“There are technical obstacles with cloud security, as with anything,” said Michael Denning, CA’s general manager, customer security solutions, in an interview here at RSA. “However, getting enterprises into a mindset where they are comfortable controlling something they don’t have their hands on and depends on the ability to deliver technology that feels seamless to end enterprise is the key to being successful -- when the service provider feels like an extension of your company.”
The SiteMinder integration includes risk-scoring, which determines the level of authentication that is to be required, from user ID and password in low-risk conditions, to some form of multifactor authentication as the risk factors are pushed to a higher level. Risk factors can include user role; the sensitivity of the system, data, or application that is being accessed; value of a transaction; the device that is being used (a managed corporate laptop vs. an unrecognized iPhone, for example); and the location of the client. If the risk is high enough, then a user could be asked to respond to challenge questions, use an OTP, etc., based on corporate policy.
“Previously, everyone was on a LAN, behind a firewall, and you could use network controls, like ACLs,” Denning said. “Now you are in a situation where you don’t know where traffic is going, the workforce is mobile, and applications live outside your premise, so your data is at risk.”
The enhanced service also introduces what CA calls “tagless device identification” to combat fraud and protect user privacy. The Authentication Cloud Service uses this technology, which collects a wide range of data associated with a device, such as a laptop, iPad, or smartphone, to fingerprint it. The service profiles the device and determines the appropriate action, including blocking access, based on risk scoring.
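The risk-scored step-up and device-based blocking described above can be sketched as a small policy function. This is an added example, not CA's code: the factor names follow the article, while every weight, threshold, field name and action label is an illustrative assumption.

```python
from dataclasses import dataclass

# Illustrative assumptions: none of these weights or thresholds come from CA's service.
ROLE_WEIGHT = {"employee": 0, "contractor": 10, "admin": 20}
SENSITIVITY_WEIGHT = {"low": 0, "medium": 15, "high": 30}
STEP_UP_THRESHOLD = 40  # at or above: require a second factor
BLOCK_THRESHOLD = 80    # at or above: deny access


@dataclass(frozen=True)
class AccessRequest:
    role: str                   # user role
    sensitivity: str            # sensitivity of the system, data or application
    transaction_value: float    # value of the transaction
    device_known: bool          # device fingerprint seen before for this user
    device_managed: bool        # managed corporate device
    country: str                # location of the client
    usual_countries: frozenset  # locations this user normally signs in from


def risk_score(req):
    """Sum per-factor contributions; unrecognized labels get the top weight (fail closed)."""
    score = ROLE_WEIGHT.get(req.role, max(ROLE_WEIGHT.values()))
    score += SENSITIVITY_WEIGHT.get(req.sensitivity, max(SENSITIVITY_WEIGHT.values()))
    if req.transaction_value >= 10_000:
        score += 20
    elif req.transaction_value >= 1_000:
        score += 10
    if not req.device_known:
        score += 25   # unrecognized device
    elif not req.device_managed:
        score += 10   # recognized but unmanaged device
    if req.country not in req.usual_countries:
        score += 15
    return score


def required_action(req):
    """Map the score to the authentication level policy demands."""
    score = risk_score(req)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "password+otp"
    return "password"
```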
A third new feature is the ability to use smartphones, in essence, as an OTP token. This relieves end users of the burden of carrying separate token devices (often more than one), such as fobs. It also relieves enterprises of the management overhead and cost of deployment, replacement, and revocation of authentication devices. CA says this complements other two-factor mobile authentication methods available within the cloud service and on-premise deployments, including CA ArcotID, a two-factor secure software credential.
Cloud authentication and SSO are getting considerable attention in the cloud security discussion. For example, this week RSA announced plans to launch its Identity Service among the initial offerings in its new Cloud Trust Authority portfolio of services. The Identity Service provides federated identity and single sign-on (SSO) to major cloud providers through synchronization with corporate directories and federation standards, such as SAML. Last week, SecureAuth announced the extension of its certificate-based authentication and SSO capabilities to mobile devices for cloud, as well as remote corporate network access.