Articles

Okta révolutionne l’identité d’entreprise: dépassement MFA.

Actualités, Méthodes et organisation des process IT

Okta révolutionne l’identité d’entreprise en offrant une authentification multi-facteurs plus sûre et plus facile à gérer. Découvrez comment Okta dépasse le MFA.

Au Oktane23, Okta a révélé de nouvelles solutions pour automatiser la gouvernance d’identité, mettre en œuvre la gestion des accès privilégiés et permettre une authentification et une protection contre les menaces continues.

Okta Automates Identity Governance

Okta’s new identity governance solution automates the process of granting and revoking access to applications and other resources. This helps organizations ensure that users have the right level of access to the right resources at all times, while also meeting compliance requirements. The solution also provides visibility into user access and activity, enabling organizations to quickly detect and respond to suspicious behavior.

Okta Enables Privileged Access Management

Okta’s new privileged access management solution helps organizations secure access to their most sensitive resources, such as corporate networks and databases. The solution provides granular control over who has access to these resources and when, while also providing visibility into user activity. This helps organizations detect and respond to suspicious activity quickly and effectively.

Okta Offers Continuous Authentication and Threat Protection

Okta’s new authentication and threat protection solutions help organizations protect their users from sophisticated cyber threats. The solutions provide continuous authentication and threat protection, enabling organizations to detect and respond to threats in real time. The solutions also provide visibility into user activity, allowing organizations to quickly detect and respond to suspicious behavior.

Conclusion

Okta’s new solutions will revolutionize the way organizations manage identity and access, enabling them to secure their digital resources while removing productivity roadblocks for users. The solutions provide automated identity governance, privileged access management, continuous authentication, and threat protection, helping organizations protect their users from sophisticated cyber threats while ensuring compliance with industry regulations.

Introduction

L’identité a historiquement été considérée comme le moyen d’accorder ou de refuser l’accès aux ressources et applications numériques d’une entreprise. Mais dans le paysage technologique de plus en plus complexe et riche en menaces cyber sophistiquées d’aujourd’hui, l’identité doit se transformer en bien plus. Lors de la conférence annuelle Oktane de l’Okta, leader de la gestion d’identité, des nouvelles solutions innovantes ont été annoncées qui redéfiniront le rôle de l’identité dans la sécurisation de l’entreprise moderne tout en supprimant les obstacles à la productivité des utilisateurs.

Okta Automatise la Gouvernance d’Identité

La nouvelle solution de gouvernance d’identité d’Okta automatise le processus d’octroi et de révocation de l’accès aux applications et autres ressources. Cela permet aux organisations de s’assurer que les utilisateurs disposent du bon niveau d’accès aux bonnes ressources en tout temps, tout en respectant les exigences en matière de conformité. La solution offre également une visibilité sur l’accès et l’activité des utilisateurs, ce qui permet aux organisations de détecter et de réagir rapidement à des comportements suspects.

Okta Permet la Gestion des Accès Privilégiés

La nouvelle solution de gestion des accès privilégiés d’Okta aide les organisations à sécuriser l’accès à leurs ressources les plus sensibles, telles que les réseaux et bases de données d’entreprise. La solution offre un contrôle granulaire sur qui a accès à ces ressources et quand, tout en fournissant une visibilité sur l’activité des utilisateurs. Cela permet aux organisations de détecter et de réagir rapidement et efficacement à des comportements suspects.

Okta Offre une Authentification Continue et une Protection

Source de l’article sur DZONE

27 octobre 2023/par Service comm.

Ne Pas Utiliser de Credentiels dans une CI/CD Pipeline

Actualités, Méthodes et organisation des process IT

Les pipelines CI/CD sont des outils puissants, mais il est important de ne pas utiliser de credentiels sensibles pour éviter les risques de sécurité.

Comment Donner un Accès Sécurisé à des Services Tiers Sans Utiliser de Clés Secrètes

OpenID Connect (OIDC) is a protocol that allows users to authenticate themselves with an external identity provider, such as Auth0 or Okta. It works by exchanging an access token between the identity provider and the application. This token is cryptographically signed and contains a set of claims about the user, such as their name, email, and other attributes. The application can then use this token to authenticate the user and grant them access to resources.

En tant qu’utilisateur qui construit et maintient des infrastructures cloud, j’ai toujours été méfiant du point de vue de la sécurité lorsque je donne un accès à des services tiers, tels que les plateformes CI/CD. Tous les fournisseurs de services prétendent prendre des précautions strictes et mettre en œuvre des processus infaillibles, mais les vulnérabilités sont toujours exploitées et les erreurs arrivent. Par conséquent, ma préférence est d’utiliser des outils qui peuvent être hébergés en interne. Cependant, je ne peux pas toujours avoir le choix si l’organisation est déjà engagée auprès d’un partenaire externe, tel que Bitbucket Pipelines ou GitHub Actions. Dans ce cas, pour appliquer un IaC Terraform ou déployer un groupe d’échelle automatique, il n’y a pas d’autre choix que de fournir à l’outil externe une clé secrète API, n’est-ce pas ? Faux ! Avec la prolifération de OpenID Connect, il est possible de donner aux plates-formes tierces un accès basé sur des jetons qui n’exige pas de clés secrètes.

Le problème avec une clé secrète est qu’il y a toujours une chance qu’elle soit divulguée. Le risque augmente plus elle est partagée, ce qui se produit lorsque des employés quittent et que de nouveaux arrivent. L’un d’entre eux peut le divulguer intentionnellement ou ils peuvent être victimes d’une hameçonnage ou d’une violation. Lorsqu’une clé secrète est stockée dans un système externe, cela introduit un tout nouvel ensemble de vecteurs de fuite potentiels. Atténuer le risque implique de changer périodiquement les informations d’identification, ce qui est une tâche qui n’ajoute pas de valeur perceptible.

OpenID Connect (OIDC) est un protocole qui permet aux utilisateurs de s’authentifier auprès d’un fournisseur d’identité externe, tel qu’Auth0 ou Okta. Il fonctionne en échangeant un jeton d’accès entre le fournisseur d’identité et l’application. Ce jeton est signé de manière cryptographique et contient un ensemble de revendications sur l’utilisateur, telles que son nom, son adresse électronique et d’autres attributs. L’application peut ensuite utiliser ce jeton pour authentifier l’utilisateur et lui donner accès aux ressources.

Les jetons OIDC sont une alternative intéressante aux clés secrètes pour donner aux plates-formes tierces un accès limité aux ressources cloud. Les jetons sont générés par le fournisseur d’identité et peuvent être limités à une durée de vie spécifique et à un ensemble de revendications spécifiques. De plus, ils peuvent être révoqués à tout moment par le fournisseur d’identité si nécessaire. Les jetons OIDC sont donc une solution plus sûre et plus flexible pour donner aux plates-formes tierces un accè

Source de l’article sur DZONE

31 mai 2023/par Service comm.

10 Elements of Landing Pages That Convert

Actualités, Actualités

Landing pages are central to successful marketing campaigns; they allow you to target particular customers with particular solutions to particular problems.

It’s easy to confuse what a landing page is because users “land” on many pages. When we talk about landing pages, we mean a page that is entirely dedicated to a particular type of customer. In fact, if we could create a unique landing page for each individual user, that would be awesome.

You might think your homepage is a landing page, but it’s not; users reach your landing page in various ways — directly, via organic search, or backlink. A landing page is normally dedicated to a specific marketing campaign. It is accessed from a link in an email, via social media, or most often via a PPC (Pay Per Click) advert.

Here are 10 elements of landing pages that are proven to convert successfully:

1. Use A Single Call To Action

Your potential customers must know how to move forward with your product or service as early in the experience as possible.

Are they signing up for a free trial? Are they signing up for your newsletter? Are they buying a product? Are they contacting you? Whatever you need them to do, make it clear.

The Hick-Hyman law of UX says the more choices you give a user, the less likely they are to make any choice at all; conversely, the fewer choices, the greater the likelihood that they’ll move forward.

Give the user one choice: click the button, or don’t click the button. A single CTA will out-perform multiple options.

2. Keep Forms Simple

Often, your landing page will need a potential customer’s information. They might be creating an account, setting up a trial, or just joining your newsletter.

If the potential customer is signing up for a trial, by all means, ask for their email address. But you don’t need their cell number, their mother’s name, the street they grew up on, their birthday, or any of that other junk that’s used to profile users.

Whatever the purpose, keep your form ultra-simple. That means as few fields as possible. If you really want it, give the user the option to fill it in later as part of an onboarding process — when they’re already invested — but not on the landing page.

3. Make the Headline Punchy

The first thing your potential customer sees on your landing page is the headline, so make it count.

Half a dozen words are usually more than enough. Your goal is to keep it short enough that the potential customer has read the headline before they realize it.

Often, you’ll want to clarify the statement with more information. That’s fine as a sub-heading after you’ve grabbed their interest, but make sure you grab their attention first.

The headline “Coyote Anvils” is best followed by the sub-heading “You’ll be eating roadrunner for dinner!”

Your goal for your headline is to explain your product or service in 2–3 seconds.

4. Center Your Content Around Your Value Proposition

What makes your product or service stand out? What makes it better than the competition? If you’re not sure, spend some time checking out companies in your space.

Creating a value proposition can be one of the toughest challenges a business faces because you need to put yourself in your potential customer’s shoes. But if you get this right, it will carry your marketing. You need to find the benefits within your product or service, not the features.

Value propositions are best when backed by facts. The “World’s Most Accurate Anvils” is best backed by proof: “9/10 coyotes said they were more likely to hit their target than themselves when using our patented AccuAnvil.”

5. Lists, Lists, and More Lists

You’ve got seconds to engage your potential customer, perhaps even less. One way to grab them is with a great headline, but you have to keep them interested beyond the headline.

One great way is bullet lists with short entries. Short-item lists naturally pull our eyes down the page because our eyes take in the whole line in one glance; we don’t need to read to absorb the information.

The longer you can keep someone on the page, the greater the likelihood they’ll keep looking, so pulling them down the page with lists is a great tactic.

6. Exploit the Zeigarnik Effect

The Zeigarnik Effect says that people remember incomplete experiences better than they do completed ones. This is because when a task is seen as completed, it can be filed away as a memory, but if it’s incomplete, then it remains at the front of your mind.

This is a boon for designers creating landing pages because we can create a situation where the potential customer begins an onboarding process and is aware that it hasn’t been completed — they might need to verify their email address, for example.

The lack of completion keeps the landing page and the product or service fresh in the potential customer’s mind. So when they see that onboarding email, they’ll use it.

7. Proof

Anyone can put up a website. It’s easy. And as a result, potential customers don’t necessarily trust you.

One way you can combat this is with some form of proof. That may be in the form of official certifications, or featured testimonials, or just independent reviews.

It rarely occurs to potential customers that you’re cherry-picking the testimonials and reviews you’re choosing to display, so even if only some of your reviews are good, it’s worth including them.

But be careful not to sound too good. If you post nothing but 5* reviews, people will smell a rat; that 3* review may actually do you a favor by making the 5*s seem more genuine.

8. Predictive Images

Potential customers lack imagination, they don’t have all the facts, and unless your product or service is very basic, they may not fully understand what the product does for them.

Use images to quickly show them what life may be like using your product or service. Paint an appealing picture. If they can see themselves in the image, they’ll grant you a little more time to persuade them in the form of further content.

9. Continuity

How did the potential customer arrive at your landing page? Chances are it was via a PPC link, or if you were lucky an organic search link. However they arrived, they were in a certain frame of mind, with a certain problem they wanted to solve; they aren’t going to take kindly to being diverted onto a different train of thought.

Your landing page has to match the tone, style, and value proposition of your adverts. The potential customer’s experience of your organization begins with the advert, not the landing page, so make sure that you don’t break the spell. If your landing page doesn’t match your advert, you could lose the potential customer altogether — and increase your bounce rate while you’re at it.

Remember: the customer was attracted by something in your advert, so give them the same attractive qualities on your landing page.

10. Drop the Nav

Most sites have a single main menu and a rich footer with links to customer service, contact pages, and so forth. These are detrimental on a landing page because you’ll leak traffic to other, less-focused parts of your site.

Your landing page is a streamlined selling machine. The only link you want on the page is your CTA.

It’s fine to keep legal text and even links to privacy policies — users rarely click those anyway. You can also link to your homepage using your logo. But don’t add any navigation that invites a click, or you’ll dilute all the work you’ve put in.

Source

The post 10 Elements of Landing Pages That Convert first appeared on Webdesigner Depot.

Source de l’article sur Webdesignerdepot

28 avril 2021/par Service comm.

Use Authorization Code and PKCE for RingCentral API for Client App

Actualités, Méthodes et organisation des process IT

RingCentral APIs use OAuth 2.0 for authorization. But which grant flow is the best practice for client-side apps, such as desktop, mobile app, and web (Single Page Apps)? The answer to that is authorization code with Proof Key for Code Exchange. In this article, I will introduce and show you how to implement authorization code with PKCE flow in Single Page Apps.

Useful Links

RingCentral APIs reference: Authorization in RingCentral APIs.
IETF link: Proof Key for Code Exchange by OAuth Public Clients.

Authorization Code and Implicit Grant Flow

Authorization Code Grant Flow

We can get the full steps of authorization code grant flow in the following diagram. A third-party app will need the RingCentral client ID and client secret to exchange and refresh the access token. The third-party app will stay authorized if it refreshes the RingCentral access token before the refresh token has expired, and will get a new refresh token and access token when it refreshes.

Source de l’article sur DZONE

12 mars 2021/par Service comm.

10 Reasons Your WordPress Site Will Get Hacked (and How to Stop It)

Actualités, Actualités

A hacked WordPress site is as damaging as having your home burgled. It can completely shatter your peace of mind and adversely impact your online business.

Why do hackers target WordPress sites? The answer is relatively simple: WordPress is the single biggest platform for website creation these days, so there’s a larger base to attack; this attracts the attention of online criminals.

So, how can a hack impact your website?

Depending on the type of attack, your website could suffer any of the following:

It could be defaced completely;
It could load or operate very slowly on any device;
It could completely crash and malfunction;
It could display the dreadful “White Screen of Death”;
Its incoming visitors could be redirected to other suspicious websites;
It could lose all your valuable customer data.

This list is not exhaustive but you get the idea.

Now that we know how a successful hack can impact your website and online business, let us look at the top 10 reasons behind WP hacks and prevent them.

1. An Insecure Web Host

Like any website, WordPress is hosted on a web host or server. Unfortunately, most site owners do not pay much attention to the web host they select and choose the cheapest they can find. For example, it is more affordable to host a website on a shared hosting plan — one that shares its server resources with many other websites like yours.

This can make your site vulnerable to hackers as a successful hack into any website on the shared server. A single hacked site can consume the overall server bandwidth and impact all the other sites’ performance.

The only way to fix this problem is to opt for a reliable host and a virtual or dedicated server.

Pro tip: If you’re already using a shared hosting plan, check with your hosts if they offer VPS hosting and make the switch.

2. Use of Weak Passwords

Weak passwords are the main reason behind successful brute force attacks that target your account. Even to this day, users continue to use weak and common passwords like “password” or “123456”; if you’re one of them, your website could land in trouble!

Guessing weak passwords allows hackers to enter the admin accounts where they can inflict the maximum damage.

How do you fix this problem? Simple, ensure all your account users (including admin users) configure strong passwords for their login credentials. With at least 8 characters, passwords must be a mix of upper- and lower-case alphabets, numbers, and symbols.

For added safety, install a password management tool that can automatically generate and store strong passwords.

Pro tip: You can use a plugin to reset passwords for all your users.

3. An Outdated WP Version

Outdated software is among the most common reasons why websites get hacked. Despite being free to download, most site users defer updating their site to the latest version, for fears of updates causing their site to crash.

Hackers take advantage of any vulnerability or bug in an older version and cause issues like SQL Injections, WP-VCD Malware, SEO Spam & other major issues like website redirecting to another site.

How do you solve this problem? When you see a notification about an update on your dashboard, update your site as soon as possible.

Pro tip: If you are worried about updates crashing your live website, you can first test the updates on a staging site.

4. Outdated WP Plugins and Themes

Similar to the previous point, hackers also take advantage of outdated, unused, or abandoned plugins and themes installed on websites. With over 55,000 plugins and themes that are available, it is easy to install a plugin or theme, even from unsafe or untrusted websites.

Plus, many users do not update their installed plugins/themes to the latest version or do not find the updated version. This makes it easier for hackers to do their job & infect sites.

How do you avoid this problem? As with the core WP version, update each of your installed plugins/themes on your site regularly. Take stock of all the unused ones and remove them or replace them with better alternatives.

You can update your plugins/themes from your hosting account.

Pro tip: We suggest setting aside time every week to run updates. Test them on a staging site and then update your site.

5. Common Admin Usernames

In addition to weak passwords, users also create common usernames that are easy to guess.

This includes common usernames for admin users like – “admin”, “admin1”, or “admin123”. Common admin usernames make it easier for hackers to get into admin accounts and control backend files in your WP installation.

How do you avoid this problem? If you are using any such usernames that are easy to guess, change them immediately to a unique username. The easiest way of doing it is through your hosting account’s user management tool, by deleting the previous admin user and creating a new admin user with a unique username.

As the first step, change the default username of your admin user and limit users who have administrator privileges.

Pro tip: WordPress has 6 different user roles with limited permissions. Only grant admin access to users who really need it.

6. Use of Nulled Plugins/Themes

Coming back to the importance of plugins/themes, users have access to many websites that sell nulled or pirated copies of popular and paid plugins and themes. While these are free to use, they are often riddled with malware. They can compromise your website’s overall security and make it easier for hackers to exploit.

Being a pirated copy, nulled plugins/themes do not have any available updates from its development team, hence will not have any security fixes.

How do you fix this problem? Simple, for a start, only download original plugins and themes from trusted websites and marketplaces.

Pro tip: If you don’t wish to pay for paid or premium plugins and themes, opt for a free version of the same tools that will have limited features but are still safer to use than the nulled version.

7. Unprotected Access to wp-admin Folder

To take control of your site, hackers often try to break into and control your wp-admin folder in your installation. As the website owner, you must take measures to protect your wp-admin directory.

How can you protect your wp-admin folder? First, restrict the number of users having access to this critical folder. Additionally, apply for password protection as an added layer of security for access to the wp-admin folder. You can do this using the “Password Protection Directories” feature of the cPanel in your web host account.

Pro tip: Besides these fixes, you can also implement Two Factor Authentication (or 2FA) protection for all your admin accounts.

8. Non-SSL Website

You can easily migrate your HTTP website to HTTPS by installing an SSL certificate on your site. SSL (or Secure Socket Layer) is a secure mode of encrypting any data transmission between your web server and the client browser.

Without this encryption, hackers can intercept the data and steal it. Plus, a non-secure website can have many negative implications for your business – lower SEO ranking, loss of customer trust, or a drop in incoming traffic.

How do you fix this problem? You can quickly obtain an SSL certificate from your hosting company or SSL providers. It encrypts all data that is sent from and received by your website.

Pro tip: You can get a free SSL certificate from places like Let’s Encrypt, but these provide limit protection that will only be sufficient for a starter site or small site.

9. No Firewall Protection

Lack of firewall protection is another common reason why hackers can bypass website security measures and infiltrate the backend resources. Firewalls are the last line of defence against hackers and work like the security alarm installed on your house. Firewalls monitor web requests coming from various IP addresses, including the suspicious (or bad) ones.

They can identify and block requests that are known to be malicious in the past, thus preventing easy access for hackers to your website domain. Web application firewalls can thwart various attacks, including brute force attacks, XSS, and SQL injections.

Pro tip: A firewall provides much-needed security and is your first line of defence. But it’s important to also have a malware scanner installed.

10. Lack of WordPress Hardening Measures

Typically, hackers target the most vulnerable areas or weaknesses within a WP installation, to illegally access or damage the website. The WordPress team has identified these vulnerable areas and has devised a list of 12 hardening measures recommended for every website.

A few of these include:

Disabling the File Editor;
Preventing PHP execution in untrusted folders;
Changing the security keys;
Disallowing plugin installations;
Automatic logout of inactive users;

How do you implement these hardening measures? While some steps are easy to understand, others require the technical expertise of how WordPress works.

Pro tip: You can implement hardening measures on your own. However, some measures require technical expertise so in these cases, it’s much easier and safer to use a plugin.

Featured image via Pexels.

Source

Source de l’article sur Webdesignerdepot

13 novembre 2020/par Service comm.