Access Control and User Identities
When it comes to SaaS solutions, the access control mechanisms are as diverse as the plethora of products and line-of-business applications on the market. That does not change the fact that controlling who has access to your data is still your problem. Within the application itself it is no different from deploying an application on your own premises: you choose the solution that gives you the granularity you require.
There is a fundamental difference, though. When the application lived inside your firewall, you most likely relied on Kerberos (or NTLM) and Active Directory credentials. Even if the application required a separate username and password that it stored in its own database, when an employee left the company they lost access to your network and hence to the application. In the Cloud the application is reachable from anywhere, so unless you immediately shut down every cloud identity in every application, a former employee can keep accessing your data after their employment ends.
The solution to this problem has two parts: first, gain full awareness of every SaaS application in use; second, put each of them behind a single sign-on (SSO) solution, so that access is granted and revoked through one identity rather than through a local password the application keeps for itself.
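The gap described above (a disabled directory account that does not disable a SaaS account with its own password) is something you can check for with a user-export reconciliation. The script below is an added example, not code from the original post or from New Signature; the directory roster and the SaaS user export are constructed sample data, and the field names (`status`, `auth`, `last_login`) are assumptions about what your HR system and the application's admin console give you.

```python
from datetime import date

# Constructed sample data (not from the original post): an HR/directory roster
# and a user export pulled from one SaaS application's admin console.
DIRECTORY = {
    "alice@example.com": {"status": "active", "terminated": None},
    "bob@example.com": {"status": "terminated", "terminated": date(2014, 6, 30)},
    "carol@example.com": {"status": "active", "terminated": None},
}

SAAS_USERS = [
    {"email": "alice@example.com", "auth": "sso", "last_login": date(2014, 9, 1)},
    # Mixed-case e-mail on purpose: exports rarely agree on normalisation.
    {"email": "Bob@example.com", "auth": "password", "last_login": date(2014, 8, 15)},
    {"email": "carol@example.com", "auth": "password", "last_login": date(2014, 9, 2)},
    {"email": "shared-ops@example.com", "auth": "password", "last_login": date(2014, 9, 3)},
]


def audit_saas_accounts(directory, saas_users):
    """Return {email: (category, detail)} for accounts that need action.

    Categories:
      orphaned         - owner is terminated in the directory but the account still exists
      local-credential - active owner, but the app still accepts its own password,
                         so disabling the directory identity will not cut access
      unknown          - no directory owner at all (shared, vendor or test account)
    Accounts owned by an active user and authenticated via SSO are not reported.
    """
    findings = {}
    for u in saas_users:
        email = u["email"].strip().lower()
        rec = directory.get(email)
        if rec is None:
            findings[email] = ("unknown", "no directory owner; shared or vendor account?")
        elif rec["status"] == "terminated":
            detail = f"owner terminated {rec['terminated']}"
            # The case the post warns about: a login that post-dates termination.
            if u["last_login"] and u["last_login"] > rec["terminated"]:
                detail += f", but account logged in {u['last_login']} after termination"
            findings[email] = ("orphaned", detail)
        elif u["auth"] != "sso":
            findings[email] = ("local-credential",
                               f"auth={u['auth']}; not covered by a directory disable")
    return findings


if __name__ == "__main__":
    for email, (category, detail) in sorted(audit_saas_accounts(DIRECTORY, SAAS_USERS).items()):
        print(f"{category:17} {email:28} {detail}")
```

Run this against every application in your inventory, not just the ones already federated: the `local-credential` finding is exactly the population that an SSO rollout has to migrate, and the `orphaned` finding with a post-termination login is the incident you are trying to prevent.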
Most firewall vendors now include cloud service reports alongside their web usage reports. Beyond simple reporting, to monitor which SaaS services are in use and to watch for issues such as data loss, there is a growing market of cloud access security brokers (CASBs). In their article last summer, CRN identified ten that I agree should be watched. These tools help you keep track of which SaaS applications are in use, and whether their usage is in line with your corporate policies.
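The discovery side of this (which SaaS services are in use, by whom, and whether anything is leaving in bulk) is what the firewall reports and CASBs do at scale. The script below is an added example, not code from the original post or from any of the products it mentions: it runs the same classification over a handful of constructed proxy log lines. The key=value log format, the three-entry SaaS catalog, the sanctioned list and the 10 MiB upload threshold are all assumptions; a real catalog has thousands of entries and your vendor's export format will differ.

```python
import re

# Constructed proxy/firewall log lines (not from the original post). The
# key=value layout is hypothetical; adjust LINE_RE for your vendor's export.
SAMPLE_LOG = """\
2014-09-03T10:15:22Z user=alice src=10.1.2.3 dst=app.box.com status=200 bytes_out=524288
2014-09-03T10:16:01Z user=bob src=10.1.2.7 dst=www.dropbox.com status=200 bytes_out=73400320
2014-09-03T10:17:45Z user=carol src=10.1.2.9 dst=login.salesforce.com status=200 bytes_out=2048
2014-09-03T10:18:10Z user=alice src=10.1.2.3 dst=www.example.com status=200 bytes_out=1024
2014-09-03T10:19:30Z user=carol src=10.1.2.9 dst=dl.dropbox.com status=200 bytes_out=15728640
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"status=(?P<status>\d+) bytes_out=(?P<bytes_out>\d+)$"
)

# Minimal SaaS catalog keyed by registrable domain (assumed; a CASB ships thousands).
CATALOG = {"box.com": "Box", "dropbox.com": "Dropbox", "salesforce.com": "Salesforce"}
# Services the organisation has approved (assumed policy).
SANCTIONED = {"Box", "Salesforce"}
# Per-request upload size that merits a look (assumed policy value).
UPLOAD_THRESHOLD = 10 * 1024 * 1024


def classify_host(host, catalog=CATALOG):
    """Map a destination host to a catalog service name, or None if unknown."""
    host = host.lower().rstrip(".")
    for domain, name in catalog.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def build_inventory(log_text, catalog=CATALOG, sanctioned=SANCTIONED, threshold=UPLOAD_THRESHOLD):
    """Aggregate log lines into {service: {users, bytes_out, large_uploads, sanctioned}}."""
    inventory = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        service = classify_host(m["dst"], catalog)
        if service is None:
            continue  # not a known SaaS destination; ordinary web traffic
        entry = inventory.setdefault(service, {
            "users": set(), "bytes_out": 0, "large_uploads": [],
            "sanctioned": service in sanctioned,
        })
        entry["users"].add(m["user"])
        sent = int(m["bytes_out"])
        entry["bytes_out"] += sent
        if sent >= threshold:
            entry["large_uploads"].append((m["user"], m["dst"], sent))
    return inventory


def policy_findings(inventory):
    """Turn the inventory into the two findings a reviewer acts on first."""
    findings = []
    for service, e in sorted(inventory.items()):
        if not e["sanctioned"]:
            findings.append(f"{service}: unsanctioned, used by {sorted(e['users'])}")
        for user, host, sent in e["large_uploads"]:
            findings.append(f"{service}: large upload of {sent} bytes by {user} to {host}")
    return findings


if __name__ == "__main__":
    for line in policy_findings(build_inventory(SAMPLE_LOG)):
        print(line)
```

Two things this small version shares with the real products: unknown hosts are dropped rather than guessed, because a false "SaaS" label sends someone chasing ordinary web traffic; and an unsanctioned service is reported with its user list, because the follow-up conversation is with those users, not with the firewall.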
The next issue is, of course, deploying a single sign-on solution. We at New Signature spend a lot of time deploying Azure Active Directory and we believe that Microsoft has a very strong and compelling offer in this space, but a quick search for the Gartner Magic Quadrant for "IDaaS" or "Identity and Access Management" will give you a good view of the competitive market.
Bottom line: you need to know where your data is going, and you need to be able to control the provisioning and de-provisioning of access to it.
In the final installment, we will review how incident response remains your responsibility.