The common factor in the current evolution of computing, where BYOD meets cloud, is security. How does IT securely control user access to corporate data via users’ own multiple devices? But there is another common factor between BYOD and cloud: the browser. There may be multiple BYOD devices on multiple platforms, but there are just four market-leading browsers across all of them; and cloud access is almost always via one or other of Chrome, IE, Firefox or Safari. Control this channel and you control access to your cloud.
That is the theory behind SaaSID’s new Cloud Application Manager (CAM). A CAM local agent is added to the browser. The user authenticates to CAM, and CAM authenticates – from within the browser – to policy stored on the corporate server. The policy then controls what the user can access via the browser, and what the user can do.
CEO Ed Macnair and CTO Richard Walters previously worked together in a company that decided to concentrate on securing retail environments. “But we were more interested in the emergence of cloud computing and the consumerisation of IT,” Macnair told Infosecurity. The result is SaaSID and CAM, a company and product that seeks to provide cloud authentication, compliance and governance.
Authentication is achieved via integration with Active Directory and other LDAP solutions, support for standards such as SAML, OpenID and OAuth, and compatibility with 2-factor products such as Symantec VIP and Yubico YubiKey. Granular application access is then controlled by policy rules that can restrict access to the application itself, or any application feature such as tabs, buttons, menu options, or links. This can be done without any change to the existing application, whether proprietary or public. It could be used, for example, to allow reading but not writing to social networks; or editing but not locally printing Google Docs. Finally, detailed monitoring and logging (which can selectively report to third party SIM or SIEM products) provide additional security, governance and compliance.
Security lies at the heart of CAM, CTO Richard Walters told Infosecurity. “All communications between the browser agent and server are encrypted using up to 2,048 bit encryption, combined with additional 256 bit AES encryption for sensitive data.” The user credentials are never stored on the BYOD device. “Universally unique IDs (UUIDs) are generated for each application that the user is authorized to use,” he explained. “These UUIDs are sent to the agent and held in memory, protected in a Java Virtual Machine. Agents are 'tied' to a particular SaaSID server, and there are additional features to prevent session hijacking and man-in-the-middle type attacks.”
CAM doesn’t solve the entire BYOD problem. Users still need to protect their devices from malware such as keyloggers. “As always, defense in depth represents best practice,” said Walters, “and so devices should still be protected with anti-malware products. This is not because SaaSID increases the attack surface of a device; however, it doesn't eliminate the entire attack surface either – keyloggers will still 'work' on an unprotected device.” But what it does do is give IT control over BYOD access to applications.