What CISOs Want to Know: 4 Common Resiliency Questions from Chief Information Security Officers

Our IAM resiliency experts spend their days discussing the security and resiliency of the identity access management (IAM) environments of our clients and interested prospects. Through those dozens of daily conversations, we encounter similar questions and experiences that reveal the common misunderstandings around IAM risk and resiliency.  

In a realm as new and evolving as identity resilience, no question is too basic! We have found that there is often confusion about the built-in capabilities of major Identity Providers (IdPs). Even among the most experienced security practitioners, we find shock and surprise about what an IdP will and won't do for their clients.

Here are some of the most common questions we get from CISOs about their IAM risk and resiliency.

  1. Why does my company need to back up and restore our identities?

    Many security professionals wrongly assume that cloud providers provide functional backups for their critical data. (Bonus insight: this myth extends beyond IAM providers to other cloud solutions!)

    The reality is that just because your IdP – be it Entra ID, Okta or another provider – stores your data in the cloud does not mean they are backing it up. Or, if they are backing up the data, those backups may not cover custom configurations your team has built. Unless you have had a conversation with your IdP about the backups they maintain, any backups are likely insufficient to keep your business running in the event of a disaster.

    If the Identity Provider data is inaccessible for any amount of time, users cannot log in to access their applications. This could mean employees are unable to do their work, or customers are unable to transact with you.

    Backing up identities for potential restoration to a known good state is necessary to keep business running if that information is corrupted or otherwise unavailable.

    Check out these 6 questions to ask your IdP to determine the usability of their backups.
  2. What are the risks of not having a backup solution for Okta or Entra ID?

    If there is an internal misconfiguration and users cannot sign on through Okta or Entra ID to access their applications, work can't get done. And while this may seem like a remote possibility, the increasing number of cyber attacks on identity providers makes it a much more real risk than security professionals have wanted to consider in the past.

    Think of what happened to MGM Resorts when their Okta went down. The outage is expected to have cost the company $80 million.

    The extreme downside of an outage of this type has led many to think beyond just backup and recovery to a true fail-safe solution: a failover tenant. In this scenario, a company maintains a separate IAM environment – often with a different backup IdP vendor – to ensure a quick and easy transition in the event of a disaster.
  3. My team has scripts in place. Why isn't this enough?

    Custom scripts can help. However, they take many man-hours to create, and even more to maintain. We find that many companies do not update or test their scripts regularly, which creates a false sense of readiness. If an incident does occur, scripts can take days or weeks to restore an IAM system to a basic state. Then, the real work (manually rebuilding applications, associations and other details) takes even longer. Every minute of downtime means that an employee or customer cannot access their SSO, losing the ability to perform their work or interact with the company.

    Our customers have found that MightyID’s ability to restore an IAM system – granularly or completely – can cut downtime by hours or even days.
  4. Has anyone actually experienced their Okta tenant go down for a week?

    Short answer: no, or not that we know of. But we have seen customers lose access to their tenants for multiple days. Oftentimes, this has to do with an AWS issue that ends up impacting Okta along the way.

    None of us are hoping for an Identity Provider vendor to go down. What MightyID does is provide a business continuity and disaster recovery option. That way, customers are able to respond if their IdP were to experience a first-of-its-kind outage. We make our team available in the event of this type of emergency, and we provide the runbooks and plans needed to set up our customers to be as self-sufficient and successful as possible.

    For more information, reach out to a MightyID identity resilience specialist to assess the risk associated with your IAM backup plan.
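Questions 1 and 3 above both come down to the same mechanics: keep an integrity-checked snapshot of the tenant configuration, be able to tell what drifted from the known good state, and prove that the snapshot actually restores before an incident forces the question. The following Python example is added here to illustrate those three steps; it is not MightyID's code and does not use the Okta or Entra ID APIs. The tenant export format, user and group names, and the simulated misconfiguration are all constructed for the example.

```python
"""Snapshot-based backup, drift detection and restore of an IdP tenant configuration."""
import copy
import hashlib
import json

# Constructed sample tenant export (not a real Okta or Entra ID export format).
KNOWN_GOOD_TENANT = {
    "users": {
        "alice@example.com": {"status": "ACTIVE", "groups": ["engineering", "vpn-users"]},
        "bob@example.com": {"status": "ACTIVE", "groups": ["finance"]},
    },
    "groups": {
        "engineering": {"apps": ["github", "jira"]},
        "finance": {"apps": ["netsuite"]},
        "vpn-users": {"apps": ["vpn"]},
    },
    "policies": {
        "mfa": {"required": True, "factors": ["webauthn", "totp"]},
    },
}


def canonical_bytes(state: dict) -> bytes:
    """Serialize deterministically so equal configurations hash equally."""
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def take_snapshot(state: dict) -> dict:
    """Produce a self-describing backup record with an integrity digest."""
    payload = canonical_bytes(state)
    return {"sha256": hashlib.sha256(payload).hexdigest(), "payload": payload.decode()}


def restore_from_snapshot(snapshot: dict) -> dict:
    """Rebuild tenant state from a snapshot, refusing a tampered or truncated one."""
    payload = snapshot["payload"].encode()
    if hashlib.sha256(payload).hexdigest() != snapshot["sha256"]:
        raise ValueError("snapshot integrity check failed")
    return json.loads(payload)


def _flatten(obj, prefix=""):
    """Flatten nested dicts into dotted-path -> leaf value pairs."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            out.update(_flatten(value, f"{prefix}{key}."))
        return out
    return {prefix.rstrip("."): json.dumps(obj, sort_keys=True)}


def diff_state(baseline: dict, current: dict) -> list:
    """List every dotted path that was added, removed or changed relative to baseline."""
    base, cur = _flatten(baseline), _flatten(current)
    changes = []
    for path in sorted(set(base) | set(cur)):
        if path not in cur:
            changes.append(("removed", path))
        elif path not in base:
            changes.append(("added", path))
        elif base[path] != cur[path]:
            changes.append(("changed", path))
    return changes


def verify_snapshot_restorable(snapshot: dict, live_state: dict) -> bool:
    """The 'test your backup' step: a restore must reproduce the live state exactly."""
    return diff_state(live_state, restore_from_snapshot(snapshot)) == []


def simulate_incident(state: dict) -> dict:
    """Constructed misconfiguration: MFA requirement switched off and a group deleted."""
    broken = copy.deepcopy(state)
    broken["policies"]["mfa"]["required"] = False
    del broken["groups"]["vpn-users"]
    return broken


if __name__ == "__main__":
    snap = take_snapshot(KNOWN_GOOD_TENANT)
    print("snapshot restorable:", verify_snapshot_restorable(snap, KNOWN_GOOD_TENANT))
    damaged = simulate_incident(KNOWN_GOOD_TENANT)
    for kind, path in diff_state(KNOWN_GOOD_TENANT, damaged):
        print(f"{kind:8} {path}")
    recovered = restore_from_snapshot(snap)
    print("restore clean:", diff_state(KNOWN_GOOD_TENANT, recovered) == [])
```

The digest check in `restore_from_snapshot` is what turns a stored file into a backup you can trust during an incident, and `verify_snapshot_restorable` is the scheduled test that the scripts in question 3 usually lack: run it on every snapshot as it is taken, so that an unrestorable backup is found on a normal day rather than during an outage. The diff output is also what an operator needs first, since it shows which objects to rebuild or roll back rather than forcing a full restore.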