There’s a war waging in cloud and enterprise computing, one that makes the Lannisters and Starks look like a rock-paper-scissors affair. The saga being waged is between knowledge workers and security wonks – a battle of convenience versus compliance. This knock-down, drag-out affair pits users who expect one-click access to content from any device, at any time, against the security guys and gals who are on the hook to ensure sensitive IP stays within the confines of their organization.
People want to get to data and files quickly to do their job. And organizations want to ensure people are productive, so they extend agents of convenience — SSO, mobile, and consumer-focused SaaS, as well as sites like Box, which make it easy to share large files.
But these weapons of choice come with a warning label: mobile apps are happy to store credentials, once entered, for easy access to apps. Many cloud SSO vendors have no security policy around granting access to the apps. And front-door access is the key to the kingdom. How, then, do organizations keep sensitive content protected, and their trusted reputation strong enough to bring continued business?
(The security team sometimes feels like the guy in the vest when trying to have their concerns heard.)
Balance can be achieved. A contextual policy enforcement model protects the interests of the organization while providing a seamless experience for its constituents, as long as users access data in a sanctioned manner. Nothing is going to stop a user from opening a Box account and uploading content. If an organization certifies the service and makes it compelling enough to use for file sharing, users will be less likely to circumvent controls. That means high performance, ease of use (such as integrated desktop automatic login) and deep linking.
Security concerns can be addressed by using environmental context to evaluate policy. Symplified does this on an individual basis by using any combination of client IP address, device type (user agent), and an organization’s authentication mechanism of choice. A federated technology partner might be granted a different set of applications than a full-time employee. An employee on a workstation on the corporate network might be treated differently than an employee with an iPad at Panera Bread. Preventing an app from being accessed from Firefox, because it only works with IE, improves the user experience rather than degrading it.
There are also advantages to having a finer granularity for enforcement. One-dimensional SSO services might be able to protect the front door, but Symplified can enforce robust workflows where certain URLs within the applications require a second factor of authentication, again, based on context or identity attributes. Legacy Web Access Management (WAM) vendors can’t do it for external cloud apps, and other cloud SSO vendors can’t do this for any app. Want to block a certain portion of Salesforce for a subset of users or based on certain conditions? Try Symplified.
Finally, one of the more exciting developments in access control is using risk as context in the access decision. Risk engines such as Symantec VIP and Oracle Adaptive Access Manager expose a risk-scoring service that can be called with the device fingerprint, user identity, and geolocation. Symplified can take the risk score and reason(s) returned by these engines and manage access accordingly. For example, certain applications might be blocked when the person requesting access is in a blacklisted country, while a second authentication factor is required when the request comes from an unknown device.
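To make the contextual model of the last three paragraphs concrete, here is a small policy evaluator written for this post as an added illustration; it is not Symplified's code and does not mirror any vendor's policy language. It evaluates a request's client IP, user agent, group membership, the authentication method already presented, the URL path inside the app, and a risk score, and returns allow, deny, or step-up (second factor required). The rule names, the 0–100 risk scale with a deny threshold of 80, the "XX" country code, the 10.0.0.0/8 corporate network and the app names are all constructed assumptions.

```python
"""Contextual access-policy evaluator (constructed illustration, not vendor code)."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step-up"   # grant only after a second authentication factor


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # e.g. {"employee"} or {"partner"}
    client_ip: str
    user_agent: str
    auth_method: str           # factor already presented: "password" or "mfa"
    app: str
    path: str = "/"
    country: str = "US"        # from geolocation of client_ip (assumed supplied)
    device_known: bool = True  # device fingerprint seen before (assumed supplied)
    risk_score: int = 0        # 0-100 from an external risk engine (assumed scale)


@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[AccessRequest], bool]
    decision: Decision


# Constructed environment values.
CORP_NET = ip_network("10.0.0.0/8")
BLOCKED_COUNTRIES = {"XX"}          # placeholder country code
PARTNER_APPS = {"box"}              # the only app a federated partner may reach
RISK_DENY_THRESHOLD = 80


def on_corp_network(r: AccessRequest) -> bool:
    return ip_address(r.client_ip) in CORP_NET


def is_firefox(r: AccessRequest) -> bool:
    return "Firefox/" in r.user_agent


# Ordered rule list: first matching rule wins, so hard denials sit at the top,
# step-up rules in the middle, and the permissive default at the bottom.
RULES: List[Rule] = [
    Rule("blocked country", lambda r: r.country in BLOCKED_COUNTRIES, Decision.DENY),
    Rule("high risk score", lambda r: r.risk_score >= RISK_DENY_THRESHOLD, Decision.DENY),
    # Identity scoping: partners only see the apps granted to them.
    Rule("partner app scope",
         lambda r: "partner" in r.groups and r.app not in PARTNER_APPS, Decision.DENY),
    # Browser compatibility: keep users out of an app that cannot work for them.
    Rule("legacy app needs IE",
         lambda r: r.app == "legacy-erp" and is_firefox(r), Decision.DENY),
    # Fine-grained step-up on a sensitive URL inside an app, unless MFA is already done.
    Rule("salesforce admin step-up",
         lambda r: r.app == "salesforce" and r.path.startswith("/admin")
         and r.auth_method != "mfa", Decision.STEP_UP),
    # Unknown device off the corporate network: ask for a second factor.
    Rule("unknown device step-up",
         lambda r: not r.device_known and not on_corp_network(r)
         and r.auth_method != "mfa", Decision.STEP_UP),
    Rule("default allow", lambda r: True, Decision.ALLOW),
]


def evaluate(request: AccessRequest, rules: List[Rule] = RULES) -> Tuple[Decision, str]:
    """Return the decision and the name of the rule that produced it."""
    for rule in rules:
        if rule.applies(request):
            return rule.decision, rule.name
    return Decision.DENY, "no matching rule"   # fail closed if the list is empty


if __name__ == "__main__":
    # Constructed sample requests covering each branch of the policy.
    samples = [
        AccessRequest("alice", frozenset({"employee"}), "10.1.2.3",
                      "Mozilla/5.0 (Windows NT 6.1) Chrome/40", "password", "salesforce", "/home"),
        AccessRequest("alice", frozenset({"employee"}), "203.0.113.9",
                      "Mozilla/5.0 (iPad; CPU OS 7_0) Safari/9537", "password", "box",
                      device_known=False),
        AccessRequest("bob", frozenset({"partner"}), "198.51.100.4",
                      "Mozilla/5.0 Chrome/40", "password", "salesforce"),
        AccessRequest("carol", frozenset({"employee"}), "10.1.2.3",
                      "Mozilla/5.0 Firefox/35.0", "password", "legacy-erp"),
    ]
    for req in samples:
        decision, why = evaluate(req)
        print(f"{req.user:6} {req.app:11} {req.path:7} -> {decision.value:8} ({why})")
```

Evaluation order matters: a risk-based denial must win over any later rule that would merely step the user up, and the final catch-all is the only place where access is granted, so adding a new restriction is a matter of inserting a rule above it rather than editing every other rule.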
All of this won’t end the war between convenience and security, but it provides a balance that will keep the Wolves and Lions behind their respective walls.
Matthew Carter is a senior systems engineer at Symplified.