JumpCloud has asked its customers to replace their API cryptographic keys following a security incident
By Cliff Saran, Managing Editor
Published: 07 Jul 2023 12:30
JumpCloud, which offers directory-as-a-service products, has issued mandatory application programming interface (API) security key replacements, following what is believed to be an ongoing security incident.
The company offers secure access from any device anywhere and can integrate corporate WiFi and VPN devices using its RADIUS-as-a-service offering. It positions itself as a full cloud replacement for Microsoft Active Directory.
Computer Weekly’s sister publication, SearchSecurity.com, reported that JumpCloud notified customers and published a support notification on Thursday warning of an API key reset for IT directors that affected a number of companies. SearchSecurity.com noted that JumpCloud provided instructions to generate a new API key, but did not say what the incident was, what caused it or whether the company network had been breached.
Among the services and products that JumpCloud has listed as potentially affected are importing Active Directory; BambooHR; Okta Real-time User and Password Import; and the JumpCloud App for Slack.
In a screenshot of the notice sent to customers, JumpCloud said: “Out of an abundance of caution relating to an ongoing security incident, JumpCloud has invalidated your existing API keys…We apologise for any inconvenience this causes your organisation, but the action was taken on your behalf as the most prudent course of action.”
Jason Kent, hacker in residence at Cequence Security, said that an important element in any cryptographic system is the key. “As someone who has given words of caution on the use of long-lasting keys in the past and has commented many times on persistent API keys for sensitive controls, the ‘I told you so’ phase just isn’t much fun,” he said.
“As the teams that utilise these systems now have to see how many integrations have failed, how much backlash it’s going to create internally and will have to set about fixing everything, it’s a very stressful thing.”
JumpCloud’s support page urged JumpCloud admins who are using a JumpCloud API key with an integration that relies on a JumpCloud admin API key to take action by updating integrations with their new API key(s).
Kent said that reissuing keys means that IT admins now need to set keys on the various IT systems that use JumpCloud APIs, then wait for reports of successes and failures. Kent believes optimal key management needs systems capable of generating keys at the time of use.
“This is because storage of the keys tends to be found by attackers and compromises like this one end up being a huge problem,” he said. “Computers are really good at repetitive tasks, have them log in every time. Utilise privileged access management or similar strategy and make sure you protect the key.”
Copyright for syndicated content belongs to the linked source: Computer Weekly – https://www.computerweekly.com/news/366544136/JumpCloud-issues-notice-to-customers-to-refresh-API-keys