Mitigating risk in cloud apps with federated authentication

A funny thing happened on the way to the cloud. As organisations moved to cloud-based tools, they lost secure access to their data. 

This is a problem. The defences these organisations had spent (in some cases) millions of dollars setting up (including firewalls, intrusion detection, strong authentication solutions and anti-virus) were no longer protecting them and their sensitive information.

That sensitive information now resides elsewhere: in the cloud. All the expense that was put into defences is no longer serving the role it was ultimately designed for: protecting data. Instead, that data is living beyond internal servers, on the wrong side of those internal defences, in cloud-based server farms which you don't own.

This new reality requires a new take on Identity and Access Management (IAM), one that takes cloud storage into account. In other words, how can an organisation ensure the maximum amount of security for their cloud-hosted data? 

We see four ‘roads’ for how your data travels in the cloud and how to best deliver an IAM solution for it:

1) Open access: Accessible on the public internet. Username and password are managed by Software-as-a-Service (SaaS) providers. This solution offers the least amount of protection for your data and no solutions specifically for your organisation to control access. 

2) Behind the VPN: This option requires remote users to first authenticate to the VPN (most likely via a one-time password solution), then via a username and password.

3) Federated identity management: The user authenticates to a central portal through which they gain access to multiple applications.

4) Native strong authentication: Strong authentication deployed separately in each individual cloud software application.

Each of these options must be able to stand up to external and internal threats, and the winning solution must not sacrifice user convenience or the ability for employees to participate in the bring your own device (BYOD) phenomenon. So, which of the four ‘roads’ can stand up to all potential threats without sacrificing user experience?

Open access simply doesn't qualify. While it is the easiest to implement, since it doesn't involve doing anything, it doesn't deliver the required security measures. Behind the VPN seems at first sight an obvious choice, since it leverages all that existing investment in perimeter defences, but it has some substantial issues. It's inconvenient for users, who have to go through two login steps to access the application. It also doesn't scale well to BYOD, since it requires VPN clients to be deployed to a wide range of different personal devices.

Early indications are that end-users are not willing to use traditional VPN two-factor methods (such as OTP tokens) when authenticating from a tablet or mobile phone. The VPN approach also provides no additional protection against internal threats. Native strong authentication would work well but is quite inconvenient, with each application requiring its own specific security solution.

Clearly, federated identity management is the ideal choice. According to a recent Gartner study, federated identity management is less than two years away from mainstream adoption.

There is a reason for this. It has some very strong plus points for these types of deployments, such as:

• Flexibility of different authentication methods

• No requirement to install on end-user devices

• Centralised audit record of which applications were accessed by which user and when, a strong plus point for compliance.

For organisations aiming to mitigate risk both internally and externally, without sacrificing employee convenience, it is now clear that federated identity management is the best way to address data moving to the cloud: not only with SaaS applications, but also with internal apps which are stored elsewhere.

It gives users a single location to access the applications they require to do their jobs, and to gain access to the far-flung data those applications own. What type of solution is your organisation implementing to ensure data stays secure in the cloud?

Julian Lovelock, senior director of product marketing at ActivIdentity