As your enterprise adopts Software as a Service (SaaS), you will want to make sure that everything within your network is securely protected and accessible only to those with the correct permissions. The first thing to look at is how your users sign on to the SaaS applications, and which approach is best for your organization. The options include single sign-on (SSO), internet-based password sign-on, and one-time passwords (OTP); you will have to weigh up how each of these would be used within your organization. For a federated SSO implementation, here are 10 security tips to help make it a success.
Using Your Existing Directory
If your organization uses Active Directory (AD) or another Lightweight Directory Access Protocol (LDAP) directory as its identity repository, you can leverage this existing directory for both provisioning and authentication. This gives you the ability to deploy SaaS accounts such as Google Apps and Salesforce.com without reinventing the existing infrastructure, and it provides a standardized foundation for adding further applications quickly and easily. The resulting gains in deployment speed are something you can demonstrate to upper management.
Adding Strong Authentication
Once you have moved your critical applications and data to the cloud, you will need to establish a strong alternative authentication method such as OTP, which provides stronger authentication than passwords alone. Most SaaS providers won’t directly support any authentication technology other than Security Assertion Markup Language (SAML) or a user ID and password prompt.
This might require you to deploy hardware or software OTP capabilities to users, so you will need to consider the costs and integration requirements of doing so. If, for example, you select a soft-token approach rather than hard tokens, the management and distribution costs will be significantly lower. A soft-token architecture also gives you more flexibility, and can support multi-factor authentication for multiple SaaS applications with a single token.
A Scalable Solution
You will need to select a solution that is flexible and can apply a range of security capabilities. Different user groups such as in-house employees, contractors, and mobile workers all have different and varying access needs, and the same is true of the different categories of application they need. Applications that contain sensitive or regulated data require a stronger security approach than applications with lower confidentiality requirements. You have to make sure that the solutions being evaluated are adaptive and flexible enough to accommodate the access requirements of each user group and each application category.
Although ease of use is a high priority, a strong authentication system can deliver great value for money given the range of applications you can protect with it. You should actively look for ways to apply strong authentication to platforms while maintaining usability and assurance levels for the users in your network. A flexible federation system can accept OTP authentication and then issue the user a SAML credential that provides SSO to a protected, hosted application. When it is functioning in service provider mode, the federation system can also convert an incoming SAML credential into a locally consumable credential.
If you select a system that uses soft-token multi-factor authentication, you can give users their own self-service portal where they can easily register their mobile devices, change their mobile numbers and select the OTP delivery channel. If a user loses a mobile phone or tablet, or switches to a new network provider, they can update the portal with the new information and thereby block the previous device. This approach makes multi-factor authentication much easier and cheaper to deploy, especially if the majority of target users are on smartphones, and much easier to manage in the event of an attack.
What is the number one security priority in today’s organizations? It’s to make sure that an employee’s or contractor’s access is immediately disabled or deleted once that person’s contract ends. Removing a user’s access to all the applications they have had access to is one of the key requirements of any audit. This becomes even more critical with SaaS application access, since the user can reach the applications from any remote location. It is a strong selling point for a single system of directory record keeping such as AD: it holds up-to-date information on every user profile and can automatically trigger de-provisioning whenever a user’s details change.
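The de-provisioning check above, written out as an added example (not the article's or any vendor's code): the directory of record is compared against the accounts that exist in each SaaS application, producing both the leavers who still have access and the accounts that have no directory identity behind them at all. The records, field names and application names are constructed; a real run would read them from AD/LDAP and the SaaS administration APIs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Added illustration, not any vendor's code: reconcile SaaS accounts against the
# directory of record so that leavers are de-provisioned everywhere and accounts
# with no directory identity behind them are surfaced for the audit. Records are
# constructed; a real run would read them from AD/LDAP and the SaaS admin APIs.


@dataclass
class DirectoryUser:
    upn: str                      # user principal name, also used as the SaaS login
    enabled: bool                 # False once the leaver process disables the account
    end_date: Optional[datetime]  # contract end date, if the directory records one


@dataclass
class SaasAccount:
    app: str
    login: str
    active: bool


NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)

DIRECTORY = [
    DirectoryUser("alice@example.com", True, None),
    DirectoryUser("bob@example.com", False, None),  # disabled in AD, still has SaaS access
    DirectoryUser("carol@example.com", True, datetime(2024, 5, 31, tzinfo=timezone.utc)),  # ended
]

SAAS_ACCOUNTS = [
    SaasAccount("salesforce", "alice@example.com", True),
    SaasAccount("salesforce", "bob@example.com", True),
    SaasAccount("googleapps", "carol@example.com", True),
    SaasAccount("googleapps", "Dave@example.com", True),   # nobody in the directory
    SaasAccount("salesforce", "erin@example.com", False),  # already deactivated
]


def reconcile(directory: List[DirectoryUser], accounts: List[SaasAccount],
              now: datetime) -> Tuple[List[SaasAccount], List[SaasAccount]]:
    """Return (to_deactivate, orphans): active SaaS accounts whose directory identity is
    disabled or past its end date, and active accounts with no directory identity at all."""
    by_upn = {u.upn.lower(): u for u in directory}  # logins are matched case-insensitively
    to_deactivate, orphans = [], []
    for acct in accounts:
        if not acct.active:
            continue
        user = by_upn.get(acct.login.lower())
        if user is None:
            orphans.append(acct)
        elif not user.enabled or (user.end_date is not None and user.end_date <= now):
            to_deactivate.append(acct)
    return to_deactivate, orphans


def deprovisioning_plan(directory: List[DirectoryUser], accounts: List[SaasAccount],
                        now: datetime) -> List[Tuple[str, str, str]]:
    """Flatten the result into sorted (action, app, login) rows for ticketing or the audit trail."""
    to_deactivate, orphans = reconcile(directory, accounts, now)
    rows = [("deactivate", a.app, a.login) for a in to_deactivate]
    rows += [("review-orphan", a.app, a.login) for a in orphans]
    return sorted(rows)


if __name__ == "__main__":
    for action, app, login in deprovisioning_plan(DIRECTORY, SAAS_ACCOUNTS, NOW):
        print(action, app, login)
```

Orphans are reported separately rather than deactivated automatically: some will be legitimate service or break-glass accounts, and the audit wants each one explained, not silently removed.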
Audit Record Monitoring
Many SaaS applications are subject to internal security checks and regulatory compliance mandates. Logging every identity event related to cloud applications is an important security capability that should be put in place as quickly as possible. All SaaS application user activity should be monitored, including account creation and deletion, login and logoff events, and especially errors. Alerts can be set up to be generated automatically to bring attention to real-time events, while system logs should be archived for compliance. Some cloud applications will provide you with practical audit data, which you should keep separate from the application itself to ensure high integrity and assurance levels.
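The monitoring and archiving described above, as an added example that is not the article's or any vendor's code: a handful of constructed SaaS audit events in a JSON-lines shape (the field names are assumptions, not a real product's schema), alert rules for the event types the text names, and a SHA-256 hash chain so that the copy archived outside the application can be checked for altered or missing records.

```python
import hashlib
import json
from collections import defaultdict
from typing import Dict, List

# Added illustration, not any vendor's code: constructed SaaS audit events in a
# JSON-lines shape (field names are assumptions), alert rules covering the event
# types named in the text, and a SHA-256 hash chain so an archived copy kept
# outside the application can be checked for altered or missing records.

SAMPLE_LOG = """
{"ts": "2024-06-15T08:00:01Z", "event": "login", "user": "alice@example.com", "result": "success", "ip": "203.0.113.10"}
{"ts": "2024-06-15T08:02:11Z", "event": "login", "user": "bob@example.com", "result": "failure", "ip": "198.51.100.7"}
{"ts": "2024-06-15T08:02:19Z", "event": "login", "user": "bob@example.com", "result": "failure", "ip": "198.51.100.7"}
{"ts": "2024-06-15T08:02:27Z", "event": "login", "user": "bob@example.com", "result": "failure", "ip": "198.51.100.7"}
{"ts": "2024-06-15T08:15:00Z", "event": "account_created", "actor": "admin@example.com", "target": "dave@example.com", "result": "success"}
{"ts": "2024-06-15T08:40:42Z", "event": "logoff", "user": "alice@example.com", "result": "success"}
{"ts": "2024-06-15T09:05:13Z", "event": "account_deleted", "actor": "admin@example.com", "target": "carol@example.com", "result": "success"}
{"ts": "2024-06-15T09:30:00Z", "event": "login", "user": "carol@example.com", "result": "error", "detail": "SAML response rejected"}
"""

FAILED_LOGIN_THRESHOLD = 3


def parse_events(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: List[Dict]) -> List[str]:
    """Real-time alert rules: repeated login failures, account lifecycle changes, errors."""
    alerts: List[str] = []
    failures: Dict[str, int] = defaultdict(int)
    for e in events:
        kind, result = e.get("event"), e.get("result")
        if kind == "login" and result == "failure":
            failures[e["user"]] += 1
            if failures[e["user"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append("%d failed logins for %s from %s"
                              % (FAILED_LOGIN_THRESHOLD, e["user"], e.get("ip")))
        elif kind in ("account_created", "account_deleted"):
            alerts.append("%s %s by %s" % (kind, e["target"], e["actor"]))
        elif result == "error":
            alerts.append("error during %s for %s: %s"
                          % (kind, e.get("user"), e.get("detail", "")))
    return alerts


def chain_digests(events: List[Dict]) -> List[str]:
    """Each digest covers the canonical event plus the previous digest (genesis = 64 zeros),
    so changing, dropping or reordering any record changes every digest after it."""
    prev = "0" * 64
    digests = []
    for e in events:
        canonical = json.dumps(e, sort_keys=True, separators=(",", ":"))
        prev = hashlib.sha256((prev + canonical).encode("utf-8")).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(events: List[Dict], digests: List[str]) -> bool:
    """True only if the archived events reproduce the stored chain exactly."""
    return chain_digests(events) == digests


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect(evs):
        print("ALERT:", a)
    print("archive chain head:", chain_digests(evs)[-1])
```

The chain head (the last digest) is the one value worth storing somewhere the application and its administrators cannot reach, such as a write-once bucket or a printed compliance record; with it, the whole archive can be re-verified later.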
Planning for Change
Each organization’s IT and federated environment is set up differently. A one-size-fits-all solution won’t work easily and is difficult to implement. During any product evaluation you should find out what application programming interfaces (APIs) and software development kits (SDKs) will be available to let you extend the functionality of the applications and tailor them to your requirements, now and in the future.
There are a variety of ways that SaaS applications can authenticate a user, ranging from a standards-based federated SSO approach to a simple HTML form-based user ID and password. You should choose the most secure and flexible model that works for your organization. If you choose SAML over the other methods, you will find it’s one of the most reliable and robust forms of SSO. If your target application doesn’t support SAML, you might want to investigate an API-based SSO approach, which would be preferable to password vaulting.
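Both the service-provider mode described under "A Scalable Solution" (converting an incoming SAML credential into a local one) and the recommendation to prefer SAML above come down to the same set of checks an SP must make before it trusts a bearer assertion. The following is an added example, not code from the article or any federation product: a constructed assertion (hypothetical hosts, IDs and times) and a validator that checks issuer, validity window, audience, recipient, InResponseTo, one-time use and the authentication context class. It assumes the XML signature has already been verified by an XML-DSig library before these checks run; signature verification is deliberately out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# Added illustration of the checks a service provider (SP) makes before turning a
# SAML bearer assertion into a local session. Not any product's code; the hosts,
# IDs and times are constructed, and the XML signature is assumed to have been
# verified already by an XML-DSig library before these checks run.

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TIMESYNC_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"  # OTP-style context
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SKEW = timedelta(seconds=60)  # tolerated clock difference between IdP and SP

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2024-06-15T12:00:00Z">
  <saml:Issuer>https://idp.example.com/federation</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-06-15T12:05:00Z"
          Recipient="https://app.example.com/saml/acs" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-06-15T11:59:00Z" NotOnOrAfter="2024-06-15T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-06-15T11:59:30Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>""" % TIMESYNC_CLASS

EXAMPLE_NOW = datetime(2024, 6, 15, 12, 1, tzinfo=timezone.utc)
EXAMPLE_LATE = datetime(2024, 6, 15, 12, 10, tzinfo=timezone.utc)


def _t(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subject_of(xml_text: str) -> Optional[str]:
    return ET.fromstring(xml_text).findtext("saml:Subject/saml:NameID", namespaces=NS)


def check_assertion(xml_text: str, issuer: str, audience: str, acs_url: str,
                    request_id: str, now: datetime, seen_ids: Set[str],
                    required_class: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means the SP may create a local session."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["document is not a SAML Assertion"]
    problems: List[str] = []
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        problems.append("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + SKEW < _t(not_before):
            problems.append("assertion not yet valid")
        if not not_after or now - SKEW >= _t(not_after):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            problems.append("audience mismatch")
    # Bearer confirmation must be addressed to this ACS and answer our own request.
    data = None
    for sc in root.iterfind("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            data = sc.find("saml:SubjectConfirmationData", NS)
    if data is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if data.get("Recipient") != acs_url:
            problems.append("recipient mismatch")
        if data.get("InResponseTo") != request_id:
            problems.append("InResponseTo mismatch")
        expiry = data.get("NotOnOrAfter")
        if not expiry or now - SKEW >= _t(expiry):
            problems.append("subject confirmation expired")
    if required_class is not None:
        ref = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                            namespaces=NS)
        if ref != required_class:
            problems.append("authentication context too weak")
    # One-time use: a bearer assertion replayed inside its window must be refused.
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        problems.append("assertion ID already used")
    if not problems:
        seen_ids.add(assertion_id)
    return problems
```

In this model the federation system's "locally consumable credential" is whatever session the SP creates for `subject_of(...)` once `check_assertion` returns an empty list; the `seen_ids` cache only needs to remember IDs for as long as the longest `NotOnOrAfter` window, since anything older fails the time check anyway. Requiring `TIMESYNC_CLASS` is how an SP insists that the OTP step actually happened at the identity provider rather than just a password.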
Understand Services Required
If you have a complex SaaS environment, it might be necessary to use a services partner to help implement a security solution. Expecting your internal IT department to implement such a solution on its own can present challenges, including incorrectly configured systems and non-standard, complex implementations that increase maintenance in the long term.
If your organization doesn’t have the internal expertise, it will be essential to find an industry expert partner that can help reduce the deployment time and incorporate best practices. This will also help the internal team cultivate their skills and build the knowledge needed to meet the organization’s security needs in the future.