ThreatVector is an ongoing series where we break down recent security incidents in the news to understand how they happened, how they spread and what the ramifications are for companies as they evolve their defenses.

LastPass recently updated details on its latest security incident, in which cloud storage was accessed that stored unencrypted customer details as well as certain unencrypted data like website URLs that were stored adjacent to the encrypted fields: username, password, secure notes, etc. The attack vector here is chained to the previous security incident in August 2022, in which a development environment was breached and contained enough technical detail to retarget LastPass production, this time successfully.

Earlier this week in December 2022, Okta's GitHub accounts were accessed by unauthorized parties. This LastPass incident proves why Okta should be worried about the attacks to come, derived from that inside knowledge.

It's never been more clear that all customer or user data needs to be encrypted and protected while it is being handled. LastPass has a great stance for your actual passwords, which they have no business reading. Of course, other SaaS services exist to use your data - that's what you pay them for! How is this accomplished if data is secured end to end? We believe that secure enclaves will be the differentiating factor for B2B SaaS providers that want to operate on encrypted data.

Every business is different, but a sliding scale for E2E security might look like:

1. Secure your most prized data - credentials for partner integrations - by ingesting it directly into an enclave, and then only decrypting and using those credentials in a secure enclave. As a provider, you never see the plaintext credential, ever.

2. Customer data is handled by secured microservices. Encrypt most or all of your customer data with per-customer encryption keys and derived data keys, and isolate the handling of this data into secured microservices (running in enclaves) with a verifiable audit trail of their usage. This stops the attack we saw from LastPass.

3. Full E2E security with Bring-Your-Own-Key. Even an insider or a cloud admin can steal data. Privacy-sensitive customers frequently request the ability to bring their own encryption key for their data. The combination of secure enclaves + their key + access locked to the enclave(s) allows for a full data plane where the SaaS provider can operate on data but never have it disclosed to attackers or insiders. In a B2B world, an enterprise can effectively control their security and collaborate using any SaaS, without having to fully give up control.

Wherever you fall on this spectrum, you can secure your SaaS and protect your customers' data without extensive refactoring of your data model. EdgeBit makes it simple to utilize confidential computing to operate on encrypted data. We would love to have an architectural discussion to understand your software and security goals.

LastPass CEO Karim Toubba has revealed that the password manager has been breached again. Toubba said the company detected unusual activity within a third-party cloud storage service that it shares with its parent company GoTo, which was formerly known as LogMeIn. To investigate the incident, LastPass has teamed up with security firm Mandiant. Together, they've determined that the unauthorized party got into LastPass' cloud service by using information obtained from the security breach it suffered in August this year. Further, they've discovered that the bad actor was able to access "certain elements" of its customers' information.
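The sliding scale above (per-customer keys with derived data keys, plaintext confined to an enclave, and a provider that only ever holds ciphertext) reduced to working Go, as an added example that is not EdgeBit's code and not part of the original post. The Enclave type is a constructed stand-in for a real enclave (an in-process struct with no attestation or hardware isolation), HKDF is written out over the standard library so nothing external is needed, and the customer key, record and field values are made up. The point it makes is the LastPass one: the URL is sealed exactly like the password, each field gets its own key derived from the customer's master key, and AES-GCM additional data ties every ciphertext to its customer, record and field so it cannot be moved to another slot by anyone who can rewrite the storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// hkdfSHA256 is HKDF (RFC 5869, extract then expand) over SHA-256, written
// out here so the example only needs the standard library.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(t)
		exp.Write(info)
		exp.Write([]byte{i})
		t = exp.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// Record is one stored entry. Every field, including the URL that sat next to
// the encrypted fields in LastPass' storage, leaves the enclave as nonce||ciphertext.
type Record struct {
	CustomerID string
	RecordID   string
	Fields     map[string][]byte
}

// Enclave is a constructed stand-in for the trusted boundary. It holds each
// customer's master key (under BYOK the customer supplies it) and is the only
// place where a derived data key or plaintext ever exists.
type Enclave struct{ masterKeys map[string][]byte }

func NewEnclave() *Enclave { return &Enclave{masterKeys: map[string][]byte{}} }

// ProvisionCustomerKey installs a customer's 32-byte master key.
func (e *Enclave) ProvisionCustomerKey(customerID string, key []byte) {
	e.masterKeys[customerID] = append([]byte(nil), key...)
}

// gcmFor derives a distinct AES-256-GCM key for one (customer, record, field),
// so a leaked data key exposes one field of one record, and returns the AAD
// that binds the ciphertext to that slot.
func (e *Enclave) gcmFor(customerID, recordID, field string) (cipher.AEAD, []byte, error) {
	master, ok := e.masterKeys[customerID]
	if !ok {
		return nil, nil, errors.New("no master key for customer " + customerID)
	}
	info := []byte("record:" + recordID + "|field:" + field)
	key := hkdfSHA256(master, []byte("customer:"+customerID), info, 32)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	return gcm, []byte(customerID + "|" + recordID + "|" + field), nil
}

// Seal encrypts every field of a record inside the enclave.
func (e *Enclave) Seal(customerID, recordID string, plain map[string]string) (Record, error) {
	rec := Record{CustomerID: customerID, RecordID: recordID, Fields: map[string][]byte{}}
	for name, value := range plain {
		gcm, aad, err := e.gcmFor(customerID, recordID, name)
		if err != nil {
			return Record{}, err
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return Record{}, err
		}
		rec.Fields[name] = gcm.Seal(nonce, nonce, []byte(value), aad) // nonce||ciphertext
	}
	return rec, nil
}

// Open decrypts one field; it is the only path back to plaintext and fails if
// the ciphertext was tampered with or moved to a different customer/record/field.
func (e *Enclave) Open(rec Record, field string) (string, error) {
	blob, ok := rec.Fields[field]
	if !ok {
		return "", errors.New("no field " + field)
	}
	gcm, aad, err := e.gcmFor(rec.CustomerID, rec.RecordID, field)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], aad)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// ProviderView is all that the SaaS storage tier, a backup, or a cloud admin
// can read: identifiers and opaque ciphertext, URLs included.
func ProviderView(rec Record) map[string]string {
	view := map[string]string{"customer": rec.CustomerID, "record": rec.RecordID}
	for name, blob := range rec.Fields {
		view[name] = hex.EncodeToString(blob)
	}
	return view
}

func main() {
	enc := NewEnclave()
	master := make([]byte, 32) // constructed key; under BYOK the customer's KMS would deliver it
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	enc.ProvisionCustomerKey("acme", master)
	rec, err := enc.Seal("acme", "vault-item-1", map[string]string{
		"url": "https://bank.example", "username": "alice", "password": "correct horse battery staple"})
	if err != nil {
		panic(err)
	}
	fmt.Println("provider sees:", ProviderView(rec))
	pw, err := enc.Open(rec, "password")
	fmt.Println("inside enclave:", pw, err)
}
```

Run it and the provider view prints hex for every field; only Open, called inside the enclave, returns the password. Swapping the password ciphertext into the url slot, or presenting the record to an enclave holding a different master key, makes Open return an error rather than data.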