Recent discussions about cloud computing, the security guarantees it should provide, and the psychological barriers that are slowing down adoption (less so than in the past) bring attention to a fundamental aspect: the security of access.
The countless advantages of a data center “in the cloud” are well described in the streams of ink and… eInk spilled about it.
However, the angle too often is to illustrate flexibility, low impact on maintenance processes, on-demand performance and ubiquitous access… forgetting a key aspect when it comes to accessing sensitive data and applications.
Hence the question: if a CIO accepts moving corporate IT into the cloud – trusting the SLA and security standards of the service provider – which part of the process should be “bomb-proof”?
The answer is too often neglected: access! Or, better, the security level and strength of the access process.
Authentication systems considered “state of the art”, such as OTPs sent via text message, have recently been questioned because of man-in-the-middle attacks that nullify the whole security measure.
How should you react to the growing threats and strengthen the overall process?
The answer is contained in a historical quote: divide and conquer.
Divide refers to combining authentication and identity validation systems (each featuring a good intrinsic strength) to create a barrier protecting access, and to making this barrier almost impossible to penetrate unless valid credentials are provided.
StoneGate SSL VPN is an Identity and Access Management (IAM) system featuring over 25 different authentication methods, both native and interoperating with existing backend systems in the enterprise. Complemented by security posture validation and trace removal at the end of the session, the solution gives secure, authenticated access to the applications available to a given user in a given context.
The interesting possibility is the ability to combine multiple instances of the same or different authentication methods to raise the strength of the overall authentication process exponentially.
For example, let’s consider four authentication methods:
- One time password delivered via SMS
- One time password generated with StoneGate MobileID
- Certificate authentication with client certificate protected by passphrase
- Native Active Directory authentication.
Each of these methods features a good security level (password variability, number of authentication factors, difficulty of extracting the protected information).
The security level could be maximized if the IAM system allowed the four authentication methods to be combined, since the overall strength and the number of factors would be multiplied.
Therefore access to a particularly important application or to especially sensitive data could be protected by a super-safe authentication scheme, such as:
- type in a username and fixed password; an OTP will be sent to your phone via text message
- present a valid passphrase-protected digital certificate, stored on a smartcard or token
- enter an OTP generated with the free MobileID client software, installed on a device different from the one you are using for access
- type in your Active Directory username and password
By combining this process with security context validation (such as antivirus state and checking the serial numbers of client hardware components) it is possible to reach an unbeatable strength in the authentication and access process, enabling access to the cloud at a security level accepted by the most demanding customer, without sacrificing (too much) the usability of the process itself.
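As an added illustration, not code from the original post and not StoneGate's own implementation, the following Python sketch shows how such a chained policy can be expressed: the posture check and every factor in the chain must pass, a failure anywhere denies access, and one-time codes are consumed so they cannot be replayed. Everything in it is constructed: the user store, the SMS code store, the certificate binding and the hardware serial allowlist are in-memory stand-ins, and the MobileID-style OTP is modelled with RFC 4226 HOTP (using the RFC's published test secret) since the real client's algorithm is not described on this page.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed in-memory stores standing in for the enterprise backends (AD, PKI, MobileID).
USER_DB = {}
SMS_OTPS = {}      # username -> code the server sent out of band (constructed store)
HOTP_WINDOW = 3    # how far ahead of the stored counter a client-generated code may be


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; stand-in for the code a MobileID-style client computes."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_record(password: str) -> tuple:
    """Salted PBKDF2 record; stands in for the directory's stored credential."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(record: tuple, candidate: str) -> bool:
    salt, digest = record
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(derived, digest)


def enroll(name, ad_password, mobileid_secret, cert_fingerprint, hw_serials):
    USER_DB[name] = {
        "ad_password": password_record(ad_password),
        "mobileid_secret": mobileid_secret,
        "mobileid_counter": 0,
        "cert_fingerprint": cert_fingerprint,
        "hw_serials": set(hw_serials),
    }


def issue_sms_otp(name) -> str:
    """Generate and store a single-use code; a real system sends it to the phone only."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    SMS_OTPS[name] = code
    return code


# One function per authentication method; each receives the user record and the request.

def step_sms_otp(user, req):
    expected = SMS_OTPS.pop(req["username"], None)   # consumed on first use, pass or fail
    return expected is not None and hmac.compare_digest(expected, req.get("sms_otp", ""))


def step_client_cert(user, req):
    # The TLS layer is assumed to have verified the passphrase-protected certificate;
    # this step only binds the presented certificate to the enrolled user.
    return hmac.compare_digest(user["cert_fingerprint"], req.get("cert_fingerprint", ""))


def step_mobileid_otp(user, req):
    for offset in range(HOTP_WINDOW):
        counter = user["mobileid_counter"] + offset
        if hmac.compare_digest(hotp(user["mobileid_secret"], counter), req.get("mobileid_otp", "")):
            user["mobileid_counter"] = counter + 1   # move past the used code: no replay
            return True
    return False


def step_ad_password(user, req):
    return verify_password(user["ad_password"], req.get("ad_password", ""))


def check_posture(user, req):
    posture = req.get("posture", {})
    return posture.get("antivirus_ok") is True and posture.get("hw_serial") in user["hw_serials"]


CHAIN = [("sms_otp", step_sms_otp), ("client_cert", step_client_cert),
         ("mobileid_otp", step_mobileid_otp), ("ad_password", step_ad_password)]


def authenticate(req) -> tuple:
    """Posture first, then every factor in order; returns (granted, audit_trail).
    The trail is for the server-side log; the user should only see a uniform denial."""
    user = USER_DB.get(req.get("username"))
    if user is None:
        return False, ["unknown user"]
    if not check_posture(user, req):
        return False, ["posture failed"]
    trail = ["posture ok"]
    for name, step in CHAIN:
        if not step(user, req):
            trail.append(f"{name} failed")
            return False, trail
        trail.append(f"{name} ok")
    return True, trail


if __name__ == "__main__":
    # Constructed demo user; secret is the RFC 4226 test vector secret.
    enroll("alice", "correct horse battery staple", b"12345678901234567890",
           "sha256:constructed-fingerprint", ["SN-CONSTRUCTED-0001"])
    request = {"username": "alice", "sms_otp": issue_sms_otp("alice"),
               "cert_fingerprint": "sha256:constructed-fingerprint",
               "mobileid_otp": hotp(b"12345678901234567890", 0),
               "ad_password": "correct horse battery staple",
               "posture": {"antivirus_ok": True, "hw_serial": "SN-CONSTRUCTED-0001"}}
    print(authenticate(request))    # granted on first use
    print(authenticate(request))    # denied: the SMS code was already consumed
```

The ordering matters for usability and for cost: the posture check runs first because it needs no user interaction, and the out-of-band SMS code is consumed whether or not later factors pass, so a second attempt must go through the full chain again with fresh codes.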
Cloud Computing. Secured!