Identity and access management

What about enterprise identity management for 'non-users'?

Identity and access management for service, machine and application accounts is as important as it is for individuals, so be sure your IAM strategy considers so-called non-users. Continue Reading

How does a WDC vulnerability put hardcoded passwords at risk?

Several vulnerabilities were found in Western Digital's My Cloud, including one that affects the default hardcoded password. Learn how to avoid such risks with expert Nick Lewis. Continue Reading

How Azure AD uses cloud access control to protect credentials

Features such as Microsoft Azure AD Smart Lockout and Password Protection add security via trusted authentication. Learn more about cloud access control from expert Ed Moyle. Continue Reading

Weighing privileged identity management tools' pros and cons

Products that help security pros manage access privileges are essential to IT security. Learn how to evaluate market offerings and acquire the best for your company. Continue Reading

LG network: How can attackers use preauthenticated commands?

A vulnerability was found in the LG network involving remote preauthenticated commands. Learn how researchers created a malicious password to show how it issue can be abused. Continue Reading

OneLogin security chief delivers new security model

How did cloud identity and access management vendor OneLogin rebuild its security after a breach? We ask OneLogin security chief Justin Calmus. Continue Reading

With Pwned Passwords API, annoying password policies can finally go away

Update password policies at your company by following the 2017 NIST regulations—improving user experience drastically, and the Pwned Passwords API can help. Continue Reading

10 unified access management questions for OneLogin CSO Justin Calmus

Enterprise security veteran Justin Calmus, who describes himself as an avid hacker, joined OneLogin as the CSO earlier this year. After last year's breach, who would want this job? Continue Reading

Advances in access governance strategy and technology

Recent advances in IAM policy, strategy and technology are raising companies' ability authenticate identities and manage access to their systems and data. Continue Reading

Reddit breach sparks debate over SMS 2FA

Using two-factor authentication with one-time passwords sent via SMS has come under question again after a Reddit breach was blamed on the faulty 2FA method. Continue Reading

Physical security keys eliminate phishing at Google

Successful phishing attempts have been eliminated among Google employees following a requirement to use physical security keys in order to gain access to all Google accounts. Continue Reading

Cloud misconfigurations can be caused by too many admins

Cloud misconfigurations have reached a point where sensitive data can't be protected with manual control, says BetterCloud's David Politis. And part of the issue is too many admins. Continue Reading

Microsoft launches Identity Bounty Program, offers up to $100,000

Microsoft introduced its new Identity Bounty Program that offers up to $100,000 in rewards for reported vulnerabilities in its identity services, such as Azure Active Directory. Continue Reading

As AI identity management takes shape, are enterprises ready?

Experts at the Identiverse 2018 conference discussed how artificial intelligence and machine learning are poised to reshape the identity and access management market. Continue Reading

Security in Network Functions Virtualization

In this excerpt of chapter 4 of Security in Network Functions Virtualization, authors Zonghua Zhang and Ahmed Meddahi discuss Identity and Access Management in NFV. Continue Reading

The threat of shadow admins in the cloud to enterprises

Having shadow admins in the cloud means unauthorized users can access everything a legitimate administrator can. Expert Ed Moyle explains how this works and how to stop it. Continue Reading

Risk & Repeat: Is AI-driven identity management the future?

In this week's Risk & Repeat podcast, SearchSecurity editors discuss Identiverse 2018 and how artificial intelligence is being applied to identity and access management. Continue Reading

Why a zero-trust network with authentication is essential

Zero-trust networks are often deemed compromised and untrusted, making authentication variables essential to security. Expert Matthew Pascucci explains a zero-trust security model. Continue Reading

Yubikey is hot in the security space, so we tested the consumer experience

How easy is it to use Yubikey and would I recommend it? Continue Reading

GlobalSign, Comodo launch competing IoT security platforms

Rival certificate authorities GlobalSign and Comodo CA have strengthened their presence in the IoT security market with new platforms for connected devices. Continue Reading

Ping adds AI-driven API protection with Elastic Beam acquisition

Ping Identity increased its focus on API security with the acquisition of Elastic Beam, a startup that uses artificial intelligence to apply behavioral security on enterprise APIs. Continue Reading

How does a SAML vulnerability affect single sign-on systems?

Researchers at Duo Security discovered a SAML vulnerability that enabled attackers to dupe single sign-on systems. Expert Michael Cobb explains how the exploit works. Continue Reading

How the BloodHound tool can improve Active Directory security

Auditing Active Directory can be made easier with tools like the open source BloodHound tool. Expert Joe Granneman looks at the different functions of the tool and how it can help. Continue Reading

Sexy, but stupid: Biometrics security requires balancing risks

When it comes to biometrics, security coexists with stupidity, unless implementers take the time to understand the limits, according to Adam Englander at RSAC 2018. Continue Reading

Akamai touts network perimeter security shifts, zero-trust model

As network perimeter security grows less practical, Akamai talks at RSA Conference about moving beyond firewalls to improve authentication with a zero-trust model. Continue Reading

SSH announces new key and certificate management service

A new key and certificate management service is now offered by SSH, which teamed up with AppViewX to provide a way to administer cryptographic keys and digital certificates. Continue Reading

Will biometric authentication systems replace passwords?

Biometric authentication systems have gained traction on mobile devices, but when will they become dominant within the enterprise? Expert Bianca Lopes weighs in on the topic. Continue Reading

How TLS mutual authentication for cloud APIs bolsters security

Secure access to cloud APIs is necessary but challenging. One viable option to combat that is TLS mutual authentication, according to expert Ed Moyle. Continue Reading

WebAuthn API gets standards nod from W3C, FIDO Alliance

W3C and the FIDO Alliance have given websites a new tool for doing FIDO-compliant authentication, as the WebAuthn authentication protocol is promoted to W3C Candidate Recommendation. Continue Reading

Risk & Repeat: Trustico certificate drama a cause for concern

In this week's Risk & Repeat podcast, SearchSecurity editors discuss how a controversial move by reseller Trustico led to 23,000 Symantec SSL certificates being revoked. Continue Reading

23,000 Symantec certificates revoked following leak of private keys

DigiCert revoked 23,000 Symantec SSL certificates amid a public spat between the company and former reseller partner Trustico, which claimed the certificates were 'compromised.' Continue Reading

Single sign-on best practices: How can enterprises get SSO right?

Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good start. Here's how to do it. Continue Reading

New SAML vulnerability enables abuse of single sign-on

Duo Security discovered a new SAML flaw affecting several single sign-on vendors that allows attackers to fool SSO systems and log in as other users without their passwords. Continue Reading

Facebook's 2FA bug lands social media giant in hot water

Facebook came under fire after a two-factor authentication bug sent non-security notifications to users' phones, sparking a debate about media coverage and 2FA adoption. Continue Reading

Symantec's untrusted certificates: How many are still in use?

A security researcher found that a significant number of popular websites are still using untrusted certificates from Symantec, which will be invalidated this year. Continue Reading

Bypassing facial recognition: The means, motive and opportunity

Researchers bypassed Apple's facial recognition authentication program, Face ID, in under a week. Expert Michael Cobb explains why it's not a major cause for concern for users. Continue Reading

New Comodo CA leadership talks competition, IoT devices

Comodo CA's new chairman Bill Conner and CEO Bill Holtz talk with SearchSecurity about competition in the certificate market and how the internet of things will fuel growth. Continue Reading

Comodo calls out Symantec certificate issues, applauds Google

Bill Conner and Bill Holtz, who recently joined Comodo CA as chairman and CEO, respectively, discuss Symantec's certificate issues and their effect on the certificate market. Continue Reading

Risk & Repeat: Let's Encrypt certificates offer pros, cons

In this week's Risk & Repeat podcast, SearchSecurity editors discuss Let's Encrypt certificates and weigh the positives and negatives the free certificate authority provides. Continue Reading

Advanced Protection Program: How has Google improved security?

Google added a layer to its account security system with Advanced Protection Program. Matt Pascucci explains how individuals can better defend themselves from malicious actors. Continue Reading

What is emotional data and what are the related privacy risks?

SearchSecurity talks with UC Berkeley professor Steven Weber about the concept of emotional data, where it comes from and how it can potentially be used -- and abused. Continue Reading

QakBot malware: How did it trigger Microsoft AD lockouts?

QakBot malware triggered hundreds of thousands of Microsoft Active Directory account lockouts. Discover the malware's target and how these attacks are being carried out. Continue Reading

OneLogin data breach: What does the attack mean for SSOs?

A OneLogin data breach affected all of the company's U.S. customers after threat actors abused an Amazon Web Services API. Discover what this means for customers and SSO companies. Continue Reading

Cryptographic keys: Your password's replacement is here

As passwords become targets of phishing attacks, password management has become increasingly difficult. Expert Nick Lewis explains how cryptographic keys could replace passwords. Continue Reading

LDAP injection: How was it exploited in a Joomla attack?

After eight years, Joomla discovered an LDAP vulnerability that could be exploited by threat actors. Learn how the attack works from expert Matt Pascucci. Continue Reading

How machine learning-powered password guessing impacts security

A new password guessing technique takes advantage of machine learning technologies. Expert Michael Cobb discusses how much of a threat this is to enterprise security. Continue Reading

Use caution with OAuth 2.0 protocol for enterprise logins

Many apps are using the OAuth 2.0 protocol for both authentication and authorization, but technically it's only a specification for delegated authorization, not for authentication. Continue Reading

Security Controls Evaluation, Testing, and Assessment Handbook

In this excerpt from chapter 11 of Security Controls Evaluation, Testing, and Assessment Handbook, author Leighton Johnson discusses access control. Continue Reading

Researchers bypass iPhone X security feature Face ID

News roundup: In under a week after its release, researchers were able to bypass the main iPhone X security feature, Face ID. Plus, Microsoft patched a 17-year-old flaw, and more. Continue Reading

Risk & Repeat: Sale of Symantec Website Security completed

In this week's Risk & Repeat podcast, SearchSecurity editors discuss the sale of Symantec Website Security to DigiCert and what it means for Symantec's troubled certificate business. Continue Reading

Learn how to identify and prevent access control attacks

Once an attacker has gained entry to a network, the consequences can be severe. Find out how the right access control tools can help prevent that from happening. Continue Reading

How should security teams handle the Onliner spambot leak?

A security researcher recently discovered a list of 711 million records used by the Onliner spambot. Expert Matt Pascucci explains what actions exposed individuals should take. Continue Reading

Google Docs phishing attack: How does it work?

A Google Docs phishing attack used OAuth tokens to affect more than a million Gmail users. Nick Lewis explains how it happened, and how to defend against such an attack. Continue Reading

Samsung S8 iris scanner: How was it bypassed?

Hackers bypassed the Samsung S8 iris scanner, which could spell trouble for biometric authentication. Expert Nick Lewis explains how it happened and how to stay protected. Continue Reading

Advanced Protection Program locks down Google accounts

Google's Advanced Protection Program greatly increases the security of user accounts, but the usability tradeoffs may not be worth it for average users. Continue Reading

What knowledge factors qualify for true two-factor authentication?

Can two-factor authentication be applied to a mobile device that's used as a 2FA factor? Michael Cobb explores the different knowledge factors and uses for mobile devices. Continue Reading

Running a private certificate authority: What are the risks?

Running a private certificate authority can pose significant risks and challenges to meet baseline requirements. Michael Cobb explores what enterprises should know. Continue Reading

WoSign certificates: What happens when Google Chrome removes trust?

Google Chrome has started removing trust in certificates issued by WoSign. Matthew Pascucci explains this decision and what it means for companies using WoSign certificates. Continue Reading

Fearmongering around Apple Face ID security announcement

As fears grow over government surveillance, the phrase "facial recognition" often triggers a bit of panic in the public, and some commentators are exploiting that fear to overstate any risks ... Continue Reading

Apple claims iPhone X Face ID has better security than Touch ID

Apple announced the new iPhone X Face ID system, which replaces Touch ID in favor of facial recognition and may offer 20 times fewer false positives than fingerprint scanning. Continue Reading

What is the best way to secure telematics information?

SMS authentication is often used to secure telematics information, but it may not be strong enough. Expert Judith Myerson discusses why, and how to improve the protection of this data. Continue Reading

Are biometric authentication methods and systems the answer?

Biometric authentication methods, like voice, fingerprint and facial recognition systems, may be the best replacement for passwords in user identity and access management. Continue Reading

What tools can bypass Google's CAPTCHA challenges?

The ReBreakCaptcha exploit can bypass Google's reCAPTCHA verification system using flaws in Google's own API. Expert Michael Cobb explains how the attack works. Continue Reading

The Symantec-Google feud can't be swept under the rug

The Symantec-Google feud regarding the antivirus vendor's web certificate practices appears to be over. But that doesn't mean it should be minimized or ignored. Continue Reading

SHA-1 collision: How the attack completely breaks the hash function

Google and CWI researchers have successfully developed a SHA-1 attack where two pieces of data create the same hash value -- or collide. Expert Michael Cobb explains how this attack works. Continue Reading

Industry reacts to Symantec certificate authority trust remediation

As the Symantec certificate authority scrambles to transition its certificate-issuance operations to a subordinate certificate authority, the CA industry sharpens its knives. Continue Reading

Symantec certificate authority business reportedly for sale

As Google and Mozilla prepare plans to reduce trust for Symantec's certificate authority, the antivirus vendor is reported to be seeking a buyer for its web certificate business. Continue Reading

Risk & Repeat: Should IAM systems be run by machine learning?

In this week's Risk & Repeat podcast, SearchSecurity editors discuss the identity and access management industry and how machine learning algorithms could govern IAM systems. Continue Reading

Q&A: Ping CEO on contextual authentication, intelligent identity

Ping Identity CEO Andre Durand talks with SearchSecurity about the data-driven move toward contextual authentication and intelligent identity and what this means for enterprises. Continue Reading

WoSign CA certificates get end-of-trust date in Chrome

Google to distrust all WoSign CA certificates in Chrome starting in September, as the troubled certificate authority passed a key audit and is seeking a new CEO to help return trust. Continue Reading

How does the Microsoft Authenticator application affect password use?

The Microsoft Authenticator application enables smartphone-based, two-factor authentication and attempts to reduce the use of passwords. Expert Matthew Pascucci explains how. Continue Reading

Risk & Repeat: Symantec, Mozilla spar over certificate issuance

In this week's Risk & Repeat podcast, SearchSecurity editors discuss Mozilla's suggested deadline for Symantec to turn over its certificate issuance operations. Continue Reading

Privileged user management trips up NSA

News roundup: DOD inspector general found NSA failed to implement secure privileged user management post-Snowden. Plus, Honda hit by WannaCry, Trump met with tech CEOs and more. Continue Reading

Machine learning in cybersecurity is coming to IAM systems

Machine learning in cybersecurity applications for identity management systems are becoming more common today. But will algorithms be the best option for authenticating and authorizing users? Continue Reading

How the use of invalid certificates undermines cybersecurity

Symantec and other trusted CAs were found using bad certificates, which can create huge risk for internet users. Expert Michael Cobb explains how these incidents can be prevented. Continue Reading

Ping embeds multifactor authentication security in mobile apps

At the 2017 Cloud Identity Summit, Ping Identity launched a new software development kit that will embed multifactor authentication security features in mobile apps. Continue Reading

How does Facebook's Delegated Recovery enable account verification?

Facebook's Delegated Recovery aims to replace knowledge-based authentication with third-party account verification. Expert Michael Cobb explains how this protocol works. Continue Reading

Symantec certificate authority aims for more delays on browser trust

Is the Symantec certificate authority operation too big to fail? That seems to be the message the security giant is sending in its latest response to a proposal from the browser community to turn ... Continue Reading

How can the latest LastPass vulnerabilities be mitigated?

More LastPass vulnerabilities were recently discovered. Expert Matthew Pascucci explains the flaws, as well as what enterprises can do to mitigate the threat they pose. Continue Reading

Users' SSO information at risk after OneLogin security breach

News roundup: OneLogin security breach puts SSO data at risk but is vague about the details. Plus, Gmail boosts its phishing detection features, and more. Continue Reading

How SSH key management and security can be improved

The widespread use of SSH keys is posing security risks for enterprises due to poor tracking and management. Expert Michael Cobb explains how some best practices can regain control over SSH. Continue Reading

Okta Adaptive MFA gives companies flexible authentication

Okta Adaptive MFA offers businesses a range of flexible authentication methods that use different contexts to determine which factors provide users with access. Continue Reading

RSA Authentication Manager offers a variety of authentication methods

With authentication methods ranging from risk-based to tokens, RSA Authentication Manager gives companies a number of ways to employ multifactor authentication. Continue Reading

Summing up Symantec VIP Service, a multifactor authentication tool

Expert David Strom looks at the Symantec VIP multifactor authentication product and how it can benefit enterprise security. Continue Reading

An in-depth look at Gemalto's SafeNet Authentication Service

Expert David Strom provides an in-depth look at Gemalto's SafeNet Authentication Service, a SaaS-based multifactor authentication product for boosting login security. Continue Reading

How did a Slack vulnerability expose user authentication tokens?

A Slack vulnerability exposed user authentication tokens and enabled hackers to access private data. Expert Matthew Pascucci explains how and why this hack was successful. Continue Reading

SecureAuth IdP: An overview of its multifactor authentication ability

Expert David Strom looks at how SecureAuth IdP uniquely combines multifactor authentication and single sign-on login capabilities in a single product. Continue Reading

VASCO IDENTIKEY Authentication Server and a look at its key features

Expert David Strom takes a closer look at VASCO's IDENTIKEY Authentication Server, one of the leading multifactor authentication products on the market. Continue Reading

Are separate administrator accounts a good idea for enterprises?

Separate administrator accounts are becoming a normal part of access policies in enterprises. Expert Matthew Pascucci explains why this is a good idea and how to implement it. Continue Reading

Quest Defender protects businesses with two-factor authentication

Through the Defender Management Portal, Quest Defender lets users request hard and soft tokens to provide valuable two-factor authentication and monitor all token activity. Continue Reading

Risk & Repeat: Symantec offers plan to restore certificate trust

In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss Symantec's continued struggles with certificate trust, and what Mozilla and Google are doing about it. Continue Reading

Mozilla: Symantec certificate remediation plan not enough

Mozilla reviews the counterproposal from Symantec and urges the CA giant to opt for Google's recommendation to outsource its certificate activities. Continue Reading

Symantec certificate authority offers counter-proposal to Google

Symantec certificate authority proposal takes the pain out of sanctions for misissued certs, offers more audits, greater transparency and promise of "continuous improvement." Continue Reading

Is your IAM policy a roadmap to security or leading you off a cliff?

Identity and access management, or IAM, has long been a crucial consideration in the formulation of corporate security strategy. IAM policy today must contend with a variety of major changes sweeping the world of IT. One of the latest is the spread of cloud-based services, particularly the relativity new identity as a service. IDaaS and other products are having a significant impact on the market, as cloud-based IAM is now being released by both "establishment" players (i.e., Microsoft and Oracle) and next-gen companies like Ping Identity and Okta.

This Information Security magazine Insider Edition tackles these seismic changes in the "identity layer" and considers other factors affecting IAM policy now and how they have an impact. In addition, we look at multifactor authentication, which is an established identity security practice. But multifactor is not without its own challenges when to comes to implementation and maintenance. We also take a careful look at the specific risks to cloud-based IAM tools, from shadow IT, mobility and more.

Readers of the special edition of Information Security magazine on IAM policy and security concerns will come away better equipped to assess their current IAM policy and adapt it to the current and future world of IT.

 Continue Reading

Start redrawing your identity and access management roadmap

Securing enterprise systems and information requires an IAM roadmap that helps you identify effective policy, technology and tools. Continue Reading

Identity and access management strategy: Time to modernize?

More likely than not, your company's identity and access management strategy needs an update. Learn how to decide if that's the case and, if so, what you should do now. Continue Reading

Risk & Repeat: Mozilla joins the Symantec certificate authority debate

In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss mounting pressure on the Symantec certificate authority business to provide answers about its practices. Continue Reading

Identity and access management strategy: Time to modernize?

 Continue Reading

Start redrawing your identity and access management roadmap

 Continue Reading

Strong authentication methods: Are you behind the curve?

 Continue Reading