Enterprise cloud security best practices for locking down your cloud
Incidents of international cyberespionage, attacks on financial institutions and intellectual property thefts help maintain a steady stream of news about information security. Passwords and logins are not the raw material of headline-grabbing stories, but they are the security issues IT professionals must face daily. The rise in adoption of cloud computing, Software as a Service (SaaS) and mobile computing has increased the complexity of managing users and their identities.
Security practitioners have spent decades developing strong authentication methods that mitigate these risks while remaining easy to use. Single sign-on (SSO) systems allow users to authenticate to a central application once and then automatically authenticate to other applications and systems.
Fortunately, SSO services for the cloud, known as Authentication as a Service (AaaS), deliver some of the benefits of SaaS to authentication management. Businesses, governments and other organizations adopt AaaS for a number of reasons, including expanded user bases as well as budgetary and time concerns.
The scope of users has expanded beyond organizational boundaries; customers, suppliers, contractors and other people outside the organizations now have access to enterprise Web applications. Provisioning and managing access for these users cannot always be linked to an internal directory or a human resources process.
Authentication and identity management systems can be complex and costly, but AaaS brings the cost benefits of SaaS to authentication. Keeping up with advances in authentication, managing two-factor authentication and incorporating mobile devices can also be time-consuming. Shifting these burdens to a service provider is an appealing option.
Choosing an AaaS provider that fits
AaaS is based on standards such as Security Assertion Markup Language (SAML), WS-Federation and OAuth. These standards define protocols for exchanging security information about users and implementing authentication components, such as secure tokens. Since these protocols are vendor-neutral, organizations running different authentication systems can interoperate. An established market of AaaS providers includes Ping Identity, Okta, OneLogin, Centrify, Symplified and McAfee Cloud Identity Manager.
Since many AaaS providers offer the same core authentication functionality, they distinguish themselves with other services and features. The ultimate goal of deploying AaaS is to control access to applications and systems, so in order to choose the AaaS provider that fits comfortably with your organization, assess these features and consider interoperability with your existing applications and services.
An AaaS provider's support for authentication mechanisms is critical. The limitations of passwords are well known, but they're bound to be part of IT for some time to come. AaaS providers can help mitigate the risks of passwords by supporting password policies that allow customers to define rules for their user base. For example, an AaaS provider might allow customers to define minimum password lengths, rules for password construction -- e.g., the need for a mix of capital and lowercase letters, numbers or other characters -- a maximum password age and restrictions on reusing previous passwords.
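The policy rules listed above, worked through as an added example (not code from any AaaS provider named here): a tenant-configurable policy covering length, character mix, maximum age and reuse, where the reuse check compares against salted hashes of earlier passwords rather than the passwords themselves. The default values and the timestamp format are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class PasswordPolicy:
    """Tenant-configurable rules; the defaults are constructed assumptions."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90      # maximum password life
    history_size: int = 5       # how many previous passwords may not be reused

def hash_password(password: str, salt: bytes) -> bytes:
    # Only salted PBKDF2 hashes of old passwords are retained for the reuse check.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def composition_violations(policy: PasswordPolicy, candidate: str) -> list:
    broken = []  # every construction rule the candidate breaks, in policy order
    if len(candidate) < policy.min_length:
        broken.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        broken.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in candidate):
        broken.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        broken.append("no digit")
    if policy.require_symbol and not any(not c.isalnum() for c in candidate):
        broken.append("no symbol")
    return broken

def reused(policy: PasswordPolicy, candidate: str, history: list) -> bool:
    """history: (salt, hash) tuples of earlier passwords, most recent first."""
    return any(hmac.compare_digest(hash_password(candidate, salt), digest)
               for salt, digest in history[: policy.history_size])

def expired(policy: PasswordPolicy, last_changed: str, now: str) -> bool:
    """Maximum-age check on ISO 8601 timestamps (assumed format of the AaaS API)."""
    age = datetime.fromisoformat(now) - datetime.fromisoformat(last_changed)
    return age > timedelta(days=policy.max_age_days)

def evaluate_change(policy: PasswordPolicy, candidate: str, history: list) -> list:
    """All reasons a password-change request would be rejected (empty if accepted)."""
    broken = composition_violations(policy, candidate)
    if reused(policy, candidate, history):
        broken.append(f"matches one of the last {policy.history_size} passwords")
    return broken
```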
Two-factor authentication is much easier to deploy now with the use of mobile messaging services. Phones and other mobile devices eliminate the need for a separate two-factor device. Google offers two-factor authentication for its services, and banks are using two-factor authentication to improve the security of online banking.
Not all applications will support standards such as SAML and WS-Federation. In these cases passwords may be required, and password vaulting -- the process of securely storing user identifiers and passwords assigned to particular applications -- can be essential functionality of a provider's service.
Organizations house much of their authentication implementation detail in directories such as Active Directory and LDAP servers. An AaaS provider whose services integrate with these repositories will allow for faster and easier deployments. Since many organizations that use AaaS will likely continue to use their directories, understand how to keep the directories and AaaS repositories synchronized.
AaaS providers typically provide application programming interfaces (APIs) that developers can use to incorporate authentication services into a company's custom applications. Some AaaS providers also offer integration with popular SaaS applications; if single sign-on to your SaaS providers is a requirement for you, ensure your SaaS provider is supported by candidate AaaS systems.
A failure in an AaaS system could make multiple applications inaccessible to a wide range of users. Consider how AaaS providers design for resilience and reliability. Service-level agreements (SLAs) should be clear on availability rates and compensation for downtime. Review requirements for making a claim before you encounter a problem; you may need information from application logs for documentation. You would not want to find out too late that your logs do not contain the necessary information.
AaaS vendors can also be assessed based on their ability to meet your compliance and reporting requirements. Self-service reporting and the ability to generate audit information should be readily available.
Also consider usability issues such as the provisioning process and support for application portals that allow users -- especially mobile users -- easy access to supported applications.
About the author:
Dan Sullivan, M.Sc., is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.