Comment: Third Parties and Identity Management – Welcome to the World of Marketing

Photo credit: Twin Design/

In this article, I’m going to cover marketing. Not theory, like advertising or content marketing, but your own company’s marketing team and what they are up to right now.

As part of a business, marketing has changed rapidly. Mobile applications, social media, cloud computing – all these new opportunities are supported by a library of online applications. Customers are more informed and make decisions faster. Marketing staff have to keep pace with this trend, and they turn to cloud apps to do this.

Nearly all companies have websites and social media presences on Twitter, LinkedIn and Facebook. Marketers track activity through analytic tools and use them to distribute content. The sheer number of tools available to marketing can make them extremely productive, with the overall aim of earning more customers.

Marketing is also one of the most porous disciplines within companies. Marketing departments will often include contractors or third-party agencies that have access to all of these tools. Yet, Twitter and Facebook don’t support shared accounts; suddenly you start to see a problem.

What does this mean for IT security? If these applications are being managed properly, then there should be no problems. Some marketing folks are extremely tech-savvy and understand how to structure projects in the right way.

However, this is not always true. IT requirements, from understanding data sovereignty issues through to putting policies such as password management in place, may not be followed.

Marketing Applications: Managing Access

Here is an example: for company Twitter accounts, the most common approach is to set up a group email and share the password. This strategy allows everyone on the marketing team to post updates and respond to requests.

If someone can get access to an individual email, or guess the password, then the Twitter account can be hacked. Alternatively, if the password doesn’t get changed when someone leaves, then you run the risk of unauthorized access.

The Syrian Electronic Army has attacked high-profile Twitter accounts through social engineering and phishing. Microsoft, the Associated Press and the Guardian have all had their accounts defaced and rogue tweets posted. A tweet about an attack on the White House led to US stock markets dropping by around one percent; that one post was responsible for a potential loss of billions in market capitalization.

Strong authentication is available for Twitter and Facebook. Nevertheless, these features lock that account to one person. It’s normally at this point that IT gets brought in, and it is possible to be proactive on this front. IT and IT security departments have experience with identity management and access control, so how can we take this experience and apply it to services that live out in the cloud?

What to Do Next?

The first point is education: marketing folks are concerned with how tools are used and the results that can be delivered. That’s partly why the likes of Twitter, Google Analytics and other marketing tools are used – they achieve a result, and they are often either free or can be bought with a credit card.

Getting marketing team members to think about security is therefore a good first step. Look out for marketing activities in your company, including Twitter, Facebook and LinkedIn campaigns, and then ask if the team is using the company password management policy as part of these activities. If the rules are not being followed, then a gentle reminder can help.

For more certainty, identity management can be extended beyond the walls of the organization. Internal Active Directory profiles can be linked with cloud apps based on standards, such as SAML and OAuth. Portals for access to applications can also be created.

For IT, the main benefit is increased security, while the marketing team can still use shared accounts. Authentication is handled at the portal layer, so it is possible to manage separate two-factor authentication requests for individual users, while the one user email and password remains in place for the service being deployed.

There is one significant benefit here – it becomes impossible to phish for account details, because users simply don’t know what their passwords are. Any request should be automatically viewed as suspicious; even if someone does inadvertently click on a phishing email, the user can’t enter information that they don’t have.
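The portal pattern described above, modelled as an added example rather than code from the article or from OneLogin: every marketer authenticates to the portal with their own identity plus a per-user second factor (RFC 6238 TOTP), the portal alone holds the shared Twitter credential, a leaver is revoked without rotating that credential, and every session is logged against a named person. The `AccessPortal` class, the `_service_login` stand-in for the real social-media login, the account email and the vaulted password are all constructed for the example; the TOTP secret is the RFC 6238 reference secret so the run is reproducible.

```python
"""Constructed model of an identity portal that brokers access to a shared
social-media account. Not OneLogin's code and not a real Twitter login:
the service call is simulated and all names and secrets are made up."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890"), used only so the
# example is deterministic; a real deployment generates a random secret per user.
DEMO_TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class AccessPortal:
    """Brokers access to shared service accounts on behalf of named users."""

    def __init__(self):
        self._vault = {}   # service -> (account email, password); never leaves the portal
        self._users = {}   # username -> {"secret": str, "active": bool, "services": set}
        self.audit = []    # (user, service, outcome): the per-person trail a shared login lacks

    def store_shared_credential(self, service, account, password):
        self._vault[service] = (account, password)

    def enroll(self, user, totp_secret, services):
        self._users[user] = {"secret": totp_secret, "active": True, "services": set(services)}

    def deprovision(self, user):
        # Leaver handling: revoke the person, not the shared password.
        self._users[user]["active"] = False

    def _service_login(self, service):
        # Stand-in for the real login the portal performs with the vaulted
        # credential; the user only ever receives the opaque session id.
        account, password = self._vault[service]
        return hashlib.sha256(f"{service}:{account}:{password}".encode()).hexdigest()[:16]

    def open_session(self, user, code, service, now=None):
        now = int(time.time()) if now is None else now
        rec = self._users.get(user)
        if rec is None or not rec["active"]:
            self.audit.append((user, service, "denied: unknown or deprovisioned user"))
            return None
        if service not in rec["services"] or service not in self._vault:
            self.audit.append((user, service, "denied: not entitled"))
            return None
        # Accept the current step and the previous one to tolerate clock drift.
        valid = (totp(rec["secret"], now), totp(rec["secret"], now - 30))
        if not any(hmac.compare_digest(code, v) for v in valid):
            self.audit.append((user, service, "denied: bad second factor"))
            return None
        self.audit.append((user, service, "granted"))
        return {"user": user, "service": service, "session": self._service_login(service)}


def demo():
    """Two marketers share one Twitter account through the portal."""
    portal = AccessPortal()
    portal.store_shared_credential("twitter", "marketing@example.com", "CONSTRUCTED-SECRET")
    portal.enroll("alice", DEMO_TOTP_SECRET, ["twitter"])
    portal.enroll("bob", DEMO_TOTP_SECRET, ["twitter"])
    t = 59  # fixed timestamp so the run is reproducible
    ok = portal.open_session("alice", totp(DEMO_TOTP_SECRET, t), "twitter", now=t)
    bad = portal.open_session("alice", "000000", "twitter", now=t)
    portal.deprovision("bob")  # bob leaves; the shared password is untouched
    gone = portal.open_session("bob", totp(DEMO_TOTP_SECRET, t), "twitter", now=t)
    return ok, bad, gone, portal.audit


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

The session returned to the user carries no credential at all, which is the property the paragraph above relies on: a phishing page can only collect what the user knows, and here that is a personal login and a one-time code, not the account password. The audit list is the other gain over a group mailbox, since each post can be traced back to a named person.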

The Friend of My Friend Becomes My Enemy

There is one further challenge in the applications themselves. Apps today include much more use of APIs and aggregated services compared with stand-alone applications. From a security perspective, there is a risk that one of the components within an app will get attacked.

There are examples of this already – Buffer, one of the most popular tools for managing social media, saw its service hijacked, resulting in multiple unauthorized posts in the streams of customers. The problem was linked back to the database platform that the service was running on.

The fault was an app component that did not have its own security in place. When it was compromised, rogue posts were injected into the Buffer database and posted to user accounts.

This is a challenging problem to address from an IT security perspective. The only approach that can help is being proactive in helping choose marketing tools based on what security policies are in place at those providers. This includes checking whether the providers are open about the platforms they use and the security credentials for those services.

The important point is that use of social media crosses over into reputation management. This is the preserve of marketing – it includes responding to crises around product recalls or workplace incidents. An unauthorized tweet can slip into this category.

As more parts of an organization make cloud computing and software-as-a-service (SaaS) tools a part of their daily lives, the IT department’s role and responsibilities must evolve. By taking a more proactive approach, IT can be more of a partner in these activities, rather than dealing with the aftermath.

David Meyer is VP of engineering at OneLogin and is responsible for building the company’s cloud IAM product. He has previously worked on cloud product and strategy initiatives for the likes of Plumtree, BEA and SAP.
