SAN FRANCISCO -- Although the use of Software as a Service (SaaS) applications from bring your own device (BYOD) endpoints is a complex security problem for enterprises, experts at the 2014 Cloud Security Alliance Summit advocated controlling that usage with established security controls.
Robert Hansen, security researcher and director of product management for WhiteHat Security, was one of several panelists who spoke Monday at the CSA event, the unofficial kickoff of the 2014 RSA Conference. He acknowledged the complexity of today's BYOD-SaaS world, in which organizations must rely not only on the security of their own infrastructures, but also on that of employees' mobile devices, cloud providers and "downstream" entities such as Internet service providers, registrars and business partners.
"It turns out most people can't even mentally model how many people could theoretically impact enterprise data," Hansen said.
He said enterprises benefit from the ongoing gains in consumer mobile device security, but adding cloud applications to the mix changes the security paradigm in unexpected ways. Dealing with the increased attack surface of Internet-exposed cloud applications and ensuring the security of cloud application programming interfaces are just two of the challenges he said enterprises must prepare for.
"It doesn't make you less secure, but it makes you easier to find and attack," Hansen said. "But cloud provider controls may be better than anything you have on your internal network."
Patrick Harding, chief technology officer of vendor Ping Identity, touted federated identity as an effective security control for SaaS applications used in conjunction with BYOD. In this scenario, any user seeking access to any cloud application would be directed to the same centralized authentication system that would govern access to traditional IT resources.
Though he admitted it can be a single point of failure, Harding said federated identity enables a number of other benefits, such as single sign-on (SSO), multifactor authentication and rapid termination of access when necessary, limiting the risk posed by BYOD and third-party clients.
"If I'm working from the library and I log on to Salesforce.com, if your company enforces federated SSO, you'd be redirected back to the enterprise to log in, but it can also apply other controls," Harding said. "If the library computer doesn't have the appropriate NAC capabilities on it, you could block access. It's the first step in allowing the enterprise to take control back a little bit."
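The redirect, device-posture check and rapid termination Harding describes, as an added Python simulation that is not Ping Identity's, Salesforce.com's or any panelist's code: the SaaS app stores no passwords and sends every unauthenticated request back to the enterprise identity provider (IdP), which checks credentials and the device's posture before issuing a signed assertion scoped to one app; disabling the user at the IdP then blocks new logins to every federated app at once. The HMAC "signature", the user directory, the posture attributes and the idp.example.test URL are constructed stand-ins for the SAML or OpenID Connect machinery a real deployment would use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared HMAC key standing in for the IdP's signing key. Real SAML/OIDC
# deployments sign with an asymmetric key so the SaaS app only holds a public key.
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"
ASSERTION_LIFETIME = 300  # seconds; kept short so revocation at the IdP bites quickly


def sign_assertion(claims):
    """Serialize claims and append an HMAC-SHA256 tag (stand-in for XML-DSig / JWS)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_assertion(token):
    """Return the claims if the tag verifies (constant-time compare), else None."""
    body, _, tag = token.partition(".")
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not tag or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class EnterpriseIdP:
    """The one centralized login that every SaaS app redirects to. Policy lives here."""

    def __init__(self):
        # Constructed directory; a real IdP fronts a corporate directory and an MFA provider.
        self.passwords = {"alice": "correct horse battery staple"}
        self.disabled = set()  # rapid termination: users added here can no longer log in
        self.required_posture = {"managed": True, "disk_encrypted": True}

    def login(self, user, password, device_posture, audience):
        """Return ("ok", assertion) or ("denied", reason)."""
        if user in self.disabled:
            return "denied", "account disabled"
        if self.passwords.get(user) != password:
            return "denied", "bad credentials"
        # Device-posture policy: the unmanaged library PC from the panel example fails here.
        for attr, wanted in self.required_posture.items():
            if device_posture.get(attr) != wanted:
                return "denied", f"device policy: {attr} must be {wanted}"
        now = int(time.time())
        claims = {"sub": user, "aud": audience, "iat": now, "exp": now + ASSERTION_LIFETIME}
        return "ok", sign_assertion(claims)

    def terminate(self, user):
        """Cut off new logins to every federated app by disabling the user once, here."""
        self.disabled.add(user)


class SaaSApp:
    """A service provider (a CRM, say) that trusts the enterprise IdP instead of local passwords."""

    def __init__(self, name, idp_login_url):
        self.name, self.idp_login_url = name, idp_login_url
        self.sessions = {}

    def request(self, session_id):
        """Unauthenticated requests are redirected to the IdP, never prompted for a password."""
        if session_id not in self.sessions:
            return {"status": 302, "location": f"{self.idp_login_url}?RelayState={self.name}"}
        return {"status": 200, "user": self.sessions[session_id]}

    def consume_assertion(self, token):
        """Check signature, audience and expiry before minting a local session."""
        claims = verify_assertion(token)
        if claims is None or claims.get("aud") != self.name or claims["exp"] < time.time():
            return None
        session_id = hashlib.sha256(token.encode()).hexdigest()[:16]
        self.sessions[session_id] = claims["sub"]
        return session_id


def demo():
    """Walk through the panel's scenarios and return what each one produced."""
    idp = EnterpriseIdP()
    crm = SaaSApp("crm", "https://idp.example.test/sso")  # constructed IdP endpoint
    pw = "correct horse battery staple"
    managed = {"managed": True, "disk_encrypted": True}
    library_pc = {"managed": False, "disk_encrypted": False}

    results = {}
    results["redirect"] = crm.request("no-session")["status"]  # 302 back to the enterprise
    results["library"] = idp.login("alice", pw, library_pc, "crm")  # blocked by device policy
    _, token = idp.login("alice", pw, managed, "crm")
    sid = crm.consume_assertion(token)
    results["managed_login"] = crm.request(sid)["user"]  # "alice"
    # An assertion issued for another app must not be accepted by the CRM.
    results["wrong_audience"] = crm.consume_assertion(idp.login("alice", pw, managed, "hr-app")[1])
    idp.terminate("alice")
    results["after_termination"] = idp.login("alice", pw, managed, "crm")
    results["stale_session_still_valid"] = crm.request(sid)["status"]  # 200 until it expires
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The last scenario is the caveat behind Harding's "single point of failure" admission in reverse: disabling the user at the IdP stops new logins everywhere, but a session the SaaS app has already created lives on until its own lifetime runs out, so termination is only as rapid as the shortest session or assertion lifetime, or as the back-channel deprovisioning the SaaS vendor supports.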
Wolfgang Kandek, chief technology officer for Qualys, questioned that strategy. If an organization clamps down too much or makes users jump through hoops to gain access to cloud applications, it risks reducing the enhanced employee productivity that BYOD offers.
"You can see how it wouldn't be accepted and even be evaded by employees who are smart and computer-savvy," Kandek said.
Alternatively, Hansen suggested governing cloud access by implementing a centralized cloud gateway server, which would enable policy enforcement at a more "granular level."
Moderator Jay Chaudhry, CEO of vendor Zscaler, said that tactic needs to be modified to account for the distributed access demands of an organization that broadly uses cloud applications. He mentioned that one Zscaler customer with 150,000 employees in more than 100 countries suddenly realized its gateway strategy wasn't working when it implemented SaaS applications and backhauled its traffic to just four gateways, grinding activity to a halt.
The panelists, though, agreed that relying solely on a VPN to govern BYOD access to SaaS applications isn't wise. Responding to an audience question, Harding said enforcing VPN use in that way not only requires careful configuration to accept only certain IP subnet ranges, but also quickly becomes a scaling problem as an organization increases its users, devices and applications.
Neil MacDonald, vice president at Stamford, Conn.-based research firm Gartner Inc., said he was surprised that nobody admitted that "the horse is out of the barn" and that the combination of SaaS and BYOD requires new approaches to security.
"This idea that you're going to VPN in -- I chuckled a bit to myself," MacDonald said. "It's not going to happen."
He said enterprises have to consider the best way to work security into usage scenarios that are being driven by cost and convenience, in which the enterprise doesn't control the device, the network or the cloud service.
"I thought there was a little bit of naiveté that [the panel] didn't acknowledge how serious the problem is and how blind we already are," MacDonald said.