Within today’s software development ecosystem, third-party vendors are a common part of system architecture.
Specifically, Authentication-as-a-Service (AaaS) is growing fast. Their out-of-the-box capabilities enable engineering teams to focus on building features valuable to business rather than spending time and resources on reinventing the wheel of securing application access.
But outsourcing isn’t as simple as it sounds. Vendor management is time-consuming and can introduce significant risks to the business if due diligence isn’t observed.
This blog post is an excerpt from Performing Due Diligence on Authentication Vendors.
The need for due diligence
The 2017 Equifax data breach consumed many organizations, including mine where I was on the information security (Infosec) team. The breach exposed the personal data of hundreds of millions of people: social security numbers, names, addresses, and more. Thankfully, our organization had the right policies in place to safeguard the personal data and no data was compromised.
If you do outsource authentication capability, then putting in your due diligence is a must.
Due diligence is a series of steps that requires research and testing the capabilities of a third-party vendor. Going through this very intentional exercise is absolutely crucial before you onboard an AaaS into your system, as it can prevent future issues with security, performance, engineering, and pricing.
Think about the security standards of the authentication provider
Security is at the top of the list of due diligence tasks and should come as no surprise. Letting unauthorized parties get access to systems leads to loss of consumer confidence and financial penalties from regulators. Putting in effort to make sure an AaaS offers proper security is critical.
Authentication providers should have strong guardrails to protect your users’ confidential data and minimize the possibility of security breaches.
Work with potential authentication providers and your internal stakeholders on the following items to ensure security standards are met before integrating a vendor’s offering:
- Include all business and technology stakeholders to facilitate the security review. This will allow you to map which business segments will rely on the authentication provider. Make a practice of communicating your findings with these stakeholders as you move through these steps.
- Ask your vendor to fill out a questionnaire. This is a standard practice to understand security policies established by authentication providers. These questions should cover all security details, for example, how often are passwords reset? How are credentials stored? Where are they stored?
- Ask for an encryption policy. It should have guidance on hashing, digital signature policy, and cryptography topics, and these policies should align with your internal security standards. For TLS, the standard is to use 128-bit, 192-bit, or 256-bit encryption to prevent unauthorized access to data in transit. Does your authentication provider offer encryption of data at rest?
- Common Vulnerabilities and Exposures (CVEs) happen. How does your vendor respond when a CVE occurs. How quickly is a fix released and how do they communicate the security issues to you?
- Understand who will own responsibility in case of a cyber attack. Lawsuits arise when responsibilities are not well understood, so take particular care here. You should have a workflow diagram labeling each section with vendor’s name or your company’s name to indicate each party’s areas of responsibility.
- During the procurement process, obtain all required security policy documents applicable to your industry or business. Ensure security policies cover PII, HIPAA, and GDPR, Article 33 standards if your business falls under specific industry criteria. You should also obtain SOC2 reports from any potential AaaS. This auditing procedure ensures that data and privacy are securely managed to protect the interests of your organization and the privacy of your clients.
There’s always more to do with security, but the items above should be a good place to start.
What else should you consider?
While important, there are other aspects to consider when performing due diligence. Various other areas you should be checking into for a potential AaaS include:
- Engineering implementation effort
To learn about those aspects and more, read Performing Due Diligence on Authentication Vendors.