Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Organizations Are Adapting Authentication for Cloud Applications

Companies see the changing demands of cloud identity management but are mixed in their responses to those demands.

Cloud services are becoming the norm in enterprise IT, but that doesn't mean that they come without concerns. A new survey shows that nearly half of all enterprises believe that their cloud applications make them more of a target for cyberattacks. The cloud ranks third on the list of reasons executives think they might be attacked, just behind unprotected infrastructure such as Internet of Things devices (54%) and web portals (50%).

The report, the "2019 Thales Access Management Index," is based on a survey sponsored by Thales and conducted by Vanson Bourne. The survey received responses from 1,050 executives in 11 countries; it asked them questions about both their concerns and the technology they're employing to respond to those concerns.

"Organizations realize now that they are depending on cloud resources, cloud services, and cloud applications to run their business," says Francois Lasnier, vice president of authentication and access management at Thales. The realization, though, has its limits.

"When you ask a lot of the CISOs, their initial reaction is that they only use a few applications or cloud services," Lasnier says. "But when you start digging, you realize that sometimes there is a factor of 10 between what a CISO or IT administrator recognizes in the cloud application count versus what is actually the cloud usage."

Even without an accurate understanding of their cloud exposure, the IT executives are broadly aware of the threats to cloud applications. Ninety-four percent of the executives say that their organizations' security policies have been influenced by consumer breaches occurring in the last 12 months. The ongoing recognition of email as an attack vector is one of those responses.

"If you can hack into the email system of an organization, then you can start doing ID theft, and then you can start elevating your privilege," Lasnier explains. Once the process has begun, attackers can then create fake identities, navigate within the company network, and wreak havoc.

The survey shows that access management is evolving to respond to the threat facing cloud applications. According to the results, 70% of companies have begun using two-factor authentication, 53% are using single sign-on (SSO), and 36% have begun using "smart" SSO — SSO that uses policy-based privileges for individual applications and network segments, along with multiple authentication stages when privilege escalation is required.

There are ongoing contradictions in the understanding that executives bring to the issues around authentication and application access. For example, nearly half of the IT executives surveyed said that smart SSO (49%) and biometric multifactor authentication (47%) are among the best tools for protecting cloud and web access, while only 24% saw social identity credentials (using Facebook, Google, or Twitter accounts for authentication) as a best practice.

However, more than half (56%) then said that they would allow employees to log in to enterprise resources using social media credentials for authentication.

Lasnier says that the confusion is largely a result of a rapidly changing enterprise environment that has seen the cloud, bring-your-own-device efforts, exceptional employee mobility, and other factors thrown into a mix that requires secure authentication and access management for users.

The access decision that was once black and white is now multivariable, Lasnier says. "Companies are looking now not just at access management that's a single point function, but at bundling identity to provide secure access management to applications and to dictate services like encryption rules that can further protect data assets," he says.

Related content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.