
For BYOD-SaaS security, consider established IT security controls

Panelists at the Cloud Security Alliance Summit assert that federated identity and gateways, hardly new technologies, are best for BYOD-SaaS security.

SAN FRANCISCO -- Even though the use of Software as a Service (SaaS) applications via bring your own device (BYOD) endpoints represents a challenging, complex security problem for enterprises, experts at the 2014 Cloud Security Alliance Summit advocated controlling that usage with established security controls.

Robert Hansen, security researcher and director of product management for WhiteHat Security, was one of several panelists who spoke Monday at the CSA event, the unofficial kickoff of the 2014 RSA Conference. He acknowledged the complexity that exists in today's BYOD-SaaS world, in which organizations must now rely not only on the security of their own infrastructures, but also on that of employees' mobile devices, cloud providers and "downstream" entities such as Internet service providers, registrars and business partners.

"It turns out most people can't even mentally model how many people could theoretically impact enterprise data," Hansen said.

He said enterprises benefit from the ongoing gains being made in consumer mobile device security, but adding cloud applications to the mix adjusts the security paradigm in unexpected ways. Dealing with the increased attack surface of Internet-exposed cloud applications and ensuring the security of cloud application programming interfaces are just two of the challenges he said enterprises must prepare for.

"It doesn't make you less secure, but it makes you easier to find and attack," Hansen said. "But cloud provider controls may be better than anything you have on your internal network."

Patrick Harding, chief technology officer of vendor Ping Identity, touted federated identity as an effective security control for SaaS applications used in conjunction with BYOD. In this scenario, any user seeking access to any cloud application would be directed to the same centralized authentication system that would govern access to traditional IT resources.

Though he admitted it can be a single point of failure, Harding said federated identity enables a number of other benefits, such as single sign-on (SSO), multifactor authentication and rapid termination of access when necessary, limiting the risk posed by BYOD and third-party clients.

"If I'm working from the library and I log on to, if your company enforces federated SSO, you'd be redirected back to the enterprise to log in, but it can also apply other controls," Harding said. "If the library computer doesn't have the appropriate NAC capabilities on it, you could block access. It's the first step in allowing the enterprise to take control back a little bit."

Wolfgang Kandek, chief technology officer for Qualys, questioned that strategy. If an organization clamps down too much or makes users jump through hoops to gain access to cloud applications, it risks reducing the enhanced employee productivity that BYOD offers.

"You can see how it wouldn't be accepted and even be evaded by employees who are smart and computer-savvy," Kandek said.

Alternatively, Hansen suggested governing cloud access by implementing a centralized cloud gateway server, which would enable policy enforcement at a more "granular level."

Moderator Jay Chaudhry, CEO of vendor Zscaler, said that tactic needs to be modified to account for the distributed access demands of an organization that broadly uses cloud applications. He mentioned that one Zscaler customer with 150,000 employees in more than 100 countries suddenly realized its gateway strategy wasn't working when it implemented SaaS applications and backhauled its traffic to just four gateways, grinding activity to a halt.

The panelists, though, agreed that relying solely on a VPN to govern BYOD access to SaaS applications isn't wise. Responding to an audience question, Harding said enforcing VPN use in that way not only requires careful configuration to only accept certain IP subnet ranges, but also quickly becomes a scaling problem as an organization increases its users, devices and applications.

Neil MacDonald, vice president at Stamford, Conn.-based research firm Gartner Inc., said he was surprised that nobody admitted that "the horse is out of the barn" and that the combination of SaaS and BYOD requires new approaches to security.

"This idea that you're going to VPN in -- I chuckled a bit to myself," MacDonald said. "It's not going to happen."

He said enterprises have to consider the best way to work security into usage scenarios that are being driven by cost and convenience, in which the enterprise doesn't control the device, the network or the cloud service.

"I thought there was a little bit of naiveté that [the panel] didn't acknowledge how serious the problem is and how blind we already are," MacDonald said.

Some very good high-level advice for BYOD implementation. I agree that privacy issues are an important consideration for any BYOD system. My own advice comes from the fact that we were looking to bring in a larger MDM system for BYOD at our hospital, but the doctors (who own the hospital) felt it was too intrusive since they all wanted to use their own devices, but didn't want IT to have total control over them. Still, they wanted the ability to send HIPAA compliant patient info (mostly text messages) to admin and other doctors. We changed our strategy and started looking for individual apps to deal with the various security issues. In order to allow for HIPAA compliant text messaging, we got a secure messaging app (which is HIPAA compliant) and installed it on all the doctors' devices. It auto-deletes the messages after X period of time, and IT can still wipe the device if it is lost or stolen, but the doctors didn't feel it violated their 'privacy', which made it acceptable to them. I think this is a growing trend in the way smaller firms will deal with BYOD and security.
A mix of old and new is a smart approach to keeping technology and data secure. As with anything new, there will be things that a guy at a security desk can't do and a biometric scanner can. So, IT will have to be extra vigilant in learning about all devices people are using and the ways to keep them secure in all environments.