Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Organizations Are Adapting Authentication for Cloud Applications

Companies see the changing demands of cloud identity management but are mixed in their responses to those demands.

Cloud services are becoming the norm in enterprise IT, but that doesn't mean that they come without concerns. A new survey shows that nearly half of all enterprises believe that their cloud applications make them more of a target for cyberattacks. The cloud ranks third on the list of reasons executives think they might be attacked, just behind unprotected infrastructure such as Internet of Things devices (54%) and web portals (50%).

The report, the "2019 Thales Access Management Index," is based on a survey sponsored by Thales and conducted by Vanson Bourne. The survey received responses from 1,050 executives in 11 countries; it asked them questions about both their concerns and the technology they're employing to respond to those concerns.

"Organizations realize now that they are depending on cloud resources, cloud services, and cloud applications to run their business," says Francois Lasnier, vice president of authentication and access management at Thales. The realization, though, has its limits.

"When you ask a lot of the CISOs, their initial reaction is that they only use a few applications or cloud services," Lasnier says. "But when you start digging, you realize that sometimes there is a factor of 10 between what a CISO or IT administrator recognizes in the cloud application count versus what is actually the cloud usage."

Even without an accurate understanding of their cloud exposure, the IT executives are broadly aware of the threats to cloud applications. Ninety-four percent of the executives say that their organizations' security policies have been influenced by consumer breaches occurring in the last 12 months. The ongoing recognition of email as an attack vector is one of those responses.

"If you can hack into the email system of an organization, then you can start doing ID theft, and then you can start elevating your privilege," Lasnier explains. Once the process has begun, attackers can then create fake identities, navigate within the company network, and wreak havoc.

The survey shows that access management is evolving to respond to the threat facing cloud applications. According to the results, 70% of companies have begun using two-factor authentication, 53% are using single sign-on (SSO), and 36% have begun using "smart" SSO — SSO that uses policy-based privileges for individual applications and network segments, along with multiple authentication stages when privilege escalation is required.

There are ongoing contradictions in the understanding that executives bring to the issues around authentication and application access. For example, nearly half of the IT executives surveyed said that smart SSO (49%) and biometric multifactor authentication (47%) are among the best tools for protecting cloud and web access, while only 24% saw social identity credentials (using Facebook, Google, or Twitter accounts for authentication) as a best practice.

However, more than half (56%) then said that they would allow employees to log in to enterprise resources using social media credentials for authentication.

Lasnier says that the confusion is largely a result of a rapidly changing enterprise environment that has seen the cloud, bring-your-own-device efforts, exceptional employee mobility, and other factors thrown into a mix that requires secure authentication and access management for users.

The access decision that was once black and white is now multivariable, Lasnier says. "Companies are looking now not just at access management that's a single point function, but at bundling identity to provide secure access management to applications and to dictate services like encryption rules that can further protect data assets," he says.

Related content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.