
Consider identity federation for mobile cloud app requirements

While traditional IT perimeter security worked well for decades, today's mobile cloud apps demand a different approach: identity federation.

The cloud and mobile applications render traditional perimeter security obsolete, said Kevin Sapp, vice president of strategy at Pulse Secure LLC, based in San Jose, Calif. The company specializes in centrally managed, secure access from anywhere, on any device.

"The first thing is the recognition that the perimeter security model is busted," Sapp said in this podcast. "Instead of having a perimeter around the network, the applications are essentially what's being secured."

The result is akin to having perimeters around individual mobile-device or cloud-based applications, rather than the overall corporate networking environment. That application-level perimeter encompasses access control, identity federation, authentication and authorization.


Attacks are getting more sophisticated, Sapp said. "Just the proliferation of tools for hackers is amazing. What a lot of people don't realize [is] they think it's always the expert hacker getting into these systems, but what really happens is the expert hackers write the tools that make the amateur hackers appear to be experts." It's not a good trend.

The problem with traditional perimeter security, according to Sapp, is that once someone penetrates that wall -- whether invited in or not -- they have carte blanche to access almost anything inside it. The remedy, Sapp said, is identity federation, which adopts a granular approach to access control based on knowing each device and each user.

Though perimeter security has had decades to mature into just a handful of strategies, the proliferation of mobile manufacturers, device types and operating system variants is more reminiscent of the Wild West, Sapp said. "When it comes to mobile devices, [security] is all over the place. Some platforms, like Apple's iOS, are probably much more secure right out of the gate than Windows was … 15 years ago. When it comes to Android, it has multiple versions from dozens of manufacturers running on hundreds of devices -- vastly different than Apple's tightly controlled ecosystem.

"Fundamentally, Android's security model is very similar to the iOS security model. The problem comes down to the fragmentation issue, where you have various handset vendors doing their own things to differentiate on that platform," he continued. "Not all of those guys implement the security model in a uniform way."

In the perimeter model, access to the network was governed by firewalls, supplemented with technologies such as VPNs or proxies that provided secure remote access. With software as a service (SaaS) apps or cloud infrastructure, it's not possible to put a firewall in front of each one. "The way people are solving this access problem is through identity federation," Sapp said. "This involves a central, identity-management platform that knows about all of my users. In there, I can specify who has access to what."
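The flow Sapp describes above, and the application-level perimeter described earlier in the article, can be sketched in code: a central identity provider that knows every user and every enrolled device authenticates the request and issues a signed assertion scoped to one application, and the application verifies that assertion itself instead of trusting where the connection came from. The following is an added illustration written for this article, not code from Pulse Secure or from the podcast. The users, devices, policy table and key are constructed sample data, and an HMAC over a compact JSON body stands in for the SAML or OpenID Connect assertions real federation products exchange.

```python
"""Minimal identity-federation flow (added example, not from the article).

A central IdP that knows all users, devices and entitlements issues a
signed, audience-scoped, short-lived assertion; each SaaS app verifies
it locally and enforces its own access decision."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample directory, device registry and policy (hypothetical).
USER_DIRECTORY = {
    "alice": hashlib.sha256(b"alice-pw").hexdigest(),
    "bob": hashlib.sha256(b"bob-pw").hexdigest(),
}
ENROLLED_DEVICES = {"ios-7f3a": "alice", "android-91c2": "bob"}
POLICY = {"alice": {"crm", "mail"}, "bob": {"mail"}}   # who may reach what
# Assumption: a shared HMAC key stands in for the IdP's signing key. Real
# federation uses asymmetric signatures so apps hold only a public key.
IDP_KEY = b"demo-only-shared-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(user, password, device_id, audience, now=None, ttl=300):
    """IdP side: authenticate user and device, consult policy, and return a
    signed assertion for exactly one application, or None on any failure."""
    now = int(time.time()) if now is None else now
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USER_DIRECTORY.get(user, ""), digest):
        return None                      # unknown user or bad password
    if ENROLLED_DEVICES.get(device_id) != user:
        return None                      # device not enrolled to this user
    if audience not in POLICY.get(user, set()):
        return None                      # policy denies this app
    claims = {"sub": user, "dev": device_id, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def app_verify_assertion(token, app_name, now=None):
    """Relying-app side: check signature, expiry and audience before
    granting access. Returns the subject, or None if the assertion is bad."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None                  # forged or tampered assertion
        claims = json.loads(_unb64(body))
    except (ValueError, AttributeError):
        return None                      # malformed token
    if claims.get("aud") != app_name:
        return None                      # issued for a different app
    if claims.get("exp", 0) <= now:
        return None                      # expired
    return claims["sub"]


if __name__ == "__main__":
    token = idp_issue_assertion("alice", "alice-pw", "ios-7f3a", "crm")
    print("crm sees:", app_verify_assertion(token, "crm"))    # alice
    print("mail sees:", app_verify_assertion(token, "mail"))  # None, wrong audience
```

The audience check is what turns a single sign-on into a per-application perimeter: an assertion minted for the CRM is useless at the mail service, and a device the directory has never seen gets nothing at all, regardless of which network it is on.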

In the podcast, Sapp goes on to discuss the idea of identity management to authenticate and differentiate users and devices. He also probes the need to recognize that SaaS apps have widely varying security considerations for cloud infrastructure, devices and software.
