Mitigating Risk in Cloud Apps with Federated Authentication


Enterprises and other large organizations that moved to cloud-based tools - including SaaS vendors like and HR/Accounting tools like ADP - lost secure access to their data along the way.

This is a problem.

The defenses these organizations have spent, in some cases, millions of dollars setting up (including firewalls, intrusion detection, strong authentication solutions and anti-virus) are no longer protecting them and their sensitive information.

That sensitive information is now residing elsewhere: "in the cloud", and this new reality requires a new approach that takes cloud storage and SaaS into account. We see four "roads" for how data travels in the cloud. Some of them simply ignore the problem, while others are viable solutions:

Open Access: Accessible on the Internet. Username and password are managed by the SaaS provider, offering minimal protection for data and no way for your organization to control access.

Behind the VPN: Remote users first authenticate to the corporate VPN (most likely via a One Time Password [OTP] solution), then enter a username and password to gain access to both internal networks and cloud tools.

Federated Identity Management: The user authenticates to a central portal through which they gain access to multiple applications. This is also known as Single Sign-On (SSO) to the cloud.

Native Strong Authentication: Strong authentication deployed separately in each individual cloud application.

Each of these options must be able to stand up to external threats such as Advanced Persistent Threats (APTs), ad hoc hacking and former employees, along with internal threats such as fraud by current employees. The solution must also not sacrifice user convenience or the ability of employees to participate in the Bring Your Own Device (BYOD) phenomenon.

So, which of the four "roads" can stand up to all potential threats without sacrificing user experience?

Open Access is the easiest to implement, since it doesn't involve doing anything, but it doesn't deliver the required security measures. Behind the VPN seems like an obvious choice; however, it's inconvenient for users, who have to go through two login steps to access the application. It also doesn't scale well to BYOD, since it requires VPN clients to be deployed to a wide range of different personal devices. Native Strong Authentication would work well but is quite inconvenient, since each application requires its own specific security solution.

Federated Identity Management is an ideal choice. According to a recent Gartner study, Federated Identity Management is less than two years away from mainstream adoption.

There is a reason for this: it has some strong advantages for these types of deployments, such as:

- Flexibility of different authentication methods
- No requirement to install on end user devices
- Centralized audit record of which applications were accessed by which user, and when

For organizations aiming to mitigate risk both internally and externally, without sacrificing employee convenience, federated identity management is the best way to address data moving to the cloud: not only with SaaS applications, but also with internal apps that are stored elsewhere. It gives users a single location to access the applications they require to do their jobs and to reach the far-flung data those applications own.
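To make the federated model concrete, here is an added toy illustration (not code from the original post or from any product): a central identity provider authenticates the user once and issues a short-lived signed assertion scoped to one application; each SaaS app checks the signature, audience and expiry without ever seeing the password, every issuance lands in one central audit log, and removing a departed user at the provider cuts off every application at once. The shared HMAC key, usernames and app names are constructed stand-ins for what a SAML or OpenID Connect deployment would do with certificates and real identity stores.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared between the portal and the relying apps.
# A real federation would use the IdP's signing certificate instead.
SHARED_KEY = b"constructed-demo-secret"


def hash_password(password: str) -> str:
    """Toy credential store format (unsalted, demo only)."""
    return hashlib.sha256(password.encode()).hexdigest()


class IdentityProvider:
    """Central portal: authenticates the user once, issues signed assertions
    and keeps the centralized audit record (which user, which app, when)."""

    def __init__(self, key: bytes, users: dict):
        self.key = key        # shared secret with the relying apps
        self.users = users    # username -> password hash; deleting a user revokes all apps
        self.audit = []       # (user, app, timestamp) entries

    def issue_assertion(self, user, password, app, now=None, ttl=300):
        now = int(time.time()) if now is None else now
        if self.users.get(user) != hash_password(password):
            return None       # unknown/deprovisioned user or wrong password
        claims = {"sub": user, "aud": app, "iat": now, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        self.audit.append((user, app, now))   # one log for every application
        return body.decode() + "." + sig


def verify_assertion(key: bytes, token: str, expected_app: str, now=None):
    """Relying SaaS app: trusts the portal's signature, never sees the password.
    Returns the username on success, None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None           # forged or tampered assertion
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != expected_app or claims["exp"] <= now:
        return None           # replayed against a different app, or expired
    return claims["sub"]
```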

What type of solution is your organization implementing to ensure data stays secure in the cloud?