illurity-logo
Log in

Site menu:

Categories

Tags

Site search

September 2018
M T W T F S S
« Dec    
 12
3456789
10111213141516
17181920212223
24252627282930

Links:

Archives

Securing SaaS

With last month’s news of a Salesforce.com employee falling prey to a phishing attack, resulting in the SFDC database being mined for subsequent targeted phishing attacks against some number of SFDC’s nearly 1,000,000 users, there’s been a lot of interest in securing Software as a Service platforms.

The first wave of solutions is the conventional lot: user education, anti-spam/anti-phishing technologies, and IP range limiting combined with VPN access for remote users. This is usually followed by the somewhat esoteric second wave: Pure VPN based access (where the SaaS provider offers premium secure access through a massive SSL-VPN platform with some set of its security features), pre-selected image-based site authentication (which has its own demonstrable vulnerabilities), or site-specific dissolvable security agents (e.g. while the user is in a SaaS session, an ephemeral anti-malware agent loads). All useful technologies, but their practicality in a million+ user SaaS environment is limited by scalability and cost.

Where is Two-Factor or Token-based Authentication? Right here and here. Totally available, and almost totally impracticable by users and businesses who were looking for the simplicity of a hosted service in the first place.

So token-based SSO (with or without 2FA) is ostensibly the most secure method for accessing SaaS platforms, but it is also generally prohibitively difficult for the typical SaaS subscriber to implement. How to solve the catch-22? A SSO appliance.

First to mind is the capable OneSign product from Imprivata. While not specifically built for SaaS SSO, it’s effortless application support model is perfectly suited to automating and securing SaaS sign-on, in addition to its broad support for strong authentication options and physical/logical security convergence.

Next is the challengingly named Sxip Identity, an appliancized uber password/form manager (variant available as a firefox add-on). And they even had a a dedicated For Salesforce page long before the SFDC breach. Bonus points for being foresightful rather than just shameless reactive opportunists.

Share: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Twitter
  • LinkedIn
  • Facebook
  • email
  • Google Bookmarks
  • del.icio.us
  • StumbleUpon
  • Reddit

You must be logged in to post a comment.