"As a CTO, I really don't want to be responsible for a data leak that showed passwords and user logins and those kinds of things. I'm 100% sure that Auth0, a company that is built around this, will have better ability to take care of the security than I'm able to do — your entire business depends on it," says Rolf Bekkstrand, former CTO, 4human HRM.
He's not alone.
No one wants to be the person who tried to save budget using a lesser level of encryption — and got hacked. Or, worse, exposed customer data by storing it poorly.
In a broader sense, security is about trust. When your customers share their identity with you, they're trusting you to keep it safe — and while blogs posts and webinars can help convey that a third-party vendor is trustworthy, it's not enough for a company to just claim that it's secure. We need to prove it.
That need for proof has gone far beyond being a business requirement. GDPR's data protections may have come into force in 2018, but many countries already maintained strict requirements and others have data privacy plans in the works. All of this regulation is part of a global trend inspired, at least in part by the rising number of data breaches.
Global Data Privacy Trends Include Civil Action
Breaches are happening at such a rapid rate that USA Today now maintains a ranked breach index. In the first half of 2018 alone, there were 668 breaches and over 22 million records exposed.
According to the Ponemon Institute, the global average cost of a data breach rose to $3.86 million last year (Forbes puts it at $7.91 million in the U.S.) — and those calculations are pre-GDPR. With €50 million in non-compliance fines leveled at Google, a suit already filed against eight other companies including Apple and Amazon, and an EU judge ruling that civil action against Facebook is viable, security and compliance are about much more than your perimeter.
Lest you think that these concerns only apply to your EU customers, the shift towards protecting data privacy is a global trend, but one where different countries might use GDPR as a baseline, but tweak it for their needs. A case in point is California's data privacy law, coming into force in 2020, which looks likely to provide the basis for a Federal data law in the U.S. You can find in-depth look at expected data privacy trends in 2019 here.
The likelihood that data has been exposed is part of the reason behind all the regulation, but due to the rising number of data breaches, it's no longer just companies and partners that want to be protected, says John McKim, VP of Product & Technology, A Cloud Guru, "Customers want to know that their data is going to be protected and secured, and identity is a critical part of that. Having confidence that the systems that hold their very personal information... is really critical. That's why we like to use Auth0."
Proving Trust with Accreditation
Accreditations are often on a required term-of-business checklist, but the reasoning for that placement lies in trust, says Auth0 CISO/VP of Operations Joan D. Pepin. "That certification means an external third-party has verified that we meet a professional standard — and it's not a one-and-done effort. We have to work to maintain that accreditation. Just as you need to regularly update the software on your laptop, we need to continually update our security."
This continuous improvement and monitoring happen alongside our development efforts, helping us to continue building in security as we innovate.
Companies who choose Auth0 instead of building identity in-house benefit from our accreditations.
Certifications like SOC 2, HIPAA, and ISO 27001 require an upfront investment to achieve the accreditation plus yearly costs to maintain it. "Most Fortune 500 companies won't sign deals if you don't have the applicable certifications," says Auth0 Senior Manager of Governance Risk and Compliance Adam Nunn. "Yearly tooling costs can vary from organization to organization, ranging from $25,000 to multi-millions, depending on the size of the org."
Auth0 invests yearly on third-party auditors, salaries for the staff who make sure we're compliant, and internal compliance tools (excluding engineering tools and/or tools deployed for security purposes), and continually improving our processes — eliminating both certification worry and cost for our customers.
For companies protecting large amounts of sensitive and regulated data, like healthcare collaboration platform ACT.md, realizing it doesn't have to be painful can come as a surprise.
"We hadn't expected to be able to find a partner like Auth0 who would be so focused on security, proper authentication, and yet create a platform that's incredibly well-documented, easy to test, and is HIPAA compliant," Narath Carlile, Chief Medical Information Officer, ACT.md.
Getting the 'Jump' on Fraudulent Users
Working with identity experts means dealing with fewer bugs, vulnerabilities, and introduced workarounds, but active security features like anomaly detection and brute force protection can remove a significant amount of worry for your and your customers — even if you're doing business in a challenging space.
"Marketplaces can be a heavily fraudulent space. A lot of scammers list fake cars and they have different mobile numbers and email addresses or whatever, and they try to convince people to wire transfer money," says former Cox Automotive Australia CTO Jeremy Gupta. Instrumenting Auth0 in the private seller experience allows Autotrader to verify mobile and email using out-of-the-box flows plus customization.
"We also get some really strong moderation through the Auth0 platform, which allows our customer service team to jump on fraudulent users ahead of time," says Gupta.
Security ROI
"I'm a big proponent of letting experts do what they do best. If you get identity management wrong, it falls apart horribly, and you get put on the front page of the newspaper as having exposed a large number of people to really bad things. I didn't want to rely on building it ourselves," David Bernick, former Director of Cloud and Technology, Harvard Medical School
Since we control the front door to our customers' applications, we are a security company. Auth0 takes protecting our customers identity transactions seriously. "We invest heavily in our Security team, building out a cutting edge program and hiring talented engineers who want to build the security of a security company," says Auth0 Senior Director of Security Duncan Godfrey.
That behind-the-login-box effort pays off for our customers. "Security is often misunderstood, and when it is an afterthought, left to the end, it tends to bite you in the butt.," says Stephen Berard, former Senior Global Software Architect, Schneider Electric. "We didn't have to kick the proverbial can down the road every time a new security or authentication question came up, whether the question was hypothetical, practical or mission critical.
Resources
The Real ROI of Auth0
The Real ROI of Auth0, Part 1: Time To Market
The Real ROI of Auth0, Part 2: Innovation
The Real ROI of Auth0, Part 3: Security (you're reading Part 3)
The Real ROI of Auth0, Part 4: Maintenance
Guidance: Auth0's Approach to Information Security details our approach to information security and our list of certifications and compliance capabilities so that you can better understand how Auth0 protects your data.
Docs: Customers often cite the benefit of our clear documentation and Jumpstarts. Get started here.
Questions? Please reach out to an Auth0 Resource if you'd like to learn how we can support your specific project or digital transformation.
About the author
Jenny O'Brien
Business Content Manager