Over the last decade, enterprise users have increasingly come to rely on a growing number of cloud services to perform their daily tasks.
The strategic use of cloud services offers a number of immediate benefits to the enterprise, both in terms of required infrastructure, and in providing the necessary tools to a more mobile and geographically distributed workforce.
The drawbacks, however, are less obvious. As more and more sensitive data finds its way into various cloud services, it becomes increasingly difficult for administrators to manage their users' accounts and to safeguard the organization's data against unauthorized access.
These are issues that CloudGate UNO seeks to address.
Most cloud services are publicly reachable and require little more than an email address and a password to authenticate. Password complexity requirements, where present at all, vary widely across services, and there are very few guarantees as to how a given service hashes and stores its users' passwords.
As many services also offer some sort of "Keep me logged in" feature, in most cases the user is not even required to enter a username and password to log in. Instead, the service relies on the presence of a (sometimes very long-lived) browser cookie to decide whether the user should be allowed access; whoever holds that cookie effectively holds the session.
When users finally do need to re-authenticate, they often find that they can no longer remember their passwords and have to fall back on the service's password reset functionality, which, however convenient, is best summarized as "authentication by email": whoever controls the mailbox can take over the account. Less security-aware users may even be inclined to reuse the same password across multiple services to avoid having to memorize several passwords of varying complexity.
As awareness of the security implications of password-based authentication grows, a number of cloud services have started to support two-factor authentication, often through key fobs, hardware tokens, one-time password generators and smartphone apps. The web authentication landscape, while clearly evolving, remains fragmented, and at this point it is still hard to find two services that support the same authentication mechanisms.
CloudGate UNO, by virtue of acting as a centralized gateway to a large number of cloud services, is in the unique position to address these security concerns.
Through fine-grained security policies, CloudGate UNO administrators can restrict a user's access to any number of cloud services based on the user's IP address, location, the device they are using, the time of day, or any combination of these. In addition, administrators can define password policies or require their users to use biometric or two-factor authentication. ISR is also a member of the FIDO Alliance, which is currently spearheading an effort to standardize a stronger web authentication protocol under the auspices of the World Wide Web Consortium (W3C), and CloudGate UNO's Universal Second Factor (U2F) implementation has been certified by the FIDO Alliance.
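To make the "any combination" point concrete, the following is an added example, not CloudGate UNO's code or policy format, of a deny-by-default evaluator for contextual rules on IP address, location, device and time of day, with an optional second-factor requirement. The rule schema, the rule names, the documentation address ranges (203.0.113.0/24, 198.51.100.0/24), the country codes and the device classifications are all assumptions constructed for the example.

```python
"""Added example, not CloudGate UNO code: deny-by-default evaluation of
contextual access rules (IP, country, device, time of day, MFA).  The rule
schema and the sample policy below are constructed for this example."""
from dataclasses import dataclass
from datetime import time
from typing import Optional
import ipaddress


@dataclass
class AccessContext:
    """What the gateway knows about one access attempt."""
    ip: str            # connecting address as seen by the gateway itself
    country: str       # geolocation of that address, e.g. "JP"
    device: str        # device classification, e.g. "managed-laptop"
    local_time: time   # time of day in the policy's time zone
    mfa: bool = False  # second factor already completed in this session?


@dataclass
class Rule:
    """Every non-empty condition must hold (AND); an empty condition means 'any'."""
    name: str
    effect: str                              # "allow" or "deny"
    services: frozenset = frozenset()        # empty = every service
    networks: tuple = ()                     # CIDR strings
    countries: frozenset = frozenset()
    devices: frozenset = frozenset()
    hours: Optional[tuple] = None            # (start, end); end < start wraps past midnight
    require_mfa: bool = False                # only meaningful on allow rules

    def matches(self, service: str, ctx: AccessContext) -> bool:
        if self.services and service not in self.services:
            return False
        if self.networks:
            addr = ipaddress.ip_address(ctx.ip)
            if not any(addr in ipaddress.ip_network(n, strict=False) for n in self.networks):
                return False
        if self.countries and ctx.country not in self.countries:
            return False
        if self.devices and ctx.device not in self.devices:
            return False
        if self.hours and not in_window(ctx.local_time, *self.hours):
            return False
        return True


def in_window(t: time, start: time, end: time) -> bool:
    """Half-open window [start, end); a window whose end precedes its start
    (e.g. 20:00 to 07:00) wraps past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(rules, service: str, ctx: AccessContext):
    """Return (decision, rule_name).  Deny by default; any matching deny rule
    beats every allow rule; otherwise the first matching allow rule decides and
    yields "step-up" when it requires MFA that the session has not completed."""
    matched = [r for r in rules if r.matches(service, ctx)]
    for r in matched:
        if r.effect == "deny":
            return "deny", r.name
    for r in matched:
        if r.effect == "allow":
            if r.require_mfa and not ctx.mfa:
                return "step-up", r.name
            return "allow", r.name
    return "deny", "default"


# Constructed sample policy; addresses are from the documentation ranges.
POLICY = [
    Rule("block-unclassified-devices", "deny", devices=frozenset({"unknown"})),
    Rule("office-lan-business-hours", "allow",
         networks=("203.0.113.0/24",), hours=(time(7, 0), time(20, 0))),
    Rule("night-shift-monitoring", "allow", services=frozenset({"monitoring"}),
         networks=("203.0.113.0/24",), hours=(time(20, 0), time(7, 0))),
    Rule("managed-device-remote-mfa", "allow", devices=frozenset({"managed-laptop"}),
         countries=frozenset({"JP", "US"}), require_mfa=True),
]


def check(service, ip, country, device, hour, mfa=False):
    """Convenience wrapper: evaluate POLICY for a whole-hour local time."""
    return evaluate(POLICY, service, AccessContext(ip, country, device, time(hour, 0), mfa))


if __name__ == "__main__":
    print(check("mail", "203.0.113.10", "JP", "managed-laptop", 10))   # allow, office LAN
    print(check("mail", "198.51.100.7", "US", "managed-laptop", 14))   # step-up, MFA needed
    print(check("mail", "198.51.100.7", "US", "byod-phone", 14, True))  # deny, default
```

Two details matter in practice. The IP condition must be evaluated against the address the gateway actually sees on the connection, not a client-supplied header such as X-Forwarded-For, unless that header is set by a proxy the gateway trusts; and the country and device fields are only as reliable as the geolocation and device-classification sources that populate them. A deny rule that wins over every allow rule, as above, keeps an accidentally broad allow rule from overriding an explicit block.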
Single sign-on, while offering clear security and usability benefits, is in itself only part of the picture. Because current single sign-on protocols are highly standardized, they are relatively easy for cloud services to support. This, in turn, makes it easy for single sign-on providers like CloudGate UNO to target a large number of these services. In other words: single sign-on is easy; it is everything else that is hard.
While CloudGate UNO is perfectly capable of acting as a standalone identity management system, it usually does not operate in a vacuum. Enterprises, especially larger ones, often already have Active Directory or another LDAP-based identity store in place, so CloudGate can keep its user, group and organizational information in sync with such existing identity stores.
On the other side are the cloud services that CloudGate UNO provides access to. Most of these also maintain their own user and group information, and CloudGate can automatically provision and deprovision users and groups in a number of widely used services, such as G Suite and Office 365.
For integration use cases that are not covered out of the box, CloudGate offers both a CSV-based batch registration service and a REST-based API that lets customers and third parties build their own integrations.
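The provisioning and deprovisioning described above, whether driven from a synced directory or from a CSV batch, comes down to reconciling a desired user list against what a service currently has. The following added example is not CloudGate's provisioning code, its CSV format or its REST API; it shows the reconciliation step with the one safeguard a practitioner would insist on, namely refusing to deprovision a large share of the tenant when the directory read is empty or partial. The CSV column layout, the sample accounts and the break-glass account are assumptions constructed for the example.

```python
"""Added example, not CloudGate code: reconcile a directory export (desired
state) against a service's user list (actual state) into create / update /
deprovision actions, with a guard against mass deprovisioning.  The CSV
layout and the sample accounts are constructed for this example."""
import csv
import io
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Account:
    email: str           # lower-cased; the join key between directory and service
    display_name: str
    groups: frozenset


def load_csv(text: str) -> list:
    """Parse a constructed batch file with columns email,display_name,groups
    (groups separated by ';').  This layout is an assumption of the example."""
    rows = csv.DictReader(io.StringIO(text))
    return [Account(r["email"].strip().lower(), r["display_name"].strip(),
                    frozenset(g for g in r["groups"].split(";") if g))
            for r in rows]


@dataclass(frozen=True)
class Plan:
    create: tuple
    update: tuple
    deprovision: tuple


class ReconcileAborted(RuntimeError):
    """Raised when a run would deprovision an implausibly large share of accounts."""


def reconcile(directory: Iterable[Account], service: Iterable[Account],
              protected: frozenset = frozenset(),
              max_deprovision_fraction: float = 0.25) -> Plan:
    """Diff desired (directory) against actual (service) state.

    Anyone present in the service but absent from the directory is a leaver and
    is deprovisioned, except protected (break-glass) accounts that are
    intentionally not in the directory.  If the run would remove more than
    max_deprovision_fraction of the service's accounts, abort: an empty or
    partial directory read must never deprovision the whole tenant."""
    want = {a.email: a for a in directory}
    have = {a.email: a for a in service}
    create = tuple(want[e] for e in sorted(want.keys() - have.keys()))
    update = tuple(want[e] for e in sorted(want.keys() & have.keys()) if want[e] != have[e])
    gone = [e for e in sorted(have.keys() - want.keys()) if e not in protected]
    if have and len(gone) / len(have) > max_deprovision_fraction:
        raise ReconcileAborted(f"would deprovision {len(gone)} of {len(have)} accounts")
    return Plan(create, update, tuple(have[e] for e in gone))


# Constructed sample data.  Note the mixed-case address in the directory export.
DIRECTORY_CSV = """email,display_name,groups
alice@example.com,Alice Ando,staff;finance
Bob@Example.com,Bob Baker,staff
carol@example.com,Carol Chen,staff;it
erin@example.com,Erin Endo,staff
"""

SERVICE_CSV = """email,display_name,groups
alice@example.com,Alice Ando,staff
bob@example.com,Bob Baker,staff
dave@example.com,Dave Dunn,staff
erin@example.com,Erin Endo,staff
breakglass@example.com,Break Glass Admin,admins
"""

PROTECTED = frozenset({"breakglass@example.com"})


def sample_plan() -> Plan:
    """Reconcile the constructed sample: creates carol, updates alice's groups,
    deprovisions dave, leaves bob (case-normalized) and the break-glass admin alone."""
    return reconcile(load_csv(DIRECTORY_CSV), load_csv(SERVICE_CSV), PROTECTED)


def empty_directory_is_rejected() -> bool:
    """An empty directory read would remove 4 of 5 accounts; the guard must fire."""
    try:
        reconcile([], load_csv(SERVICE_CSV), PROTECTED)
    except ReconcileAborted:
        return True
    return False


if __name__ == "__main__":
    p = sample_plan()
    print("create:", [a.email for a in p.create])
    print("update:", [a.email for a in p.update])
    print("deprovision:", [a.email for a in p.deprovision])
    print("empty directory rejected:", empty_directory_is_rejected())
```

Normalizing the email join key matters: without it, "Bob@Example.com" in the directory and "bob@example.com" in the service would be treated as two different people, producing a spurious create and a spurious deprovision for the same user. The protected set exists because a service-side break-glass administrator is deliberately not in the directory and must survive every sync.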
Easier to use
For users, the most immediate benefit of introducing CloudGate is that they no longer have to authenticate separately to each of the cloud services they use for their daily tasks. After signing on to CloudGate they are automatically authenticated to these services, and no longer need to maintain a list of bookmarks or remember a multitude of passwords.
For administrators, the benefits lie mostly on the management side. As users join and leave the organization, administrators no longer have to create or remove accounts on each cloud service in use; CloudGate handles that for them. Similarly, administrators no longer have to configure IP whitelists, password restrictions and authentication mechanisms on each cloud service (where these are available at all), but can define them once in CloudGate and have them apply immediately and globally. Lastly, CloudGate gives administrators visibility into how, where and when users access their cloud services, allowing them to detect and investigate any irregularities.