PROTECTING YOUR CLOUDS | A ZDNet Multiplexer Blog

Restricting SaaS to Authorized Users

Once your company has decided to embrace SaaS, it's critical to lock down credentials and keep malicious actors from gaining access. We'll talk about monitoring user activity for insider threats, multifactor authentication, behavior analysis to catch anomalous activity, and other important considerations for safe SaaS deployments.

So you've decided to use a cloud-based SaaS (Software-as-a-Service) provider such as Salesforce, Microsoft Office 365 or Box. How do you make sure that only authorized users can access your organization's data in the cloud? How do you make sure that malicious software doesn't hijack a connection to your cloud environment?

There are many security solutions that integrate with popular SaaS providers, making it as easy as possible for your organization to implement secure access. Ideally, each SaaS application integrates with your existing user directory (most commonly Microsoft Active Directory) to allow single sign-on (SSO). With SSO, users have one set of login credentials that works for both the company network and external services, including SaaS applications.

The simplest and most popular approach to SSO is to use an identity management provider, such as Okta. These tools enforce strong authentication by requiring multiple identification factors, such as a password plus a code sent to the user's mobile phone. When a user logs into the identity management app, they get a console that lists their applications, including cloud services like Google Apps and Workday as well as on-premises applications. The user establishes a session with the provider and can then connect to those applications without authenticating again, as long as the session with the identity management provider remains open. These providers also have mobile clients that connect the user directly to the native app on their mobile device. Applications connected to the service in this way are said to be "federated" with it, which is what allows the service to authenticate the user to them.

Once you have such a unified management system for identity, you can begin to secure data and applications in a logical and systematic way based on your users and their roles in your organization. Identity management providers offer IT administrators consoles through which to perform management tasks. Users get self-service capabilities for tasks such as password resets.

Centralized identity management also makes it easier to integrate multi-factor authentication with all of the federated apps, and even to require additional identification when a user attempts to connect from an unknown IP address, for example.
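The session and step-up behaviour described above can be written down as a small policy function. The following Python is an added example, not code from the article or from Okta or any other identity provider; the network ranges, application list, group entitlements and eight-hour session lifetime are constructed values, and a real provider would evaluate many more signals than source address and session age.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed: address ranges the identity provider treats as known corporate networks.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

# Constructed: how long a session with the identity provider stays valid.
SESSION_LIFETIME = timedelta(hours=8)

# Constructed: applications federated with the provider and the groups entitled to each.
FEDERATED_APPS = {
    "salesforce": {"sales", "finance"},
    "workday": {"sales", "finance", "engineering"},
}


@dataclass
class Session:
    """One authenticated session with the identity provider, shared by all federated apps."""
    user: str
    group: str
    established: datetime
    mfa_verified: bool = False   # set once a second factor has been checked in this session


def session_open(session: Session, now: datetime) -> bool:
    return now - session.established < SESSION_LIFETIME


def access_decision(session: Session, app: str, source_ip: str, now: datetime) -> str:
    """Return 'allow', 'step_up' (a second factor is required) or 'deny'."""
    # Entitlement first: a user whose group is not federated to the app never gets in.
    if app not in FEDERATED_APPS or session.group not in FEDERATED_APPS[app]:
        return "deny"
    # An expired provider session means the user must authenticate again.
    if not session_open(session, now):
        return "step_up"
    ip = ipaddress.ip_address(source_ip)
    # From a known network the open SSO session is sufficient.
    if any(ip in net for net in KNOWN_NETWORKS):
        return "allow"
    # Unknown network: require a second factor unless this session already passed one.
    if session.mfa_verified:
        return "allow"
    return "step_up"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    alice = Session("alice", "sales", established=now - timedelta(hours=1))
    print(access_decision(alice, "salesforce", "203.0.113.10", now))  # office network
    print(access_decision(alice, "salesforce", "192.0.2.5", now))     # unknown network
    alice.mfa_verified = True   # the second factor succeeded (check itself is out of scope here)
    print(access_decision(alice, "salesforce", "192.0.2.5", now))
    print(access_decision(alice, "workday", "192.0.2.5", now))        # no second prompt: same session
```

Note that once `mfa_verified` is set on the provider session, the second federated application is allowed without another prompt; that is the point of federation the text describes, and also why the provider session itself must be protected and expire.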

Strong identity management also gives you a basis for defining and applying policy with tools that can inspect data. The most prominent example is DLP (Data Loss Prevention): protecting particular categories of sensitive data against misuse or theft.

This is where a CASB (Cloud Access Security Broker), such as Palo Alto Networks' Aperture, comes into play. Aperture has access to user identity, can examine the actual data within the SaaS application (looking for specific patterns such as credit card numbers, internal project code names or bank account numbers), and then checks policy to see whether that user has permission to do what they are doing with the data. Aperture can log that event and can also review previous logs and existing data for usage patterns.
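The following Python is an added example of the inspect-then-check-policy sequence just described; it is not Aperture's code or any vendor's, and the role policy, project code names and sample message are constructed. It finds candidate card numbers by pattern, filters them with the Luhn checksum so that arbitrary long digit runs (order references, for example) are not flagged, labels the content, compares the labels against what the user's role may do, and produces a log event with card numbers masked.

```python
import json
import re
from datetime import datetime, timezone

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed: internal project code names the policy treats as confidential.
CODENAMES = {"PROJECT ORION", "BLUEFIN"}

# Constructed role policy: the data labels each role may act on (for example, share externally).
POLICY = {
    "finance": {"pci", "confidential"},
    "engineering": {"confidential"},
    "contractor": set(),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates plausible card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_codenames(text: str) -> list:
    upper = text.upper()
    return sorted(name for name in CODENAMES if name in upper)


def classify(text: str) -> set:
    """Label content by the kinds of sensitive data it contains."""
    labels = set()
    if find_card_numbers(text):
        labels.add("pci")
    if find_codenames(text):
        labels.add("confidential")
    return labels


def mask(card: str) -> str:
    """Keep only the last four digits so the log itself does not become a DLP problem."""
    return "*" * (len(card) - 4) + card[-4:]


def evaluate(user: str, role: str, action: str, text: str) -> tuple:
    """Decide whether `user` (in `role`) may perform `action` on `text`; return decision and log event."""
    labels = classify(text)
    permitted = POLICY.get(role, set())
    decision = "allow" if labels <= permitted else "block"
    event = {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "action": action,
        "labels": sorted(labels),
        "cards": [mask(c) for c in find_card_numbers(text)],
        "codenames": find_codenames(text),
        "decision": decision,
    }
    return decision, event


if __name__ == "__main__":
    # Constructed sample: one Luhn-valid test card number, one code name, one random 16-digit reference.
    sample = ("Please charge card 4111 1111 1111 1111 for Project Orion, "
              "order ref 1234567812345678")
    for user, role in [("alice", "finance"), ("bob", "contractor")]:
        decision, event = evaluate(user, role, "share_external", sample)
        print(json.dumps(event))
```

The `1234567812345678` reference matches the pattern but fails the checksum and is ignored; only the Luhn-valid number is labelled `pci`. The same classification feeds both the decision and the log event, which is what lets later analysis of usage patterns work from one consistent record.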

Palo Alto Networks' next-generation firewalls integrate tightly with Okta, allowing for multi-factor authentication in cases where an access attempt violates a firewall policy. Using an integrated solution helps reduce management overhead and enables administrators to consolidate user, application, and data management in a centralized console.

Because the management is centralized, so is the logging, which is an important security feature. Log management and analysis are essential in detecting attacks, and yet administrators can be overwhelmed with the sheer variety of logs from enterprise applications. In a world of cloud applications, there is no way to manage users and secure access to data unless you have a central facility for doing so. A security solution that consolidates identity and access management functions not only makes it possible to bring cloud providers into your own management scheme, it also opens up secure access to new capabilities.

To learn more about SaaS security, please visit http://www.zdnet.com/topic/protecting-your-clouds.