Lessons Learned from OneLogin’s AWS Breach

June 20, 2017
OneLogin AWS Breach without AppGate

On May 31, 2017, an attacker obtained a set of OneLogin's AWS keys and used them to call the AWS API from an intermediate host at another, smaller service provider in the US. Through the AWS API, the attacker created several instances inside OneLogin's AWS infrastructure to perform reconnaissance and gather additional third-party information.

Over the roughly seven hours before the breach was detected, the attacker was able to read database tables containing information about users, apps, and various types of keys.

Although OneLogin encrypts data at rest, it could not be ruled out that the attacker had also obtained the ability to decrypt that data.

Unfortunately, this type of breach is not rare. Every network resource, whether in AWS, on-premises or in a hybrid environment, is at risk. AWS is explicit that security is a shared responsibility: AWS is responsible for security 'of' the cloud, and its customers are responsible for security 'in' the cloud, which includes protecting API credentials and limiting what they can do.


Secure AWS with AppGate

AppGate uses adaptive, contextual condition checks as part of multi-factor authentication. In this scenario an identity (IAM) provider would be only one factor in the authentication chain, not the sole gatekeeper.

AppGate integrates with existing enterprise SIEM solutions so that access decisions react as context changes: user location, time of day, device hygiene. Policies and entitlements can be modified in real time as those variables change. SIEM integration also delivers immediate notification when unexpected or unusual activity occurs. In the OneLogin case, an alert on API calls arriving from an unfamiliar host could have been acted on immediately, instead of seven hours after the intrusion began.
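To make the detection point concrete, here is the kind of rule a SIEM would run over CloudTrail API records to catch the pattern described in the breach narrative above: a known access key suddenly used from an address outside the networks the organisation operates from, followed by RunInstances and permission probing. This is an added example, not OneLogin's or AppGate's code. The CloudTrail records, the access key ID and the KNOWN_NETWORKS ranges are constructed for illustration; the record field names (eventTime, eventName, sourceIPAddress, userIdentity.accessKeyId, errorCode) are CloudTrail's real ones.

```python
"""Flag suspicious use of AWS access keys in CloudTrail records.

Added example: this is not OneLogin's or AppGate's code. The CloudTrail
records and the KNOWN_NETWORKS ranges are constructed for illustration;
the record field names are CloudTrail's real ones, the values are made up.
"""
import ipaddress
import json
from datetime import datetime

# Assumption: the organisation knows which networks its staff and automation
# call the AWS API from. Anything else is "an intermediate host somewhere".
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# API actions worth an alert even from a known network: RunInstances is what
# the attacker used to stage reconnaissance hosts; the others mint or extend
# credentials.
HIGH_RISK_ACTIONS = {
    "RunInstances", "CreateAccessKey", "CreateUser", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy",
}

# Constructed CloudTrail log body (same shape as a real one: {"Records": [...]}).
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2017-05-31T01:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE00000001"}},
 {"eventTime": "2017-05-31T02:05:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "sourceIPAddress": "192.0.2.45",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE00000001"}},
 {"eventTime": "2017-05-31T02:07:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "sourceIPAddress": "192.0.2.45",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE00000001"}},
 {"eventTime": "2017-05-31T02:09:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "ListUsers", "sourceIPAddress": "192.0.2.45", "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE00000001"}},
 {"eventTime": "2017-05-31T09:05:00Z", "eventSource": "rds.amazonaws.com",
  "eventName": "DescribeDBInstances", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE00000001"}}
]}"""


def parse_log(text):
    """Return the list of records from a CloudTrail log file body."""
    return json.loads(text)["Records"]


def is_known_ip(ip):
    """True if the caller address lies inside one of the known networks.
    Non-IP values ("AWS Internal", service principals) count as unknown so
    the rule fails closed instead of silently passing."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_NETWORKS)


def analyse(records):
    """Return one alert per record that trips a rule, in time order."""
    alerts = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        ip = rec.get("sourceIPAddress", "")
        name = rec.get("eventName", "")
        reasons = []
        if not is_known_ip(ip):
            reasons.append(f"API call from {ip}, outside known networks")
        if name in HIGH_RISK_ACTIONS:
            reasons.append(f"high-risk action {name}")
        if rec.get("errorCode") == "AccessDenied":
            reasons.append("AccessDenied: caller probing what the key may do")
        if reasons:
            alerts.append({
                "time": rec["eventTime"],
                "key": rec.get("userIdentity", {}).get("accessKeyId", "?"),
                "ip": ip,
                "event": name,
                "reasons": reasons,
            })
    return alerts


def hours_until_last_event(alerts, records):
    """Hours between the first alert and the last record: how long the key
    stays in use if nobody acts on the alert."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    first = datetime.strptime(alerts[0]["time"], fmt)
    last = datetime.strptime(max(r["eventTime"] for r in records), fmt)
    return (last - first).total_seconds() / 3600


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    found = analyse(recs)
    for a in found:
        print(a["time"], a["key"], a["ip"], a["event"], "; ".join(a["reasons"]))
    print(f"{hours_until_last_event(found, recs):.1f} hours of activity after the first alert")
```

On the constructed log the first alert fires on the ListBuckets call from 192.0.2.45 at 02:05, two minutes before RunInstances; the key stays in use for another seven hours. The source-address rule is the one that matters here: it fires on the very first call from the intermediate host, before any instance exists. The same condition can be enforced rather than merely detected with an IAM policy that denies API calls whose aws:SourceIp is outside the known ranges.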

AppGate does NOT use Single Sign-On. Unlike many SSO methods, which hand over the "keys to the kingdom" once the user is authenticated, AppGate protects AWS cloud resources with a multi-factor authentication (MFA) model that grants each user access only to the specific resources that user is authorized to reach.

In response to the OneLogin breach, Avivah Litan of Gartner stated that they have long discouraged companies from using cloud-based single sign-on services, arguing that they are the digital equivalent to an organization putting all of its eggs in one basket.

Learn more about how AppGate can secure AWS and reduce operational complexity in doing so.


Chris Steffen

Christopher Steffen joined Cryptzone in October 2016 as the Technical Director to educate and promote information security and regulatory compliance as it relates to network access management and cloud computing solutions. Before joining the team at Cryptzone, Chris served as the Chief Evangelist – Cloud Security for Hewlett Packard Enterprise (HPE). He has also served in executive roles as the Director of Information Technology at Magpul Industries (a plastics manufacturing company) and as the Principal Technical Architect for Kroll Factual Data (a credit service provider). Steffen has presented at numerous conferences and has been interviewed by multiple online and print media sources. Steffen holds several technical certifications, including CISSP and CISA.
