Asia's Source for Enterprise Network Knowledge

Monday, May 1st, 2017

Secure Your Apps

Cloud federation – simplifying access control

The quest for business agility, availability, collaboration and cost savings, among other competitive advantages, has led many companies to adopt cloud computing and empower employees with ready access to critical applications and data via an array of mobile devices.

But these benefits often come at a cost. The presence of more avenues for attack through the cloud and mobile devices means that cybercriminals have more options for stealing credentials and data. Further, the need for up-to-the-minute access control and consistent security policy enforcement across cloud services creates identity and access management (IAM) risks.   

So, along with web fraud protection solutions that can be quickly deployed to secure critical enterprise and mobile apps, organizations must manage cloud usage; prevent identity theft and tampering; and preserve customer confidence. For instance, device and user authentication attempts can be monitored to detect any compromised device and reduce potential incidents of fraud.

Simply put, the implementation of controls over cloud services should eliminate the silos of individual cloud service providers' own IAM systems and enhance security. Organizations will have to synchronize or integrate internal IAM systems with those of various software-as-a-service (SaaS) providers for usernames, passwords and access control enforcement.

Managing numerous IAM systems creates security risks such as password fatigue and delays in deletion of expired accounts, and reduced productivity from delays in creation of new accounts.

Attackers can also take advantage of compromised super-user or administrator's access rights to cloud services and intercept, steal or tamper with critical information and assets without being easily detected.

Related to this, the Cloud Security Alliance found that 50% of companies have a policy on acceptable cloud usage today but only 16% of companies have a policy that is being fully enforced. When it comes to enforcing these policies, 63% of companies prefer to leverage their existing firewall or proxy to control access to cloud services, while a whopping 95% of companies with more than 5,000 employees prefer this approach versus installing device agents.

The most desired quality in access controls is usability. Restrictive and inconvenient controls push users away to try less secure and productive methods of storing and transferring personally identifiable or confidential information. Hence, to handle the dynamic nature of mobile and cloud computing, organizations need to establish a proper IAM architecture or model.

One such model is the F5 Cloud Federation Architecture, which eliminates SaaS drawbacks and silos by ensuring consistent security between internally maintained IAM systems and external services.

But the benefit of foremost importance here is the data protection that comes from the ability to decommission user accounts of former employees and contractors promptly, and reflect any change in authorization instantaneously by cross-referencing systems across IAM silos.

The F5 Cloud Federation Architecture achieves this by using Security Assertion Markup Language (SAML), an XML-based data format for exchanging authentication and authorization data between parties. SAML technology eliminates the need to manage independent user accounts across SaaS providers by enabling web browser single sign-on (SSO).

Additionally, organizations can:

  • Enforce consistent security policy across all systems
  • Reduce management costs for access account commissioning and decommissioning
  • Capitalize on the benefits of SaaS while better managing security risks

With the F5 Cloud Federation Architecture, organizations can also deploy stronger authorization solutions, including two-factor authentication, IP geolocation enforcement and device inspection.

"Few SaaS providers offer enhanced multi-factor authentication," says Nathan Pearce, senior technical marketing manager at F5. "They lack the security controls that many enterprises have come to expect as standard. The key to solving this problem is security consistency and integration. The F5 Cloud Federation solution delivers common single sign-on across the board, enhancing security, improving productivity and enabling safe adoption of the SaaS model."

Over the next few years, federation standards such as SAML and OpenID/OAuth will be mainstream in medium-to-large organizations' access management and cloud usage. Ultimately, to deliver on the promise of federation amid the diverse array of identity protocols and directories, such as Active Directory, SQL, LDAP and web services, organizations will have to federate the identity layer.

A more multi-faceted approach, according to Gartner, recognizes that perimeter defense is inadequate and advocates "security-aware application design, dynamic and static application security testing, and runtime application self-protection combined with active context-aware and adaptive access controls". In other words, every app needs to be self-aware and self-protecting.

This is a QuestexAsia feature commissioned by F5 Networks Asia Pacific.