Software-as-a-service (SaaS) security breaches are on the rise. Earlier this year, compromised user credentials impacted numerous companies utilising Snowflake’s cloud data platform.
The breach resulted in the leak of sensitive personal and financial information. Other organisations hit by data breaches this year include Microsoft, UnitedHealth, Caesars, MGM, and Clorox.
According to a report by AppOmni, 31% of organisations encountered a SaaS data breach in 2024, an increase from 26% in 2023. Notably, the majority of these attacks were identity-based.
To tackle this issue, Okta, the San Francisco-based identity and access management company, introduced a new comprehensive identity security standard during its flagship event, Oktane, held in Las Vegas.
Called the Interoperability Profile for Secure Identity in the Enterprise, or IPSIE for short, the new open standard is intended to give SaaS companies a framework for improving the end-to-end security of their products, with robust security enforced at every interaction within the technology stack.
“We’ve seen that a lot of attacks from malicious actors towards companies and their applications and infrastructure tend to be identity-based attacks,” Shiv Ramji, president of customer identity at Okta, told AIM at the sidelines of Oktane 2024.
What’s IPSIE?
Developed in partnership with the OpenID Foundation and companies like Microsoft, Google, Ping Identity, Beyond Identity, and SGNL, IPSIE aims to enhance existing security controls while introducing new mandates that will benefit the SaaS community.
These include mandating Single Sign-On for centralised login, lifecycle management for secure user onboarding and offboarding to mitigate risks from orphaned accounts and shadow directories, and entitlements that enforce least privilege access while moving towards zero standing privileges.
(Image: Shiv Ramji speaking at Oktane 2024)
Additionally, IPSIE facilitates risk signal sharing, allowing a seamless exchange of security insights across the entire security ecosystem. It also provides session termination, which allows the immediate shutdown of all user sessions in response to detected threats.
According to Okta, applications built to these standards will automatically achieve a higher level of security through governance, entitlement management, multi-factor authentication (MFA), posture management, and real-time universal logout.
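To make the controls listed above concrete, here is a small model of them in Python. This is an added example, not code from Okta, IPSIE or the OpenID Foundation: every integrated app defers to one central control plane for login (SSO), entitlements are time-boxed so no privilege stands permanently, offboarding removes the account, its roles and its sessions together, and an inbound risk signal can trigger a universal logout. The class names, the risk-signal dictionary shape and the severity threshold are assumptions for illustration, not part of the published profile.

```python
"""Constructed model of centralised identity controls (not Okta's or IPSIE's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


class ManualClock:
    """Deterministic clock so expiry behaviour can be checked; real deployments use UTC wall time."""

    def __init__(self, start=None):
        self.t = start or datetime(2024, 10, 16, 12, 0, tzinfo=timezone.utc)

    def now(self):
        return self.t

    def advance(self, minutes):
        self.t += timedelta(minutes=minutes)


@dataclass
class Session:
    session_id: str
    user: str
    app: str


@dataclass
class Entitlement:
    role: str
    expires_at: datetime  # every grant carries an expiry: no standing privilege


class IdentityControlPlane:
    """The single identity authority every integrated SaaS app defers to (assumed design)."""

    def __init__(self, clock=None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.active_users = set()
        self.sessions = {}       # session_id -> Session, across all apps
        self.entitlements = {}   # user -> [Entitlement]
        self.audit = []          # (event, detail) pairs for the security team

    def provision(self, user):
        self.active_users.add(user)
        self.entitlements.setdefault(user, [])
        self.audit.append(("provision", user))

    def sso_login(self, user, app):
        """Apps never keep their own credentials; they ask the control plane for a session."""
        if user not in self.active_users:
            self.audit.append(("login_denied", f"{user}@{app}"))
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(sid, user, app)
        return sid

    def is_session_valid(self, sid):
        return sid in self.sessions

    def grant(self, user, role, ttl_minutes):
        """Time-boxed entitlement: the role exists only for the duration of the task."""
        expires = self.clock() + timedelta(minutes=ttl_minutes)
        self.entitlements.setdefault(user, []).append(Entitlement(role, expires))
        self.audit.append(("grant", f"{user}:{role}"))

    def effective_roles(self, user):
        """Roles still in force right now; expired grants are dropped on the way out."""
        now = self.clock()
        live = [e for e in self.entitlements.get(user, []) if e.expires_at > now]
        self.entitlements[user] = live
        return {e.role for e in live}

    def universal_logout(self, user):
        """Terminate the user's sessions in every app at once; returns how many were killed."""
        doomed = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in doomed:
            del self.sessions[sid]
        self.audit.append(("universal_logout", f"{user}:{len(doomed)}"))
        return len(doomed)

    def deprovision(self, user):
        """Offboarding: no orphaned account, no lingering roles, no live sessions."""
        self.active_users.discard(user)
        self.entitlements[user] = []
        self.audit.append(("deprovision", user))
        return self.universal_logout(user)

    def receive_risk_signal(self, signal):
        """Assumed signal shape: {'subject': user, 'event': name, 'severity': 0-10}.
        High-severity signals (threshold is an assumption) cause an immediate universal logout."""
        if signal.get("severity", 0) >= 7:
            return self.universal_logout(signal["subject"])
        self.audit.append(("signal_logged", f"{signal['subject']}:{signal['event']}"))
        return 0


if __name__ == "__main__":
    clk = ManualClock()
    cp = IdentityControlPlane(clock=clk.now)
    cp.provision("alice")
    cp.sso_login("alice", "crm")
    cp.sso_login("alice", "wiki")
    cp.grant("alice", "db-admin", ttl_minutes=30)
    clk.advance(31)
    print("roles after expiry:", cp.effective_roles("alice"))
    killed = cp.receive_risk_signal({"subject": "alice", "event": "credential-compromise", "severity": 9})
    print("sessions terminated by risk signal:", killed)
    for entry in cp.audit:
        print(entry)
```

The point of the design is that no single app can be "the weak one": a session that survives a compromise signal, a role that outlives its task, or an account that stays usable after offboarding would each have to exist in the control plane, which is exactly where the security team is looking.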
“The current lack of standardisation is a major barrier to effective security. When applications within your ecosystem don’t communicate using a common language or are developed independently, it falls on you to assess your vulnerabilities, often resulting in a lack of visibility. This is why we are introducing a central standard for identity security—to help reduce the fragmentation seen across SaaS applications and create a more cohesive security framework,” Ramji said.
During the event, the company also announced a new programme to help companies reduce their identity-critical security debt to zero. Called Security Identity Assessment (SIA), it is likely to help enterprises identify vulnerabilities such as admin sprawl, enhance their identity infrastructure, and continuously implement the strongest possible security posture.
(Image: Okta CEO Todd McKinnon addressing the keynote session at Oktane 2024)
Standardisation Remains a Challenge
While it’s encouraging to see Okta take the lead in establishing security standards for SaaS and advocate for standardisation, the industry’s widespread adoption of these standards is yet to be determined.
Many of these SaaS enterprises have implemented their own standards internally. Adopting IPSIE would mean scrapping these existing standards.
According to Ramji, Okta is already implementing these standards, which will greatly help with adoption.
“Many B2B SaaS companies utilise our Customer Identity Cloud. By building on our platform, they inherently adopt and implement all these standards,” Ramji said.
Moreover, at Oktane, Okta CEO Todd McKinnon encouraged customers to ensure that their SaaS vendors have adopted these security standards to ensure robust protection against identity threats and to facilitate a more secure and compliant digital environment.
Okta also plans to host global events aimed at educating customers about the significance of standardisation.
“It’s a journey, and our goal is to educate the entire ecosystem about the visibility gaps in security. We’ve gained valuable insights ourselves and are actively encouraging the industry to develop and ultimately adopt these standards,” Ramji said.
Brett Winterford, regional chief security officer, APAC, Okta, spoke with journalists at the sidelines of Oktane and said that some of the major SaaS breaches we witnessed this year could have been prevented if such standards had been in place.
He pointed out that the Okta security breach in 2023 is also a good example of a breach that could have been prevented if these security standards had been in place. Another good example is Snowflake.
“Several attacks on Snowflake customers a few months ago illustrated vulnerabilities not caused by Snowflake itself. Attackers exploited weaknesses in downstream applications, bypassing identity providers due to factors like infostealing and malware that extracted passwords from unmanaged devices. But I can clearly see that the root cause of many of these issues stems from how application and service providers integrate with identity providers,” Winterford said.
Why is Okta Leading the Charge?
Okta is a leading identity management platform that provides secure single sign-on, multi-factor authentication, and lifecycle management solutions. It enables organisations to protect user identities and streamline access across cloud applications.
According to Winterford, around 80% of all attacks enterprises generally witness are identity-led. “In all of my discussions with large SaaS companies, everyone agrees it’s a problem to be solved, but they’ve been waiting for someone to lead and suggest a framework. The specifications for the interoperability profile will undoubtedly be a subject of ongoing debate; however, it’s clear to everyone in the ecosystem that a viable path forward exists,” he told AIM.
The initiative’s backing by Microsoft, Google, and SGNL indicates an industry-wide problem that needs attention.
The post Amid Rise in Data Breaches, Okta Announces New Security Standards for SaaS appeared first on AIM.