You may or may not be aware that the world’s largest Identity Management vendor suffered a data breach which made the news because of the number of their customers affected.
We wanted to take this opportunity to reassure you that due to the way in which My1Login is architected, your data is not exposed to the same level of risk.
With cloud-based Identity & Access Management there are two distinct encryption architectures. The more secure is one in which the IAM vendor never has access to its customers’ encryption keys: authentication data (for example usernames and passwords) is encrypted inside the customer’s environment, and only the resulting ciphertext is stored with the vendor. The vendor therefore cannot read its customers’ authentication data, and anything an attacker takes from the vendor’s servers is useless without the corresponding keys.
However, the more common, and less secure, architecture is one in which the IAM vendor holds its customers’ encryption keys and performs the encryption on its own servers. This carries the greatest risk: should the vendor be breached, the attacker can obtain the keys alongside the ciphertext they protect, and with them the unencrypted customer authentication data.
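To make the difference between the two architectures concrete, here is an added example written for this page; it is an editor’s illustration, not My1Login’s code or a description of any vendor’s implementation. It models what a breach of the vendor’s servers leaks in each case: in the customer-side model the stored record holds salt, nonce and AES-GCM ciphertext only, with the key derived from the customer’s master secret by PBKDF2 inside the customer’s environment; in the vendor-side model the vendor’s key sits beside the ciphertext. The credential, master secrets, record id and attacker wordlist are constructed sample data, and the specific primitives (PBKDF2-HMAC-SHA256, AES-256-GCM, 100,000 iterations) are the example’s assumptions, not anything the page states. It also shows the caveat the page leaves implicit: once the key is derived from a master secret, the leaked ciphertext can still be attacked offline by guessing that secret, so the customer-side design is only as strong as the secret and the KDF behind it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const kdfIterations = 100_000 // illustrative PBKDF2 work factor, not a recommendation

// Stored is one credential exactly as it sits on the vendor's servers, i.e. what a breach leaks.
// VendorKey is nil in the customer-side model; in the vendor-side model the key is stored too.
type Stored struct{ Salt, Nonce, Ciphertext, VendorKey []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256 for one 32-byte block, written out so the example is stdlib only.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes (AES-256)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// CustomerSideEncrypt runs inside the customer's environment: the key is derived from the master
// secret there, and only salt, nonce and ciphertext are sent to the vendor. The record id is the AAD.
func CustomerSideEncrypt(master []byte, id string, credential []byte) Stored {
	salt := randomBytes(16)
	aead := gcmFor(pbkdf2SHA256(master, salt, kdfIterations))
	nonce := randomBytes(aead.NonceSize())
	return Stored{Salt: salt, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, credential, []byte(id))}
}

// VendorSideEncrypt runs on the vendor's servers with a vendor-held key, which is stored with the ciphertext.
func VendorSideEncrypt(vendorKey []byte, id string, credential []byte) Stored {
	aead := gcmFor(vendorKey)
	nonce := randomBytes(aead.NonceSize())
	return Stored{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, credential, []byte(id)), VendorKey: vendorKey}
}

// CustomerDecrypt re-derives the key locally; a wrong master secret fails GCM authentication.
func CustomerDecrypt(rec Stored, master []byte, id string) ([]byte, error) {
	aead := gcmFor(pbkdf2SHA256(master, rec.Salt, kdfIterations))
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(id))
}

// AttackerRecover has only the leaked record. With a vendor key, decryption is immediate; without
// one, the only route is guessing the master secret offline through the same slow KDF.
func AttackerRecover(leaked Stored, id string, guesses []string) ([]byte, bool) {
	if leaked.VendorKey != nil {
		pt, err := gcmFor(leaked.VendorKey).Open(nil, leaked.Nonce, leaked.Ciphertext, []byte(id))
		return pt, err == nil
	}
	for _, g := range guesses {
		if pt, err := CustomerDecrypt(leaked, []byte(g), id); err == nil {
			return pt, true
		}
	}
	return nil, false
}

func main() {
	cred := []byte("svc-account:Tr0ub4dor&3")             // constructed sample credential
	guesses := []string{"password", "123456", "letmein"} // attacker's offline wordlist
	strong := CustomerSideEncrypt([]byte("correct horse battery staple"), "crm", cred)
	_, ok := AttackerRecover(strong, "crm", guesses)
	fmt.Println("customer-side keys, strong master secret, breach yields plaintext:", ok)
	weak := CustomerSideEncrypt([]byte("letmein"), "crm", cred)
	_, ok = AttackerRecover(weak, "crm", guesses)
	fmt.Println("customer-side keys, weak master secret, breach yields plaintext:", ok)
	vendor := VendorSideEncrypt(randomBytes(32), "crm", cred)
	_, ok = AttackerRecover(vendor, "crm", nil)
	fmt.Println("vendor-side keys, breach yields plaintext:", ok)
}
```

Run with `go run`; the three lines print false, true, true. The strong customer-side secret survives the breach because nothing on the vendor’s side can derive the key; the weak one falls to a short wordlist, which is why a customer-side design still has to insist on strong master secrets and a slow KDF; and the vendor-side record decrypts immediately because its key leaked with it. Binding the record id as AAD is a small extra that stops a leaked ciphertext being swapped into a different record.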
Which of these architectures an IAM vendor uses is therefore an important question to ask, whether you already have an incumbent solution or are evaluating one.