Applications that reside in the cloud afford enterprises previously unavailable levels of agility, productivity and vital flexibility – all at a crucially lower cost than ever before. However, with many enterprises cloud deployments now successfully up and running, plus the integration of the Bring-Your-Own-Device (BYOD) culture into the workplace, the complex issue of data security and access control have leapt to the fore.
Applications that reside in the cloud afford enterprises previously unavailable levels of agility, productivity and vital flexibility – all at a crucially lower cost than ever before. However, with many enterprises cloud deployments now successfully up and running, plus the integration of the Bring-Your-Own-Device (BYOD) culture into the workplace, the complex issue of data security and access control have leapt to the fore. Unfortunately, more and more organizations are still falling short of sufficiently extending their ‘best practice' security policy to encompass their now sprawling corporate network.
With data now living on the wrong side of conventional internal defenses in cloud-based server farms, the ground has shifted and a one-size-fits-all approach to data protection is not sufficient. As such, it has become more critical than ever to hone in on the linchpin challenge of secure identity management. Traditionally, enterprises have focused on securing the network perimeter, and relied on static passwords to authenticate users internally, within the firewall. However, taking into account the multifarious nature of present-day threats – from Advanced Persistent Threats (APTs) to the internal risk the mass adoption of BYOD brings – it represents a considerable leap of faith to place complete trust in a singular perimeter defense. Moreover, the simple static password comes with its own challenges. For example, employees may lock themselves out of critical applications if they forget them or, more worryingly, they may reuse their passwords from personal web services for corporate applications.
Intrinsic to cloud and mobile working practice, and further complicating security, is the diversity of the user population. To date, much of the security discussion has focused on securing the cloud-platform, but as enterprises continue to move applications into the cloud and take advantage of the Software as a Service (SaaS) model, it is increasingly important that enterprises resolve the challenges around provisioning and revoking user identities across their cloud-based applications, while also delivering secure, frictionless user login to those applications. As such, enterprises need to have an adaptive authentication solution in place that not only serves to manage users – based on their behavior and risk profile – but also crucially addresses where sensitive data lives and considers the way in which user's access information.
Two-factor authentication
As a first step, enterprises should start by extending two-factor authentication measures beyond the brick and mortar locations of ‘the office' to also cover cloud-hosted data and apps. Best practice already requires using strong authentication to secure remote access to corporate networks – therefore, enterprises must extend two-factor authentication to also cover cloud-hosted data and apps. Two-factor authentication measures have typically been confined to physical devices like one-time password (OTP) tokens and display cards, but thanks to a variety of technological advancements these are being replaced by ‘soft tokens' that can be held directly on the user device such as a mobile phone or tablet, or alternatively as browser-based tokens. While OTPs have proved quite popular as an additional layer of security, users have found hardware OTPs and display cards for two-factor authentication to be inconvenient. As such, replacing the token with a soft token presents an obvious solution. These contactless OTPs operate in the same way as physical tokens, generating random passwords which cannot be re-used – and thus guessed.
Given that the user typically accesses the corporate cloud application from a web browser or application on a mobile device, a multi-factor solution such as token-less authentication with single sign-on begins by identifying the device in use. It does so by consulting the configurable device criteria that is pre-set by the organization, and then assigns a risk score to the specific transaction. The organization itself can therefore tailor the level of security based on the risk associated with specific types of transactions, and providing the device or transaction is verified as secure, the cloud application is enabled and the user begins their session. However, should the transaction not pass, the authentication solution can prompt users to further validate who they say they are by sending an SM, asking additional security questions or continuing authentication using a software token that is installed on a mobile device, reducing hardware and maintenance costs. This leap forward in technology provides greater security and better control of the cloud-based tools in use by employees, enabling organizations to take advantage of the substantial cost savings often associated with cloud technologies, without a bump in security costs to support it.
The Device in Use
Unsurprisingly, as BYOD continues to grow, many of these cloud-based applications are being accessed from personal devices, bringing additional challenges. When tackling the issue of the multitude of devices in use in the workplace, whether employee-owned or corporate-issued by the organization itself, implementing a secure ‘zoning' policy creates an encrypted zone contained inside a personal device, allowing corporate data to reside separately to the rest of the device in use. This serves to establish a clear partition between personal and business information. By clearly demarcating the data available, ‘zoning' data enables employees to securely and efficiently access the corporate information available through cloud applications without frustrating them or decreasing productivity through laborious authentication processes.
Ultimately, it is important for enterprises to adopt a layered approach to security, recognizing that no single authentication method is going to address the diverse requirements for multiple devices and scenarios in today's mobile enterprise. Fortunately, the latest technologies ensure enterprises can continue to leverage their preferred two-factor authentication credential anytime anywhere, even when the highest levels of identity assurance and security are required. For example, the enterprise could combine risk-based authentication techniques with standard two-factor authentication tokens to help eliminate the risk of token sharing. How does this work? It's simple really. The first time an employee registers their token for use, the authentication solution will take a fingerprint of the end-point device they are using. The next time the person uses their token for access, the authentication solution will conduct a check on the token and the end-point device and if both elements are validated it will allow access; if something is amiss the authentication solution can make a risk based decision to either allow access by asking for another authentication factor, such as an out of band SMS one time code, or deny access. This layered approach best addresses the evolving needs of corporate data protection and identity assurance.
- by Jordan Cullis, Head of Identity Assurance, APAC