Securing enterprise cloud applications

By Ian Lowe, senior enterprise solutions manager, Identity Assurance, HID Global.

Monday, 10th June 2013. Posted by Phil Alsop.

Deploying increased amounts of corporate information and critical IT resources into the cloud inevitably raises concerns about data security and requires a fresh take on Identity and Access Management practices. With the rise of Software-as-a-Service (SaaS) and a myriad of other cloud applications in everyday use, enterprises must find a way to secure access to their corporate data that – in many cases – is no longer residing behind their traditional security firewall.


For organisations aiming to mitigate risk both internally and externally, without sacrificing employee convenience and corporate security, any solution must begin by addressing the current security policies in place, the type of devices employees are using and what type of cloud application the employee is accessing. For example, is it personal (such as LinkedIn or Facebook) or business (Salesforce.com)?


Cloud working and its companion Bring-Your-Own-Device (BYOD) are dramatically altering the way in which employees access information stores. So while the use of cloud applications eliminates the hassle of dealing with hardware, middleware and software deployments, this new way of working means that securing data and managing identities in the workplace is becoming increasingly complex. Though the economic and operational benefits of cloud computing are attractive, enterprises are grappling to implement a security solution that offers a comfortable equilibrium between security and user-convenience.


One size does not fit all
With mobile access becoming commonplace and data stores now residing beyond conventional internal defences and operational perimeters, in cloud-based server farms, traditional defences such as firewalls, intrusion detection and anti-virus are no longer serving the role they were designed to fulfil. Further complicating security, and intrinsic to cloud and mobile working practice, is the diversity of the user population and the multitude of devices in use, meaning a one-size-fits-all security blanket approach just does not cut it and is impractical at best. Enterprises need to look to implementing an adaptive authentication solution that addresses where the sensitive data lives and considers the user's risk factor, as determined by their behaviour patterns and the purpose of their activity. Though the lines may be blurred by the abundance of devices in use, the principles of data protection and the need for user identity assurance remain the same.


Given that the user typically accesses the corporate cloud application from a web browser or an application on a mobile device, a multi-factor solution such as Tokenless Authentication with Single Sign-On begins by identifying the device in use against the configurable criteria pre-set by the organisation, and then assigns a risk score to the specific transaction. The organisation itself can therefore tailor the level of security to the risk associated with specific types of transaction; provided the device or transaction is verified as secure, the cloud application is enabled and the user begins their session. However, should the transaction not pass, the authentication solution can prompt users to further validate who they say they are by sending an SMS, asking additional security questions or continuing authentication using a software token installed on a mobile device, reducing hardware and maintenance costs.
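A minimal version of the risk-scoring and step-up decision the paragraph describes, added here as an illustration rather than HID Global's product logic; the attributes, weights, thresholds and the order of preference among second factors are constructed assumptions.

```python
from dataclasses import dataclass, field

# Organisation-configured criteria (constructed example values, not a vendor's defaults).
# Each matched signal adds to the transaction's risk score; a known device lowers it.
POLICY = {
    "known_device": -30,
    "unknown_device": 40,
    "untrusted_network": 25,
    "unusual_country": 20,
    "application_sensitivity": {"personal": 0, "business": 30},
    "step_up_threshold": 50,  # at or above this score a second factor is required
}

@dataclass
class Transaction:
    device_id: str
    network_trusted: bool
    country: str
    app_type: str  # "personal" (e.g. social media) or "business" (e.g. CRM)

@dataclass
class UserProfile:
    user: str
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    soft_token_enrolled: bool = False
    mobile_number: str = ""  # used for SMS step-up if present

def risk_score(tx: Transaction, profile: UserProfile, policy=POLICY) -> int:
    """Score one access attempt against the organisation's pre-set criteria."""
    score = policy["known_device"] if tx.device_id in profile.known_devices else policy["unknown_device"]
    if not tx.network_trusted:
        score += policy["untrusted_network"]
    if tx.country not in profile.usual_countries:
        score += policy["unusual_country"]
    # Unknown application types are treated as business-sensitive (fail closed).
    score += policy["application_sensitivity"].get(tx.app_type, policy["application_sensitivity"]["business"])
    return max(score, 0)

def step_up_method(profile: UserProfile) -> str:
    """Pick the second factor: software token first, then SMS, then security questions."""
    if profile.soft_token_enrolled:
        return "software-token"
    if profile.mobile_number:
        return "sms"
    return "security-questions"

def decide(tx: Transaction, profile: UserProfile, policy=POLICY) -> tuple:
    """Return ('allow', score) or ('step-up', score, method) for the transaction."""
    score = risk_score(tx, profile, policy)
    if score >= policy["step_up_threshold"]:
        return ("step-up", score, step_up_method(profile))
    return ("allow", score)
```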


Securing data on the move
When tackling the issue of the multitude of devices in use in the workplace, whether employee-owned or corporate-issued, implementing a ‘containerisation’ policy creates an encrypted zone inside a personal device, allowing corporate data to reside separately from the rest of the device. Managing multiple identities over a swathe of devices can quickly descend into management chaos, so a policy of ‘containerisation’ serves to establish a clear partition between personal and business information. By clearly demarcating the data available, containerisation enables employees to securely and efficiently access corporate information through cloud applications without frustrating them or decreasing productivity through laborious authentication processes. Compartmentalising and ring-fencing access to data within a designated zone, and further pre-determining the conditions under which a user may access what information from where, ensures not only security and operational peace of mind but also compliance in an environment where borders are blurred.


Ultimately, the rise of the cloud for enterprise data storage and application hosting has changed the way IT professionals must interact with their users, their networks and their data. Moreover, the increased impact of BYOD as a means of accessing the cloud applications in use in the work environment means that securing the corporate network outside the office is an ever-increasing priority. Luckily, recent technological breakthroughs ensure enterprises can continue to leverage their preferred two-factor authentication credential beyond their brick-and-mortar locations and extend it across almost all cloud applications. This leap forward in technology enables more secure, rapid cloud adoption, better control of the cloud-based tools in use by employees and the substantial cost savings often associated with cloud technologies, without a bump in security costs to support it.