Identity and Access Management: Leave it to the Experts
By Dr. Manu Kumar, Founder and Chief Firestarter, K9 Ventures
The start of every application ever built usually involves the developer figuring out how to allow users to create accounts and set up passwords. The number of times this wheel has been re-invented is almost mind boggling. Creating usernames, passwords, figuring out the forgotten password flow are something that is recreated time and time again.
"Security is a complex and dynamic landscape that is constantly evolving with new threat vectors and attacks being discovered"
Something that drives me completely batty though is how developers think that by requiring users to pick a complicated password (at least 1 upper case, 1 number, and 1 special character, but you can’t use all special characters etc.) is a good security practice! From banks, to government websites, to social media websites, the password policies are always just a little bit different requiring users to have multiple versions of the same passphrase. The variations introduced by users are often very easy to guess and thereby actually make these passwords less secure rather than more secure. Likewise, requiring users to change their passwords also results in minor modifications to existing passwords, which also make them less secure (see Time to rethink mandatory password changes by Lorie Cranor, Chief Technologist of the FTC).
Meanwhile, we’re experiencing an ever increasing number of security breaches. In any security breach, there are typically two things that can be compromised--either it is the user’s username, password and other personally identifying information (PII) or it is the user’s data. PII breaches tend to be more common and lists of email addresses and passwords are often being sold on the dark web.
Why then, in 2018, do organizations think that they should be reinventing the wheel on identity and access management each time? By doing so they’re taking on an undue security risk and burden. The developer who may be an expert in a particular domain is expected to also become an expert in the most up to date security practices. That is an unreasonable expectation for companies to have.
Security is a complex and dynamic landscape that is constantly evolving with new threat vectors and attacks being discovered. It is almost impossible for developers in every single company to stay current on all of these issues, while still remaining focused on the business application they’re building.
There is a better way.
Companies can rely on Identity as a Service (IDaaS) providers to stop re-inventing the wheel each time. They can save valuable development time by using APIs to implement login, authentication, and identity quickly and easily by reusing pre-built components. Using an IDaaS provider also means that the users PII and most importantly their credentials can be stored with the IDaaS provider. Doing so significantly reduces the risk of loss of PII if a company comes under some kind of malicious hack or cyber attack. At the same time the login, authentication, and identity frameworks are always up to date with the latest and greatest security, that is handled by experts for whom security is the core focus.
IDaaS providers also handle multiple forms of compliance that may be necessary for your business like SOC2, HIPAA, GDPR and more. Most companies have a hard enough time building their own applications. Dedicating engineering resources to non-core areas such as login, authentication, identity, security, and compliance not only comes at a high opportunity cost, but also leaves companies with a higher risk of being compromised in a breach or security incident.
It is with this in mind that K9 Ventures has invested in Auth0. Auth0 provides a highly secure, extensible, and easy-to-implement platform that is loved by developers and trusted by global enterprises. More than 80,000 developers in over 70 countries trust Auth0 as their identity management solution serving over 50 million logins every day. By providing a platform that easily integrates into any existing technology infrastructure regardless of identity provider, protocol, or legacy system, developers can quickly get identity management up and running without compromising the progress of other IT initiatives.
Supporting nearly every industry standards and technology stack, Auth0 scales with any business to future-proof it from the many cyber threats lurking today. Built by developers, for developers, Auth0 is simply the easiest, most powerful and extensible IDaaS platform today.
When it comes to identity and access management, the most rational and logical choice is to not reinvent the wheel yet again, and instead, leave it to the experts and build upon the strong and evolving foundation of security that they provide. This leaves your organization free to transform a potentially critical point of risk into a chance to drive revenue by reinvesting your development resources back into your business.