Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Organizations Are Adapting Authentication for Cloud Applications

Companies see the changing demands of cloud identity management but are mixed in their responses to those demands.

Cloud services are becoming the norm in enterprise IT, but that doesn't mean that they come without concerns. A new survey shows that nearly half of all enterprises believe that their cloud applications make them more of a target for cyberattacks. The cloud ranks third on the list of reasons executives think they might be attacked, just behind unprotected infrastructure such as Internet of Things devices (54%) and web portals (50%).

The report, the "2019 Thales Access Management Index," is based on a survey sponsored by Thales and conducted by Vanson Bourne. The survey received responses from 1,050 executives in 11 countries; it asked them questions about both their concerns and the technology they're employing to respond to those concerns.

"Organizations realize now that they are depending on cloud resources, cloud services, and cloud applications to run their business," says Francois Lasnier, vice president of authentication and access management at Thales. The realization, though, has its limits.

"When you ask a lot of the CISOs, their initial reaction is that they only use a few applications or cloud services," Lasnier says. "But when you start digging, you realize that sometimes there is a factor of 10 between what a CISO or IT administrator recognizes in the cloud application count versus what is actually the cloud usage."

Even without an accurate understanding of their cloud exposure, the IT executives are broadly aware of the threats to cloud applications. Ninety-four percent of the executives say that their organizations' security policies have been influenced by consumer breaches occurring in the last 12 months. The ongoing recognition of email as an attack vector is one of those responses.

"If you can hack into the email system of an organization, then you can start doing ID theft, and then you can start elevating your privilege," Lasnier explains. Once the process has begun, attackers can then create fake identities, navigate within the company network, and wreak havoc.

The survey shows that access management is evolving to respond to the threat facing cloud applications. According to the results, 70% of companies have begun using two-factor authentication, 53% are using single sign-on (SSO), and 36% have begun using "smart" SSO — SSO that uses policy-based privileges for individual applications and network segments, along with multiple authentication stages when privilege escalation is required.

There are ongoing contradictions in the understanding that executives bring to the issues around authentication and application access. For example, nearly half of the IT executives surveyed said that smart SSO (49%) and biometric multifactor authentication (47%) are among the best tools for protecting cloud and web access, while only 24% saw social identity credentials (using Facebook, Google, or Twitter accounts for authentication) as a best practice.

However, more than half (56%) then said that they would allow employees to log in to enterprise resources using social media credentials for authentication.

Lasnier says that the confusion is largely a result of a rapidly changing enterprise environment that has seen the cloud, bring-your-own-device efforts, exceptional employee mobility, and other factors thrown into a mix that requires secure authentication and access management for users.

The access decision that was once black and white is now multivariable, Lasnier says. "Companies are looking now not just at access management that's a single point function, but at bundling identity to provide secure access management to applications and to dictate services like encryption rules that can further protect data assets," he says.

Related content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.
CVE-2019-18853
PUBLISHED: 2019-11-11
ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.
CVE-2019-18854
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.
CVE-2019-18855
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes.
CVE-2019-18856
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled.