Securing SaaS with Two Factor Authentication

It is my observation that businesses are ready to move more of their most sensitive information to the cloud. For that to happen - SaaS providers need to support strong security measures to protect the data

12 May 2009

It is my observation that businesses are ready to move more of their most sensitive information to the cloud.

For that to happen - SaaS providers need to support strong security measures to protect the data. SaaS solves many problems for an IT manager, but at the same time introduces some issues of its own. I will focus on one major shortcoming that, if not addressed, will cripple the adoption of SaaS. Fortunately, that flaw can be fixed with some goodwill and foresight. I refer to widely adopted weak authentication mechanisms - customers are given only the good old email/password combination, except for online banking.

The problem is that passwords have long stopped being an adequate method for protecting valuable data. Passwords are relatively easy to compromise and strict composition and retention policies are required to make them secure. The problem with that is that users have a hard time remembering the complex passwords that change every 90 days. They either write them down (thus risking credential loss) or simply forget them and use 'reset password' facilities for almost every login. Consumers have little say here and have to rely on governments to advocate their cause, like with the Federal Financial Institutions Examination Council (FFIEC) requirement to have two-factor authentication for online banking.

Two-factor authentication can be defined as an authentication scheme where, to authenticate (ensure that the user is who she claims she is), two discreet factors are used simultaneously. Another way to look at this is to require the users to present 'something they know' -password, together with the passcode generated by 'something they have' - for example, the hardware token that most of us are familiar with.

The situation is different with enterprise customers. Commercial and government customers, by the virtue of their buying power, can request and get higher security for online access. The question is "In what cases would I need to require my SaaS vendor to provide two-factor authentication?"

Two factor protection is desired if any personally identifiable information is handled outside the corporate firewall. Human resources applications are prime candidates here. Also, if you need to share some highly sensitive information (like company's financial statements, board reports, clinical trial information for life sciences sector etc) that has short term high value - it is prudent to request 'stronger than just the password' authentication mechanisms. The easiest case is when policies or regulatory requirements mandate two-factor authentication for data access. Naturally, those same requirements must be extended to SaaS before sending the data over.

After advising SaaS customers to include the two-factor authentication as requirement if they plan to send sensitive information out of their corporate firewall, I feel providing some ways to address complexity of two-factor in SaaS is in order.

There are many technologies available to provide two-factor authentication. Rushing to implement a solution tailored for the next large prospect and hoping that it will work for all others is not a good strategy. Talking to customers and understanding their needs are crucial. I would also recommend reading the latest revision of NIST Special Publication 800-63 from the National Institute of Standards and Technology - NIST Electronic Authentication Guideline. One must make every effort and get input from security professionals who have experience in implementing various solutions and can provide impartial opinion on benefits and potential problems of a given technology. There probably isn't a single solution for all use cases. Trying to force one may end up in awkwardly 'bolted on' functionality for some users. The best solution is implementing a strong authentication framework that allows for different second factors for different user populations. The ultimate goal is to implement a high-security/low footprint solution that can be extended as customer security needs evolve.

If an acceptable solution to providing flexible two-factor authentication to SaaS is not found - everybody loses. Most applications handling sensitive data cannot be pushed to the cloud, so businesses will have to continue maintaining large IT organizations to support them. Government IT, probably largest buyers anywhere, would not be able to adopt SaaS solutions. Plus - two-factor authentication vendors will continue having trouble penetrating 'consumer-like' use cases.

If customers insist on higher security standards and the SaaS providers make investments (aided with flexible pricing models from two-factor vendors) necessary to provide high security for their customer critical information - there will be wider adoption of SaaS as product delivery model which will benefit all participants. I look forward to sharing more thoughts on these issues in future posts.

Mushegh Hakhinian

Mushegh Hakhinian

Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian lead security functions at a multi-tenant online banking service provider and an international bank.