OneLogin, a popular single-sign-on vendor, has been breached and customer data has been exposed and decrypted. Ars Technica broke the news this morning, and this is terrible news for anybody who has been putting their faith in single-sign-on as a solution to SaaS sprawl. According to the OneLogin report, the customer data has been exposed AND decrypted, which means that the usernames and passwords to millions of accounts across many thousands of vendors are now in the hands of the bad guys.
As if having your usernames and passwords stolen weren't bad enough, OneLogin is advising its customers to reissue their SAML certificates. This is far from a small endeavor: the IdP signing certificate is what every connected service provider uses to verify that an assertion really came from your IdP, so a new certificate has to be delivered to every SP, and the old one removed from each of them, before the rotation actually protects anything. In fact, this is one of the reasons that I advocate augmenting SAML as a security mechanism with an independent SaaS reporting and management suite. SSO and SAML are perfectly valid security mechanisms, but who is watching the watchers?
For those customers who intend to keep their SaaS vendors connected to a single-sign-on platform such as OneLogin after this breach and to change all of their SAML certificates, this is most likely a multi-week undertaking followed by extensive security audits. Undoubtedly this will be expensive and time-consuming. You have my sympathy.
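To make the rotation work concrete, here is an added example (not code from the original post, from OneLogin, or from Meta SaaS) of the check a practitioner would run against each service provider during a SAML signing-certificate rotation: parse the copy of IdP metadata that the SP trusts, fingerprint every signing certificate it lists, and flag any fingerprint that matches the compromised certificate. The metadata, the entityID `https://idp.example.com/saml`, and the certificate bodies are all constructed for the example; the certificate bodies are placeholder bytes standing in where real DER-encoded X.509 certificates would be, and the function names are my own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Constructed sample certificates: placeholder bytes standing in for the DER
# encoding of real X.509 certificates. Fingerprinting is a hash over the DER
# bytes, so the procedure is identical for real certificates.
OLD_CERT_DER = b"constructed-old-compromised-signing-cert"
NEW_CERT_DER = b"constructed-new-rotated-signing-cert"


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER blob, formatted like OpenSSL (AA:BB:...)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_idp_metadata(cert_ders: list) -> str:
    """Constructed IdP metadata listing the given certificates as signing keys.
    A real IdP publishes its own metadata; this builder exists only so the
    example runs offline. The entityID is a made-up example value."""
    descriptors = "".join(
        f"""
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {base64.b64encode(der).decode()}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>"""
        for der in cert_ders
    )
    return f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">{descriptors}
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_cert_fingerprints(metadata_xml: str) -> list:
    """Return the SHA-256 fingerprint of every certificate the metadata offers
    for signing. A KeyDescriptor without a 'use' attribute is valid for both
    signing and encryption, so it counts as a signing certificate too."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only key: irrelevant to assertion trust
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata wraps the base64 across lines; drop all whitespace.
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(der_fingerprint(der))
    return fingerprints


def audit_trusted_idp_certs(metadata_xml: str, compromised: set) -> dict:
    """Classify the signing certificates a service provider would trust from
    this metadata. Rotation is only complete for that SP once no fingerprint
    in `compromised` remains: whoever holds a compromised signing key can mint
    assertions for any user the SP accepts from this IdP."""
    fingerprints = signing_cert_fingerprints(metadata_xml)
    still_trusted = [fp for fp in fingerprints if fp in compromised]
    return {
        "trusted": fingerprints,
        "still_trusts_compromised": still_trusted,
        "rotation_complete": not still_trusted,
    }


if __name__ == "__main__":
    compromised = {der_fingerprint(OLD_CERT_DER)}
    # Mid-rotation: the SP's copy of the metadata still lists the old cert.
    print(audit_trusted_idp_certs(
        build_idp_metadata([OLD_CERT_DER, NEW_CERT_DER]), compromised))
    # After rotation: only the new cert remains.
    print(audit_trusted_idp_certs(
        build_idp_metadata([NEW_CERT_DER]), compromised))
```

The dual-certificate case is the one to watch: many IdPs publish the old and new certificate side by side so that SPs keep working during the changeover, but an SP that still lists the compromised certificate is still trusting assertions signed with the stolen key, so the rotation is not finished for that SP until the old entry is gone.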
It is unfortunate that this event has occurred, but I hope it can be used as an argument at companies around the world to create security not only through centralization of authentication, but through good security, good reporting, and great process.
If you are in the market for the best way to manage many many SaaS vendors, please consider contacting Meta SaaS to learn how we can help.