Lessons Learned from OneLogin’s AWS Breach
On May 31, 2017, a hacker gained access to a set of OneLogin’s AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Through the AWS API, the actor created several instances in the AWS infrastructure to do reconnaissance and gain additional third-party information.
Over the course of seven hours (before the breach was detected), the hackers were able to access database tables that contain information about users, apps, and various types of keys.
While the data may have been encrypted (OneLogin encrypts data at rest), the attackers may also have obtained the ability to decrypt the user data.
Unfortunately, this type of breach isn’t rare. All network resources, whether in AWS, on-premises, or in a hybrid environment, are at risk. AWS makes it clear that security is a shared responsibility: while AWS is responsible for security ‘of’ the cloud, its customers are responsible for what’s ‘in’ the cloud.
Secure AWS with AppGate
AppGate uses adaptive and contextual condition checking for multifactor authentication. In this scenario, an IAM provider would be only one factor in the authentication stream, not the only factor.
AppGate seamlessly integrates with existing enterprise SIEM solutions to provide immediate security when context changes – user location, time of day, device hygiene. Policies and entitlements can be modified in real time to account for these changing variables. SIEM integration also provides instant notification when unexpected or unusual activity occurs. In the OneLogin example, such a SIEM notification could have been acted on immediately, instead of seven hours after the breach occurred.
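As an added illustration (not AppGate’s code or the page’s own), this is the kind of check a SIEM could run over CloudTrail records to surface the pattern described above: a valid access key suddenly used from a source IP outside the organization’s known egress ranges, with instance creation flagged as high impact so it reaches an analyst first. The network ranges, action list and log records are constructed assumptions, not OneLogin data.

```python
import json
from ipaddress import ip_address, ip_network

# Assumed: the organisation's known egress ranges for AWS API calls (TEST-NET placeholder).
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]
# Assumed: API actions that warrant immediate review when issued from an unknown source.
HIGH_IMPACT_ACTIONS = {"RunInstances", "CreateAccessKey", "CreateUser", "PutUserPolicy"}

# Constructed CloudTrail-style records (not real logs); only the fields the check uses.
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-31T06:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2017-05-31T06:05:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2017-05-31T06:07:00Z", "eventName": "ListTables",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
]


def is_known_source(ip):
    """True if the caller's IP lies inside one of the known egress ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def find_suspicious(events, known_source=is_known_source, high_impact=HIGH_IMPACT_ACTIONS):
    """Return one alert per event whose access key was used from an unknown source IP.
    High-impact actions get an extra reason so they sort to the top of the queue."""
    alerts = []
    for ev in events:
        if known_source(ev["sourceIPAddress"]):
            continue  # same key, expected location: nothing to raise
        reasons = ["unknown_source_ip"]
        if ev["eventName"] in high_impact:
            reasons.append("high_impact_action")
        alerts.append({
            "time": ev["eventTime"],
            "accessKeyId": ev["userIdentity"]["accessKeyId"],
            "eventName": ev["eventName"],
            "sourceIPAddress": ev["sourceIPAddress"],
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run against the constructed records, the first event is silent and the two calls from the unfamiliar address are raised within minutes of the key’s first misuse, rather than hours later.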
AppGate does NOT use Single Sign-On. Unlike many SSO methods that provide the “keys to the kingdom” once the user is authenticated, AppGate protects AWS cloud resources by using a multi-factor authentication (MFA) model, providing user-specific access only to the resources that the user is specifically authorized to access.
In response to the OneLogin breach, Avivah Litan of Gartner stated that they have long discouraged companies from using cloud-based single sign-on services, arguing that they are the digital equivalent to an organization putting all of its eggs in one basket.
Learn more about how AppGate can secure AWS and reduce operational complexity in doing so.