Engineering

Actual Access Control Without Getting in the Way of Actual Work: 2023

Zemoso Engineering Studio

Tuesday, January 17, 2023


According to Cybersecurity Insiders:

Truthbombs about current state of cybersecurity

The reason lies in the distributed mobile workforce that's not protected by a firewall anymore. Your employees' corporate accounts serve as the gateways to your organization's data vault, and their credentials are the keys to access it. Regrettably, the global workforce struggles to keep these keys secure.

The increase in adoption of cloud-based Software-as-a-Service (SaaS) applications has exacerbated Identity and Access Management (IAM) challenges for Chief Information Security Officers (CISOs), such as:

Top IAM challenges for CISOs

That’s just one tier of the problem. When we dive into the industry level, the picture looks a bit more concerning.

Manufacturing, financial services, and insurance are the top three most frequently attacked industries, partially because of pandemic-induced tech adoption. It accelerated the shift towards cloud-based SaaS solutions while aggravating data security challenges, particularly in Healthcare and Finance.

Security challenges in Healthcare

Although technology adoption in Healthcare started way back in 2009 with the Health Information Technology for Economic and Clinical Health (HITECH) Act, it was barely helpful for caregivers in their day-to-day jobs. Before the pandemic rendered all physical options for data exchange moot, healthcare providers used to rely on fax machines to exchange patient data back and forth between hospitals — talk about the irony of electronic health records.

Now SaaS applications are buttressing the spine of healthcare systems with new patient record management systems, telehealth capabilities, automated healthcare services, and so much more. At the same time, they are accessing, managing, and storing the personal information of millions of people. It's all pretty routine unless you wake up one day and find yourself in the middle of a data breach because an unauthorized person got access to your system.

Security challenges in Finance

Like in healthcare, before the widespread digitization of financial institutions, customers would physically go to the bank to open an account. The best bet for an investor was to call the company directly and ask them to fax over financial documents. A transaction would take much more than a few taps on a screen.

Fast forward to 2023 — it's estimated that there'll be 1.31 billion proximity mobile payment transaction users worldwide. FinTech apps are managing a tremendous amount of data to make that possible. Any data security loose-end can risk exposing Personal Identifiable Information (PII) of millions of users — something the founders of Dave.com, a FinTech unicorn, had to learn the hard way when a security breach resulted in a hacker publishing data of 7.5 million users.

The solution: better identity management and access controls

As alarming as the current state may look, data breaches are preventable, not inevitable. 96% of IDSA's respondents who have suffered a breach reported that they could have prevented or minimized the breach by implementing identity-focused security outcomes.

An identity and access management strategy that enables you to maintain confidentiality, integrity, and availability (CIA), where data is consistently available to authorized parties and secure from unauthorized access attempts, should be your top priority when designing your security infrastructure.

By implementing proper IAM controls, organizations can ensure that user access is managed and controlled throughout the entire network. This includes the ability to grant, revoke, or modify user access rights, monitor user activity, and enforce policies and rules for access to sensitive data or systems.

Security practices like Multifactor Authentication (MFA) and firewall security add a critical layer of protection by managing user identities, access rights, and privileges, ensuring that only authorized users can access the network and its resources.

While having an IAM alone is in no way enough to prevent accidental or intentional leaks, it is a great place to start, and it has become table stakes for any new product that handles and manages sensitive information. Some tools we've used and evaluated in the past at Zemoso Labs are Keycloak, OpenIAM, Okta, Auth0, and AWS Cognito. Each of them offers a unique set of capabilities and varying levels of efficiency, making one better than the other in certain scenarios.

How to pick the right IAM tool for your product?

Like most things in the product context, it comes down to the lifecycle stage your product is at. You are always answering the classic build vs. buy question. Early stage products racing to market on borrowed time don't have the time to build their own IAM solution, with or without the help of an open source solution. Ergo, managed tools like Okta, Auth0, and AWS Cognito are better suited to ensure security and protection while meeting those go-to-market deadlines.

However, for enterprise projects, the cost of using a managed solution would eventually get so high that building your own IAM solution using an open source tool is a profitable choice. We usually recommend Keycloak to our enterprise clients considering this option.

(PS: a FinTech unicorn started using Keycloak after our recommendation.)

If you're crafting an identity and access management strategy for an early stage product, here's a detailed evaluation of managed tools from our engineers' vault to help you choose the best.

Measurement metrics: 1 – ○, 2 – ◔, 3 – ◑, 4 – ◕, 5 – ●. 5 is the best rating.

Evaluation chart: Okta v/s Auth0 v/s AWS Cognito

How did we implement IAM for our partners based on their use case?

Here's a peek into how we enabled multiple partners across industries to secure access points and manage identities using different tools.

For an open source cloud security platform

AWS Cognito was our preferred choice for an open source cloud security platform revolutionizing the industry. Considering the open source nature of the product, Cognito's ability to connect to other Identity Providers (IdPs) to fulfill the authentication/authorization requirement played in our favor, making it our first choice.

For a new-age InsurTech platform

While working with an InsurTech client, security was one of the top concerns given that the platform would access sensitive health data of an individual from within an insurance carrier's database. We chose Okta as the gatekeeper of this data and for establishing user roles and control. We created a security layer over every API call to protect sensitive information. Additional verification and validation of user access status was mandated before any data or insight was shared.

For a disruptive data SecureTech solution

We used Okta to triple-layer security for a data SecureTech solution simplifying how companies protect their proprietary resources. Okta was chosen for Single Sign-On (SSO), MFA, audit trails, token management, and creating a log management dashboard as a part of the platform. It made it easy for us to cover all the security bases for this client and ensure there were no loose ends that threat actors could leverage.
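The per-call gate described for the InsurTech and SecureTech platforms above (token check, then user access status, then role, with an audit record for every decision) as an added example; this is illustrative code, not Zemoso's or Okta's. It assumes an HS256 shared secret so it runs offline, while Okta and Cognito actually issue RS256 tokens verified with the IdP's public key; the issuer, audience, users and route policy are constructed values.

```python
import base64, hashlib, hmac, json
# Constructed demo values. Okta and Cognito issue RS256 tokens checked against the IdP's
# public key; an HS256 shared secret is assumed here only so the example runs offline.
SECRET = b"demo-shared-secret"
ISSUER, AUDIENCE = "https://idp.example.com", "insurtech-api"  # assumed claim values
# Constructed directory, re-checked on every call: a deprovisioned user is refused even with a live token.
USERS = {"alice": {"status": "active", "roles": {"claims-reader"}},
         "bob": {"status": "suspended", "roles": {"claims-reader"}}}
POLICY = {"GET /claims": "claims-reader", "GET /admin/users": "admin"}  # role per route
AUDIT_LOG = []  # stands in for the audit-trail sink
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(header: str, payload: str) -> bytes:
    return hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()

def issue_token(sub: str, now: int, ttl: int = 300) -> str:  # stands in for the IdP
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(_sign(header, payload))}"

def _deny(route: str, sub: str, reason: str) -> dict:
    AUDIT_LOG.append({"route": route, "sub": sub, "decision": "deny", "reason": reason})
    return {"allowed": False, "sub": sub, "reason": reason}

def authorize(route: str, token: str, now: int) -> dict:
    """Gate one API call: signature, issuer/audience, expiry, user status, then role."""
    try:
        header, payload, sig = token.split(".")
        if not hmac.compare_digest(_sign(header, payload), _b64url_decode(sig)):
            return _deny(route, "?", "bad_signature")
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return _deny(route, "?", "malformed_token")
    sub = claims.get("sub", "?")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return _deny(route, sub, "wrong_issuer_or_audience")
    if claims.get("exp", 0) <= now:
        return _deny(route, sub, "expired")
    user = USERS.get(sub)
    if user is None or user["status"] != "active":
        return _deny(route, sub, "user_not_active")
    if POLICY.get(route) not in user["roles"]:
        return _deny(route, sub, "role_not_permitted")
    AUDIT_LOG.append({"route": route, "sub": sub, "decision": "allow"})
    return {"allowed": True, "sub": sub}
```

The status lookup runs after a cryptographically valid token is presented, which is what lets a revocation in the directory take effect before the token's own expiry.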

In conclusion, the new reality of fluid access and identity management challenges requires a versatile solution that can provide comprehensive coverage. The right IAM strategy enabled by the right tool will ensure apt employee access to the resources they need, while also protecting sensitive information and maintaining compliance with industry regulations.

