
What about access protection when data is outsourced to the cloud? Find out which elements need to be taken into account in order to provide users with simple and user-friendly access in cloud or hybrid environments.

Small companies in the service and industrial sectors in particular do not hesitate for a minute to outsource their data and applications to cloud services because the cloud offers are so tempting. Access protection often receives little or no attention, even though highly targeted, sophisticated spear phishing attacks and other dangers are currently lurking on the Internet. Surprisingly, attackers often manage to gain access to user data using the simplest of means. Although the majority of cloud services already offer integrated access mechanisms and make them available free of charge, companies often do not use them – in other words, access is not sufficiently protected.

Status quo: Decentralized IAM and password chaos

Cloud services are often all rolled out individually with different user administrations and therefore with different passwords. Instead of creating a central user directory, users are expected to manage their credentials themselves. As a result, users are flooded with an unnecessary number of passwords. If users lack an overview, this often leads to the selection of insecure passwords, the use of the same password for several services or the writing down of passwords. This problem can be countered with a password safe tool or a user-friendly single sign-on solution. Unfortunately, both are often missing.

How does secure user access to cloud services work?

The following key questions arise in the area of Identity & Access Management for cloud services:

  • Where is the central user directory?
  • How is user data connected, synchronized, managed and maintained?
  • How are the cloud services connected to the user directory? Are the cloud services compatible?
  • How can a single sign-on be established? How does the connection via federation work, for example?
  • How does the integration of mobile devices (iOS/Android) work compared to Windows devices?

Individual IAM Quick Check

Get your open questions about IAM answered by professionals. The IAM Quick Check from United Security Providers offers you quick and cost-effective answers for a cloud- and future-proof IAM that fits your company’s IT strategy.



Secure login for cloud offerings: Enhanced Authentication

Increasingly mobile working means that users can access cloud applications from anywhere. As described above, access to cloud offerings is often only protected with a user name and password. Where there used to be integration into the company’s IT, key elements are often missing today. One of these elements is enhanced authentication or multi-factor authentication.

The German Federal Office for Information Security BSI has published a comprehensive key points paper on security recommendations for cloud computing providers. It states:

“…Service consumers with high security requirements for the services provided should only be able to access the services after strong authentication (e.g. two-factor authentication) if the service used is accessed directly via the Internet. If a customer accesses the cloud services via a VPN from the secure customer network, for which they must authenticate themselves with two factors, additional two-factor authentication is not absolutely necessary to use the cloud services.”

Two-factor authentication is not always the right method

The concept of two-factor authentication (2FA) is the subject of much debate. According to the Federal Information Security Directive (WiSB), true two-factor authentication exists when two security elements (factors) of different kinds, knowledge and possession, are combined (e.g. a smartcard solution).

In the mobile environment, such a 2FA is usually not feasible. For this reason, multi-factor or enhanced authentication is often used today. Cloud providers now offer various options here: SMS tokens, time-based one-time tokens or quasi-biometric factors as additional authentication factors.

The integration of these resources into the existing company IT, the conversion of the existing infrastructure and, in particular, the migration to the new world of authentication presents the IT department with a number of unanswered questions.

To make matters worse, cloud providers often release new features and options every two weeks or every month, which makes continuous planning on the part of the company practically impossible.

Adaptation of your own IT security architecture for the integration of cloud offerings

With this in mind, it is advisable for companies to take the planning into their own hands and adapt their IT security architecture so that it functions independently of the offerings of the various cloud providers. Particular attention should be paid to an organization’s DMZ and IAM architecture.

Depending on the protection requirements of the data, it must be decided whether additional measures (e.g. special apps with app security mechanisms for mobile device management) are required.

Access governance: traceability of data access

In addition to authentication mechanisms, access governance plays an enormously important role today. Because data is leaving the company boundaries for the cloud and traditional network boundaries are disappearing as a result, it is becoming all the more important to monitor who has accessed which data and when. In the event of a security incident, the traceability of access is extremely important in order to be able to derive the necessary measures. There is a clear shift from purely protective measures to measures in the area of detection and response. Access to cloud services must be systematically monitored, and misuse must be detected and dealt with.

End-to-end single sign-on all the way to the cloud

A modern cloud-oriented IAM enables users to have single sign-on to all cloud services used by the organization. Such a solution offers a whole range of advantages: The company is able to perfectly track access to its data at all times, whether in the company network or outside in the cloud, detect misconduct and initiate measures if necessary.

A cloud single sign-on offers users increased convenience. The risk posed to users by insecure passwords is minimized by only using a single, but secure password in combination with an additional factor.

Cloud single sign-on also lets the company itself decide which additional authentication factor is used. In this way, companies reduce their dependency on the various cloud providers in terms of the authentication methods offered and retain control over which factors they want to offer users for login. This lays the foundations for concepts in the area of context-based authentication.
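As an added illustration (not code from United Security Providers or from this article), the following policy function combines the BSI rule quoted above with the company-controlled factor selection described in this section: high-protection services reached directly over the Internet require a strong second factor chosen by the company, a session that already passed a two-factor VPN login needs no further factor, and every decision is written to an audit list so that who accessed which service, and how, stays traceable. The context fields, the factor catalogue and the sample users are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Protection(Enum):
    NORMAL = 1
    HIGH = 2


@dataclass(frozen=True)
class AccessContext:
    user: str
    service: str
    protection: Protection
    via_vpn: bool      # request arrives through the company VPN
    vpn_2fa: bool      # that VPN session was itself opened with two factors
    device: str        # "windows", "ios", "android" (assumed device classes)


# Second factors the company itself offers per device class (assumption):
# the company, not the cloud provider, decides which factor is used.
COMPANY_FACTORS = {"windows": "smartcard", "ios": "totp", "android": "totp"}


def required_factors(ctx: AccessContext) -> list[str]:
    """Factors a session must present before the service is released."""
    factors = ["password"]
    if ctx.protection is Protection.NORMAL:
        return factors
    # High protection: strong authentication, unless a two-factor VPN
    # login from the customer network already established it (BSI rule).
    if ctx.via_vpn and ctx.vpn_2fa:
        return factors
    factors.append(COMPANY_FACTORS.get(ctx.device, "totp"))
    return factors


def decide(ctx: AccessContext, presented: set[str], audit: list[dict]) -> bool:
    """Grant only if every required factor was presented; always record the
    decision so access governance can reconstruct who accessed what and how."""
    needed = required_factors(ctx)
    granted = all(f in presented for f in needed)
    audit.append({"user": ctx.user, "service": ctx.service,
                  "required": needed, "presented": sorted(presented),
                  "granted": granted})
    return granted
```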

Reduce complexity: External help from a professional

In many companies, IAM was a problem child even before the cloud age. No wonder they find it particularly difficult to integrate cloud offerings into their IAM. If you want a secure, user-friendly IAM solution that is suitable for the various cloud services in the long term, there is no getting around a few adjustments in the area of DMZ and IAM. However, it is worth laying the right foundations today and choosing a concept that can also cope with future requirements and growing complexity.

IAM Quick Check for the cloud

External IAM specialists are familiar with the rapidly changing cloud world and its products and support companies in making their IAM concept fit for the cloud. With the IAM Quick Check, United Security Providers offers companies an individual overview of the status of user management, access and access control to data and applications. As a result, companies receive a brief report with a graphical evaluation of the results, a prioritized list of recommended actions and a categorized list of recommended measures. In a debriefing, the results of the IAM Quick Check are discussed in detail and any remaining questions are answered.


Consulting and conception in the area of Identity & Access Management

United Security Providers helps larger companies with the strategic development of the IAM topic with the creation of an IAM roadmap, concepts or project management.

We will be happy to answer your questions about IAM. Please get in touch with us.

Back to Part 1 “Data protection in the cloud”