Top 5 Overlooked Questions CISOs Should Ask About Cloud-Based IdPs

Identity and Access Management (IAM) is one of the most important tools in today’s cybersecurity strategies, especially for large enterprises. IAM vendors, often called Identity Providers (IdPs), are therefore some of the most important third parties an enterprise relies on.


But how closely are security leaders examining their IdPs?

Today’s enterprise organizations are increasingly adopting cloud-based solutions for a multitude of functions; those solutions are often knitted together through a carefully constructed IAM system. As such, it is crucial for Chief Information Security Officers (CISOs) and cybersecurity leaders to thoroughly evaluate the security implications of their IdP choices.  

Beyond the core functionalities of IdPs, there are several key areas that often go unnoticed, and may have an impact on your security posture. In this article, we will explore these overlooked questions and shed light on their significance in ensuring a robust and secure cloud environment.

The Role of Identity Providers in Modern Cloud Environments

Before diving into the overlooked questions, let's first understand the role of Identity Providers (IdPs) in modern cloud environments. An IdP manages user identities and brokers access to cloud-based applications and services: it authenticates the user once and then issues assertions or tokens (for example SAML assertions or OpenID Connect ID tokens) that the federated applications trust, so the user signs in once and reaches many applications seamlessly. This centralized approach simplifies user management, enhances security, and improves user experience. It also concentrates risk: whoever controls the IdP can mint a valid session for any federated application, which makes IdPs a prime target for criminals seeking credentials or looking to cause disruption.

Some of the most popular IdPs include Microsoft Entra ID (formerly Azure Active Directory), Okta, Auth0 (now part of Okta), and Ping Identity. A multitude of additional solutions fall under the Identity and Access Management (IAM) umbrella as well.

As the keeper of your IAM environment, the IdP sits in the path of nearly every login in your organization’s operations. Vetting your IdP to ensure it is the right fit is therefore not optional.

What Questions Should You Consider When Vetting Your IdP?

Beyond basic functionality, here are the considerations we often see security leaders miss when evaluating their IdP.  

Question 1: Has the IdP been targeted by cybersecurity threats or outages?

As the value of IdPs and the client data they hold increases, so does the threat of targeted cyber attacks against them. Operational mistakes or natural disasters can likewise take an IdP offline, and because every federated application depends on it, an IdP outage quickly becomes an outage of everything behind it.

As the threat landscape continues to evolve, it is essential for CISOs to stay ahead of emerging threats targeting IdPs. Start with the public record: the vendor’s published security advisories, status-page history and post-incident reports show how it has actually handled past incidents. Then ask about the vendor’s approach to security, including its vulnerability management processes, incident response capabilities, and proactive threat intelligence. Ask, too, how well the IdP integrates with the rest of your security tooling; an IdP that cannot be monitored alongside everything else becomes an island and a blind spot. Finally, asking about the vendor’s participation in industry-wide security initiatives and adherence to security best practices can provide insight into its commitment to continuous improvement.

Question 2: How does the IdP support during disaster recovery and business continuity?

Today’s security leaders often take a “not if, but when” approach to cybersecurity: rather than focusing solely on preventing breaches, they accept that the pace and evolution of cyber threats require solid response and remediation strategies as well.

Disaster recovery and business continuity planning are paramount in today's digital landscape. CISOs should ask about the disaster recovery capabilities of cloud-based IdPs to ensure uninterrupted access to critical applications and services during unforeseen events. Questions regarding data replication, failover mechanisms, recovery time objectives (RTOs) and recovery point objectives (RPOs) are essential to assess the resilience of the IdP infrastructure; the RPO matters because directory changes made just before an outage (a deprovisioned leaver, a revoked group membership) may be lost on restore.

Additionally, CISOs should inquire about what levers the IdP environment offers to give them greater control during a disaster or incident, such as tenant-wide session and token revocation, break-glass administrator accounts that do not depend on the normal federated login path, and the ability to freeze policy changes while an incident is being worked.

Question 3: What are the IdP’s auditing and logging capabilities?

Effective auditing, logging, and observability capabilities are crucial for maintaining visibility into user activities and detecting potential security incidents. Some compliance standards also require auditing and logging of configuration changes and backups.

More importantly, CISOs should look beyond the standard auditing and logging capabilities of cloud-based IdPs and investigate how well they integrate with the wider security ecosystem, and what investigative capabilities are built into the platform itself. This not only ensures compliance with regulatory requirements and internal security policies but provides the breadth and depth necessary to keep up with evolving threats. Questions regarding the types of logs generated, retention periods, and integration with Security Information and Event Management (SIEM) systems are essential to assess the IdP’s ability to provide comprehensive audit trails and facilitate incident response. Two details worth pinning down: whether logs can be streamed to your SIEM in near real time rather than pulled in batches, since a delay of hours is a delay in detection, and whether actions taken in your tenant by the vendor’s own support staff appear in the same audit trail as your administrators’ actions.
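To make the "advanced investigative capabilities" concrete, here is an added example (not from the original article or any IdP vendor) of the kind of detection an IdP audit log should let you run, either inside the platform or in your SIEM: an MFA factor reset on a user followed within an hour by a successful login from an IP address that user has never logged in from before, a pattern typical of help-desk social engineering. The log lines are constructed, and the field names (ts, event, actor, target, ip, outcome) are an assumed vendor-neutral schema, not any particular IdP's log format; with a real feed you would map the vendor's fields onto these.

```python
import json
from datetime import datetime, timedelta

# Constructed sample IdP audit events in JSON Lines form. The field names
# (ts, event, actor, target, ip, outcome) are an assumed vendor-neutral
# schema, not any specific IdP's log format. IPs are from documentation ranges.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:00Z", "event": "user.session.start", "actor": "alice", "target": "alice", "ip": "203.0.113.10", "outcome": "SUCCESS"}
{"ts": "2024-03-01T09:10:00Z", "event": "user.mfa.factor.reset", "actor": "helpdesk-1", "target": "alice", "ip": "198.51.100.5", "outcome": "SUCCESS"}
{"ts": "2024-03-01T09:25:00Z", "event": "user.session.start", "actor": "alice", "target": "alice", "ip": "192.0.2.77", "outcome": "SUCCESS"}
{"ts": "2024-03-01T09:30:00Z", "event": "user.session.start", "actor": "bob", "target": "bob", "ip": "203.0.113.22", "outcome": "SUCCESS"}
{"ts": "2024-03-01T12:00:00Z", "event": "user.mfa.factor.reset", "actor": "helpdesk-1", "target": "bob", "ip": "198.51.100.5", "outcome": "SUCCESS"}
{"ts": "2024-03-01T12:05:00Z", "event": "user.session.start", "actor": "bob", "target": "bob", "ip": "203.0.113.22", "outcome": "SUCCESS"}
{"ts": "2024-03-01T12:06:00Z", "event": "user.session.start", "actor": "carol", "target": "carol", "ip": "192.0.2.90", "outcome": "FAILURE"}
"""

# Event names are assumed for the example; map your IdP's real event types here.
RESET_EVENTS = {"user.mfa.factor.reset", "user.mfa.factor.deactivate"}
LOGIN_EVENT = "user.session.start"


def parse_events(jsonl):
    """Parse JSON Lines into a list of dicts with real datetimes, sorted by time."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_reset_then_new_ip_login(events, window=timedelta(hours=1)):
    """Flag a successful login from an IP the user has never logged in from
    before, when it follows a successful MFA factor reset on that user within
    `window`. Returns a list of alert dicts (empty if nothing matched)."""
    seen_ips = {}    # user -> set of IPs with a prior successful login
    last_reset = {}  # user -> (timestamp of reset, actor who performed it)
    alerts = []
    for e in events:
        user = e["target"]
        if e["event"] in RESET_EVENTS and e["outcome"] == "SUCCESS":
            last_reset[user] = (e["ts"], e["actor"])
            continue
        if e["event"] != LOGIN_EVENT or e["outcome"] != "SUCCESS":
            continue
        known = seen_ips.setdefault(user, set())
        reset = last_reset.get(user)
        if reset and e["ts"] - reset[0] <= window and e["ip"] not in known:
            alerts.append({
                "user": user,
                "ip": e["ip"],
                "login_at": e["ts"].isoformat(),
                "reset_at": reset[0].isoformat(),
                "reset_by": reset[1],
            })
        known.add(e["ip"])  # record the IP whether or not we alerted
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_then_new_ip_login(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed data only alice trips the rule: her factor was reset by helpdesk-1 and fifteen minutes later she logged in from 192.0.2.77, an address with no prior history. bob's reset is followed by a login from his usual address and is not flagged. Whether you can write this at all depends on the answers to the questions above: the log must carry the actor of the reset (including vendor support staff), a client IP on every login, and enough retention to build a baseline of "known" addresses per user.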

Question 4: How portable is my IdP data?

One of the overlooked questions that CISOs should ask about cloud-based IdPs is data portability. It is essential to assess how easily user identities and their associated data (group memberships, profile attributes, application assignments) can be exported, in case the organization decides to switch IdPs or maintain a backup IAM environment.

More and more, large enterprises are maintaining multiple IAM environments, either within the same IdP (for example, two Okta tenants) or across multiple IdPs (for example, one Okta tenant and one Entra ID tenant). This secondary IAM environment can serve as a functional backup, allowing for quick failover in an emergency. Many IdPs are ill-equipped to assist in this scenario. Credentials are the usual sticking point: password hashes and MFA enrollments can rarely be exported from one IdP and imported into another, so a failover plan has to budget for re-registration or a credential-free recovery path. Security leaders should thoroughly vet the shared responsibilities in a disaster situation and rehearse the activities required in a potential failover.
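A backup tenant is only useful if it actually matches the primary at the moment you fail over, which ties Question 2 (failover and RPO) to Question 4 (portability). The following is an added example, not code from the original article or from any IdP, of a readiness check you can run against exports from both tenants before an incident rather than during one. The two exports are constructed, and their record layout (login, status, groups, mfa_factors, attributes) is an assumed vendor-neutral shape; real exports differ per IdP and need a mapping step first. Note the deprovisioned user dave: he is gone in the primary but still active in the backup, so a failover would quietly resurrect a terminated account.

```python
import json

# Constructed exports from a primary and a backup IAM tenant. The record
# layout is an assumed vendor-neutral shape, not any specific IdP's format.
PRIMARY = [
    {"login": "alice@example.com", "status": "ACTIVE",
     "groups": ["engineering", "vpn-users"], "mfa_factors": ["totp", "webauthn"],
     "attributes": {"department": "Platform", "employee_id": "E1001"}},
    {"login": "bob@example.com", "status": "ACTIVE",
     "groups": ["finance"], "mfa_factors": ["push"],
     "attributes": {"department": "Finance", "employee_id": "E1002"}},
    {"login": "carol@example.com", "status": "ACTIVE",
     "groups": ["engineering", "prod-admins"], "mfa_factors": ["totp"],
     "attributes": {"department": "Platform", "employee_id": "E1003"}},
    {"login": "dave@example.com", "status": "DEPROVISIONED",
     "groups": [], "mfa_factors": [], "attributes": {"employee_id": "E1004"}},
]

BACKUP = [
    {"login": "alice@example.com", "status": "ACTIVE",
     "groups": ["engineering", "vpn-users"], "mfa_factors": [],
     "attributes": {"department": "Platform", "employee_id": "E1001"}},
    {"login": "carol@example.com", "status": "ACTIVE",
     "groups": ["engineering"], "mfa_factors": [],
     "attributes": {"department": "Platform"}},
    {"login": "dave@example.com", "status": "ACTIVE",
     "groups": ["finance"], "mfa_factors": [], "attributes": {"employee_id": "E1004"}},
]


def index_by_login(records):
    """Key records by lower-cased login so case differences between tenants do not hide a match."""
    return {r["login"].lower(): r for r in records}


def failover_readiness(primary, backup):
    """Compare a primary tenant export against the backup tenant export.

    Blocking findings (the backup would grant the wrong access):
      missing_in_backup  - active users who do not exist in the backup
      stale_in_backup    - users deprovisioned in primary but still active in backup
      group_drift        - active users whose group membership differs
    Planning findings (expected, but must be in the runbook):
      attribute_drift         - profile attributes that differ or are absent
      mfa_reenrollment_needed - users with factors in primary and none in backup
    """
    p, b = index_by_login(primary), index_by_login(backup)
    report = {"missing_in_backup": [], "stale_in_backup": [], "group_drift": {},
              "attribute_drift": {}, "mfa_reenrollment_needed": []}
    for login, pu in sorted(p.items()):
        bu = b.get(login)
        if pu["status"] != "ACTIVE":
            # A leaver must not come back to life when you fail over.
            if bu is not None and bu["status"] == "ACTIVE":
                report["stale_in_backup"].append(login)
            continue
        if bu is None:
            report["missing_in_backup"].append(login)
            continue
        pg, bg = set(pu["groups"]), set(bu["groups"])
        if pg != bg:
            report["group_drift"][login] = {"missing": sorted(pg - bg), "extra": sorted(bg - pg)}
        drift = sorted(k for k, v in pu["attributes"].items() if bu["attributes"].get(k) != v)
        if drift:
            report["attribute_drift"][login] = drift
        if pu["mfa_factors"] and not bu["mfa_factors"]:
            report["mfa_reenrollment_needed"].append(login)
    report["ready"] = not (report["missing_in_backup"] or report["stale_in_backup"]
                           or report["group_drift"])
    return report


if __name__ == "__main__":
    print(json.dumps(failover_readiness(PRIMARY, BACKUP), indent=2))
```

Run on the constructed exports, the check reports bob missing from the backup, dave stale in it, carol missing her prod-admins group and her employee_id, and both alice and carol needing to re-enroll MFA; ready is therefore false. Scheduling this comparison after every sync is a cheap way to measure the real RPO of your backup tenant, and the MFA list is the size of the re-registration effort your failover runbook has to absorb.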

Question 5: Am I fully prepared to uphold my end of the shared accountability model common to cloud/SaaS providers?

As the saying goes, you can outsource the service but not the accountability. It is crucial for CISOs to ask themselves and their teams tough questions about strategies, roles, and responsibilities in a disaster recovery scenario. How will your team go beyond the boundary of the cloud service to ensure you have the access, controls, plans, and processes that give you the greatest visibility and control?

This clarity in roles and responsibilities will come in handy in the event of a disaster, cyber, or operational incident. It is essential to create an internal ‘shared accountability’ framework and plan that enables CISOs not only to meet but to exceed expectations.

In conclusion, CISOs should not overlook the critical questions surrounding cloud-based IdPs. By asking these questions, CISOs can ensure their IdP aligns with their organization's security objectives and provides a solid foundation for their cloud-based environment.