Securing cloud-based apps

By Stuart Sharp, VP of solution engineering at OneLogin 

A quarter of a century into the web era, it seems astonishing that protecting the personal and business accounts on which it depends remains a mortal challenge. There are many dimensions to this problem, starting with the weakness of the security model that assumes that a password and username offers a reliable authentication that someone is who they claim to be. Additional layers such as Multi-Factor Authentication (MFA) and behavioural modelling have been added to supplement the process of verifying identity, but they remain as complex to implement as they are diverse. Uptake among consumers remains incredibly weak while even some businesses have baulked at the management overhead, assuming applications even support MFA in the first place.

Perhaps the biggest challenge isn’t so much technical as it is old fashioned risk – the scope and value of resources protected by online accounts has expanded so dramatically that the entire fate of many businesses depend on their integrity.  Where once these were a way to access a limited palette of services, business accounts in particular offer attackers the sort of foothold inside organizations that can fuel everything from phishing and Business Email Compromise (BEC) attacks to the wholesale compromise of shared servers and cloud services. When cyberattackers find a way to undermine an employee account, they gain not simply an insight into that individual’s job and data but, potentially, a way to compromise the whole organization.

In the financial sector, the effects of this are not hard to find, with a 2019 report conducted by Vanson Bourne on behalf of data loss prevention company Clearswift finding that 70% of organizations had suffered some form of cybersecurity breach in the previous year. While this is unlikely to surprise anyone working in this sector, what stood out was how many ways these incidents were occurring, from malicious insiders to employees accidentally sharing or failing to secure sensitive data. There is a tendency to see threats to data as being external but it’s clear that the sheer complexity of managing data in modern organizations can allow account and company data to leak out in a multitude of ways that are rarely noticed.

Stuart Sharp

For complex financial services companies, protecting standalone accounts, applications and services is simply unsustainable, leading large organizations to invest over the last decade in the more sophisticated approach offered by cloud-based Identity as a Service (IDaaS) solutions. The first job that IDaaS does is to impose rational design on the different elements of identity and access. For example, passwords often fail as a security protection because employees use weak ones or have too many to manage without reusing the same ones over and over.  IDaaS impose policies on this while allowing users to access multiple services, including cloud services, using the wrapper of single sign-on (SSO), which in turn requires that popular applications be pre-integrated. Similarly, what users can do is easily constrained using access controls that limit geographical or time access.

A second innovation of IDaaS is allowing organizations to start using more sophisticated authentication controls in the form of real-time risk assessment carried out using machine learning, which trigger additional checks such as Multi Factor Authentication (MFA) if anomalies are spotted. This is a big difference between consumer and business account security. Adding additional factors to a home user login such as online shopping would probably be enough in most cases. Employees, on the other hand, make more demanding use cases, which is why imposing tighter MFA rules and challenges are required for added security.

Nevertheless, if IDaaS offers useful technological integration, its biggest plus is simply that it solves access challenges created by the move to cloud applications themselves. It’s easy to be lulled into thinking that a cloud application looks very similar to a business application hosted on a server sitting in a data centre. From the user’s point of view that might be true, but behind the scenes the cloud application exists outside the data centre network, which creates new and hidden challenges for security. IDaaS is a cloud-centric way to integrate these two worlds – the data centre and the corporate network – into something with a single, integrated layer of security management rather than allowing it to exist as separate silos. Looked at this way, it’s arguable that IDaaS in some form isn’t simply convenient but inevitable.

Who’s accessing what

A core ethos of IDaaS is automation, specifically the ability to control which employees are accessing which applications and data and in what context. This is not only positive for compliance but makes the underlying questions asked by compliance more meaningful. Do all the users with access to application data have the right to access it? Are users who’ve left an organization being quickly de-provisioned? Within the context of cloud applications managed through IDaaS, the answer should always be yes. Any good IDaaS system should be able to explain the state of its user and data control through comprehensive, automated controls.

Thanks to the weak state of older models of digital identity, the move to cloud applications was always going to be a tough challenge. The tech world has spent more than 20 years trying to fix this with numerous innovations and technologies, not all of which have proved helpful in the long run. Now, with open standards for many of the underlying security components, and the emergence of technologies such as IDaaS which can manage these technologies as a logical entity, businesses can at last embrace the cloud without fear that they are storing up problems for the future.