The Forgotten Security

July 7, 2015

I used to work for a firm where I was on call 24-7-365. So I had to have round-the-clock access to the company's workflow and file sharing applications. Wherever I was in the world, I accessed the applications from my laptop or cell phone.


At the time, SaaS was still in its infancy and no one had really figured out the security aspects of access yet (whether it was an internal application hosted in the cloud, or a third party SaaS provider). Today, this isn't unique. Nearly all companies, large and small, take advantage of cloud hosting models, making enterprise applications available in the cloud, often by using Amazon Web Services or another public cloud hosting provider.


In fact, according to a study released earlier this year by Rightscale, only three percent of enterprises had no cloud strategy.


I was also on the company's internal systems, accessible only via computers physically located in the company offices or accessed through a VPN. When I left, my old ID and password became inoperable, and my code for the front door was changed. But while my departure resulted in the shutting off of my access to the office network, the company never cut off my access to the web-based applications.


This isn't unusual. According to a recent survey by Intermedia, 89 percent of adults retain access to at least one application from a former employer. Half of the employees questioned say they actually logged into an account to which they weren't supposed to and still have access. Even more worrying, 45 percent retain access to confidential data.


At my old company, keeping people off the "system" meant locking doors and throwing away any available keys. The building is a fortress when it comes to protecting the company and their hardware and on-premises software from unwanted intrusions. After I was gone, my boss' administrator emailed IT to tell them to erase my access ID and password. Our IT was great. They expect these emails, and when they come in they always tried their best to get to them sooner rather than later.


But when it comes to cloud-based applications, paranoia about physical security is still largely absent.


Let the record show that after I left, I never accessed any cloud-based applications for the purposes of accessing employer data that didn't belong to me. But if I had wanted to, it wouldn't have been difficult. Not only did I retain my own access to corporate web applications, but I could have probably talked a colleague into sharing their access with me. According to a recent study by IS Decisions, the majority of employees see no problems with sharing passwords.


And it could have been much worse. Because I've grown up in security firms, I'm fairly conservative about my password hygiene; but most employees aren't. The majority still use the same passwords for their personal and business accounts. It isn't difficult for a hacker to find personal credentials among the millions of those stolen in recent breaches and use them to log into corporate web applications.


Did our infosec group have concerns about moving company applications to the cloud? My guess is yes. Nine out of ten surveyed employers say they view security as a major issue of public cloud computing.


And for good reason. After all, once the company's applications are in the cloud, they're no longer protected by the physical walls of the office and the guard at the front desk. Not surprisingly, one third of respondents to a Bitglass survey say they have experienced more breaches in public cloud applications than on-premises applications.


But at some point the tide turned, and NOT moving some applications off-premises was no longer an option, despite security concerns.


So here we are. Too many companies are still relying on security practices meant for a world with borders. But we haven't lived in that world for some time (this story dates back well over a decade, so the issue of hosted applications isn't new). It doesn't have to be that way. There are companies getting it right; going all in on the cloud without sacrificing security to do it. How?


The best way to ensure that your applications and data are safe is to follow a cloud security checklist from the outset. While it's not very different from a standard identity and access management (IAM) security checklist, it underscores the importance of applying fundamental concepts to any cloud environment.


A solid checklist includes the following areas:


  1. Authentication
    • Federation
    • Multi-factor authentication
    • Proxy- and agent-based support


  2. Authorization
    • App and API user access
    • Web, mobile and API support
    • Role-based and attribute-based support


  3. Account management
    • Support for all use cases
    • Federation
    • Account management via central directory
    • Standards based
    • Support for SCIM


  4. Auditing
    • Standard and reliable 'request' and 'access' data collection
    • Same cloud access data collection for web, API, and mobile
    • Data collection formats for standardized reporting tools



For a more comprehensive overview, check out our guide Cloud Readiness: Securing Access to your Private Cloud.