Do you use a single-sign-on (SSO) solution to get your students and staff logged into multiple systems? If so, you will want to read this blog entry. On Wednesday, May 31, 2017, OneLogin notified its 12 million customers (BBC, 2013) that their SSO solution had been breached:
OneLogin, a company that provides customers with a single sign on for logging into multiple sites and apps, appears to have compromised customer data, including the ability to decrypt encrypted files. The company notified customers via email Wednesday that the incident stemmed from unauthorized access to one of its U.S. data centers. (Source: Threatpost)
“The service says all of its data centers in the US have been hacked, with customer data ‘potentially compromised.'” (Source: C-NET)
Before we explore the implications of the breach, let’s revisit why SSO solutions are so important.
SSO Makes Learning Possible
Only the smallest school districts can manually maintain usernames and passwords for all students and staff using online teaching and learning systems. Each requires staff and students to maintain a unique login and password. For all tasked with memorizing and tracking these login credentials, it requires a Herculean effort.
SSO simplifies keeping track of forty or more usernames and passwords for digital textbooks, online systems, and more. Popular SSO solutions include Classlink, Encore*, Identity Automation, Lenovo/Stoneware, OneLogin, and Tools4Ever. Solution providers deliver services such as Single Sign-On (SSO), Self Service Password Reset, and User Provisioning/De-Provisioning. Other services include IT Productivity, Applicant/Parent Self-Registration, Cloud Security, Multi-Factor Authentication, and more. These are essential services. A data breach of your school district’s SSO solution can mean the exposure of sensitive data for students and staff.
*Please note the statement Encore makes at the end of this blog entry about their recommendations. Statements from other SSO solution providers are being sought.
OneLogin Breach Opens the Door, Again
An established solution, OneLogin’s breach opens the door to 5,000+ valued services (e.g. Blackboard, Moodle, Google, Office365) for those affected school districts. Here are some relevant quotes:
“…the company gave more details about the breach, and revealed that all customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data.…That’s kind of a big deal.” (Source: Solutions Review)
“Gartner Inc. financial fraud analyst Avivah Litan said she has long discouraged companies from using cloud-based single sign-on services, arguing that they (cloud-based SSO providers) are the digital equivalent to an organization putting all of its eggs in one basket. “It’s just such a massive single point of failure,” Litan said. “And this breach shows that other [cloud-based single sign-on] services are vulnerable, too. This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.” (Source: Krebs On Security)
“The breach is the biggest security hiccup for the company since last August, when it admitted an attacker managed to take advantage of a bug in its system to read notes thought to be private in its Secure Notes feature. That incident was two-pronged. A bug in the system the company used for log storage and analytics caused all notes in Secure Notes to be stored in cleartext for one month. During that period, in an unrelated incident, an attacker successfully compromised the password of a OneLogin employee, something that allowed them access to the logging system where the notes were being saved.” (Source: Threatpost)
OneLogin’s Recommendation for the Affected
If you are an education or business customer, OneLogin is quoted as offering the following steps:
- Force a OneLogin directory password reset for your users;
- Generate new certificates for any apps that use SAML SSO;
- Generate new API credentials and OAuth tokens;
- Generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors;
- Update the API or OAuth credentials you use to authenticate to third-party directories like G Suite (Google), Workday, Namely, and UltiPro;
- Generate and apply new Desktop SSO tokens;
- Recycle any secrets stored in Secure Notes;
- Update the credentials you use to authenticate to third party apps for provisioning;
- Update the admin-configured login credentials for apps that use form-based authentication;
- Have your end-users update their passwords for the form-based authentication apps that they can edit, including personal apps;
- Replace your RADIUS shared secrets.
As The Register points out, this is quite a list. Imagine school districts struggling to get this done by themselves.
If your district is using an SSO solution, what can it do going forward?
Encore Technology Group’s President and CTO Michael Knight, a recent speaker at TCEA’s Technology Leadership Summit, was reached for comment. He said “This type of breach demonstrates our position that districts should operate an IAM, Rostering and SSO Platform that is completely within their borders and control so that the district can have complete logging, auditing, analytics, and visibility into the data, transmissions of the data, and data access. The log, auditing, and analytics data can then be fed into a central logging and monitoring platform (ex. SIEM – Security Information and Event Management) that will allow the district to detect and ultimately prevent data breaches.”
*Note: Enboard does not operate on a Central Cloud frame like the provider described in the breach.
Each customer has a completely separate platform with independent security contexts where all Identity Data, Federation Constructs and Metadata, Encryption Keys, Multi-factor Authentication Details, Logging, Auditing and Administrative Credentials/Access are stored separately and are completely unique. All end user SSO credentials are stored encrypted with a dual, unique key in the customer’s Active Directory.
Most importantly, the district has complete control of all data, controls, management, auditing, logging and can restrict all access from providers including access from Encore Support.
Safeguarding sensitive data goes beyond digital citizenship for an organization. When schools work in loco parentis, they have accepted care of our children. Yet districts, even large ones like those that use OneLogin’s solution (e.g. San Jose School District), find themselves outmatched. “Brace for impact!” may be the only advice you can give security-conscious school districts. In these cases, the keys to their respective kingdoms have been lost.
Statement from Identity Automation:
“RapidIdentity, from Identity Automation, is designed to make our customers more secure. And to do that, we’ve taken significant steps to ensure the security of our system itself, especially when hosted in the cloud.
Like OneLogin, RapidIdentity can be hosted on Amazon AWS. Unlike OneLogin, we’ve implemented strict security protocols enforced by RapidIdentity’s Privileged Access Management capabilities that ensure no individual has direct access to a hosted implementation, and there is no backdoor. Any access must be requested and approved by a separate Identity Automation Service Manager, meaning that no individual can breach the system alone. Furthermore, access is granted for a very limited time (the specific time withheld for security reasons), preventing breaches via accidental loss of credentials or access.
Beyond this, RapidIdentity has numerous built-in measures to ensure its security. In addition to requiring second party approval, privileged users are required to use multi-factor authentication when accessing any part of an installation and are limited to a single customer implementation. A combination of symmetric, asymmetric, and hashing cryptographic methods are also used to ensure the confidentiality and integrity of customer data and credentials.”
-Troy Moreland, Co-Founder & CTO, Identity Automation
New information was added as of 06/04/2017.