Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Organizations Are Adapting Authentication for Cloud Applications

Companies see the changing demands of cloud identity management but are mixed in their responses to those demands.

Cloud services are becoming the norm in enterprise IT, but that doesn't mean that they come without concerns. A new survey shows that nearly half of all enterprises believe that their cloud applications make them more of a target for cyberattacks. The cloud ranks third on the list of reasons executives think they might be attacked, just behind unprotected infrastructure such as Internet of Things devices (54%) and web portals (50%).

The report, the "2019 Thales Access Management Index," is based on a survey sponsored by Thales and conducted by Vanson Bourne. The survey received responses from 1,050 executives in 11 countries; it asked them questions about both their concerns and the technology they're employing to respond to those concerns.

"Organizations realize now that they are depending on cloud resources, cloud services, and cloud applications to run their business," says Francois Lasnier, vice president of authentication and access management at Thales. The realization, though, has its limits.

"When you ask a lot of the CISOs, their initial reaction is that they only use a few applications or cloud services," Lasnier says. "But when you start digging, you realize that sometimes there is a factor of 10 between what a CISO or IT administrator recognizes in the cloud application count versus what is actually the cloud usage."

Even without an accurate understanding of their cloud exposure, the IT executives are broadly aware of the threats to cloud applications. Ninety-four percent of the executives say that their organizations' security policies have been influenced by consumer breaches occurring in the last 12 months. The ongoing recognition of email as an attack vector is one of those responses.

"If you can hack into the email system of an organization, then you can start doing ID theft, and then you can start elevating your privilege," Lasnier explains. Once the process has begun, attackers can then create fake identities, navigate within the company network, and wreak havoc.

The survey shows that access management is evolving to respond to the threat facing cloud applications. According to the results, 70% of companies have begun using two-factor authentication, 53% are using single sign-on (SSO), and 36% have begun using "smart" SSO — SSO that uses policy-based privileges for individual applications and network segments, along with multiple authentication stages when privilege escalation is required.

There are ongoing contradictions in the understanding that executives bring to the issues around authentication and application access. For example, nearly half of the IT executives surveyed said that smart SSO (49%) and biometric multifactor authentication (47%) are among the best tools for protecting cloud and web access, while only 24% saw social identity credentials (using Facebook, Google, or Twitter accounts for authentication) as a best practice.

However, more than half (56%) then said that they would allow employees to log in to enterprise resources using social media credentials for authentication.

Lasnier says that the confusion is largely a result of a rapidly changing enterprise environment that has seen the cloud, bring-your-own-device efforts, exceptional employee mobility, and other factors thrown into a mix that requires secure authentication and access management for users.

The access decision that was once black and white is now multivariable, Lasnier says. "Companies are looking now not just at access management that's a single point function, but at bundling identity to provide secure access management to applications and to dictate services like encryption rules that can further protect data assets," he says.

Related content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVE-2019-16307
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
CVE-2019-16294
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
CVE-2019-16309
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.