Answer
24 Oct 2017
Samsung S8 iris scanner: How was it bypassed?
Hackers bypassed the Samsung S8 iris scanner, which could spell trouble for biometric authentication. Expert Nick Lewis explains how it happened and how to stay protected. Continue Reading
-
News
20 Oct 2017
Advanced Protection Program locks down Google accounts
Google's Advanced Protection Program greatly increases the security of user accounts, but the usability tradeoffs may not be worth it for average users. Continue Reading
-
Answer
20 Oct 2017
What knowledge factors qualify for true two-factor authentication?
Can two-factor authentication be applied to a mobile device that's used as a 2FA factor? Michael Cobb explores the different knowledge factors and uses for mobile devices. Continue Reading
-
Answer
19 Oct 2017
Running a private certificate authority: What are the risks?
Running a private certificate authority can pose significant risks and challenges to meet baseline requirements. Michael Cobb explores what enterprises should know. Continue Reading
-
Answer
04 Oct 2017
WoSign certificates: What happens when Google Chrome removes trust?
Google Chrome has started removing trust in certificates issued by WoSign. Matthew Pascucci explains this decision and what it means for companies using WoSign certificates. Continue Reading
-
Blog Post
15 Sep 2017
Fearmongering around Apple Face ID security announcement
As fears grow over government surveillance, the phrase "facial recognition" often triggers a bit of panic in the public, and some commentators are exploiting that fear to overstate any risks ... Continue Reading
-
News
13 Sep 2017
Apple claims iPhone X Face ID has better security than Touch ID
Apple announced the new iPhone X Face ID system, which replaces Touch ID in favor of facial recognition and may offer 20 times fewer false positives than fingerprint scanning. Continue Reading
-
Answer
15 Aug 2017
What is the best way to secure telematics information?
SMS authentication is often used to secure telematics information, but it may not be strong enough. Expert Judith Myerson discusses why, and how to improve the protection of this data. Continue Reading
-
Tip
09 Aug 2017
Are biometric authentication methods and systems the answer?
Biometric authentication methods, like voice, fingerprint and facial recognition systems, may be the best replacement for passwords in user identity and access management. Continue Reading
-
Answer
09 Aug 2017
What tools can bypass Google's CAPTCHA challenges?
The ReBreakCaptcha exploit can bypass Google's reCAPTCHA verification system using flaws in Google's own API. Expert Michael Cobb explains how the attack works. Continue Reading
-
Blog Post
08 Aug 2017
The Symantec-Google feud can't be swept under the rug
The Symantec-Google feud regarding the antivirus vendor's web certificate practices appears to be over. But that doesn't mean it should be minimized or ignored. Continue Reading
-
Tip
27 Jul 2017
SHA-1 collision: How the attack completely breaks the hash function
Google and CWI researchers have successfully developed a SHA-1 attack where two pieces of data create the same hash value -- or collide. Expert Michael Cobb explains how this attack works. Continue Reading
-
News
20 Jul 2017
Industry reacts to Symantec certificate authority trust remediation
As the Symantec certificate authority scrambles to transition its certificate-issuance operations to a subordinate certificate authority, the CA industry sharpens its knives. Continue Reading
-
News
13 Jul 2017
Symantec certificate authority business reportedly for sale
As Google and Mozilla prepare plans to reduce trust for Symantec's certificate authority, the antivirus vendor is reported to be seeking a buyer for its web certificate business. Continue Reading
-
Podcast
12 Jul 2017
Risk & Repeat: Should IAM systems be run by machine learning?
In this week's Risk & Repeat podcast, SearchSecurity editors discuss the identity and access management industry and how machine learning algorithms could govern IAM systems. Continue Reading
-
Feature
12 Jul 2017
Q&A: Ping CEO on contextual authentication, intelligent identity
Ping Identity CEO Andre Durand talks with SearchSecurity about the data-driven move toward contextual authentication and intelligent identity and what this means for enterprises. Continue Reading
-
News
10 Jul 2017
WoSign CA certificates get end-of-trust date in Chrome
Google to distrust all WoSign CA certificates in Chrome starting in September, as the troubled certificate authority passed a key audit and is seeking a new CEO to help return trust. Continue Reading
-
Answer
06 Jul 2017
How does the Microsoft Authenticator application affect password use?
The Microsoft Authenticator application enables smartphone-based, two-factor authentication and attempts to reduce the use of passwords. Expert Matthew Pascucci explains how. Continue Reading
-
Podcast
23 Jun 2017
Risk & Repeat: Symantec, Mozilla spar over certificate issuance
In this week's Risk & Repeat podcast, SearchSecurity editors discuss Mozilla's suggested deadline for Symantec to turn over its certificate issuance operations. Continue Reading
-
News
23 Jun 2017
Privileged user management trips up NSA
News roundup: DOD inspector general found NSA failed to implement secure privileged user management post-Snowden. Plus, Honda hit by WannaCry, Trump met with tech CEOs and more. Continue Reading
-
News
22 Jun 2017
Machine learning in cybersecurity is coming to IAM systems
Machine learning in cybersecurity applications for identity management systems are becoming more common today. But will algorithms be the best option for authenticating and authorizing users? Continue Reading
-
Tip
22 Jun 2017
How the use of invalid certificates undermines cybersecurity
Symantec and other trusted CAs were found using bad certificates, which can create huge risk for internet users. Expert Michael Cobb explains how these incidents can be prevented. Continue Reading
-
News
21 Jun 2017
Ping embeds multifactor authentication security in mobile apps
At the 2017 Cloud Identity Summit, Ping Identity launched a new software development kit that will embed multifactor authentication security features in mobile apps. Continue Reading
-
Answer
07 Jun 2017
How does Facebook's Delegated Recovery enable account verification?
Facebook's Delegated Recovery aims to replace knowledge-based authentication with third-party account verification. Expert Michael Cobb explains how this protocol works. Continue Reading
-
Blog Post
06 Jun 2017
Symantec certificate authority aims for more delays on browser trust
Is the Symantec certificate authority operation too big to fail? That seems to be the message the security giant is sending in its latest response to a proposal from the browser community to turn ... Continue Reading
-
Answer
02 Jun 2017
How can the latest LastPass vulnerabilities be mitigated?
More LastPass vulnerabilities were recently discovered. Expert Matthew Pascucci explains the flaws, as well as what enterprises can do to mitigate the threat they pose. Continue Reading
-
News
02 Jun 2017
Users' SSO information at risk after OneLogin security breach
News roundup: OneLogin security breach puts SSO data at risk but is vague about the details. Plus, Gmail boosts its phishing detection features, and more. Continue Reading
-
Tip
25 May 2017
How SSH key management and security can be improved
The widespread use of SSH keys is posing security risks for enterprises due to poor tracking and management. Expert Michael Cobb explains how some best practices can regain control over SSH. Continue Reading
-
Feature
18 May 2017
Okta Adaptive MFA gives companies flexible authentication
Okta Adaptive MFA offers businesses a range of flexible authentication methods that use different contexts to determine which factors provide users with access. Continue Reading
-
Feature
17 May 2017
RSA Authentication Manager offers a variety of authentication methods
With authentication methods ranging from risk-based to tokens, RSA Authentication Manager gives companies a number of ways to employ multifactor authentication. Continue Reading
-
Feature
15 May 2017
Summing up Symantec VIP Service, a multifactor authentication tool
Expert David Strom looks at the Symantec VIP multifactor authentication product and how it can benefit enterprise security. Continue Reading
-
Feature
15 May 2017
An in-depth look at Gemalto's SafeNet Authentication Service
Expert David Strom provides an in-depth look at Gemalto's SafeNet Authentication Service, a SaaS-based multifactor authentication product for boosting login security. Continue Reading
-
Answer
12 May 2017
How did a Slack vulnerability expose user authentication tokens?
A Slack vulnerability exposed user authentication tokens and enabled hackers to access private data. Expert Matthew Pascucci explains how and why this hack was successful. Continue Reading
-
Feature
11 May 2017
SecureAuth IdP: An overview of its multifactor authentication ability
Expert David Strom looks at how SecureAuth IdP uniquely combines multifactor authentication and single sign-on login capabilities in a single product. Continue Reading
-
Feature
10 May 2017
VASCO IDENTIKEY Authentication Server and a look at its key features
Expert David Strom takes a closer look at VASCO's IDENTIKEY Authentication Server, one of the leading multifactor authentication products on the market. Continue Reading
-
Answer
09 May 2017
Are separate administrator accounts a good idea for enterprises?
Separate administrator accounts are becoming a normal part of access policies in enterprises. Expert Matthew Pascucci explains why this is a good idea and how to implement it. Continue Reading
-
Feature
05 May 2017
Quest Defender protects businesses with two-factor authentication
Through the Defender Management Portal, Quest Defender lets users request hard and soft tokens to provide valuable two-factor authentication and monitor all token activity. Continue Reading
-
Podcast
04 May 2017
Risk & Repeat: Symantec offers plan to restore certificate trust
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss Symantec's continued struggles with certificate trust, and what Mozilla and Google are doing about it. Continue Reading
-
News
02 May 2017
Mozilla: Symantec certificate remediation plan not enough
Mozilla reviews the counterproposal from Symantec and urges the CA giant to opt for Google's recommendation to outsource its certificate activities. Continue Reading
-
News
28 Apr 2017
Symantec certificate authority offers counter-proposal to Google
Symantec certificate authority proposal takes the pain out of sanctions for misissued certs, offers more audits, greater transparency and promise of "continuous improvement." Continue Reading
-
E-Zine
19 Apr 2017
Is your IAM policy a roadmap to security or leading you off a cliff?
Identity and access management, or IAM, has long been a crucial consideration in the formulation of corporate security strategy. IAM policy today must contend with a variety of major changes sweeping the world of IT. One of the latest is the spread of cloud-based services, particularly the relativity new identity as a service. IDaaS and other products are having a significant impact on the market, as cloud-based IAM is now being released by both "establishment" players (i.e., Microsoft and Oracle) and next-gen companies like Ping Identity and Okta.
This Information Security magazine Insider Edition tackles these seismic changes in the "identity layer" and considers other factors affecting IAM policy now and how they have an impact. In addition, we look at multifactor authentication, which is an established identity security practice. But multifactor is not without its own challenges when to comes to implementation and maintenance. We also take a careful look at the specific risks to cloud-based IAM tools, from shadow IT, mobility and more.
Readers of the special edition of Information Security magazine on IAM policy and security concerns will come away better equipped to assess their current IAM policy and adapt it to the current and future world of IT.
Continue Reading -
Opinion
19 Apr 2017
Start redrawing your identity and access management roadmap
Securing enterprise systems and information requires an IAM roadmap that helps you identify effective policy, technology and tools. Continue Reading
-
Feature
19 Apr 2017
Identity and access management strategy: Time to modernize?
More likely than not, your company's identity and access management strategy needs an update. Learn how to decide if that's the case and, if so, what you should do now. Continue Reading
-
Podcast
19 Apr 2017
Risk & Repeat: Mozilla joins the Symantec certificate authority debate
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss mounting pressure on the Symantec certificate authority business to provide answers about its practices. Continue Reading
- 19 Apr 2017
- 19 Apr 2017
- 19 Apr 2017
-
Guide
11 Apr 2017
How to deal with Identity and access management systems
An identity and access management system is increasingly essential to corporate security, but technological advances have made managing an IAM more complex than ever. Continue Reading
-
Answer
05 Apr 2017
Insecure OAuth implementations: How are mobile app users at risk?
Mobile apps using insecure OAuth could lead to over one billion user accounts being attacked. Expert Michael Cobb explains how developers can implement OAuth securely. Continue Reading
-
News
04 Apr 2017
Symantec certificate authority issues listed by Mozilla developers
Mozilla developers respond to questionable Symantec certificate authority practices, as the security provider questions Google's proposed solutions. Continue Reading
-
Podcast
31 Mar 2017
Risk & Repeat: Google slams Symantec certificates
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss Google's proposed plan to distrust Symantec certificates following more allegations of mis-issuance. Continue Reading
-
Answer
29 Mar 2017
How does a U2F security key keep Facebook users safe?
Universal second factor devices can be used to strengthen authentication on major websites such as Facebook. Expert Matthew Pascucci explains how U2F works. Continue Reading
-
Answer
27 Mar 2017
How do identity governance and access management systems differ?
Identity governance and access management systems overlap naturally, but they are still distinct. Expert Matthew Pascucci explains the difference between these two aspects of IAM. Continue Reading
-
Opinion
23 Mar 2017
The best SSO for enterprises must be cloud and mobile capable
The best SSO today can handle the apps mobile workers use, identity as a service and more. Learn to make single sign-on, and other identity management approaches, more effective. Continue Reading
-
Tip
23 Mar 2017
Enterprise SSO: The promise and the challenges ahead
It was inevitable that enterprise SSO would encounter the cloud. Learn how to adjust your company's approach to single sign-on so it keeps working well. Continue Reading
-
Answer
06 Mar 2017
SHA-1 certificates: How will Mozilla's deprecation affect enterprises?
Mozilla browser users will encounter 'untrusted connection' errors if they use SHA-1 signed certificates. Expert Michael Cobb explains why, and what enterprises can do. Continue Reading
-
News
23 Feb 2017
SHA-1 deprecation more important after hash officially broken
SHA-1 deprecation in browsers comes as researchers create hash collisions and Google offers website and developer tools to protect against malicious uses. Continue Reading
-
News
16 Feb 2017
Q&A: Yubico brings FIDO authentication protocol to the masses
Yubico founder and CEO Stina Ehrensvard spoke with SearchSecurity at RSAC 2017 about FIDO authentication and how Google uses it to secure logins and cut costs. Continue Reading
-
Answer
08 Feb 2017
HTTP public key pinning: Is the Firefox browser insecure without it?
HTTP public key pinning, a security mechanism to prevent fraudulent certificates, was not used by Firefox, and left it open to attack. Expert Michael Cobb explains how HPKP works. Continue Reading
-
News
03 Feb 2017
Google G Suite updates aim to improve phishing protection
News roundup: Google updates G Suite with stronger authentication. Plus, WordPress secretly patches vulnerabilities, malware is likely to infect entire OSes, and more. Continue Reading
-
Podcast
01 Feb 2017
Risk & Repeat: Bad Symantec certificates strike again
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the discovery of more bad Symantec certificates and what it means for the antivirus software maker. Continue Reading
- 30 Jan 2017
-
News
27 Jan 2017
Symantec CA report offers more clarity on certificate transparency catch
One week after certificate transparency revealed a Symantec CA improperly issued over 100 digital certificates, Symantec offers more details on the incident. Continue Reading
-
News
27 Jan 2017
Google creates its own root certificate authority
Google is expanding its certificate authority capabilities by creating its own root certificate authority, but experts are unsure of Google's plans moving forward. Continue Reading
-
News
24 Jan 2017
Certificate Transparency snags Symantec CA for improper certs
Symantec CA could be in for more trouble after a security researcher, using Certificate Transparency logs, discovered more than 100 improperly issued certificates. Continue Reading
-
Answer
18 Jan 2017
How do facial recognition systems get bypassed by attackers?
Researchers found that facial recognition systems can be bypassed with 3D models. Expert Nick Lewis explains how these spoofing attacks work and what can be done to prevent them. Continue Reading
-
News
17 Jan 2017
Gmail phishing campaign uses real-time techniques to bypass 2FA
Researchers saw a Gmail phishing campaign in the wild using clever tricks to access accounts including a difficult 2FA bypass only possible in real time. Continue Reading
-
Answer
04 Jan 2017
How can two-factor authentication systems be used effectively?
Two-factor authentication systems require more than using codes sent through SMS and smart cards. Expert Michael Cobb explains how to properly and effectively implement 2FA. Continue Reading
-
Tip
03 Jan 2017
FIDO authentication standard could signal the passing of passwords
The FIDO authentication standard could eventually bypass passwords, or at least augment them, as government and industry turns to more effective authentication technologies. Continue Reading
-
Feature
03 Jan 2017
How to buy digital certificates for your enterprise
In the market to buy digital certificates? Learn exactly how digital certificates work, which features are key and how to evaluate the available options on the market. Continue Reading
-
Answer
02 Jan 2017
What new NIST password recommendations should enterprises adopt?
NIST is coming up with new password recommendations for the U.S. government. Expert Michael Cobb covers the most important changes that enterprises should note. Continue Reading
-
Tip
24 Oct 2016
Preventing privilege creep: How to keep access and roles aligned
Privilege creep can result in the abuse of user access and security incidents. Expert Michael Cobb explains how enterprises can keep user roles and privileges aligned. Continue Reading
-
Feature
01 Jun 2016
Strong authentication methods: Are you behind the curve?
Not sure who's really behind that username and password? Google, Facebook and others may finally give multifactor authentication technology the 'push' it needs. Continue Reading
-
Answer
06 May 2016
How can Kerberos protocol vulnerabilities be mitigated?
Microsoft's Kerberos protocol implementation has long-standing issues with its secret keys. Expert Michael Cobb explains how to mitigate the authentication vulnerabilities. Continue Reading
-
Answer
22 Mar 2016
What's the difference between two-step verification and 2FA?
The terms two-step verification and two-factor authentication are used interchangeably, but do they differ from one another? Expert Michael Cobb explains. Continue Reading
-
News
15 Dec 2015
Old Microsoft Kerberos vulnerability gets new spotlight
A new blog post detailed authentication vulnerabilities in Microsoft Kerberos that cannot be patched and could lead to attackers having free rein over systems. Continue Reading
-
Feature
03 Aug 2015
Is third-party access the next IAM frontier?
Identity and access management of employees is so complex that many companies have faltered when it comes to securing programs for trusted partners. Continue Reading
-
Answer
18 Jun 2015
Can simple photography beat biometric systems?
Simple photography cracking biometric systems highlights the need for two-factor authentication in enterprises according to expert Randall Gamby. Continue Reading
-
Buyer's Guide
13 May 2015
Multifactor authentication: A buyer's guide to MFA products
In this SearchSecurity buyer's guide, learn how to evaluate and procure the right multifactor authentication product for your organization. Continue Reading
-
Feature
30 Jan 2015
The top multifactor authentication products
Multifactor authentication can be a critical component of an enterprise security strategy. Here's a look at the top MFA products in the industry. Continue Reading
-
News
22 Jan 2015
Report: Popularity of biometric authentication set to spike
Juniper Research claims that the popularity of biometric authentication will rise dramatically in the next five years, incorporating innovative technology beyond today's fingerprint sensors and voice authentication systems. Continue Reading
-
Answer
15 May 2014
When single sign-on fails, is a second SSO implementation worthwhile?
After a failed SSO implementation, is there any benefit to an enterprise trying again? Expert Michele Chubirka discusses. Continue Reading
-
Answer
28 Mar 2014
Authentication caching: How it reduces enterprise network congestion
Michael Cobb explores the pros and cons of authentication caching and whether the practice can truly calm network strain. Continue Reading