Data Access Control Through Online Identities


Have you ever signed in to a website without registering an account, using only your Google account? That is a good example of an online identity: one login that many unrelated services trust. The same principle is used by corporate organizations to give employees access to a suite of resources across their internal SaaS ecosystem.

To govern these online identities, we believe that enterprises should strictly enforce comprehensive data access restrictions and checks throughout their SaaS application ecosystems. Vendors such as, for example, can track the use of resources and artifacts in SaaS systems. This includes having permissions on artifacts hosted within SaaS services expire automatically, which prevents overexposure and reduces the overall attack surface.

What are online identities?

Online identities, also called online personas, are user accounts with their associated credentials, whose single purpose is to authenticate a user and establish their right to access online resources. In corporate settings the concept maps onto directory user accounts, such as those in Active Directory. An online identity is typically used to access SaaS applications such as webmail or internet banking.

Defining SSO

In a corporate environment, the equivalent use of online identities is called Single Sign-On (SSO). SSO authenticates users once and lets them access corporate resources provisioned in the cloud. Where a Microsoft tenant exists, for example, corporate resources are provisioned inside Microsoft's Azure cloud, allowing employees to access SaaS applications like Office 365 (now Microsoft 365), SharePoint document libraries, and analytics tools such as Microsoft Power BI. Such an online identity is typically a user account in the organization's directory: on-premises Active Directory synchronized to Azure AD (now Microsoft Entra ID), or a cloud-only account in that tenant.


Token Passing

This is achieved using token passing. When an employee signs in through SSO, the identity provider generates a short-lived, signed token (a SAML assertion or an OpenID Connect ID token, for example) that represents the successful authentication. The user's browser or client presents this token to each SaaS service as proof of authentication; each service validates the signature, the issuer, the intended audience, and the expiry before granting access to the resources attributed to that user. Because possession of the token is what grants access, anyone who steals a valid token can use it until it expires, which is why tokens are kept short-lived.

The SSO token is used by both browsers and native applications.
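The token-passing exchange above, as an added example that is not part of the original post: a minimal identity provider that mints a short-lived signed token after login, and the validation a SaaS application should perform before trusting it. The token is a compact JWT signed with HMAC-SHA256; the shared secret, the issuer and audience names, the user and the group names are all assumptions made for this illustration.

```python
"""Added example (not from the original post): a minimal model of SSO token
passing. The identity provider (IdP) issues a short-lived signed token after a
successful login; each SaaS application validates signature, issuer, audience
and expiry before granting access. Key, issuer, audience and user names are
assumptions for this illustration.
"""
import base64
import hashlib
import hmac
import json
import time

IDP_SECRET = b"shared-secret-for-demo-only"   # assumption: key shared out of band
IDP_ISSUER = "https://idp.example.com"          # hypothetical IdP
TOKEN_TTL = 600                                # seconds a token stays valid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user, audience, groups, now=None, secret=IDP_SECRET) -> str:
    """IdP side: after the user authenticated, mint a token for one audience."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": user, "aud": audience,
              "groups": list(groups), "iat": now, "exp": now + TOKEN_TTL}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token, expected_audience, now=None, secret=IDP_SECRET) -> dict:
    """Service-provider side: accept the token only if every check passes."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("aud") != expected_audience:  # a token for app A must not open app B
        raise ValueError("token issued for another application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def can_access(token, app, required_group, now=None) -> bool:
    """Authorization on top of authentication: the app checks group membership."""
    try:
        claims = validate_token(token, app, now=now)
    except ValueError:
        return False
    return required_group in claims["groups"]


if __name__ == "__main__":
    t0 = 1_700_000_000                      # fixed clock so the run is reproducible
    tok = issue_token("alice@example.com", "sharepoint", ["finance"], now=t0)
    print(can_access(tok, "sharepoint", "finance", now=t0 + 60))    # True
    print(can_access(tok, "powerbi", "finance", now=t0 + 60))       # False: wrong audience
    print(can_access(tok, "sharepoint", "finance", now=t0 + 3600))  # False: expired
```

The point of the audience and expiry checks is that a token is not a general-purpose key: a token minted for one application is refused by another, and a stolen token stops working once its lifetime runs out. Production deployments use asymmetric signatures (RS256 or ES256) so that applications can verify tokens without holding a secret that could also mint them.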

Benefits of Corporate SSO

Some of the benefits of utilizing SSO in a corporate environment are the following:

  • When new users are added to the organizational tenant, they can be provisioned from a single user template and gain immediate access to all the SaaS resources their role requires.
  • Users do not suffer from password fatigue, because they remember one credential instead of one per application.
  • As a result, users also reach applications faster, because the online identity is passed in the background rather than re-entered at every login prompt.
  • Data access control can be performed at a granular level by granting only what the employee requires. This is the principle of least privilege, a building block of the Zero Trust model; access is provisioned manually or through inheritance from objects such as groups or folders.

Organizational Risk Involved in SSO

Although this technology has many benefits, it does introduce notable risk factors into a corporate SaaS environment.

  • When a threat actor obtains a user's SSO credentials (or a valid session token), the attacker gains access to every service and application attributed to that user in one step.
  • If user access is incorrectly configured, for instance through over-broad group membership or folder inheritance, users can reach resources they are not entitled to.
  • Users can then download such confidential information and transfer it to an external device outside the organization's control.

Addressing Organizational SSO Risks

The first line of defense is still the user's credential. Users need to be educated to choose strong, complex passwords for their SSO accounts, and the account should additionally be protected with multi-factor authentication, since a password alone does not stop a phished or reused credential. Secondly, users need to understand the risk of reusing their corporate credentials on platforms such as personal webmail and social media.

To address erroneous access and the data leakage that follows from it, organizations can implement monitoring in their SaaS environments. These monitoring solutions consume the SaaS audit logs and report access that was granted, as well as the modification, removal, download, and migration of sensitive documents, so that an excessive grant or a bulk export is noticed before the data leaves the organization.
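The kind of check such monitoring performs, as an added example rather than any vendor's product: detection logic run over SaaS audit-log events that flags a permission grant exceeding what a user's groups entitle them to (the misconfiguration risk above), a share to a recipient outside the corporate domain, and a burst of confidential-file downloads. The log format, the group-to-folder entitlement table, the user names, the domain and the threshold are assumptions; the events are constructed for this illustration.

```python
"""Added example (not from the original post): detection logic over constructed
SaaS audit-log events. Entitlement table, users, domain, log format and the
bulk-download threshold are assumptions for this illustration.
"""
import json
from collections import defaultdict

# Assumption: which groups are entitled to which top-level folders (the inheritance rule).
ENTITLEMENTS = {"finance": {"/finance"}, "hr": {"/hr"}}
USER_GROUPS = {"alice@example.com": {"finance"}, "bob@example.com": {"hr"}}
INTERNAL_DOMAIN = "example.com"
BULK_DOWNLOAD_THRESHOLD = 5   # confidential downloads per user before we alert

# Constructed audit log, one JSON event per line (not real vendor output).
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:00Z","action":"permission_granted","actor":"admin@example.com","target_user":"alice@example.com","path":"/finance/q3"}
{"ts":"2024-05-01T08:01:00Z","action":"permission_granted","actor":"admin@example.com","target_user":"bob@example.com","path":"/finance/q3"}
{"ts":"2024-05-01T08:05:00Z","action":"share","actor":"alice@example.com","path":"/finance/q3/forecast.xlsx","recipient":"carol@example.com"}
{"ts":"2024-05-01T08:06:00Z","action":"share","actor":"alice@example.com","path":"/finance/q3/forecast.xlsx","recipient":"partner@outside.org"}
{"ts":"2024-05-01T09:00:00Z","action":"download","actor":"alice@example.com","path":"/finance/q3/forecast.xlsx","label":"confidential"}
{"ts":"2024-05-01T09:10:00Z","action":"download","actor":"bob@example.com","path":"/finance/q3/a.xlsx","label":"confidential"}
{"ts":"2024-05-01T09:10:05Z","action":"download","actor":"bob@example.com","path":"/finance/q3/b.xlsx","label":"confidential"}
{"ts":"2024-05-01T09:10:09Z","action":"download","actor":"bob@example.com","path":"/finance/q3/c.xlsx","label":"confidential"}
{"ts":"2024-05-01T09:10:14Z","action":"download","actor":"bob@example.com","path":"/finance/q3/d.xlsx","label":"public"}
{"ts":"2024-05-01T09:10:20Z","action":"download","actor":"bob@example.com","path":"/finance/q3/e.xlsx","label":"confidential"}
{"ts":"2024-05-01T09:10:27Z","action":"download","actor":"bob@example.com","path":"/finance/q3/f.xlsx","label":"confidential"}
"""


def entitled(user: str, path: str) -> bool:
    """True if any of the user's groups covers the folder the path lives under."""
    for group in USER_GROUPS.get(user, set()):
        for root in ENTITLEMENTS.get(group, set()):
            if path == root or path.startswith(root + "/"):
                return True
    return False


def analyse(events):
    """Return one finding string per suspicious event, in log order."""
    findings = []
    confidential_downloads = defaultdict(int)
    for ev in events:
        action = ev["action"]
        if action == "permission_granted" and not entitled(ev["target_user"], ev["path"]):
            findings.append(f"{ev['ts']} excess grant: {ev['target_user']} on {ev['path']} by {ev['actor']}")
        elif action == "share" and not ev["recipient"].endswith("@" + INTERNAL_DOMAIN):
            findings.append(f"{ev['ts']} external share: {ev['actor']} shared {ev['path']} with {ev['recipient']}")
        elif action == "download" and ev.get("label") == "confidential":
            confidential_downloads[ev["actor"]] += 1
            if confidential_downloads[ev["actor"]] == BULK_DOWNLOAD_THRESHOLD:  # alert once
                findings.append(f"{ev['ts']} bulk download: {ev['actor']} fetched "
                                f"{BULK_DOWNLOAD_THRESHOLD} confidential files")
    return findings


def parse_log(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_sample():
    return analyse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running it yields three findings: the grant to bob on /finance/q3 (his only group is hr), alice's share to partner@outside.org, and bob's fifth confidential download. The grant to alice and the share to carol pass because the entitlement table and domain say they should; a real deployment would replace the table with the directory's group membership and the log with the SaaS platform's audit export.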

In Conclusion

When it comes to corporate SaaS environments and the use of SSO to access resources, organizations need to implement policies that define how SSO is governed. This is especially true for inheritance and for who is able to assign resources in the first place.


