Hosted applications, cloud computing, software as a service (SaaS)…these are buzz words used all over the IT landscape at the moment. SaaS comes in many flavours, but the overall concept remains the same: software is no longer purchased and installed on local PCs and servers. Nowadays, organizations buy a license for a software service hosted on the servers of the SaaS vendor. Licenses are available through monthly, quarterly or yearly subscription fees.
The model is very popular, especially in the current economic downturn. SaaS’ promise of flexible pricing has made it attractive to companies that need to reduce their IT costs without compromising the performance of services and applications that are essential to their business.
Furthermore, upfront costs tend to be lower, deployment is faster and cheaper, and SaaS does not require additional server hardware investments or dedicated staff. As the SaaS model can be extended across the whole enterprise, it is becoming the licensing model of choice across many departments, such as marketing, helpdesk support and human resources.
As a result, computer users in both private and business environments leverage these online applications. Newspaper subscriptions, CRM, HRM, ERP, e-learning services, legal, marketing and real estate services, and online gaming and gambling are all types of hosted applications that are consumed in the notorious cloud.
SaaS applications raise security concerns
For all the added value and cost savings that hosted applications deliver, SaaS also has a downside for both user and vendor. Decision makers choosing SaaS applications over proprietary software or software-in-a-box are often confronted with some resistance from the IT department. IT staff see not only the benefits that SaaS yields; they are mainly occupied with concerns such as integration, customization and – above all – security.
SaaS raises serious questions regarding security issues. How secure are these hosted applications? Is data integrity of business-critical information ensured? And how can you securely access data on an external server while preventing unauthorized access at the same time?
By default, hosted applications offer simple log-on procedures using single-factor authentication. Users log on using a username and a static password, such as the name of their favourite pet. Such passwords, however, are very vulnerable, as they are easy to obtain or intercept and don’t provide sufficient protection against data theft via phishing and keylogging attempts.
And what if an employee leaves the company for a job with a competitor and uses his old password to access his previous organization’s business-critical data? Moreover, static passwords can easily be shared between colleagues, resulting in revenue loss for SaaS providers.
Two-factor authentication solves legitimacy issues
Protecting hosted applications doesn’t necessarily need to be complicated. Strong two-factor authentication overcomes many of the aforementioned objections.
Strong authentication is already commonplace in online banking. End-users generally possess an authentication device that generates one-time passwords. These dynamic passwords can only be used once and expire after a limited amount of time. Two-factor authentication gives application providers the guarantee that the user requesting access is actually who he or she claims to be. The same principle can be applied to SaaS applications, solving security issues related to the legitimacy of users.
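As an added illustration (not code from the article or from VASCO), here is a provider-side check for the two properties the paragraph names: the code expires with its time window and can be accepted only once. It assumes a time-based HMAC one-time password as in RFC 6238 (the article does not name a scheme) with a constructed shared secret and constructed timestamps.

```python
import hmac
import hashlib
import struct

# Constructed demo secret; a real token and provider share a per-user secret at enrollment.
DEMO_SECRET = b"constructed-shared-secret-for-demo"
STEP = 30       # assumption: each code is valid for one 30-second window
DIGITS = 6


def otp_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP with the RFC 4226 dynamic truncation for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_otp(secret: bytes, now: float, step: int = STEP) -> str:
    """Time-based OTP: the counter is the current time window (RFC 6238)."""
    return otp_for_counter(secret, int(now // step))


class OtpVerifier:
    """Provider-side verifier: rejects replayed codes and codes outside the time window."""

    def __init__(self, secret: bytes, step: int = STEP, drift: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift            # tolerate +/- one window of clock skew
        self.last_counter = -1        # highest window already consumed by a valid login

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue              # window already used: a captured code cannot be replayed
            expected = otp_for_counter(self.secret, counter)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False                  # wrong code, or a code whose window has expired


def demo() -> dict:
    """Walk through three cases: genuine first use, replay of the same code, expired code."""
    v = OtpVerifier(DEMO_SECRET)
    t0 = 1_700_000_000.0                          # constructed login timestamp
    code = time_otp(DEMO_SECRET, t0)              # what the user's token would display
    first = v.verify(code, t0)                    # genuine first use -> accepted
    replay = v.verify(code, t0 + 5)               # same code resent seconds later -> rejected
    expired = OtpVerifier(DEMO_SECRET).verify(code, t0 + 10 * STEP)  # minutes later -> rejected
    return {"first": first, "replay": replay, "expired": expired}
```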
Preventing revenue loss
By adding strong user authentication as an extra security layer, SaaS vendors are able to address these security issues and turn the concept into a potential success story. However, some challenges still remain to be faced.
How can SaaS vendors safeguard their revenue streams? It may seem a superfluous question at first, as they work according to a subscription model that should guarantee a year-on-year revenue stream. But, as previously mentioned, what if subscribers start sharing passwords? How can SaaS vendors prevent their highly praised licensing model from becoming their own revenue trap?
License fraud is common practice among users of hosted applications: they buy a limited number of licenses, which are then shared by a large number of employees. SaaS providers are at risk of lost revenue caused by licensed subscribers sharing their credentials with unlicensed users, minimizing the effectiveness of the application and reducing the number of licenses sold. Simply put: SaaS vendors stand to lose revenue.
Strong authentication offers the golden solution. Authentication enables vendors to link one user to one license. This way the vendor can ensure that only licensed users gain access to the accounts they are licensed to use. Additionally, the vendor can protect its revenue stream while differentiating itself from the competition. For example, the vendor offers a solution that complies with the growing regulatory obligations for online security and protects end-users from online transaction fraud or data theft.
Hence, strong authentication addresses the growing requirement for online applications and software-as-a-service (SaaS) providers to protect their investment and service.
Jan Valcke is the president and COO of VASCO Data Security. He was co-founder and member of the board of directors of Digiline, the company that developed and marketed the first Digipass strong authentication tokens, back in 1991. From 1992 until joining VASCO in 1996, Valcke served as VP of sales and marketing for Digipass NV/SA, a member of the Digiline International group. In this position, Valcke dramatically strengthened the position of Digipass as the strong authentication solution for financial institutions.
When Digiline/Digipass was acquired in 1996 by VASCO, Valcke took responsibility for the worldwide sales of the new company. In 2000, he became VASCO’s executive VP for sales & marketing, and by the end of 2002, Valcke was appointed VASCO’s president and COO.
VASCO is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk.
Comments
Stu Howden says:
24 March 2010
I totally agree with Jan that 2FA is important for cloud-based applications; however the article doesn’t address the ‘token necklace’ issue. The last thing people need is to carry different credentials to log onto different applications. The best way to deploy a single solution is as a hosted cloud application itself that can be used to authenticate different SaaS applications.
While solutions to log in once to multiple applications are commonplace at the internet level, extending these solutions to the cloud has been problematic. However, the SAML (Security Assertion Markup Language) authentication protocol developed by the Organization for the Advancement of Structured Information Standards (OASIS) group is emerging as the enterprise standard underlying many browser-based authentication solutions.
SAML assumes that a user has enrolled with at least one identity provider to provide local authentication services. At the user’s request, this identity provider passes a SAML assertion to a new service or application provider to provide access.
SAML attempts to remove the problems of handling multiple credentials by delivering a federated identity and authentication solution. For example, using Signify’s SaaS Login, based on SAML, enables users to log in using their existing 2FA credentials and then have easy ‘one click’ sign-on to each cloud or SaaS application that supports SAML, without requiring further authentication.
It is important that this authentication blind spot is recognised by cloud/SaaS vendors and that they actively encourage their customers to use 2FA. However, instead of building 2FA into their own infrastructure, they should partner with companies such as Signify. This will enable them to quickly and cost effectively offer a flexible enhanced security solution, solve the ‘shared user/reduced license income’ issue, and make the experience better (as well as cheaper) for the end user and the company they work for.